force subnet through specific gateway

lurch · Fri Apr 25, 2025 4:30 pm

So from below config i have 2 default routes I would like the default router to always be via 10.20.0.2 so i can access management via 10.20.0.48 BUT i need any traffic from dhcp_pool1 ranges=10.10.10.2-10.10.10.254 to go out via 192.168.26.1

# jan/02/1970 00:24:52 by RouterOS 6.45.9
# software id = 9E4S-CKUW
#
# model = CRS326-24G-2S+
# serial numbe
/interface bridge
add admin-mac=auto-mac=no comment=defconf name=bridge
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp_pool1 ranges=10.10.10.2-10.10.10.254
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=ether2 lease-time=1d name=\
    dhcp1
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=ether11
add bridge=bridge comment=defconf interface=ether12
add bridge=bridge comment=defconf interface=ether13
add bridge=bridge comment=defconf interface=ether14
add bridge=bridge comment=defconf interface=ether15
add bridge=bridge comment=defconf interface=ether16
add bridge=bridge comment=defconf interface=ether17
add bridge=bridge comment=defconf interface=ether18
add bridge=bridge comment=defconf interface=ether19
add bridge=bridge comment=defconf interface=ether20
add bridge=bridge comment=defconf interface=ether21
add bridge=bridge comment=defconf interface=ether22
add bridge=bridge comment=defconf interface=ether24
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge comment=defconf interface=sfp-sfpplus2
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.20.0.48/24 interface=bridge network=10.20.0.0
add address=192.168.26.254/24 interface=ether23 network=192.168.26.0
add address=10.10.10.1/24 interface=ether2 network=10.10.10.0
/ip dhcp-server network
add address=10.10.10.0/24 dns-server=1.1.1.1 gateway=10.10.10.1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether23
/ip route
add distance=1 gateway=192.168.26.1
add distance=1 gateway=10.20.0.2
/system routerboard settings
set boot-os=router-os

jaclaz · Fri Apr 25, 2025 5:36 pm

I am not sure to have understood exactly what you want to do, but this kind of "connection steering" is usually done through a separate (additional) routing table and either a routing rule or a mangle mark or both, see:
https://help.mikrotik.com/docs/spaces/R ... cy+Routing
viewtopic.php?t=192006

loosely we can say that routing rules are easier to establish but are less selective, while mangling is usually more complex but can be more selective.

There are some difference in syntax between v6 and v7, I see from your config that you are running RouterOS 6.45.9 (which you shouldn't).

You should run either latest "long term" of v6, i.e. 6.49.18:
viewtopic.php?t=214509
or "take the jump" and get a version 7 (IMHO possibly not the latest-latest one that may still have bugs).
It is entirely up to you, latest v6 is very stable while v7 has still some quirks but offers some features that v6 doesn't have and never will have, but I wouldn't "finalize" a configuration on v6 to then decide to upgrade and need to translate/convert/adapt it to the new release. For a CRS - which is a switch with some router capabilities - probably the v6 is fine.

lurch · Fri Apr 25, 2025 5:40 pm

Thanks for the reply and sorry for the confusion. Basically users will connect to specific ports i.e eth2 as configured and get an ip via dhcp from the mikrotik. Internet traffic for them should go out via the 192.168.26.1 isp gateway BUT I still need to be able to access the miktorik via winbox etc via my internal network using the ip 10.10.20.48

jaclaz · Fri Apr 25, 2025 5:57 pm

Yep, but you have a "strange" set of IP addresses.
bridge has BOTH 192.168.88.1 AND 10.20.0.48 it is not clear at all if it is conceptually LAN, WAN or what
ether2 has the dhcp server on it and is 10.10.10.1, it is conceptually LAN
ether23 is the WAN port and has 192.168.26.254 (this connects to the router/modem/gateway at 192.168.26.1)

I have to presume that you are not using the bridge for connecting clients, and you have another switch connected to ether2 to which all users are connected.

The 10.20.0.48 is an address given to the bridge, so you can access it from any port BUT ether2 and ether23.

As well, to one of these ports you need to connect the device that has 10.20.0.2 and that is indicated as a possible gateway in routes (but without a NAT).

So it is not clear if the bridge is used as management network or as a link to a gateway or what.

Maybe if you could post a sketch of your network setup it will be easier to understand, even a photo of a hand drawn one on a piece of paper would do.

anav · Fri Apr 25, 2025 7:08 pm

draw a network diagram.
Do you mean you have two WAN connections?
Do you mean you have two Subnets?

Etc..............

lurch · Fri Apr 25, 2025 9:57 pm

Yep, but you have a "strange" set of IP addresses.
bridge has BOTH 192.168.88.1 AND 10.20.0.48 it is not clear at all if it is conceptually LAN, WAN or what
ether2 has the dhcp server on it and is 10.10.10.1, it is conceptually LAN
ether23 is the WAN port and has 192.168.26.254 (this connects to the router/modem/gateway at 192.168.26.1)

I have to presume that you are not using the bridge for connecting clients, and you have another switch connected to ether2 to which all users are connected.

The 10.20.0.48 is an address given to the bridge, so you can access it from any port BUT ether2 and ether23.

As well, to one of these ports you need to connect the device that has 10.20.0.2 and that is indicated as a possible gateway in routes (but without a NAT).

So it is not clear if the bridge is used as management network or as a link to a gateway or what.

Maybe if you could post a sketch of your network setup it will be easier to understand, even a photo of a hand drawn one on a piece of paper would do.

Bridge is just used for management nothing else i.e not connecting clients.192.168.88.1 can be removed and was only there as was default ip. No switch in ether 2 it will just have a single lan client per port.

ether2 lan
ether23 wan

what i need to do is lan cleint plugged into ether2 and get ip from mikrotik dhcp server (works) from lan client i can ping wan gateway (isp router) i.e 192.168.26.1 but form lan client I can't ping internet i.e 8.8.8.8 through 192.168.26.1

jaclaz · Sat Apr 26, 2025 10:23 am

I am confused, that was the issue in your other thread (that I believe has been solved);
viewtopic.php?p=1139991

And that this thread was about another request/setting (which I don't fully understand), connected to the use of 10.20.0.48 (which is another IP address on the bridge) and 10.20.0.0 network.
What is the device with IP 10.20.0.2 that is set as (secondary?) gateway?

anav · Sat Apr 26, 2025 6:25 pm

Without some diagrams nothing makes sense.

force subnet through specific gateway

force subnet through specific gateway

Re: force subnet through specific gateway

Re: force subnet through specific gateway

Re: force subnet through specific gateway

Re: force subnet through specific gateway

Re: force subnet through specific gateway

Re: force subnet through specific gateway

Re: force subnet through specific gateway