I have a hAP ac3 which works perfectly for me out of the box with the QuickSet "Home AP Dual" configuration.
It is connected via ether1 (renamed ether1-WAN1) using PPPoE to my ISP's modem.
I now have a second PPPoE-based internet connection and I would like to use this alongside the first, but only for traffic going to a specific IP address.
Starting from the QuickSet "Home AP Dual" configuration, I've done the following:
Removed ether2 from the bridge (leaving ether3, 4 and 5 as LAN ports with DHCP),
Renamed ether2 to ether2-WAN2
Added a second PPPoE Client on ether2-WAN2 with the appropriate credentials and *removed tick from the default route tick box*.
On physically connecting ether2-WAN2 to the second ISP's modem, after a moment or two it shows as connected, is assigned the static public IP that ISP has allocated to me, and all therefore seems well on that front.
But at this point I get lost. Very lost.
Let's say that I want all traffic from the LAN going to 1.2.3.4 to go via this second ISP on ether2-WAN2, leaving the default route for all other traffic via the first ISP on ether1-WAN1.
In my ignorance, I thought maybe all I had to do was add a Route to 1.2.3.4 via ether2-WAN2.
But of course it isn't as simple as that! It didn't work.
Based on the various howtos I've read and watched on YouTube, which are all to do with load balancing between WANs rather than what I want to do, I get the feeling that I need to do something with srcnat rules...err....I think...to ensure packets go out and replies come back in on the correct WAN interface, maybe?
Unfortunately I'm additionally confused by the fact that the "Home AP Dual" configuration makes use of Interface List items, with a LAN and WAN being defined.
LAN contains the bridge (LAN with DHCP).
By default, WAN contains ether1-WAN1 and pppoe-out1.
I wasn't sure whether to add ether2-WAN2 and pppoe-out2 to the existing WAN list item, or to create a new WAN2 and add ether2-WAN2 and pppoe-out2 to it, so that they can be manipulated separately from ether1-WAN1 pppoe-out1. In the end I did so, but then I realise I'll probably need to add Firewall Filter rules similar to the ones that are there by default for WAN - although there only seems to be one, right at the end, which drops anything from WAN that's not dstnat-ed.
But that's as far as I've got.
I was hoping that someone could point me in the right direction, please? I think the WAN interface list item may be bogging me down; trying to compare the howtos I'm reading and viewing with what I actually have as a starting point may not be helping, but I'm loath to start from a blank slate because (a) I'm new to this! and (b) the default Home Dual config really does seem to do everything I would need if I only needed one WAN interface.
Here's a version of my config (without my desired static route added) with what I think is the unrelated stuff (wlan, ntp, that sort of thing) removed and any usernames removed or redacted:
#
# Most stuff relating to wlan, ntp etc removed
/interface bridge
add admin-mac=[REDACTED] auto-mac=no name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN1
set [ find default-name=ether2 ] name=ether2-WAN2
set [ find default-name=ether3 ] name=ether3-LAN3
set [ find default-name=ether4 ] name=ether4-LAN4
set [ find default-name=ether5 ] name=ether5-LAN5
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1-WAN1 name=pppoe-out1 \
use-peer-dns=yes user=USERNAME1
add disabled=no interface=ether2-WAN2 name=pppoe-out2 user=\
USERNAME2
/interface list
add name=WAN
add name=LAN
add name=WAN2
/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.50
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/interface bridge port
add bridge=bridge ingress-filtering=no interface=ether3-LAN3
add bridge=bridge ingress-filtering=no interface=ether4-LAN4
add bridge=bridge ingress-filtering=no interface=ether5-LAN5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add interface=bridge list=LAN
add interface=ether1-WAN1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=ether2-WAN2 list=WAN2
add interface=pppoe-out2 list=WAN2
/ip address
add address=192.168.1.1/24 interface=bridge network=\
192.168.1.0
/ip dhcp-client
add disabled=yes interface=ether1-WAN1
# I wonder if I need to disable DHCP for ether2-WAN2 as well?
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN