Thu Dec 22, 2022 7:09 pm
/ip route
add distance=2 dst-address=0.0.0.0/0 gateway=ISP1 routing-table=main
add distance=5 dst-address=0.0.0.0/0 gateway=ISP2 routing-table=main
Right off the bat all users will be directed to ISP1.
If you wanted to direct a subnet or subnets out WAN2, that is very easy without using mangling.
If you wanted a few users, let's say 10 or less (because you need a route rule per user), then mangling can also be avoided.
However, if you have a large number of users, and also from different subnets, then that would be more difficult and would need mangling.
(1) The easy method consists of creating a table, an additional route for WAN2 (third route in total) with table=<new table name>, and corresponding routing rule(s).
/routing table add name=useWAN2 fib
/ip route add distance=5 dst-address=0.0.0.0/0 gateway=ISP2 routing-table=useWAN2
/routing rule add src-address=<subnet or single IP> action=lookup table=useWAN2
Note: If you never wanted them to have access to WAN1 (let's say WAN2 is not available), then use action=lookup-only-in-table.
(2) The more complex method consists of mangling/identifying that address list of users in prerouting heading for the internet and basically ensuring they are also routed out WAN2.
First (for v7) you need to create the table.
/routing table add name=specific-users fib
Then the mangle (same for v6 and v7):
/ip firewall mangle
add chain=prerouting src-address-list=special-group routing-mark=no-mark action=mark-routing new-routing-mark=specific-users
Then the routes
/ip route
add distance=2 dst-address=0.0.0.0/0 gateway=ISP1 routing-table=main
add distance=5 dst-address=0.0.0.0/0 gateway=ISP2 routing-table=main
and the additional third route
add distance=5 dst-address=0.0.0.0/0 gateway=ISP2 routing-mark=specific-users (v6)
OR
add distance=5 dst-address=0.0.0.0/0 gateway=ISP2 routing-table=specific-users (v7)
If you wish to keep fasttrack for the rest of the traffic, modify two copies of the regular established,related rule and put them in front of the fasttrack rule - one rule for originating traffic and one rule for returning traffic. The modification is the addition of the firewall address list!
/ip firewall filter
add action=accept chain=forward connection-state=established,related src-address-list=special-group
add action=accept chain=forward connection-state=established,related dst-address-list=special-group
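The following is an added example, not part of the post above and not RouterOS code: a small Python model of the two selection methods described in it (routing rules in method 1, an address-list mangle mark in method 2) feeding a per-table lookup of the default route. It exists to make the failure mode in the post's note concrete: with action=lookup the special group silently falls back to ISP1 when ISP2 is down, while action=lookup-only-in-table makes it unreachable instead. The address list contents, table names, the `up_gateways` set standing in for check-gateway, and the fallback-to-main for routing-marked traffic in `route_by_mark` are all assumptions of the model.

```python
# Added example (not RouterOS code, not from the post): a toy model of the
# policy-routing decision described above.  Gateway reachability is simulated
# by the `up_gateways` set, standing in for check-gateway marking a route
# inactive.  Addresses, list names and table names are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Route:
    dst: str                 # destination prefix, e.g. "0.0.0.0/0"
    gateway: str             # gateway name, e.g. "ISP1"
    distance: int            # lower wins among active routes in one table
    table: str = "main"      # routing-table (v7) / routing-mark (v6)


@dataclass(frozen=True)
class Rule:
    src: str                 # /routing rule src-address (subnet or /32)
    table: str               # table to look up
    action: str = "lookup"   # "lookup" or "lookup-only-in-table"


# Constructed config mirroring the post: ISP1 preferred, ISP2 backup,
# plus a third default route living only in the useWAN2 table.
ROUTES = [
    Route("0.0.0.0/0", "ISP1", 2),
    Route("0.0.0.0/0", "ISP2", 5),
    Route("0.0.0.0/0", "ISP2", 5, table="useWAN2"),
]
RULES = [Rule("192.168.10.0/24", "useWAN2")]
STRICT_RULES = [Rule("192.168.10.0/24", "useWAN2", "lookup-only-in-table")]

# Method 2 pieces: address list -> routing mark -> table of the same name.
ADDRESS_LISTS = {"special-group": ["192.168.10.0/24", "10.0.0.5/32"]}
MANGLE = [("special-group", "specific-users")]   # (src-address-list, new-routing-mark)
MARK_ROUTES = ROUTES + [Route("0.0.0.0/0", "ISP2", 5, table="specific-users")]


def in_any(ip, prefixes):
    return any(ip_address(ip) in ip_network(p) for p in prefixes)


def best_gateway(routes, table, dst_ip, up_gateways):
    """Best active route in `table` for dst_ip: longest prefix, then lowest
    distance.  A route whose gateway is down is inactive and skipped."""
    cands = [r for r in routes
             if r.table == table and r.gateway in up_gateways
             and ip_address(dst_ip) in ip_network(r.dst)]
    if not cands:
        return None
    cands.sort(key=lambda r: (-ip_network(r.dst).prefixlen, r.distance))
    return cands[0].gateway


def route_by_rules(routes, rules, src_ip, dst_ip, up_gateways):
    """Method 1: walk /routing rule entries in order.  action=lookup falls
    through to later rules and finally to main when the table has no active
    route; action=lookup-only-in-table stops there and the packet is
    unreachable, which is what keeps the group off WAN1 when WAN2 is down."""
    for rule in rules:
        if not in_any(src_ip, [rule.src]):
            continue
        gw = best_gateway(routes, rule.table, dst_ip, up_gateways)
        if gw is not None:
            return gw
        if rule.action == "lookup-only-in-table":
            return "unreachable"
    return best_gateway(routes, "main", dst_ip, up_gateways) or "unreachable"


def route_by_mark(routes, mangle, address_lists, src_ip, dst_ip, up_gateways):
    """Method 2: a prerouting mark-routing rule matched on src-address-list
    selects the table.  Modelled here with fallback to main when the marked
    table has no active route (assumed behaviour for marked traffic)."""
    table = "main"
    for list_name, mark in mangle:
        if in_any(src_ip, address_lists[list_name]):
            table = mark        # first match wins; routing-mark=no-mark keeps
            break               # later rules from re-marking the packet
    gw = best_gateway(routes, table, dst_ip, up_gateways)
    if gw is None and table != "main":
        gw = best_gateway(routes, "main", dst_ip, up_gateways)
    return gw or "unreachable"


if __name__ == "__main__":
    both = {"ISP1", "ISP2"}
    print(route_by_rules(ROUTES, RULES, "192.168.10.7", "8.8.8.8", both))                # ISP2
    print(route_by_rules(ROUTES, RULES, "192.168.10.7", "8.8.8.8", {"ISP1"}))            # ISP1 (leaks to WAN1)
    print(route_by_rules(ROUTES, STRICT_RULES, "192.168.10.7", "8.8.8.8", {"ISP1"}))     # unreachable
    print(route_by_mark(MARK_ROUTES, MANGLE, ADDRESS_LISTS, "10.0.0.5", "1.1.1.1", both))  # ISP2
```

The second and third calls in the `__main__` block are the ones to compare: same source, same destination, ISP2 down; the only difference is the rule action, and it decides whether the special group quietly goes out WAN1 or gets nothing.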