My apologies for steering you in the wrong direction; I missed the two WANs above in the first post.
The LAN where you want most functionality I would stick on the bridge (at least for my hEX I get the speed of the switch chip that way), and my DMZ is not on the bridge (separate LAN).
As noted, if they are connected at layer 2 (same bridge) they can see each other regardless of firewall rules (poor or no control), meaning that by decoupling them from the same bridge you can decide through firewall rules whether they can see each other.
If you have explicit drop-all-else forward rules, they will not talk and you would have to make explicit rules to allow this routing (my preference):
allow lan 1 to lan 2
allow lan2 to lan 1
Alternatively, if you don't have a drop-else rule as your last forward rule, then the router knows about each LAN and will route a request from one LAN to the other.
(If for some reason you didn't want them routable, you would have to make explicit block rules: lan 1 to lan 2 drop and lan2 to lan1 drop.)
I would be cautious about using ! notation in rules in general; it often has weird consequences.
Before going down the source NAT rules path, do you have one internet provider, ONE WAN interface (physical connection) with two IP addresses from the ISP, or do you have two separate ISPs?
I will assume the former, and thus it would look like:
add chain=srcnat source-address=10.30.11.0/24 action=src-nat to-addresses=ipA out-interface=wan
add chain=srcnat source-address=10.30.13.0/24 action=src-nat to-addresses=ipB out-interface=wan
If you have two different ISPs:
add chain=srcnat source-address=10.30.11.0/24 action=masquerade out-interface=wanA
add chain=srcnat source-address=10.30.13.0/24 action=masquerade out-interface=wanB
(On my router, and considering failover, I just use masquerade rules and do not put a source address, meaning whatever WAN interface my traffic goes out on, it will be handled correctly in terms of source NAT rules. What you are setting up is a very strict determination that defeats failover for two different ISPs; if you have one WAN (one ISP) and two IP addresses, then obviously failover is a moot point.)
In any case, the above is step ONE: to tell the router to map private to public and back public to private in terms of the packet flow in and out of the router.
One still has to route the packets accordingly.
Step two is route rules.
I suspect one has to use mangle rules and then use those in route rules, and in the rules make use of the preferred source entry.
Read up on that; as I recall there are ways to do this more efficiently, probably using connections vice packets, as once a connection has been identified/established the rest of that connection's traffic follows automatically (whereas with packets every packet has to be inspected; at least that's what I recall, LOL).
Last edited by anav on Fri Nov 09, 2018 8:42 pm, edited 1 time in total.
I'd rather manage rats than software.
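The three steps described in the post above (explicit inter-LAN forward rules with a final drop, per-LAN source NAT, and mangle marks feeding per-WAN routes), pulled together as one added RouterOS configuration. This is an illustrative example, not the poster's own config: it assumes the two-ISP case, interface names lan1, lan2, wanA and wanB, gateway addresses from the documentation ranges (198.51.100.1 and 203.0.113.1, constructed placeholders), and RouterOS v6 syntax (routing-mark= on /ip route; v7 uses routing-table= instead). Inter-LAN traffic is kept out of the marked tables with a plain address-list accept in mangle rather than a ! match, in line with the caution about ! notation.

```routeros
# Constructed example configuration (RouterOS v6 syntax); names and addresses are assumptions.
/ip firewall address-list
add list=local-nets address=10.30.11.0/24 comment="LAN 1 (constructed)"
add list=local-nets address=10.30.13.0/24 comment="LAN 2 (constructed)"

# Step one (part a): forward chain with explicit allows and a final drop-all-else.
/ip firewall filter
add chain=forward connection-state=established,related action=accept comment="replies to allowed connections"
add chain=forward connection-state=invalid action=drop
add chain=forward src-address=10.30.11.0/24 dst-address=10.30.13.0/24 action=accept comment="allow lan 1 to lan 2"
add chain=forward src-address=10.30.13.0/24 dst-address=10.30.11.0/24 action=accept comment="allow lan2 to lan 1"
add chain=forward in-interface=lan1 out-interface=wanA connection-state=new action=accept comment="LAN 1 out via ISP A"
add chain=forward in-interface=lan2 out-interface=wanB connection-state=new action=accept comment="LAN 2 out via ISP B"
add chain=forward action=drop comment="drop all else (so nothing unlisted is routed)"

# Step one (part b): source NAT per WAN, masquerade as in the post's two-ISP variant.
/ip firewall nat
add chain=srcnat src-address=10.30.11.0/24 out-interface=wanA action=masquerade
add chain=srcnat src-address=10.30.13.0/24 out-interface=wanB action=masquerade

# Step two: mangle marks decide which routing table a LAN's traffic uses.
# Traffic to another local network is accepted here first, which ends mangle
# processing for that packet, so it stays in the main table and never gets a mark.
/ip firewall mangle
add chain=prerouting dst-address-list=local-nets action=accept comment="inter-LAN traffic stays in main table"
add chain=prerouting src-address=10.30.11.0/24 action=mark-routing new-routing-mark=via-wanA passthrough=no
add chain=prerouting src-address=10.30.13.0/24 action=mark-routing new-routing-mark=via-wanB passthrough=no

# Per-WAN default routes selected by the mark; pref-src sets the preferred
# source address for router-originated traffic in each table. Unmarked traffic
# falls back to the main table, where distance orders the ISPs for failover.
/ip route
add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-mark=via-wanA pref-src=198.51.100.2 comment="ISP A table (constructed addresses)"
add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-mark=via-wanB pref-src=203.0.113.2 comment="ISP B table (constructed addresses)"
add dst-address=0.0.0.0/0 gateway=198.51.100.1 distance=1 comment="main table, ISP A preferred"
add dst-address=0.0.0.0/0 gateway=203.0.113.1 distance=2 comment="main table, ISP B backup"
```

Rule order matters in every chain: the established/related accept must precede the per-LAN allows so reply traffic from the WAN is not caught by the final drop, and the address-list accept must be the first mangle rule so that LAN-to-LAN packets are never steered into a WAN table. If the goal is failover rather than strict pinning, drop the two mark-routing rules and the marked routes and let the main table's distances pick the WAN, which is the simpler setup the post recommends for itself.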