With my setup, I have two separate PPPoE interfaces. (We'll call them pppoe-out1 and pppoe-out2). I have a switch plugged into ether3 with a bunch of hosts. I have another switch plugged into ether5 with more hosts. I need to have all of the traffic from ether3 go out through pppoe-out1 and all the traffic from ether5 go out through pppoe-out2.
I've read a few snippets here and there about how setting up a mangle rule to mark the packets and then set up static routes to route based on the mangle mark? Is this possible or advisable to do? How would I go about this?
Any other solutions?
Re: Routing based on SOURCE IP or SOURCE interface?
/ip route rule
setup rules for the source address and a lookup in a second table
set a default route via the second interface in that second table
setup rules for the source address and a lookup in a second table
set a default route via the second interface in that second table
Re: Routing based on SOURCE IP or SOURCE interface?
Sorry your wording is a little confusing. Can you provide me an example of what you mean?/ip route rule
setup rules for the source address and a lookup in a second table
set a default route via the second interface in that second table
Re: Routing based on SOURCE IP or SOURCE interface?
route rules are a simplified way to do policy routing, as opposed to the "mainstream" method of using action=mark-routing new-routing-mark=ISP2 on mangle table rules.
Basically, the thing you want to do is make some route rules which list your local addresses (both LANs and both WANs) and set the action is to lookup in table "main"
i.e. - for your own stuff, don't do anything fancy.
Let's say pppoe1 is isp1 and you let it install the default GW route into the main routing table.
You'll want to set pppoe2 to use a larger admin distance on its default GW route so that the main table will use isp1....
Then make a static default GW route with dst=pppoe2 as the main route (lowest distance value) and optionally a second one with pppoe1 as a backup default GW (higher admin distance value) for the "isp2" routing table. (routing-mark=isp2)
Once those exist, you can make a route rule which says if the source IP is from lan2, then action=lookup-only-in-table table=isp2
So long as this rule comes after the ones that force local addresses to always be looked up in the main table, you're done.
Basically, the thing you want to do is make some route rules which list your local addresses (both LANs and both WANs) and set the action is to lookup in table "main"
i.e. - for your own stuff, don't do anything fancy.
Let's say pppoe1 is isp1 and you let it install the default GW route into the main routing table.
You'll want to set pppoe2 to use a larger admin distance on its default GW route so that the main table will use isp1....
Then make a static default GW route with dst=pppoe2 as the main route (lowest distance value) and optionally a second one with pppoe1 as a backup default GW (higher admin distance value) for the "isp2" routing table. (routing-mark=isp2)
Once those exist, you can make a route rule which says if the source IP is from lan2, then action=lookup-only-in-table table=isp2
So long as this rule comes after the ones that force local addresses to always be looked up in the main table, you're done.
Re: Routing based on SOURCE IP or SOURCE interface?
Hi ZeroByte,route rules are a simplified way to do policy routing, as opposed to the "mainstream" method of using action=mark-routing new-routing-mark=ISP2 on mangle table rules.
I keep running into your posts in my search for answers. This topic gave me a working direction, I appreciate the help. If it's not too much trouble, would you mind weighing in here:
viewtopic.php?f=13&t=130469
I apologize if this is unorthodox, but I see no way of tagging you in my thread or PM'ing you on this board. Thank you.
-
-
millanbelsue
just joined
- Posts: 18
- Joined:
Re: Routing based on SOURCE IP or SOURCE interface?
Sorry but it is very dificult for me to configure it in a V7.3.1
I have a router with 3 Interface:
- Interface ETH1: Host with IP: 172.22.x.x/16 and host with 172.23.x.x/16
- Interface ETH2 (192.168.1.1/24: Connect to Firewall1 (192.168.1.2/24)
- Interface ETH3 (192.168.2.1/24: Connect to Firewall2 (192.168.2.2/24)
I need to sent to Firewall 1 the traffic with with IP source 172.22.x.x and to Firewall 2 the traffic with IP source 172.23.x.x
Any one can help me?
I have a router with 3 Interface:
- Interface ETH1: Host with IP: 172.22.x.x/16 and host with 172.23.x.x/16
- Interface ETH2 (192.168.1.1/24: Connect to Firewall1 (192.168.1.2/24)
- Interface ETH3 (192.168.2.1/24: Connect to Firewall2 (192.168.2.2/24)
I need to sent to Firewall 1 the traffic with with IP source 172.22.x.x and to Firewall 2 the traffic with IP source 172.23.x.x
Any one can help me?
Re: Routing based on SOURCE IP or SOURCE interface?
The basic idea is
TO DIRECT OUTGOING LAN TRAFFIC OUT A SPECIFIC WANIP
NEED DEFAULT ROUTES
dst-address=0.0.0.0/0 gwy=wan1-gwy table=main distance=1 check-gateway=ping
dst-address=0.0.0.0/0 gwy=wan2-gwy table=main distance=2 check-gateway=ping
dst-address=0.0.0.0/0 gwy=wan3-gwy table=main distance=3 check-gateway=ping
Now you can use this approach with distance to direct all users out 1, if 1 is down they go to 2, and if 2 is down they go to 3.
Then for specifc subnets to work around this you can use the below rules as well!
OR
If each WANIP needs a specific LANSUBNET ONLY and no failover needed then.........
dst-address=0.0.0.0/0 gwy=wan1-gwy table=main distance=1
dst-address=0.0.0.0/0 gwy=wan2-gwy table=main distance=1
dst-address=0.0.0.0/0 gwy=wan3-gwy table=main distance=1
Lets take the latter case and we have subnets A, B, C and A goes to 1, B goes to 2, and C goes to 3.
First step need 3 tables...
/routing table
add name=use-WAN1 fib
add name=use-WAN2 fib
add name=use-WAN3 fib
Second step need 3 additional routes to go along with the defaults.
add dst-address=0.0.0.0/0 gwy=WAN1-gwy table=use-WAN1
add dst-address=0.0.0.0/0 gwy=WAN2-gwy table=use-WAN2
add dst-address=0.0.0.0/0 gwy=WAN3-gwy table=use-WAN3
Then three routing rules.......
add src-address=subnetA action=lookup-only-in-table table=use-WAN1
add src-address=subnetB action=lookup-only-in-table table=use-WAN2
add src-address=subnetC action=lookup-only-in-table table=use-WAN3
If one wanted a subnet to go out another WAN if their WAN was not available for some reason, change action to
action=lookup and the router will go to the main table to see if any other routes are available/working.
+++++++++++++++++++++++++++++++++++++++++++++++++++++
Yuu should note that by using distance you can force all users to that WAN1 and thus dont need another route or table or route rule for any subnet needing this route direction.
However if you didnt want subnets to deviate to other subnets as failover, then no requirement for a distance approach. I like it because it can be more efficient and useful but each scenario is slightly different and nuanced.
++++++++++++++++++++++++++++++++++++++++++++++++++++
Another point, this DOES NOT cover the requirements where both incoming and outgoing traffic are involved. If you have traffic coming in on a particular WAN and you have adjusted the outgoing traffic rules, there may be a conflict. Therefore when controlling traffic both ways one really has to get into the mangle game to identify the traffic coming in on a particular wan to ensure it goes out the same wan.
Final point: Be careful of directing LAN users by the above method. IF you need LAN subnet A, to also be able to talk to SUBNET B, they will never reach B as you forced them out WAN1.
If you need internal traffic for subnets then simply add additional ROUTING RULES BEFORE (order counts) the wan rules.
ex.
add dst-address=subnetA action=lookup-only-in-table table=main { all subnets need access to LAN A }
add src-address=subnetA action=lookup-only-in-table table=use-WAN1
add src-address=subnetB action=lookup-only-in-table table=use-WAN2
add dst-address=subnetB src-address=subnetC action=lookup-only-in-table table=main { subnet C needs access to subnet B }
add src-address=subnetC action=lookup-only-in-table table=use-WAN3
note1: if your paying attention I don't really need the src-address=subnet C in the second addition, as the rule placement kinda will only effect subnet C anyway.
note2. still need appropriate firewall rules.
TO DIRECT OUTGOING LAN TRAFFIC OUT A SPECIFIC WANIP
NEED DEFAULT ROUTES
dst-address=0.0.0.0/0 gwy=wan1-gwy table=main distance=1 check-gateway=ping
dst-address=0.0.0.0/0 gwy=wan2-gwy table=main distance=2 check-gateway=ping
dst-address=0.0.0.0/0 gwy=wan3-gwy table=main distance=3 check-gateway=ping
Now you can use this approach with distance to direct all users out 1, if 1 is down they go to 2, and if 2 is down they go to 3.
Then for specifc subnets to work around this you can use the below rules as well!
OR
If each WANIP needs a specific LANSUBNET ONLY and no failover needed then.........
dst-address=0.0.0.0/0 gwy=wan1-gwy table=main distance=1
dst-address=0.0.0.0/0 gwy=wan2-gwy table=main distance=1
dst-address=0.0.0.0/0 gwy=wan3-gwy table=main distance=1
Lets take the latter case and we have subnets A, B, C and A goes to 1, B goes to 2, and C goes to 3.
First step need 3 tables...
/routing table
add name=use-WAN1 fib
add name=use-WAN2 fib
add name=use-WAN3 fib
Second step need 3 additional routes to go along with the defaults.
add dst-address=0.0.0.0/0 gwy=WAN1-gwy table=use-WAN1
add dst-address=0.0.0.0/0 gwy=WAN2-gwy table=use-WAN2
add dst-address=0.0.0.0/0 gwy=WAN3-gwy table=use-WAN3
Then three routing rules.......
add src-address=subnetA action=lookup-only-in-table table=use-WAN1
add src-address=subnetB action=lookup-only-in-table table=use-WAN2
add src-address=subnetC action=lookup-only-in-table table=use-WAN3
If one wanted a subnet to go out another WAN if their WAN was not available for some reason, change action to
action=lookup and the router will go to the main table to see if any other routes are available/working.
+++++++++++++++++++++++++++++++++++++++++++++++++++++
Yuu should note that by using distance you can force all users to that WAN1 and thus dont need another route or table or route rule for any subnet needing this route direction.
However if you didnt want subnets to deviate to other subnets as failover, then no requirement for a distance approach. I like it because it can be more efficient and useful but each scenario is slightly different and nuanced.
++++++++++++++++++++++++++++++++++++++++++++++++++++
Another point, this DOES NOT cover the requirements where both incoming and outgoing traffic are involved. If you have traffic coming in on a particular WAN and you have adjusted the outgoing traffic rules, there may be a conflict. Therefore when controlling traffic both ways one really has to get into the mangle game to identify the traffic coming in on a particular wan to ensure it goes out the same wan.
Final point: Be careful of directing LAN users by the above method. IF you need LAN subnet A, to also be able to talk to SUBNET B, they will never reach B as you forced them out WAN1.
If you need internal traffic for subnets then simply add additional ROUTING RULES BEFORE (order counts) the wan rules.
ex.
add dst-address=subnetA action=lookup-only-in-table table=main { all subnets need access to LAN A }
add src-address=subnetA action=lookup-only-in-table table=use-WAN1
add src-address=subnetB action=lookup-only-in-table table=use-WAN2
add dst-address=subnetB src-address=subnetC action=lookup-only-in-table table=main { subnet C needs access to subnet B }
add src-address=subnetC action=lookup-only-in-table table=use-WAN3
note1: if your paying attention I don't really need the src-address=subnet C in the second addition, as the rule placement kinda will only effect subnet C anyway.
note2. still need appropriate firewall rules.
Re: Routing based on SOURCE IP or SOURCE interface?
Thank you very much, Anav, for this very comprehensive explanation. What should I do if I have a DSTNAT rule applied?
Re: Routing based on SOURCE IP or SOURCE interface?
Well one cannot design a config in a vaccuum and each part is related.
So to ask to one thing and later to ask another question about another need is the wrong approach.
1. Identify all the user(s)/device(s), groups of users/devices, including admin and external users
2. State all their traffic requirements ( internet access, server access, admin access etc..........)
3. Provide a network diagram
4. explain the ISP setup.
Seems that 1 and 2 are not yet complete!
So to ask to one thing and later to ask another question about another need is the wrong approach.
1. Identify all the user(s)/device(s), groups of users/devices, including admin and external users
2. State all their traffic requirements ( internet access, server access, admin access etc..........)
3. Provide a network diagram
4. explain the ISP setup.
Seems that 1 and 2 are not yet complete!
Re: Routing based on SOURCE IP or SOURCE interface?
Seems like ert fell asleep.............