I already have a LAN-side network and WAN and WAN2 networks that are set up correctly. It works perfectly: if the WAN route is unreachable, WAN2 is used instead.
What I have done now:
/ip firewall mangle print
15 ;;; Mark all connections to Route-thru-WAN2 addr list
chain=prerouting action=mark-connection new-connection-mark=route-thru-wan2
passthrough=yes dst-address-list=route-thru-wan2 log=no log-prefix=""
16 ;;; Do the same thing for routing
chain=prerouting action=mark-routing new-routing-mark=route-thru-wan2
passthrough=yes connection-mark=route-thru-wan2 log=no log-prefix=""
/ip firewall filter print
280 chain=forward action=add-src-to-address-list
address-list=illegal-access address-list-timeout=1d
out-interface=wan2 log=yes log-prefix="Illegal access"
281 chain=forward action=drop out-interface=wan2 log=no
log-prefix=""
/ip route export
add check-gateway=ping distance=7 gateway=wan2 routing-mark=route-thru-wan2
/ip firewall nat print
chain=srcnat action=masquerade out-interface=wan2 log=no log-prefix=""
22:48:29 firewall,info Illegal access: in:wan2 out:wan2, proto TCP (SYN,ACK), xx.xx.xx.xx:443->100.64.25.2:34068, NAT xx.xx.xx.xx:443->(xx.xx.xx.xx:34068(white address on wan2-interface)->100.64.25.2:34068 (address on the lan-side)), len 52
If I just add a simple rule without marks (add check-gateway=ping distance=7 gateway=wan2 dst-address=some-range), everything works fine.
What am I doing wrong?
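Added example, not the poster's configuration: a commonly used RouterOS v6 layout for sending traffic to an address list out a second WAN with connection and routing marks. The LAN interface name "bridge-lan" is an assumption; the list name and the wan2 interface name are taken from the post. Both mangle rules are restricted with in-interface to packets that enter from the LAN, so reply packets arriving on wan2 (which carry the same connection mark) never receive the routing mark and are routed back to the LAN normally. The last filter rule logs and drops anything that would be forwarded in and out of wan2 in one pass, which is the symptom visible in the log line above.

```routeros
# Added example; assumes the LAN-side interface is a bridge named "bridge-lan"
# and that the address list "route-thru-wan2" already holds the destinations.
/ip firewall mangle
add chain=prerouting in-interface=bridge-lan connection-state=new \
    dst-address-list=route-thru-wan2 action=mark-connection \
    new-connection-mark=route-thru-wan2 passthrough=yes \
    comment="Mark new LAN connections whose destination is in the list"
add chain=prerouting in-interface=bridge-lan connection-mark=route-thru-wan2 \
    action=mark-routing new-routing-mark=route-thru-wan2 passthrough=no \
    comment="Apply the routing mark only to packets that enter from the LAN"

/ip route
add dst-address=0.0.0.0/0 gateway=wan2 routing-mark=route-thru-wan2 \
    check-gateway=ping distance=7 comment="Used only by marked traffic"

/ip firewall nat
add chain=srcnat out-interface=wan2 action=masquerade \
    comment="Source NAT for everything leaving through wan2"

/ip firewall filter
add chain=forward in-interface=wan2 out-interface=wan2 action=drop \
    log=yes log-prefix="hairpin-wan2" \
    comment="Traffic entering and leaving on wan2 indicates a mark or route error"
```

To check the result, `/ip firewall connection print where connection-mark=route-thru-wan2` shows which connections picked up the mark, and `/ip route print where routing-mark=route-thru-wan2` confirms the marked route is active after the gateway check. On RouterOS v7 the `routing-mark` parameter is replaced by `routing-table`, and the table has to be created first with `/routing table add name=route-thru-wan2 fib`.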