How to separate traffic routing via IP address blocks on same interface?
Posted: Thu Apr 09, 2020 10:20 pm
I have a hAP ac that I am trying to set up with VoIP phones and public internet. The VoIP service is spotty and it's basically come down to the phones trying to pass through NAT (SIP ALG is disabled). The phones and Inet are provided by the same provider. We have 5 phones using a PoE smart switch. The phones are on VLAN 100 and the computers are untagged using VLAN 1. Each pulls from a different IP pool via DHCP.
The provider offered to give us a PPPoE user for static private IPs that do not need to be NAT'd but cannot pass DHCP over the PPPoE. A limitation I am working with is that we only have a single switch and all ports are used on it, leaving only 1 port to connect to the MikroTik. I also can only have 1 WAN connection to the MikroTik because the Inet hand-off only has 1 port. I am using ether2 for LAN; ether1 will be WAN.
I have gotten this to work when I have 2 different LAN interfaces, splitting routing between ether1 and the virtual interface pppoe-out1 by specifying a routing mark for Inet and applying this routing mark to specific interfaces. An example:
/interface vlan
add comment=Phones interface=ether4 name=Phones vlan-id=100
/ip address
add address=172.16.200.1/28 interface=Phones network=172.16.200.0
add address=192.168.88.1/24 interface=bridge network=192.168.88.0
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=pppoe-out1 list=VoipWAN
add interface=ether1 list=InetWAN
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=InetWAN routing-mark=INET
/ip route
add distance=1 gateway=ether1 routing-mark=INET
/ip route vrf
add interfaces=ether1,bridge route-distinguisher=1:1 routing-mark=INET
This marks packets using ether1 or bridge with mark INET, and then the static route sends INET-marked packets to ether1. ether1 is using DHCP and spawns default routes via the provider. I removed ether4 from the bridge, added the VoIP VLAN to ether4, and it follows pppoe-out1's default route instead due to no mark.
----------------
The difference in this new build is that I don't have the luxury of specifying the interface on the LAN side, because there is only 1 LAN connection to the switch. Is there a way to convert what I have done above so that, rather than using the interface to mark packets, I can do so via an address range instead, so it doesn't matter what port the LAN traffic passes through?
In a nutshell: using ether2 as the LAN, ether1 as Inet DHCP, and pppoe-out1 as VoIP statics, is there a way I can differentiate traffic via IP address range?
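The address-based version of the split described above, as an added example that is not part of the original post or the poster's own config. It assumes RouterOS v6 syntax (the post is from 2020), that ether2 is the only LAN port and carries untagged PC traffic plus tagged VLAN 100 for the phones, that 192.168.88.0/24 is the PC pool (NAT'd out the DHCP WAN on ether1) and 172.16.200.0/28 is the phone range the provider routes over pppoe-out1 without NAT. The table name INET, the interface-list names, the distances and the comments are placeholders. The change from the interface-based config is the mangle rule: the routing mark is set in prerouting on the source prefix, so it no longer matters which port the frame arrived on.

```routeros
# Added example (not the original poster's config): policy routing keyed on
# the source address range rather than the LAN interface, for one LAN trunk.
# Assumptions: ether2 = LAN trunk (untagged PCs + tagged VLAN 100 phones),
# 192.168.88.0/24 = PC pool (NAT'd via DHCP WAN on ether1),
# 172.16.200.0/28 = phone range routed un-NAT'd by the provider over pppoe-out1.
# Names such as INET, InetWAN, VoipWAN and the PPPoE user are placeholders.

/interface bridge
add name=bridge
/interface bridge port
add bridge=bridge interface=ether2
# VLAN 100 is created on the bridge, not on the slave port, so tagged
# phone frames entering ether2 land on the Phones interface.
/interface vlan
add comment=Phones interface=bridge name=Phones vlan-id=100
/ip address
add address=192.168.88.1/24 interface=bridge network=192.168.88.0
add address=172.16.200.1/28 interface=Phones network=172.16.200.0

/interface list
add name=LAN
add name=InetWAN
add name=VoipWAN
/interface list member
add interface=bridge list=LAN
add interface=Phones list=LAN
add interface=ether1 list=InetWAN
add interface=pppoe-out1 list=VoipWAN

# Both WAN sessions ride the single hand-off on ether1. The PPPoE default
# route gets the better distance so the main table prefers it; the DHCP
# default route only matters as a fallback.
/interface pppoe-client
add interface=ether1 name=pppoe-out1 user=PROVIDER-USER password=PROVIDER-PASS \
    add-default-route=yes default-route-distance=1 disabled=no
/ip dhcp-client
add interface=ether1 add-default-route=yes default-route-distance=10 disabled=no

# The address-based mark. in-interface-list=LAN stops a WAN-side packet that
# spoofs a LAN source from being policy-routed. Local destinations are
# excluded so PC-to-phone traffic and traffic to the router itself are not
# forced out ether1.
/ip firewall mangle
add chain=prerouting in-interface-list=LAN src-address=192.168.88.0/24 \
    dst-address-type=!local dst-address=!172.16.200.0/28 \
    action=mark-routing new-routing-mark=INET passthrough=no \
    comment="PC range -> Inet WAN via ether1"

# INET-marked packets use this route; unmarked packets (the phone range)
# use the main table, where pppoe-out1's default route wins.
/ip route
add distance=1 gateway=ether1 routing-mark=INET comment="INET table default"

# NAT only the marked PC traffic. The phone range is deliberately left
# un-NAT'd on the PPPoE leg, because the provider expects those private
# addresses unchanged.
/ip firewall nat
add chain=srcnat action=accept src-address=172.16.200.0/28 \
    out-interface-list=VoipWAN comment="phones: no NAT over PPPoE"
add chain=srcnat action=masquerade out-interface-list=InetWAN \
    routing-mark=INET comment="PCs: masquerade on DHCP WAN"
```

Two caveats. First, `gateway=ether1` is carried over from the working config in the post; it depends on the provider's side answering ARP for arbitrary destinations. Using the gateway address from the DHCP lease (visible in `/ip dhcp-client print detail`, or set from the client's `script` option via `$"gateway-address"`) is the more robust choice. Second, because the phones are tagged on VLAN 100, the trunk on ether2 still yields a distinct `Phones` interface on the router, so the original interface-based marking would also have worked; the source-address rule above is simply the form asked for, and it keeps working if the phone pool is ever moved to an untagged port.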