Hello,
I have 2 WANs with their respective /56s and would like to distribute each to its respective VLAN, so that clients on VLAN1 would get an IP from ISP1 and clients on VLAN2 would get an IP from ISP2. This is not provider-independent space (and the ISPs wouldn't support that anyway) so I need to make sure that the traffic actually gets *routed* to the proper ISP.
I am currently doing it as follows:
* mangle rule to tag relevant traffic with a routing mark
* routing table corresponding to said routing mark
* default route in each routing table with a gateway of "%<outbound-interface-name>" for the corresponding ISP - this bit doesn't work
The problem I see is that it does not appear to work unless I also have a default route in the main table, but then I am only able to have one default route (having them with the same "distance" results in seemingly-undefined behavior where the last added route "wins"). I have tried setting "fe80::1%<outbound-interface-name>" as the gateway but that does not appear to work either.
It seems like I would be able to make it work if I had a gateway IP address for each ISP, then I could reference said gateway in each ISP's respective routing tables, and have a specific route for each gateway in the main table. However, in IPv6, it doesn't look like I have a gateway address?
Description:
fr-wan: WAN interface for ISP1
uk-wan-l2tp: WAN interface for ISP2
ISP1/fr-wan prefix: fd7a:95ad:8f85:9900::/56
ISP2/uk-wan-l2tp prefix: fde7![:3a9c:]()
93e5:a6e0::/60
(first 3 groups censored by sample ULA address block for privacy, but these are otherwise publicly-routable IP addresses; censoring is consistent within the entire file)
fr-lan & fr-untrusted-lan: VLAN which should go out via ISP1
uk-lan & uk-untrusted-lan: VLAN which should go out via ISP2
Relevant config:
I would appreciate if an expert could either go over the config and tell me where I'm going wrong, or alternatively outline how to do this from scratch.
Thanks!
I have 2 WANs with their respective /56s and would like to distribute each to its respective VLAN, so that clients on VLAN1 would get an IP from ISP1 and clients on VLAN2 would get an IP from ISP2. This is not provider-independent space (and the ISPs wouldn't support that anyway) so I need to make sure that the traffic actually gets *routed* to the proper ISP.
I am currently doing it as follows:
* mangle rule to tag relevant traffic with a routing mark
* routing table corresponding to said routing mark
* default route in each routing table with a gateway of "%<outbound-interface-name>" for the corresponding ISP - this bit doesn't work
The problem I see is that it does not appear to work unless I also have a default route in the main table, but then I am only able to have one default route (having them with the same "distance" results in seemingly-undefined behavior where the last added route "wins"). I have tried setting "fe80::1%<outbound-interface-name>" as the gateway but that does not appear to work either.
It seems like I would be able to make it work if I had a gateway IP address for each ISP, then I could reference said gateway in each ISP's respective routing tables, and have a specific route for each gateway in the main table. However, in IPv6, it doesn't look like I have a gateway address?
Description:
fr-wan: WAN interface for ISP1
uk-wan-l2tp: WAN interface for ISP2
ISP1/fr-wan prefix: fd7a:95ad:8f85:9900::/56
ISP2/uk-wan-l2tp prefix: fde7
93e5:a6e0::/60(first 3 groups censored by sample ULA address block for privacy, but these are otherwise publicly-routable IP addresses; censoring is consistent within the entire file)
fr-lan & fr-untrusted-lan: VLAN which should go out via ISP1
uk-lan & uk-untrusted-lan: VLAN which should go out via ISP2
Relevant config:
Code:
# WAN interfaces/interface pppoe-client add comment="upstream ftth" name=fr-wan/interface l2tp-client add comment="upstream l2tp" name=uk-wan-l2tp# LAN interfaces/interface vlan add comment="french lan" interface=bridge1 name=fr-lan vlan-id=100/interface vlan add comment="french untrusted lan" interface=bridge1 name=fr-untrusted-lan vlan-id=110/interface vlan add comment="uk lan" interface=bridge1 name=uk-lan vlan-id=200/interface vlan add comment="uk untrusted lan" interface=bridge1 name=uk-untrusted-lan vlan-id=210# interface lists, used in firewall rules below/interface list add comment="trusted lans" include=LAN name="trusted lans"/interface list add comment="untrusted lans" name=untrusted-lans/interface list add comment="to go out via UK" name=out-via-uk/interface list add comment="to go out via fr" name=out-via-fr/interface list add comment="allow wan access" include=out-via-fr,out-via-uk name="allow wan access"/interface list add comment="allow basic network services - DHCP, DNS, ICMP, etc" include="trusted lans,untrusted-lans" name=allow-basic-network-services# interface list members/interface list member add interface=fr-wan list=WAN/interface list member add interface=uk-wan-l2tp list=WAN/interface list member add interface=fr-lan list="trusted lans"/interface list member add interface=uk-lan list="trusted lans"/interface list member add interface=fr-lan list=out-via-fr/interface list member add interface=fr-untrusted-lan list=out-via-fr/interface list member add interface=uk-lan list=out-via-uk/interface list member add interface=uk-untrusted-lan list=out-via-uk/interface list member add interface=fr-untrusted-lan list=untrusted-lans/interface list member add interface=uk-untrusted-lan list=untrusted-lans# routing tables/routing table add disabled=no fib name=out-via-fr/routing table add disabled=no fib name=out-via-uk# IPv6 misc config - ND, etc/ip neighbor discovery-settings set discover-interface-list=LAN/ip settings set rp-filter=loose/ipv6 settings set accept-router-advertisements=no# IPv6 addresses/ipv6 address add address=fd7a:95ad:8f85:9904:: comment="fr lan" interface=fr-lan/ipv6 address add address=fd7a:95ad:8f85:9905:: comment="fr untrusted lan" interface=fr-untrusted-lan/ipv6 address add address=fde7:3a9c:93e5:a6e0:: advertise=no comment="uk internet-facing" interface=uk-wan-l2tp/ipv6 address add address=fde7:3a9c:93e5:a6e2:: comment="uk untrusted lan" interface=uk-untrusted-lan/ipv6 address add address=fd7a:95ad:8f85:9900:: advertise=no comment="fr internet facing" interface=fr-wan/ipv6 address add address=fde7:3a9c:93e5:a6e1:: comment="uk lan" interface=uk-lan# IPv6 routing/ipv6 route add disabled=no distance=1 dst-address=::/0 gateway=fe80::1%fr-wan routing-table=out-via-fr suppress-hw-offload=no/ipv6 route add disabled=no distance=1 dst-address=::/0 gateway=fe80::1%uk-wan-l2tp routing-table=out-via-uk suppress-hw-offload=no/ipv6 route add comment="system fr" disabled=no distance=1 dst-address=::/0 gateway=fe80::1%fr-wan routing-table=main suppress-hw-offload=no/ipv6 route add comment="system uk" disabled=no distance=1 dst-address=::/0 gateway=fe80::1%uk-wan-l2tp@main routing-table=main suppress-hw-offload=no# IPv6 firewall - filter/ipv6 firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked/ipv6 firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid/ipv6 firewall filter add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6/ipv6 firewall filter add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp/ipv6 firewall filter add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10/ipv6 firewall filter add action=accept chain=input comment="accept dhcpv6" dst-port=547 in-interface-list=allow-basic-network-services protocol=udp src-port=546/ipv6 firewall filter add action=accept chain=input comment="accept DNS" dst-port=53 in-interface-list=allow-basic-network-services protocol=udp/ipv6 firewall filter add action=accept chain=input comment="accept DNS TCP" dst-port=53 in-interface-list=allow-basic-network-services protocol=tcp/ipv6 firewall filter add action=accept chain=input comment="allow wg" dst-port=13231 protocol=udp/ipv6 firewall filter add action=accept chain=input comment="accept http, https, ssh from wan" dst-port=2222,80,443 in-interface-list=WAN protocol=tcp/ipv6 firewall filter add action=drop chain=input comment="defconf: drop everything else"/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6/ipv6 firewall filter add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept HIP" protocol=139/ipv6 firewall filter add action=accept chain=forward comment="allow from LAN to WAN" in-interface-list="allow wan access" out-interface-list=WAN/ipv6 firewall filter add action=accept chain=forward comment="allow between trusted LANs" in-interface-list="trusted lans" out-interface-list="trusted lans"/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop everything else"# IPv6 firewall - mangle/ipv6 firewall mangle add action=mark-connection chain=input in-interface=uk-wan-l2tp new-connection-mark=received-from-uk passthrough=no/ipv6 firewall mangle add action=mark-connection chain=input in-interface=fr-wan new-connection-mark=received-from-fr passthrough=no# IMPORTANT - mark outbound connections with their respective routing mark - this is where the problem might be?/ipv6 firewall mangle add action=mark-routing chain=prerouting dst-address-list=!our-addresses dst-address-type=!local in-interface-list=out-via-fr new-routing-mark=out-via-fr passthrough=yes src-address-list=our-addresses/ipv6 firewall mangle add action=mark-routing chain=prerouting dst-address-list=!our-addresses dst-address-type=!local in-interface-list=out-via-uk new-routing-mark=out-via-uk passthrough=yes src-address-list=our-addresses/ipv6 firewall mangle add action=mark-routing chain=output connection-mark=received-from-fr new-routing-mark=out-via-fr passthrough=no/ipv6 firewall mangle add action=mark-routing chain=output connection-mark=received-from-uk new-routing-mark=out-via-uk passthrough=no# IPv6 ND - advertise the subnet-specific DNS server address/ipv6 nd add dns=fd7a:95ad:8f85:9904:: hop-limit=64 interface=fr-lan/ipv6 nd add dns=fd7a:95ad:8f85:9905:: hop-limit=64 interface=fr-untrusted-lan/ipv6 nd add dns=fde7:3a9c:93e5:a6e1:: hop-limit=64 interface=uk-lan/ipv6 nd add dns=fde7:3a9c:93e5:a6e2:: hop-limit=64 interface=uk-untrusted-lanThanks!
Statistics: Posted by Rjevski — Tue Dec 12, 2023 12:52 pm