0

I want to forward all TCP packets to one interface (a dedicated Internet connection only for downloads) and all UDP packets to another one (a dedicated internet connection only for streaming and videogames). How can I do that? My router is the Mikrotik RB750.

Dessa Simpson


1

If you want to split the incoming network traffic between two local connections, assuming each of your interfaces has a different address, you could do it with dst-nat:

/ip firewall nat
add chain=dstnat in-interface=[incoming interface] protocol=tcp action=dst-nat to-addresses=[TCP address]
add chain=dstnat in-interface=[incoming interface] protocol=udp action=dst-nat to-addresses=[UDP address]

In case what you meant was to split the outgoing traffic between two outside connections, and each of the connections has a different address, you could do it this way:

/ip firewall nat
add chain=srcnat protocol=tcp action=src-nat to-addresses=[TCP connection address] out-interface=[TCP interface]
add chain=srcnat protocol=udp action=src-nat to-addresses=[UDP connection address] out-interface=[UDP interface]

pilsetnieks
  • src-nat, not dst-nat – Dessa Simpson Mar 30 '17 at 05:05
  • No, not really. You want to change the destination depending on the packet, not the source. – pilsetnieks Mar 30 '17 at 09:22
  • I think you're misunderstanding it. Dst-nat is kind of like port forwarding. It changes the destination IP of the packet. What you want to do here is change the out interface of the packet, and as part of that change the source IP as in standard NAT. I'm now realizing that NAT doesn't work at all as a solution. – Dessa Simpson Mar 30 '17 at 13:29
  • No, this isn't about changing the out-interface, this is about changing the destination IP address to the IP address assigned to the respective interface. – pilsetnieks Mar 30 '17 at 13:31
  • If you change the destination IP to that of the respective interface, that makes the packet become destined for the router rather than somewhere on the outside Internet. – Dessa Simpson Mar 30 '17 at 13:33
  • Keep in mind, a destination is not a nexthop. Once the packet hits its destination IP, it ends there unless it is dst-natted further. – Dessa Simpson Mar 30 '17 at 13:38
  • I get that, I may have misunderstood the question but I amended the answer to clarify it. – pilsetnieks Mar 30 '17 at 13:43
  • Okay, I see. That was the problem - we were trying to do 2 different things. – Dessa Simpson Mar 30 '17 at 13:49
0

You can use /ip route rule and routing-mark in /ip firewall mangle to force the routing path. It works pretty much the same as ip rule under Linux.

  1. Mark one group of packets with e.g. routing-mark: R1
  2. Mark another group of packets with e.g. routing-mark: R2
  3. Add a default gateway for packets with no routing-mark set.
  4. Add a second gateway for the second group with the routing-mark param set.
  5. Add a rule under /ip route rule that forces routing table R2 or R1 for the chosen group of packets.

Here is my example config, used for routing packets originating from the router via one gateway and forwarded ones via another:

[lapsio@CCR1009SWAG] > /ip firewall mangle export 
/ip firewall mangle
add action=jump chain=prerouting jump-target=check-standard
add action=accept chain=check-standard in-interface=ether1-gateway #<- all incoming packets need to use "main" table in order to "see" local links
add action=accept chain=check-standard src-address-list=networkSERVICE #<-this is just example match
...
#some matching criteria of packets to NOT mark here with action=accept
...
add action=jump chain=check-standard jump-target=mark-standard
add action=mark-routing chain=mark-standard new-routing-mark=standard passthrough=no

[lapsio@CCR1009SWAG] > /ip route export 
/ip route
add distance=1 gateway=192.168.0.6 routing-mark=standard
add distance=1 gateway=192.168.10.1

/ip route rule
add routing-mark=standard src-address=0.0.0.0/0 table=standard

Here I only used the "R2" equivalent, which is "standard": packets with that mark are forwarded through .0.6. Packets without any mark will be forwarded through .10.1.

Lapsio
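Applying the marking scheme from this answer to the question's actual split (TCP out one uplink, UDP out the other), as an added example that is neither Lapsio's export nor the original post's config. The interface names bridge-lan, ether1 and ether2, the gateways 10.0.1.1 and 10.0.2.1 and the LAN prefix 192.168.88.0/24 are assumed placeholders for RouterOS v6 on an RB750. It marks the connection first and derives the routing-mark from it, so every packet of a flow, replies included, stays on the uplink the flow started on.

```routeros
# Added example config (RouterOS v6 syntax); names and addresses are assumed.
/ip firewall address-list
add list=lan address=192.168.88.0/24

# 1. Classify forwarded LAN traffic. Traffic to other local networks is
#    accepted unmarked so it keeps using the main table and still sees
#    directly connected routes (same reason as the ether1-gateway rule above).
/ip firewall mangle
add chain=prerouting in-interface=bridge-lan dst-address-list=lan action=accept \
    comment="local destinations stay in the main table"
# Mark the connection once, on its first packet ...
add chain=prerouting in-interface=bridge-lan protocol=tcp connection-state=new \
    action=mark-connection new-connection-mark=conn-tcp passthrough=yes
add chain=prerouting in-interface=bridge-lan protocol=udp connection-state=new \
    action=mark-connection new-connection-mark=conn-udp passthrough=yes
# ... then give every packet of that connection the matching routing-mark.
add chain=prerouting in-interface=bridge-lan connection-mark=conn-tcp \
    action=mark-routing new-routing-mark=via-tcp passthrough=no
add chain=prerouting in-interface=bridge-lan connection-mark=conn-udp \
    action=mark-routing new-routing-mark=via-udp passthrough=no

# 2. One default route per routing table, plus the main default for
#    unmarked traffic (router-originated, ICMP, local destinations).
/ip route
add dst-address=0.0.0.0/0 gateway=10.0.1.1 routing-mark=via-tcp check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.0.2.1 routing-mark=via-udp check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.0.1.1 distance=1
add dst-address=0.0.0.0/0 gateway=10.0.2.1 distance=2

# 3. Route rules: marked packets are looked up only in their own table,
#    so a failed uplink does not silently leak that traffic onto the other.
/ip route rule
add routing-mark=via-tcp action=lookup-only-in-table table=via-tcp
add routing-mark=via-udp action=lookup-only-in-table table=via-udp

# 4. Source NAT per uplink, so each flow leaves with the address of the
#    interface it was routed to and the replies come back on the same link.
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade
add chain=srcnat out-interface=ether2 action=masquerade
```

Check the result with `/ip firewall connection print` (the connection-mark column) and `/ip route print where routing-mark=via-udp` before trusting it with game traffic.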
0

While both other answers are correct, I should point out that this will all but certainly not work. Games and streaming use TCP as well as UDP, and will probably not work if they get the TCP packets from one address and the UDP packets from another. What I would suggest is to identify which hosts are gaming and streaming and define separate src-nat rules for each.

The better question is, why? What benefit is there to this model?

Dessa Simpson