So I'm trying to understand how to route traffic to different interfaces but somehow I cannot get it to work.
Currently I have a Mochabin (mvbu), and I get two vlans from wan, 5 and 6 I have configurated them statically with the gateway filled in could this be a issue?
my aria docker (172.17.0.2) instance i want over the interface aria using vlan 6.
my steamcache docker ip (172.19.0.2) instance i want over the interface steamcache using vlan 5.
If you have general data traffic you want to route then putting the interfaces in the same firewall zone with Forward=accept is probably the easy solution.
If one interface have for example a server with specific IP that you want to connect to from the other interface for different services. Then a two zone solution with a firewall rule to allow traffic from client to server seems more meaningful.
well I cannot get it to work I'm trying to follow this guide:
but I get everytime strange results.
I added in ip4table 800 for interface aria and in aria_docker ip4table 799.
Then I made a route rule with src interface aria_docker which lookups 800.
but when I restart the network service it fails working, if I restart the router then it works but the route is still over the default wan.
if I check ip rule I see this:
root@Mochabin:~# ip rule
0: from all ip: database tables is corrupted at line 13
lookup local
10000: from 192.168.99.2 lookup 800
20000: from all to 192.168.99.2/24 lookup 800
32766: from all lookup main
32767: from all lookup default
90012: from all iif lo lookup 800
network config:
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix '<snip>'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan0'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
config device
option name 'br-wan'
option type 'bridge'
list ports 'eth0'
list ports 'eth2'
config interface 'wan'
option device 'br-wan'
option proto 'dhcp'
config interface 'steamcache'
option proto 'static'
option device 'eth2.5'
option ipaddr '192.168.98.2'
option netmask '255.255.255.0'
option gateway '192.168.98.1'
option defaultroute '0'
option delegate '0'
config interface 'aria'
option proto 'static'
option device 'eth2.6'
option ipaddr '192.168.99.2'
option netmask '255.255.255.0'
option gateway '192.168.99.1'
option broadcast '192.168.99.255'
option defaultroute '0'
option ip4table '800'
option delegate '0'
config interface 'docker'
option device 'docker0'
option proto 'none'
option auto '0'
option defaultroute '0'
option ip4table '5670'
config device
option type 'bridge'
option name 'docker0'
config interface 'aria_docker'
option proto 'dhcp'
option device 'br-d88f1ca484a6'
option ip4table '799'
option defaultroute '0'
option delegate '0'
config device
option type 'bridge'
option name 'br-d88f1ca484a6'
option bridge_empty '1'
config rule
option in 'aria_docker'
option lookup '800'
option priority '30000'
could it be that the issue lays in how I configurated the interface aria with a static ip?
aria_docker is the interface from my local docker instance and the interface aria is basicly the wan side vlan for aria.
maybe its also a good idea from me to add the firmware version I'm using in case this mathers:
option gateway in a config interface section sets up a 0.0.0.0 default route to the Internet. It should only be used on wan-type networks. The gateway IP is the next router (outside this one) on the path to the Internet. Remove all the other option gateway.
Routing among lan-type networks is inherent as when you declare an IP on an interface, it is included into the default single routing table. The firewall must also be configured to allow such traffic. The routing table(s) define where the kernel will attempt to send a packet, then the firewall determines if it will actually be sent or blocked. A setup with multiple LANs usually does not call for multiple tables or PBR.
ah I think I understand, so to get a idea I should put eth2.6 in a bridge with the docker veth host and from there I can route dockers ip 172.18.0.2 as a static route through gateway 192.168.99.1 which comes from eth2.6 (eth2 is wan) because the bridge then has two dhcp routes ?
I did noticed when experimenting with this that it does show the routing properly in ip route now so this clears things up , though I think I would keep it on the package pbr because its still hard to get it to work properly , also the veth interface disappears after reloading the docker bridge so it's extra fragile with testing.
theres another router upstream which does the vpn and splitting through the vlans, but I wanted the mochabin to split between the vlans from wan steamcache(172.19.0.2->eth2.5) and aria(172.18.0.2->aria_wan(eth2.6)).
but I think the pbr package would be easier to use which I used previously.
Thank you for clearing some things up still learned something new
, also the veth interface disappears after reloading the docker bridge so it's extra fragile with testing.