We have a MikroTik router with 2 WANs, main (good and expensive bandwidth) and backup. main is for our day-to-day use, and backup has slow bandwidth.
We have a Synology NAS handling the downloads; I would like to force torrent downloads to be done via the backup interface on the gateway. Here is my current config:
/ip firewall filter add action=accept chain=forward comment="H2G2: Allow forward to DSM" dst-address=192.168.1.3 dst-port=22,80,139,443,445,5001,32400 protocol=tcp
/ip firewall filter add action=accept chain=forward comment="H2G2: Allow forward established, related replies to H2G2" connection-state=established,related dst-address=192.168.1.3 protocol=tcp
/ip firewall filter add action=accept chain=forward comment="H2G2: Allow established and related replies from H2G2" connection-state=established,related protocol=tcp src-address=192.168.1.3
/ip firewall filter add action=drop chain=forward comment="H2G2: Drop everything else not coming from backup" dst-address=192.168.1.3 in-interface=!ether2-backup
/ip firewall nat add action=masquerade chain=srcnat out-interface=ether1-main
/ip firewall nat add action=masquerade chain=srcnat out-interface=ether2-backup
/ip firewall nat add action=dst-nat chain=dstnat dst-port=22 in-interface=ether1-main protocol=tcp to-addresses=192.168.1.3 to-ports=22
/ip firewall nat add action=dst-nat chain=dstnat dst-port=80 in-interface=ether1-main protocol=tcp to-addresses=192.168.1.3 to-ports=80
/ip firewall nat add action=dst-nat chain=dstnat dst-port=139 in-interface=ether1-main protocol=tcp to-addresses=192.168.1.3 to-ports=139
/ip firewall nat add action=dst-nat chain=dstnat dst-port=443 in-interface=ether1-main protocol=tcp to-addresses=192.168.1.3 to-ports=443
/ip firewall nat add action=dst-nat chain=dstnat dst-port=445 in-interface=ether1-main protocol=tcp to-addresses=192.168.1.3 to-ports=445
/ip firewall nat add action=dst-nat chain=dstnat dst-port=5001 in-interface=ether1-main protocol=tcp to-addresses=192.168.1.3 to-ports=5001
/ip firewall nat add action=dst-nat chain=dstnat dst-port=32400 in-interface=ether1-main protocol=tcp to-addresses=192.168.1.3 to-ports=32400
/ip firewall nat add action=dst-nat chain=dstnat dst-port=6881 in-interface=ether2-backup protocol=tcp to-addresses=192.168.1.3 to-ports=6881
/ip firewall nat add action=dst-nat chain=dstnat dst-port=6881 in-interface=ether2-backup protocol=udp to-addresses=192.168.1.3 to-ports=6881
/ip firewall mangle add action=mark-routing chain=prerouting dst-address=!192.168.1.0/24 new-routing-mark=toBackup passthrough=yes src-address=192.168.1.3
# Then route 0.0.0.0/0 with the toBackup routing mark to ether2-backup
So basically, I allow forwarding packets for these ports (22,80,139,443,445,5001,32400) to the NAS (192.168.1.3) and drop everything else not coming from the backup interface. I NAT these ports. And I mark the connections from 1.3 that are not for the local network with the routing mark toBackup. Obviously, I route 0.0.0.0/0 marked toBackup to ether2-backup, and it works. If I access the NAS on one of the forwarded ports, it's fine. Everything else goes through the backup.

Now, the problem is, EVERYTHING goes to backup. I don't exactly know the torrent, PEX and DHT protocols; I'm not sure when the server and its files are advertised. I know that torrents and magnet links have embedded trackers that can be reached even via HTTP, so it depends on when the files are advertised. If they are advertised when the client announces itself to the tracker, then I might keep everything on backup. If they are announced only when contacted from outside (currently, my listening ports are 6881 UDP and TCP), then it's better to block 6881 from ether1-main, but again I'm afraid the client will announce itself to the tracker via HTTP (so via ether1-main) and will obviously advertise itself on the same IP and not ether2-backup...
Do you guys have an idea on how I can achieve it?
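The mangle rule in the post marks every packet leaving 192.168.1.3 for a non-LAN address, which also catches reply packets of connections that arrived through ether1-main (the dst-nat'ed services) and of the 6881 connections that arrived through ether2-backup. The usual MikroTik pattern is to mark the connection once, at its first packet, and derive the routing mark from the connection mark, so replies always leave through the WAN the connection belongs to. The fragment below is an added example of that pattern written against the addresses and interface names from the post; it is not the poster's configuration and it does not answer the PEX/DHT/tracker question. The address-list and mark names, the backup gateway address 203.0.113.1 and the RouterOS v6 syntax are assumptions; on v7, routing-mark= becomes routing-table= and needs a /routing/table entry.

```routeros
# Added example, not the original poster's config. Assumes RouterOS v6,
# NAS at 192.168.1.3, LAN 192.168.1.0/24, backup ISP gateway 203.0.113.1.

/ip firewall address-list
add list=nas address=192.168.1.3 comment="Synology NAS"
add list=lan address=192.168.1.0/24 comment="local network"

/ip firewall mangle
# 1. Connections the NAS itself opens towards the Internet: mark the
#    connection on its first packet only. connection-state=new means
#    replies to inbound (dst-nat'ed) connections are never matched here.
add chain=prerouting src-address-list=nas dst-address-list=!lan \
    connection-state=new connection-mark=no-mark \
    action=mark-connection new-connection-mark=nas-out passthrough=yes \
    comment="NAS: mark outbound connections"

# 2. Connections that arrive via the backup WAN (e.g. the 6881 dst-nat):
#    mark them so their replies are routed back out ether2-backup instead
#    of leaving via ether1-main with the backup WAN's address.
add chain=prerouting in-interface=ether2-backup connection-state=new \
    connection-mark=no-mark \
    action=mark-connection new-connection-mark=in-backup passthrough=yes \
    comment="Backup WAN: mark inbound connections"

# 3. Routing mark from connection mark. Only packets heading away from the
#    LAN need it; passthrough=no stops further mangle processing.
add chain=prerouting connection-mark=nas-out dst-address-list=!lan \
    action=mark-routing new-routing-mark=toBackup passthrough=no \
    comment="NAS outbound -> toBackup"
add chain=prerouting connection-mark=in-backup in-interface=!ether2-backup \
    action=mark-routing new-routing-mark=toBackup passthrough=no \
    comment="Replies to backup-WAN connections -> toBackup"

/ip route
# 4. The toBackup table: default route via the backup ISP's next hop
#    (assumed address). check-gateway marks the route unreachable if the
#    backup link dies, so marked traffic falls back to the main table.
add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-mark=toBackup \
    check-gateway=ping distance=1 comment="toBackup: default via backup WAN"
```

With these in place the original per-packet mark-routing rule on src-address=192.168.1.3 is no longer needed. Verify with /ip firewall connection print where connection-mark=nas-out (or in-backup) and /tool torch interface=ether2-backup src-address=192.168.1.3 while a download is running; a connection shown with the wrong mark means it was established before the rules existed and can be cleared with /ip firewall connection remove.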