LinuxQuestions.org


andrewhiggs 04-06-2010 09:57 AM

Mark all incoming packets on connection
 
Hi All,

I have found a few articles and tutorials which seem to do what I need but can't seem to get them to work.

My setup:

I have a router which makes two ppp connections. PPP0 is my default route and is an uncapped ADSL. PPP1 is a Local Only (South Africa) account which has DNS resolving to its IP. PPP1 allows certain connections in. I want all packets coming in on PPP1 to be marked so that after they have been routed through our local servers they can go back out over PPP1.

Both connections use dynamically assigned IP addresses. I want to use PPP0 to make a connection to one of our stores, but when our stores connect to us they will be using PPP1. All packets from these incoming connections will need to be routed back over PPP1.

Hope that makes sense. If anything is unclear please ask.

Your assistance would be greatly appreciated.

Regards

Andrew Higgs

bakdong 04-06-2010 11:52 AM

That's quite a set up! Have you looked at the LARTC site (Linux Advanced Routing and Traffic Control)? It has something similar there that you could probably adapt.

andrewhiggs 04-07-2010 07:08 AM

Hi Bakdong,

I have looked at these examples and similar ones. But they all seem to be doing Load Balancing and not quite what I am doing (trying to do).

I need to mark all incoming packets. These packets are then redirected to a local machine. When they come back to the router they need to go back out on the original incoming interface (and not the default route). Not sure if I am missing something but I can't seem to get it to work.

I will experiment a little more and maybe post a script later for people to look at. Perhaps this will help.

Regards

bakdong 04-07-2010 11:49 PM

It's definitely there. You will need a combination of ip rule tables, iptables to mark the packets, and conntrack. The load balancing part swaps the default route periodically with an optional weighting scheme. You don't have to incorporate that if you don't want it.

andrewhiggs 04-08-2010 03:35 AM

Hi Bakdong,

Thanks for the reply.

My ASCII art sucks but here goes. This is a diagram of the network:

Code:

mail----+
        |                                        +-----------------+
        |                                        |                 |
        |              +------------ppp0---------+      I          +--------store1
        |              |                         |      N          |
        |       +------+-------+                 |      T          |
        |       |              |                 |      E          |
user1---+-------+ router (vpn) |                 |      R          |
        |       |              |                 |      N          |
        |       +------+-------+                 |      E          |
        |              |                         |      T          |
        |              +------------ppp1---------+                 +--------store2
        |                                        |                 |
        |                                        +-----------------+
user2---+

I want user1 and user2 to be able to make a connection to store1 and store2 using ppp0. In other words if the connection is initiated from the local network it should be routed over the default gateway (ppp0). This is easy to do.

The problem comes in when store1 or store2 make a connection to the mail server. They connect via ppp1 (there is a DNS-resolvable name on this connection which I can't have on ppp0). The packets from this connection are then redirected to mail. When mail routes back to the store, the default gateway is used and the connection is broken. The solution to this is to add a route to allow traffic to store1 and store2 to go via ppp1, but then all connections from inside the local network are also affected.

So I am thinking I need to mark all new incoming connections on ppp1 so that they can be routed back to ppp1 later. What I have tried so far is this:
Code:

#!/bin/sh

/usr/bin/echo 1 > /proc/sys/net/ipv4/ip_dynaddr
/usr/bin/echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter

/usr/sbin/iptables-restore firewall.rules

/sbin/ip rule del from all fwmark 1 2>/dev/null
/sbin/ip rule del from all fwmark 2 2>/dev/null
/sbin/ip rule add fwmark 1 table Uncapped
/sbin/ip rule add fwmark 2 table LocalOnly
/sbin/ip route flush cache

# THESE TWO LINES WILL BE SET IN IP_UP

#/sbin/ip route add table Uncapped default dev ppp0
#/sbin/ip route add table LocalOnly default dev ppp1

The file firewall.rules referred to above includes the following in its mangle section:
Code:

*mangle
:PREROUTING ACCEPT [81132:42738999]
:INPUT ACCEPT [16988:5371568]
:FORWARD ACCEPT [64012:37349459]
:OUTPUT ACCEPT [12841:2317402]
:POSTROUTING ACCEPT [76837:39665453]
-N Uncapped
-A Uncapped -j MARK --set-mark 1
-A Uncapped -j CONNMARK --save-mark
-N LocalOnly
-A LocalOnly -j MARK --set-mark 2
-A LocalOnly -j CONNMARK --save-mark
-A PREROUTING -i eth1 -p tcp -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
-A PREROUTING -i ppp1 -p tcp -m state --state NEW -m statistic --mode nth --every 2 --packet 0 -j LocalOnly
COMMIT

What am I doing wrong? How does all of this affect the main routing table?

Regards

Andrew Higgs
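
The marking-and-routing recipe this post is reaching for, as an added example that is not the poster's script: it marks the conntrack entry rather than the packet (so the inbound packet is still routed to the mail server by the main table) and restores the mark only on the server's replies. Interface names and the mail server address are taken from the thread; the rule pref of 100 and the assumption that LocalOnly is already defined in /etc/iproute2/rt_tables are mine, and DRY_RUN defaults to printing the commands rather than running them.

```shell
#!/bin/sh
# Added example, not the thread's own script: CONNMARK-based policy routing
# so that connections arriving on ppp1 send their replies back out ppp1 while
# LAN-initiated connections keep using the default route over ppp0.
# DRY_RUN=1 (the default) prints the commands; run as root with DRY_RUN=0 to
# apply. Interface names and the mail server address are from the thread.
set -eu

LAN_IF="${LAN_IF:-eth1}"
LOCAL_IF="${LOCAL_IF:-ppp1}"
MAIL_IP="${MAIL_IP:-172.16.48.200}"
MARK=2
TABLE=LocalOnly   # assumed to already exist in /etc/iproute2/rt_tables

run() { if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi; }

sysctls() {
    # Reverse-path filtering checks the source against the route it would take
    # (ppp0 for most of the Internet) and would drop packets entering on ppp1.
    # The kernel applies the larger of conf/all and the per-interface value,
    # so relax both rather than only conf/all.
    run sysctl -w net.ipv4.conf.all.rp_filter=0
    run sysctl -w "net.ipv4.conf.$LOCAL_IF.rp_filter=0"
}

mangle_rules() {
    # Mark the conntrack entry, not the packet, for new connections entering on
    # ppp1: CONNMARK --set-mark leaves the packet's fwmark at 0, so the inbound
    # packet is still routed by the main table to the mail server on the LAN.
    run iptables -t mangle -A PREROUTING -i "$LOCAL_IF" \
        -m conntrack --ctstate NEW -j CONNMARK --set-mark "$MARK"
    # Copy the connection mark onto the mail server's reply packets so their
    # routing decision consults the LocalOnly table instead of main.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$MAIL_IP" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
}

policy_routing() {
    # An explicit pref (assumed value) keeps the fwmark rule ahead of main.
    run ip rule add pref 100 fwmark "$MARK" table "$TABLE"
    # Marked replies leave via the point-to-point link whatever their destination.
    run ip route replace default dev "$LOCAL_IF" table "$TABLE"
    run ip route flush cache
}

sysctls; mangle_rules; policy_routing
```

Connections the LAN initiates never enter on ppp1, so their conntrack entries stay unmarked and their packets fall through to the main table and ppp0.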

zhjim 04-08-2010 03:53 AM

If the stores are trying to connect to the mail server and from there back to them over ppp1, why not just have all the packets coming from the mail server go through ppp1?

bakdong 04-08-2010 07:19 AM

You've got no pref numbers in your ip rule statements. Not sure that's the problem though. What's the output of:

ip rule
ip route show table Uncapped/Localonly

andrewhiggs 04-08-2010 08:40 AM

Quote:

Originally Posted by zhjim (Post 3928325)
If the stores are trying to connect to the mail server and from there back to them over ppp1, why not just have all the packets coming from the mail server go through ppp1?

I must truly be missing something simple here. Or I really don't understand something. I have simplified the solution as above. Thanks it is a very good suggestion.

Here are my scripts to hopefully achieve the above:

mangle has been stripped to the following:
Code:

*mangle
:PREROUTING ACCEPT [81132:42738999]
:INPUT ACCEPT [16988:5371568]
:FORWARD ACCEPT [64012:37349459]
:OUTPUT ACCEPT [12841:2317402]
:POSTROUTING ACCEPT [76837:39665453]
-N LocalOnly
-A LocalOnly -j MARK --set-mark 2
-A LocalOnly -j CONNMARK --save-mark
-A PREROUTING -i eth1 -s 172.16.48.200 -p tcp -m state --state ESTABLISHED,RELATED -j LocalOnly
COMMIT

Store1 (196.210.xxx.xxx) and Store2 (196.215.xxx.xxx) are both able to make their connections as expected while the main routing table has their routes set to ppp1. To test I thought I would activate the mangling in the firewall and remove Store2's (route del -net 196.215.0.0/16) main routing entry. When I do this Store1 remains connected but Store2 loses its connection.

What am I missing? If my hair was longer I would be pulling it out. :-)

Regards

Andrew Higgs

andrewhiggs 04-08-2010 08:47 AM

Quote:

Originally Posted by bakdong (Post 3928472)
You've got no pref numbers in your ip rule statements. Not sure that's the problem though. What's the output of:

ip rule
ip route show table Uncapped/Localonly

What exactly is the pref number? Is it not 1 for Uncapped and 2 for LocalOnly?

The output of ip rule:
Code:

0:        from all lookup local
32764:        from all fwmark 0x2 lookup LocalOnly
32765:        from all fwmark 0x1 lookup Uncapped
32766:        from all lookup main
32767:        from all lookup default

The output of ip route show table LocalOnly:
Code:

default dev ppp1  scope link

The output of ip route show table Uncapped:
Code:

default dev ppp0  scope link

Thanks.

Regards

Andrew Higgs

bakdong 04-08-2010 12:47 PM

Ok, so it's nothing to do with the pref number (32764-7 in your case). I can't see why it's not working. Sorry.

andrewhiggs 04-08-2010 12:56 PM

Quote:

Originally Posted by bakdong (Post 3928797)
Ok, so it's nothing to do with the pref number (32764-7 in your case). I can't see why it's not working. Sorry.

Thanks for the assistance. I appreciate the effort you put into trying to help me out.

zhjim 04-09-2010 03:02 AM

Maybe something like this will settle the dust.

Code:

ip rule add from mail.server.i.p to sto.re.1.ip table LocalOnly
ip rule add from mail.server.i.p to sto.re.2.ip table LocalOnly

This would prevent you from marking. If this does not suit I guess we best start from scratch?

bakdong 04-09-2010 03:20 AM

Stabbing in the dark now.... do you have specific routes defined in the main table? If you have, wouldn't these take priority over the default routes?

andrewhiggs 04-09-2010 04:49 AM

Quote:

Originally Posted by zhjim (Post 3929580)
Maybe something like this will settle the dust.

Code:

ip rule add from mail.server.i.p to sto.re.1.ip table LocalOnly
ip rule add from mail.server.i.p to sto.re.2.ip table LocalOnly

This would prevent you from marking. If this does not suit I guess we best start from scratch?

Thanks zhjim.

I have no problem with not needing to mark packets. In fact the simpler the solution the better. :-)

I have reset my firewall to remove all marking etc. I have flushed all rules relating to marking. This is what ip rule puts out now:
Code:

0:        from all lookup local
32763:        from 172.16.48.200 lookup LocalOnly
32766:        from all lookup main
32767:        from all lookup default

My main routing table still contains routes which send packets destined for 196.210.0.0 and 196.215.0.0 to ppp1. I assume these should be removed. If I do this routing to those ip addresses goes through the default gateway. :-(

What should be in ip route show table LocalOnly? This is what it currently has in it:
Code:

default dev ppp1  scope link

Should there be anything else? If I can have a purely routing solution (i.e. no change to the firewall) all the better.

Thanks again.

Regards

Andrew

andrewhiggs 04-09-2010 04:53 AM

Quote:

Originally Posted by bakdong (Post 3929592)
Stabbing in the dark now.... do you have specific routes defined in the main table? If you have, wouldn't these take priority over the default routes?

Thanks bakdong,

Yes. The main routing table routes all packets destined for 196.210.0.0 and 196.215.0.0 to ppp1. The end goal is to have these removed so that connections initiated from our internal network (i.e. user1 and user2) are routed via ppp0.

Regards

Andrew
