* Re: [LARTC] UDP port 1194 marking/routing problem
2005-04-06 10:51 [LARTC] UDP port 1194 marking/routing problem Remus
@ 2005-04-06 11:23 ` Wang Jian
2005-04-06 13:48 ` Remus
2005-04-06 14:03 ` Wang Jian
2 siblings, 0 replies; 4+ messages in thread
From: Wang Jian @ 2005-04-06 11:23 UTC (permalink / raw)
To: lartc
Hi Remus,
It seems that
iptables -t mangle -A POSTROUTING -o eth0 -p udp --dport 1194 -j MARK \
--set-mark 0x990
will not take effect. (didn't you typo -A as -D?)
POSTROUTING is looked up after routing decision is made. Because the
default route is dev eth1, the output device is eth1, -o eth0 will not
match.
You should use
iptables -t mangle -A PREROUTING -p udp --destination <your openvpn \
peer> --dport 1194 -j MARK ....
But I don't think you need to use MARK to do policy routing. It's a
little overkill.
Why not simply route all traffic to your openvpn peer via device eth0?
On Wed, 6 Apr 2005 11:51:16 +0100, "Remus" <rmocius@auste.elnet.lt> wrote:
>
> Hi folks,
>
> I have OpenVPN (respect for it developers) running on my FW.
> Is has two external NICs and on internal everything is fine, except
> I want OpenVPN (UDP port 1194) going not via default route/network interface.
>
> I use such commands:
>
> iptables -t mangle -D POSTROUTING -o eth0 -p udp --dport 1194 -j MARK --set-mark 0x990
> ip rule add fwmark 0x990 table openvpn1
> ip route add default via $P2 dev eth0 table openvpn1
>
> eth0 is FW's not default external NIC.
>
> I have in use very similar iptables rules for my email server (TCP ports) and etc.
> Everything works fine.
> What I'm doing wrong with marking/routing the UDP port?
>
> Regards
>
> Remus
>
--
lark
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: [LARTC] UDP port 1194 marking/routing problem
2005-04-06 10:51 [LARTC] UDP port 1194 marking/routing problem Remus
2005-04-06 11:23 ` Wang Jian
@ 2005-04-06 13:48 ` Remus
2005-04-06 14:03 ` Wang Jian
2 siblings, 0 replies; 4+ messages in thread
From: Remus @ 2005-04-06 13:48 UTC (permalink / raw)
To: lartc
Wang,
That solution does not suite me:
>ip route add default via $DEFAULTGW dev eth1
>ip route add xxx.xxx.xxx.xxx/32 via $ANOTHERGW dev eth0
Because only UPD 1194 has to be routed via eth0 to OpenVPN server IP,
everything else
to same Ip has to go via eth1.
Any ideas?
Regards
Remus
----- Original Message -----
From: "Wang Jian" <lark@linux.net.cn>
To: "Remus" <rmocius@auste.elnet.lt>
Cc: <lartc@mailman.ds9a.nl>; <openvpn-users@lists.sourceforge.net>
Sent: Wednesday, April 06, 2005 1:38 PM
Subject: Re: [Openvpn-users] Re: [LARTC] UDP port 1194 marking/routing
problem
> Hi Remus,
>
> I means: don't use policy routing, because you can use much simpler
> solution.
>
> Example:
>
> ip route add default via $DEFAULTGW dev eth1
> ip route add xxx.xxx.xxx.xxx/32 via $ANOTHERGW dev eth0
>
> The second, send all your traffic to IP xxx.xxx.xxx.xxx via eth0. When
> your box acts as your intranet's gateway, you can SNAT or MASQUERADE on
> eth0, like
>
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE.
>
>
> For you openvpn configuration, you can either bind openvpn to eth0's ip,
> or let system chooose the IP, in most case the output interface.
>
>
> On Wed, 6 Apr 2005 12:54:53 +0100, "Remus" <rmocius@auste.elnet.lt> wrote:
>
>> Hi Wang,
>>
>> We specialy got two Internet connections, one is only for the OpenVPN (it
>> is
>> heavily used) and second for everthing else.
>> I will give a try to PREROUTING stuff right away.
>>
>> What do mean : But I don't think you need to use MARK to do policy
>> routing.
>> It's a little overkill.
>>
>> Do you another suggestion than iptables/MARK?
>>
>> Regards
>>
>> Remus
>>
>>
>> ----- Original Message -----
>> From: "Wang Jian" <lark@linux.net.cn>
>> To: <lartc@mailman.ds9a.nl>
>> Cc: "Remus" <rmocius@auste.elnet.lt>;
>> <openvpn-users@lists.sourceforge.net>
>> Sent: Wednesday, April 06, 2005 12:23 PM
>> Subject: [Openvpn-users] Re: [LARTC] UDP port 1194 marking/routing
>> problem
>>
>>
>> > Hi Remus,
>> >
>> > It seems that
>> >
>> > iptables -t mangle -A POSTROUTING -o eth0 -p udp --dport 1194 -j MARK \
>> > --set-mark 0x990
>> >
>> > will not take effect. (didn't you typo -A as -D?)
>> >
>> > POSTROUTING is looked up after routing decision is made. Because the
>> > default route is dev eth1, the output device is eth1, -o eth0 will not
>> > match.
>> >
>> > You should use
>> >
>> > iptables -t mangle -A PREROUTING -p udp --destination <your openvpn \
>> > peer> --dport 1194 -j MARK ....
>> >
>> > But I don't think you need to use MARK to do policy routing. It's a
>> > little overkill.
>> >
>> > Why not simply route all traffic to your openvpn peer via device eth0?
>> >
>> >
>> > On Wed, 6 Apr 2005 11:51:16 +0100, "Remus" <rmocius@auste.elnet.lt>
>> > wrote:
>> >
>> >>
>> >> Hi folks,
>> >>
>> >> I have OpenVPN (respect for it developers) running on my FW.
>> >> Is has two external NICs and on internal everything is fine, except
>> >> I want OpenVPN (UDP port 1194) going not via default route/network
>> >> interface.
>> >>
>> >> I use such commands:
>> >>
>> >> iptables -t mangle -D POSTROUTING -o eth0 -p udp --dport 1194 -j
>> >> MARK --set-mark 0x990
>> >> ip rule add fwmark 0x990 table openvpn1
>> >> ip route add default via $P2 dev eth0 table openvpn1
>> >>
>> >> eth0 is FW's not default external NIC.
>> >>
>> >> I have in use very similar iptables rules for my email server (TCP
>> >> ports)
>> >> and etc.
>> >> Everything works fine.
>> >> What I'm doing wrong with marking/routing the UDP port?
>> >>
>> >> Regards
>> >>
>> >> Remus
>> >>
>> >
>> >
>> >
>> > --
>> > lark
>> >
>> >
>> >
>> > -------------------------------------------------------
>> > SF email is sponsored by - The IT Product Guide
>> > Read honest & candid reviews on hundreds of IT Products from real
>> > users.
>> > Discover which products truly live up to the hype. Start reading now.
>> > http://ads.osdn.com/?ad_ide95&alloc_id\x14396&op=click
>> > _______________________________________________
>> > Openvpn-users mailing list
>> > Openvpn-users@lists.sourceforge.net
>> > https://lists.sourceforge.net/lists/listinfo/openvpn-users
>> >
>> >
>>
>>
>> _______________________________________________
>> LARTC mailing list
>> LARTC@mailman.ds9a.nl
>> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>
>
>
> --
> lark
>
>
>
> -------------------------------------------------------
> SF email is sponsored by - The IT Product Guide
> Read honest & candid reviews on hundreds of IT Products from real users.
> Discover which products truly live up to the hype. Start reading now.
> http://ads.osdn.com/?ad_ide95&alloc_id\x14396&op=click
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-users
>
>
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [LARTC] UDP port 1194 marking/routing problem
2005-04-06 10:51 [LARTC] UDP port 1194 marking/routing problem Remus
2005-04-06 11:23 ` Wang Jian
2005-04-06 13:48 ` Remus
@ 2005-04-06 14:03 ` Wang Jian
2 siblings, 0 replies; 4+ messages in thread
From: Wang Jian @ 2005-04-06 14:03 UTC (permalink / raw)
To: lartc
Hi Remus,
On Wed, 6 Apr 2005 14:48:03 +0100, "Remus" <rmocius@auste.elnet.lt> wrote:
> Wang,
>
> That solution does not suite me:
> >ip route add default via $DEFAULTGW dev eth1
> >ip route add xxx.xxx.xxx.xxx/32 via $ANOTHERGW dev eth0
> Because only UPD 1194 has to be routed via eth0 to OpenVPN server IP,
> everything else
> to same Ip has to go via eth1.
I see. So you need policy routing. Change your netfilter rule from
POSTROUTING to POSTROUTING.
>
>
> ----- Original Message -----
> From: "Wang Jian" <lark@linux.net.cn>
> To: "Remus" <rmocius@auste.elnet.lt>
> Cc: <lartc@mailman.ds9a.nl>; <openvpn-users@lists.sourceforge.net>
> Sent: Wednesday, April 06, 2005 1:38 PM
> Subject: Re: [Openvpn-users] Re: [LARTC] UDP port 1194 marking/routing
> problem
>
>
> > Hi Remus,
> >
> > I means: don't use policy routing, because you can use much simpler
> > solution.
> >
> > Example:
> >
> > ip route add default via $DEFAULTGW dev eth1
> > ip route add xxx.xxx.xxx.xxx/32 via $ANOTHERGW dev eth0
> >
> > The second, send all your traffic to IP xxx.xxx.xxx.xxx via eth0. When
> > your box acts as your intranet's gateway, you can SNAT or MASQUERADE on
> > eth0, like
> >
> > iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE.
> >
> >
> > For you openvpn configuration, you can either bind openvpn to eth0's ip,
> > or let system chooose the IP, in most case the output interface.
> >
> >
> > On Wed, 6 Apr 2005 12:54:53 +0100, "Remus" <rmocius@auste.elnet.lt> wrote:
> >
> >> Hi Wang,
> >>
> >> We specialy got two Internet connections, one is only for the OpenVPN (it
> >> is
> >> heavily used) and second for everthing else.
> >> I will give a try to PREROUTING stuff right away.
> >>
> >> What do mean : But I don't think you need to use MARK to do policy
> >> routing.
> >> It's a little overkill.
> >>
> >> Do you another suggestion than iptables/MARK?
> >>
> >> Regards
> >>
> >> Remus
> >>
> >>
> >> ----- Original Message -----
> >> From: "Wang Jian" <lark@linux.net.cn>
> >> To: <lartc@mailman.ds9a.nl>
> >> Cc: "Remus" <rmocius@auste.elnet.lt>;
> >> <openvpn-users@lists.sourceforge.net>
> >> Sent: Wednesday, April 06, 2005 12:23 PM
> >> Subject: [Openvpn-users] Re: [LARTC] UDP port 1194 marking/routing
> >> problem
> >>
> >>
> >> > Hi Remus,
> >> >
> >> > It seems that
> >> >
> >> > iptables -t mangle -A POSTROUTING -o eth0 -p udp --dport 1194 -j MARK \
> >> > --set-mark 0x990
> >> >
> >> > will not take effect. (didn't you typo -A as -D?)
> >> >
> >> > POSTROUTING is looked up after routing decision is made. Because the
> >> > default route is dev eth1, the output device is eth1, -o eth0 will not
> >> > match.
> >> >
> >> > You should use
> >> >
> >> > iptables -t mangle -A PREROUTING -p udp --destination <your openvpn \
> >> > peer> --dport 1194 -j MARK ....
> >> >
> >> > But I don't think you need to use MARK to do policy routing. It's a
> >> > little overkill.
> >> >
> >> > Why not simply route all traffic to your openvpn peer via device eth0?
> >> >
> >> >
> >> > On Wed, 6 Apr 2005 11:51:16 +0100, "Remus" <rmocius@auste.elnet.lt>
> >> > wrote:
> >> >
> >> >>
> >> >> Hi folks,
> >> >>
> >> >> I have OpenVPN (respect for it developers) running on my FW.
> >> >> Is has two external NICs and on internal everything is fine, except
> >> >> I want OpenVPN (UDP port 1194) going not via default route/network
> >> >> interface.
> >> >>
> >> >> I use such commands:
> >> >>
> >> >> iptables -t mangle -D POSTROUTING -o eth0 -p udp --dport 1194 -j
> >> >> MARK --set-mark 0x990
> >> >> ip rule add fwmark 0x990 table openvpn1
> >> >> ip route add default via $P2 dev eth0 table openvpn1
> >> >>
> >> >> eth0 is FW's not default external NIC.
> >> >>
> >> >> I have in use very similar iptables rules for my email server (TCP
> >> >> ports)
> >> >> and etc.
> >> >> Everything works fine.
> >> >> What I'm doing wrong with marking/routing the UDP port?
> >> >>
> >> >> Regards
> >> >>
> >> >> Remus
> >> >>
> >> >
> >> >
> >> >
> >> > --
> >> > lark
> >> >
> >> >
> >> >
> >> > -------------------------------------------------------
> >> > SF email is sponsored by - The IT Product Guide
> >> > Read honest & candid reviews on hundreds of IT Products from real
> >> > users.
> >> > Discover which products truly live up to the hype. Start reading now.
> >> > http://ads.osdn.com/?ad_ide95&alloc_id\x14396&op=click
> >> > _______________________________________________
> >> > Openvpn-users mailing list
> >> > Openvpn-users@lists.sourceforge.net
> >> > https://lists.sourceforge.net/lists/listinfo/openvpn-users
> >> >
> >> >
> >>
> >>
> >> _______________________________________________
> >> LARTC mailing list
> >> LARTC@mailman.ds9a.nl
> >> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
> >
> >
> >
> > --
> > lark
> >
> >
> >
> > -------------------------------------------------------
> > SF email is sponsored by - The IT Product Guide
> > Read honest & candid reviews on hundreds of IT Products from real users.
> > Discover which products truly live up to the hype. Start reading now.
> > http://ads.osdn.com/?ad_ide95&alloc_id\x14396&op=click
> > _______________________________________________
> > Openvpn-users mailing list
> > Openvpn-users@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/openvpn-users
> >
> >
>
--
lark
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
^ permalink raw reply [flat|nested] 4+ messages in thread