From: Marco Gaiarin
Date: Wed, 03 Feb 2021 18:15:30 +0000
Subject: Multiple link, policy routing and link not in default route...
Message-Id: <20210203181530.GO3370@lilliput.linux.it>
To: lartc@vger.kernel.org

Sorry for my previous post; I've done some extensive tests and now I have
more info, I hope at least.

Situation: multiple-link firewall, with 4 links to the internet, 'balanced'
via route-based balancing and policy routing (AKA iptables mark).

Situation:

    root@tank:~# ip route show default
    default
            nexthop via 81.174.0.21 dev ppp0 weight 30
            nexthop via 88.37.116.137 dev vlan192 weight 7
            nexthop via 10.5.248.253 dev vlan193 weight 100

There's a fourth link, but I want to 'reserve' it for some specific traffic,
so I've excluded it from the default route pool. But the specific routing
table is here:

    root@tank:~# ip rule show
    0:      from all lookup local
    32758:  from all fwmark 0x40/0xf0 lookup FWFibra
    32759:  from 37.186.212.162 lookup FWFibra
    32760:  from all fwmark 0x30/0xf0 lookup FWFTTC
    32761:  from 10.5.248.254 lookup FWFTTC
    32762:  from all fwmark 0x20/0xf0 lookup EOLO
    32763:  from 88.147.114.200 lookup EOLO
    32764:  from all fwmark 0x10/0xf0 lookup TI7
    32765:  from 88.37.116.142 lookup TI7
    32766:  from all lookup main
    32767:  from all lookup default

    root@tank:~# ip route show table FWFibra
    default via 37.186.212.161 dev vlan249
    10.5.0.0/21 dev eth0 scope link
    10.5.8.0/22 dev eth0.3 scope link
    37.186.212.160/30 dev vlan249 scope link src 37.186.212.162
    127.0.0.0/8 dev lo scope link

I've added a policy routing test:

    /sbin/iptables -t mangle -A PREROUTING -i eth0 -s 10.5.0.0/21 -d 173.194.79.109 -p icmp -m mark --mark 0x0/0xf0 -j MARK --set-mark 64/0x00f0

I can see the rule match; the ping from an internal host goes outside and
comes back, but nothing arrives on the internal host.

I've double-checked the forward chains and NAT tables, and all seems OK.

After a bit of fiddling, I've tried to add the fourth link to the 'default
route' pool, e.g.:

    root@tank:~# ip route show default
    default
            nexthop via 81.174.0.21 dev ppp0 weight 30
            nexthop via 88.37.116.137 dev vlan192 weight 7
            nexthop via 10.5.248.253 dev vlan193 weight 100
            nexthop via 37.186.212.161 dev vlan249 weight 10

and now the policy routing works as expected.

Why does the interface need to be in the 'default route'?

Thanks.

-- 
dott. Marco Gaiarin                                    GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

  Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
      (cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)
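As an added example, not part of Marco's post or of anything on the lartc list: a small Python model of the lookup Linux performs for the rules and tables quoted in the message (walk `ip rule` in priority order, do a longest-prefix match inside the rule's table, the first table that yields a route wins), together with a simplified model of a strict reverse-path (rp_filter) check, which is one of the first things to test when replies arrive on a link and then vanish. That rp_filter is the cause in Marco's setup is an assumption made here, not something the post establishes. The tables the post does not show (local, FWFTTC, EOLO, TI7) are modelled as empty, the main table's connected routes and the internal host 10.5.0.10 are constructed, and the reply packet is modelled after DNAT (destination already rewritten to the internal host). The mark arithmetic follows iptables' `--set-mark value/mask` semantics.

```python
"""Model of Linux policy routing (ip rule + per-table longest-prefix match)
built from the configuration quoted in the post, plus a simplified strict
reverse-path check. All data below is constructed for the example."""
from ipaddress import ip_address, ip_network

# ip rule entries: (priority, source address or None, (mark, mask) or None, table)
RULES = [
    (0,     None,             None,         "local"),
    (32758, None,             (0x40, 0xf0), "FWFibra"),
    (32759, "37.186.212.162", None,         "FWFibra"),
    (32760, None,             (0x30, 0xf0), "FWFTTC"),
    (32761, "10.5.248.254",   None,         "FWFTTC"),
    (32762, None,             (0x20, 0xf0), "EOLO"),
    (32763, "88.147.114.200", None,         "EOLO"),
    (32764, None,             (0x10, 0xf0), "TI7"),
    (32765, "88.37.116.142",  None,         "TI7"),
    (32766, None,             None,         "main"),
    (32767, None,             None,         "default"),
]

# Routing table: prefix -> list of (gateway or None, device). More than one
# entry for a prefix means a multipath route.
FWFIBRA = {
    "0.0.0.0/0":         [("37.186.212.161", "vlan249")],
    "10.5.0.0/21":       [(None, "eth0")],
    "10.5.8.0/22":       [(None, "eth0.3")],
    "37.186.212.160/30": [(None, "vlan249")],
    "127.0.0.0/8":       [(None, "lo")],
}
MAIN_DEFAULT_3 = [("81.174.0.21", "ppp0"), ("88.37.116.137", "vlan192"),
                  ("10.5.248.253", "vlan193")]                 # before the change
MAIN_DEFAULT_4 = MAIN_DEFAULT_3 + [("37.186.212.161", "vlan249")]  # after the change


def tables(main_default):
    """Build the table set; tables not shown in the post are assumed empty and
    main's connected routes are assumed (the post only shows its default)."""
    main = {"0.0.0.0/0": list(main_default),
            "10.5.0.0/21": [(None, "eth0")],
            "37.186.212.160/30": [(None, "vlan249")]}
    return {"local": {}, "FWFibra": FWFIBRA, "FWFTTC": {}, "EOLO": {},
            "TI7": {}, "main": main, "default": {}}


def set_mark(old, value, mask):
    """iptables -j MARK --set-mark value/mask: only the masked bits change."""
    return (old & ~mask) | (value & mask)


def rule_matches(rule, src, mark):
    _, src_addr, fwmark, _ = rule
    if src_addr is not None and ip_address(src) != ip_address(src_addr):
        return False
    if fwmark is not None and (mark & fwmark[1]) != fwmark[0]:
        return False
    return True


def table_lookup(table, dst):
    """Longest-prefix match; returns the nexthop list or None."""
    best = None
    for prefix, nexthops in table.items():
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthops)
    return best[1] if best else None


def route(rules, tabs, src, dst, mark=0):
    """Policy lookup: first matching rule whose table holds a route for dst."""
    for rule in sorted(rules, key=lambda r: r[0]):
        if rule_matches(rule, src, mark):
            nexthops = table_lookup(tabs[rule[3]], dst)
            if nexthops is not None:
                return rule[3], nexthops
    return None, None


def reverse_path_ok(rules, tabs, iif, src, dst, mark=0):
    """Strict reverse-path model: the packet's source must be routable back
    out through the interface it arrived on (any nexthop of a multipath
    route counts). The lookup is done with source and destination swapped;
    pass mark=0 to model the mark being ignored for this check."""
    _, nexthops = route(rules, tabs, src=dst, dst=src, mark=mark)
    return nexthops is not None and any(dev == iif for _, dev in nexthops)


if __name__ == "__main__":
    mark = set_mark(0x0, 64, 0x00f0)            # the post's MARK rule -> 0x40
    print("outbound ping:", route(RULES, tables(MAIN_DEFAULT_3), "10.5.0.10", "173.194.79.109", mark))
    for name, nh in (("3 nexthops", MAIN_DEFAULT_3), ("4 nexthops", MAIN_DEFAULT_4)):
        ok = reverse_path_ok(RULES, tables(nh), "vlan249", "173.194.79.109", "10.5.0.10")
        print(f"reply on vlan249 with main default = {name}: reverse path ok = {ok}")
```

In this model the outbound ICMP packet carries mark 0x40 and is routed through FWFibra out of vlan249, exactly as the `ip rule` entry at priority 32758 says; the reply, however, has no mark and a destination of 10.5.0.10, so its reverse lookup falls through to main, and main's default route only reaches ppp0, vlan192 and vlan193 until vlan249 is added as a fourth nexthop. The last assertion in the example's own checks shows the alternative: if the reply carried mark 0x40 and the kernel were configured to honour marks in this check (the `net.ipv4.conf.<if>.src_valid_mark` sysctl), the reverse lookup would also land in FWFibra. Whether either of these matches what the real box does depends on its `rp_filter` settings, which the post does not show.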