Hi Remus,

On Wed, 6 Apr 2005 14:48:03 +0100, "Remus" <rmocius@xxxxxxxxxxxxxx> wrote:

> Wang,
>
> That solution does not suit me:
> > ip route add default via $DEFAULTGW dev eth1
> > ip route add xxx.xxx.xxx.xxx/32 via $ANOTHERGW dev eth0
> Because only UDP 1194 has to be routed via eth0 to the OpenVPN server IP;
> everything else to the same IP has to go via eth1.

I see. So you need policy routing.

Change your netfilter rule from POSTROUTING to POSTROUTING.

> ----- Original Message -----
> From: "Wang Jian" <lark@xxxxxxxxxxxx>
> To: "Remus" <rmocius@xxxxxxxxxxxxxx>
> Cc: <lartc@xxxxxxxxxxxxxxx>; <openvpn-users@xxxxxxxxxxxxxxxxxxxxx>
> Sent: Wednesday, April 06, 2005 1:38 PM
> Subject: Re: [Openvpn-users] Re: UDP port 1194 marking/routing problem
>
> > Hi Remus,
> >
> > I mean: don't use policy routing, because you can use a much simpler
> > solution.
> >
> > Example:
> >
> > ip route add default via $DEFAULTGW dev eth1
> > ip route add xxx.xxx.xxx.xxx/32 via $ANOTHERGW dev eth0
> >
> > The second sends all your traffic to IP xxx.xxx.xxx.xxx via eth0. When
> > your box acts as your intranet's gateway, you can SNAT or MASQUERADE on
> > eth0, like
> >
> > iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> >
> > For your openvpn configuration, you can either bind openvpn to eth0's IP,
> > or let the system choose the IP, in most cases that of the output interface.
> >
> > On Wed, 6 Apr 2005 12:54:53 +0100, "Remus" <rmocius@xxxxxxxxxxxxxx> wrote:
> >
> > > Hi Wang,
> > >
> > > We specially got two Internet connections, one is only for the OpenVPN (it
> > > is heavily used) and the second for everything else.
> > > I will give a try to the PREROUTING stuff right away.
> > >
> > > What do you mean: "But I don't think you need to use MARK to do policy
> > > routing. It's a little overkill."
> > >
> > > Do you have another suggestion than iptables/MARK?
> > >
> > > Regards
> > >
> > > Remus
> > >
> > > ----- Original Message -----
> > > From: "Wang Jian" <lark@xxxxxxxxxxxx>
> > > To: <lartc@xxxxxxxxxxxxxxx>
> > > Cc: "Remus" <rmocius@xxxxxxxxxxxxxx>; <openvpn-users@xxxxxxxxxxxxxxxxxxxxx>
> > > Sent: Wednesday, April 06, 2005 12:23 PM
> > > Subject: [Openvpn-users] Re: UDP port 1194 marking/routing problem
> > >
> > > > Hi Remus,
> > > >
> > > > It seems that
> > > >
> > > > iptables -t mangle -A POSTROUTING -o eth0 -p udp --dport 1194 -j MARK \
> > > >     --set-mark 0x990
> > > >
> > > > will not take effect. (Didn't you typo -A as -D?)
> > > >
> > > > POSTROUTING is looked up after the routing decision is made. Because the
> > > > default route is dev eth1, the output device is eth1, so -o eth0 will not
> > > > match.
> > > >
> > > > You should use
> > > >
> > > > iptables -t mangle -A PREROUTING -p udp --destination <your openvpn \
> > > >     peer> --dport 1194 -j MARK ....
> > > >
> > > > But I don't think you need to use MARK to do policy routing. It's a
> > > > little overkill.
> > > >
> > > > Why not simply route all traffic to your openvpn peer via device eth0?
> > > >
> > > > On Wed, 6 Apr 2005 11:51:16 +0100, "Remus" <rmocius@xxxxxxxxxxxxxx> wrote:
> > > >
> > > > > Hi folks,
> > > > >
> > > > > I have OpenVPN (respect for its developers) running on my FW.
> > > > > It has two external NICs and on the internal one everything is fine, except
> > > > > I want OpenVPN (UDP port 1194) going not via the default route/network
> > > > > interface.
> > > > >
> > > > > I use such commands:
> > > > >
> > > > > iptables -t mangle -D POSTROUTING -o eth0 -p udp --dport 1194 -j MARK --set-mark 0x990
> > > > > ip rule add fwmark 0x990 table openvpn1
> > > > > ip route add default via $P2 dev eth0 table openvpn1
> > > > >
> > > > > eth0 is the FW's non-default external NIC.
> > > > >
> > > > > I have very similar iptables rules in use for my email server (TCP ports)
> > > > > etc. Everything works fine.
> > > > > What am I doing wrong with marking/routing the UDP port?
> > > > >
> > > > > Regards
> > > > >
> > > > > Remus
> > > >
> > > > --
> > > > lark
> > > >
> > > > -------------------------------------------------------
> > > > SF email is sponsored by - The IT Product Guide
> > > > Read honest & candid reviews on hundreds of IT Products from real users.
> > > > Discover which products truly live up to the hype. Start reading now.
> > > > http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
> > > > _______________________________________________
> > > > Openvpn-users mailing list
> > > > Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
> > > > https://lists.sourceforge.net/lists/listinfo/openvpn-users
> > >
> > > _______________________________________________
> > > LARTC mailing list
> > > LARTC@xxxxxxxxxxxxxxx
> > > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
> >
> > --
> > lark

--
lark
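The thread's core point is that a mark set in mangle POSTROUTING comes too late to change where a packet is routed. As an added example (editor's code, not from any participant in this thread), the script below builds the fwmark-based policy-routing setup the thread describes and goes one step beyond it: the OpenVPN daemon in this scenario runs on the firewall itself, and locally generated packets never traverse mangle PREROUTING, so they are marked in mangle OUTPUT instead, after which the kernel re-runs the routing decision. The peer address 198.51.100.10, next hop 203.0.113.1, numeric table 100 and the rp_filter setting are constructed assumptions; the script prints the commands by default so it can be reviewed without root, and executes them only with DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not from the thread: policy-route only the firewall's own
# UDP/1194 OpenVPN traffic out of eth0 while everything else keeps following
# the default route on eth1. All addresses below are constructed placeholders.
set -eu

PEER="${PEER:-198.51.100.10}"   # OpenVPN server address (assumed placeholder)
P2="${P2:-203.0.113.1}"         # next hop on the secondary link (assumed)
OUT_IF="${OUT_IF:-eth0}"        # the non-default external NIC
MARK=0x990                      # fwmark used in the thread
TABLE=100                       # numeric table id needs no /etc/iproute2/rt_tables entry

# DRY_RUN=1 (the default here) prints each command instead of executing it, so
# the rule set can be reviewed, or tested, without root and without touching
# the kernel. DRY_RUN=0 applies it.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Packets generated on this host are marked in mangle OUTPUT; the kernel
# re-routes them after OUTPUT when the mark changed. POSTROUTING is too late:
# the output device is already fixed, so "-o eth0" there never matches a
# packet the main table sent to eth1. No "-o" match is used here for the same
# reason. Note "-A" appends; the "-D" in the original post deletes a rule.
mark_commands() {
    run iptables -t mangle -A OUTPUT -p udp -d "$PEER" --dport 1194 \
        -j MARK --set-mark "$MARK"
}

# ip rule picks the table for marked packets; the table holds the alternative
# default route via the secondary link.
routing_commands() {
    run ip rule add fwmark "$MARK" table "$TABLE" priority 1000
    run ip route add default via "$P2" dev "$OUT_IF" table "$TABLE"
    # Replies from the peer arrive on eth0, but the main table would reach the
    # peer via eth1, so strict reverse-path filtering (1) drops them; loose
    # mode (2) accepts them. Assumed to be needed on this box.
    run sysctl -w "net.ipv4.conf.$OUT_IF.rp_filter=2"
}

# Ask the kernel which route a packet carrying the mark would take; the answer
# should name the secondary interface and next hop.
check_commands() {
    run ip route get "$PEER" mark "$MARK"
}

all_commands() {
    mark_commands
    routing_commands
    check_commands
}

# Self-check: exactly one marking rule, and it lives in a chain evaluated
# before the routing decision (OUTPUT for local traffic, PREROUTING for
# forwarded traffic).
count_pre_routing_chains() {
    all_commands | grep -c -E 'mangle -A (OUTPUT|PREROUTING)'
}

all_commands
```

If the firewall also forwards VPN traffic from LAN hosts toward the same peer, the matching rule for that traffic goes in mangle PREROUTING, as suggested in the thread; the ip rule and route table above serve both cases.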