Hi John E. Peterson,

Yes. My stupid typo.

On Wed, 6 Apr 2005 10:08:20 -0400, "John E. Peterson" <jpeterson@xxxxxxxx> wrote:

> Did you mean POSTROUTING to PREROUTING? That looked weird.
>
> ----- Original Message -----
> From: "Wang Jian" <lark@xxxxxxxxxxxx>
> To: "Remus" <rmocius@xxxxxxxxxxxxxx>
> Cc: <lartc@xxxxxxxxxxxxxxx>; <openvpn-users@xxxxxxxxxxxxxxxxxxxxx>
> Sent: Wednesday, April 06, 2005 10:03 AM
> Subject: [Openvpn-users] Re: UDP port 1194 marking/routing problem
>
>
> > Hi Remus,
> >
> >
> > On Wed, 6 Apr 2005 14:48:03 +0100, "Remus" <rmocius@xxxxxxxxxxxxxx> wrote:
> >
> >> Wang,
> >>
> >> That solution does not suit me:
> >> >ip route add default via $DEFAULTGW dev eth1
> >> >ip route add xxx.xxx.xxx.xxx/32 via $ANOTHERGW dev eth0
> >> Because only UDP 1194 has to be routed via eth0 to OpenVPN server IP,
> >> everything else to same IP has to go via eth1.
> >
> > I see. So you need policy routing. Change your netfilter rule from
> > POSTROUTING to POSTROUTING.
> >
> >
> >>
> >> ----- Original Message -----
> >> From: "Wang Jian" <lark@xxxxxxxxxxxx>
> >> To: "Remus" <rmocius@xxxxxxxxxxxxxx>
> >> Cc: <lartc@xxxxxxxxxxxxxxx>; <openvpn-users@xxxxxxxxxxxxxxxxxxxxx>
> >> Sent: Wednesday, April 06, 2005 1:38 PM
> >> Subject: Re: [Openvpn-users] Re: UDP port 1194 marking/routing problem
> >>
> >>
> >> > Hi Remus,
> >> >
> >> > I mean: don't use policy routing, because you can use a much simpler
> >> > solution.
> >> >
> >> > Example:
> >> >
> >> > ip route add default via $DEFAULTGW dev eth1
> >> > ip route add xxx.xxx.xxx.xxx/32 via $ANOTHERGW dev eth0
> >> >
> >> > The second sends all your traffic to IP xxx.xxx.xxx.xxx via eth0. When
> >> > your box acts as your intranet's gateway, you can SNAT or MASQUERADE on
> >> > eth0, like
> >> >
> >> > iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE.
> >> >
> >> > For your openvpn configuration, you can either bind openvpn to eth0's
> >> > ip, or let the system choose the IP, in most cases the output interface.
> >> >
> >> >
> >> > On Wed, 6 Apr 2005 12:54:53 +0100, "Remus" <rmocius@xxxxxxxxxxxxxx> wrote:
> >> >
> >> >> Hi Wang,
> >> >>
> >> >> We specially got two Internet connections, one is only for the OpenVPN
> >> >> (it is heavily used) and the second for everything else.
> >> >> I will give a try to the PREROUTING stuff right away.
> >> >>
> >> >> What do you mean: But I don't think you need to use MARK to do policy
> >> >> routing. It's a little overkill.
> >> >>
> >> >> Do you have another suggestion than iptables/MARK?
> >> >>
> >> >> Regards
> >> >>
> >> >> Remus
> >> >>
> >> >>
> >> >> ----- Original Message -----
> >> >> From: "Wang Jian" <lark@xxxxxxxxxxxx>
> >> >> To: <lartc@xxxxxxxxxxxxxxx>
> >> >> Cc: "Remus" <rmocius@xxxxxxxxxxxxxx>; <openvpn-users@xxxxxxxxxxxxxxxxxxxxx>
> >> >> Sent: Wednesday, April 06, 2005 12:23 PM
> >> >> Subject: [Openvpn-users] Re: UDP port 1194 marking/routing problem
> >> >>
> >> >>
> >> >> > Hi Remus,
> >> >> >
> >> >> > It seems that
> >> >> >
> >> >> > iptables -t mangle -A POSTROUTING -o eth0 -p udp --dport 1194 -j MARK \
> >> >> >     --set-mark 0x990
> >> >> >
> >> >> > will not take effect. (didn't you typo -A as -D?)
> >> >> >
> >> >> > POSTROUTING is looked up after the routing decision is made. Because the
> >> >> > default route is dev eth1, the output device is eth1, so -o eth0 will not
> >> >> > match.
> >> >> >
> >> >> > You should use
> >> >> >
> >> >> > iptables -t mangle -A PREROUTING -p udp --destination <your openvpn peer> \
> >> >> >     --dport 1194 -j MARK ....
> >> >> >
> >> >> > But I don't think you need to use MARK to do policy routing. It's a
> >> >> > little overkill.
> >> >> >
> >> >> > Why not simply route all traffic to your openvpn peer via device eth0?
> >> >> >
> >> >> >
> >> >> > On Wed, 6 Apr 2005 11:51:16 +0100, "Remus" <rmocius@xxxxxxxxxxxxxx> wrote:
> >> >> >
> >> >> >>
> >> >> >> Hi folks,
> >> >> >>
> >> >> >> I have OpenVPN (respect for its developers) running on my FW.
> >> >> >> It has two external NICs and one internal; everything is fine, except
> >> >> >> I want OpenVPN (UDP port 1194) going not via the default route/network
> >> >> >> interface.
> >> >> >>
> >> >> >> I use such commands:
> >> >> >>
> >> >> >> iptables -t mangle -D POSTROUTING -o eth0 -p udp --dport 1194 -j MARK --set-mark 0x990
> >> >> >> ip rule add fwmark 0x990 table openvpn1
> >> >> >> ip route add default via $P2 dev eth0 table openvpn1
> >> >> >>
> >> >> >> eth0 is the FW's non-default external NIC.
> >> >> >>
> >> >> >> I have in use very similar iptables rules for my email server (TCP ports)
> >> >> >> etc.
> >> >> >> Everything works fine.
> >> >> >> What am I doing wrong with marking/routing the UDP port?
> >> >> >>
> >> >> >> Regards
> >> >> >>
> >> >> >> Remus
> >> >> >>
> >> >> >
> >> >> > --
> >> >> > lark
> >> >> >
> >> >> > _______________________________________________
> >> >> > Openvpn-users mailing list
> >> >> > Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
> >> >> > https://lists.sourceforge.net/lists/listinfo/openvpn-users
> >> >>
> >> >> _______________________________________________
> >> >> LARTC mailing list
> >> >> LARTC@xxxxxxxxxxxxxxx
> >> >> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
> >> >
> >> > --
> >> > lark
> >
> > --
> > lark

--
lark
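The fwmark approach discussed in this thread, as an added example that is not from any of the posters: because OpenVPN runs on the firewall itself, its packets are locally generated and are marked in the mangle OUTPUT chain (locally generated packets never pass PREROUTING, and POSTROUTING comes after the routing decision, as noted above); the marked packets are then routed through a separate table and the result is checked. The peer and gateway addresses are constructed placeholders, the table name openvpn1 is assumed to be defined in /etc/iproute2/rt_tables, and DRY_RUN=1 (the default) only prints the commands so the rule set can be reviewed without root.

```shell
#!/bin/sh
# Added example: route only the firewall's own OpenVPN traffic (UDP 1194 to
# the peer) out eth0 while everything else keeps using the default route on eth1.
PEER="${PEER:-192.0.2.10}"      # constructed placeholder: OpenVPN peer address
P2="${P2:-198.51.100.1}"        # constructed placeholder: gateway reachable on eth0
MARK=0x990
TABLE=openvpn1                  # assumed to exist in /etc/iproute2/rt_tables
DRY_RUN="${DRY_RUN:-1}"         # 1 = print commands only; 0 = execute them (needs root)

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

mark_rules() {
    # OpenVPN's own packets traverse mangle OUTPUT. POSTROUTING is too late:
    # the packet is already routed to eth1 there, so "-o eth0" never matches.
    run iptables -t mangle -A OUTPUT -p udp -d "$PEER" --dport 1194 -j MARK --set-mark "$MARK"
    # Forwarded traffic (LAN hosts tunnelling through this box) is seen in PREROUTING.
    run iptables -t mangle -A PREROUTING -p udp -d "$PEER" --dport 1194 -j MARK --set-mark "$MARK"
}

routing_rules() {
    # Marked packets consult table openvpn1, whose only route points out eth0.
    run ip rule add fwmark "$MARK" table "$TABLE"
    run ip route add default via "$P2" dev eth0 table "$TABLE"
    # The main table routes the peer via eth1, so strict reverse-path filtering
    # (rp_filter=1) would drop the peer's replies arriving on eth0; loose mode keeps them.
    run sysctl -w net.ipv4.conf.eth0.rp_filter=2
    # The source address is chosen before the mark is applied, so OpenVPN should be
    # bound to eth0's address (the "local" directive) or replies will come back to eth1.
}

verify() {
    # Ask the kernel which route a packet carrying this mark would take to the peer.
    run ip route get "$PEER" mark "$MARK"
}

mark_rules; routing_rules; verify
```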