Hello, first thanks for your answer.

I have also tried with other marks under 10 to avoid confusion between decimal and hex => same result.

I confirm that no default route is present in my main table, only routes for the LAN and DMZ networks.

And the reason why I want the http(s) and ftp traffic not to be balanced is a "political reason": I install several firewalls for different clients and each one has their own wish ;)

I really don't understand where the problem is. If I use the ip filter capabilities (from, to, iif), the traffic is correctly routed, but with the netfilter mark it doesn't work... I checked packet stats with iptables to see if traffic is going through the mangle rules and it seems to be OK, and with the realms mark I checked if the routing rule is read and it seems to be OK too...

> -----Original Message-----
> From: Nguyen Dinh Nam [mailto:64vn@xxxxxxxxxx]
> Sent: Thursday, 7 April 2005 02:55
> To: Laurent LAVAUD
> Cc: lartc@xxxxxxxxxxxxxxx
> Subject: Re: [LARTC] Multipath routing + traffic separation problem.
>
> Your settings seem to be correct, I just don't know why you don't want to balance http, https and ftp traffic between both connections?
>
> About the bug, I haven't used linux 2.4 for a long time; for 2.6, fwmark is in hex, so be careful with 10 vs. 0xa, you'd better use values less than 0xa to avoid confusion.
>
> Also make sure that no default route is added to your main table.
>
>> On Wed, 2005-04-06 at 12:09 +0200, Laurent LAVAUD wrote:
>> Hello,
>>
>> I have set up a multipath gateway.
>> System is a linux 2.4.29 kernel, iproute 20010824, iptables 1.2.11.
>>
>> Here is the setup:
>>
>> firewall:/# ip rule
>> 0:      from all lookup local
>> 100:    from all lookup main
>> 152:    from all fwmark 10 lookup wan1
>> 153:    from all fwmark 20 lookup wan2
>> 201:    from 213.223.96.121 lookup wan1
>> 202:    from 82.236.230.217 lookup wan2
>> 1000:   from all lookup away
>>
>> Fw-cgarp:/etc/firegate# ip route ls table wan1
>> default via 213.223.96.122 dev eth0 src 213.223.96.121
>> prohibit default metric 1
>>
>> Fw-cgarp:/etc/firegate# ip route ls table wan2
>> default via 82.236.230.254 dev eth3 src 82.236.230.217
>> prohibit default metric 1
>>
>> Fw-cgarp:/etc/firegate# ip route ls table away
>> default
>>         nexthop via 82.236.230.254 dev eth3 weight 1
>>         nexthop via 213.223.96.122 dev eth0 weight 1
>>
>> Fw-cgarp:/etc/firegate# iptables-save -t mangle
>> # Generated by iptables-save v1.2.11 on Wed Apr 6 11:57:06 2005
>> *mangle
>> :PREROUTING ACCEPT [3281:1066576]
>> :INPUT ACCEPT [411:32992]
>> :FORWARD ACCEPT [2870:1033584]
>> :OUTPUT ACCEPT [339:63745]
>> :POSTROUTING ACCEPT [3195:1096657]
>> -A PREROUTING -p tcp -m tcp --dport 25 -j MARK --set-mark 0xa
>> -A PREROUTING -p tcp -m mport --dports 80,443,21 -j MARK --set-mark 0x14
>> COMMIT
>> # Completed on Wed Apr 6 11:57:06 2005
>>
>> So with this configuration all the http, https and ftp traffic must be routed by the 'wan2' connection.
>> I have done several tests and it doesn't work. I have also added a realms mark to my routing rule, and with the "rtacct" command I saw that traffic is going through the correct rule, but http traffic continues to be balanced between the two connections...
>>
>> Does someone see the problem?
>> Thanks in advance.
>> _______________________________________________
>> LARTC mailing list
>> LARTC@xxxxxxxxxxxxxxx
>> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
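The two things the replies above ask Laurent to verify are whether the marks written by the mangle rules line up with the `ip rule` fwmark selectors once decimal and hex are normalised, and whether any table consulted before the fwmark rules carries a default route. The script below is an added example, not code from the thread or from the LARTC project: it parses the `ip rule` and `iptables-save -t mangle` text exactly as posted, plus the wan1, wan2 and away tables as posted, and reports either kind of mismatch. The contents of the `main` table (two constructed LAN/DMZ routes) and the table names in `TABLES` are an assumed stand-in, since the original post only states that `main` holds no default route.

```python
"""Cross-check netfilter MARK targets against `ip rule` fwmark selectors.

Added example (not from the LARTC thread). Parses the text of `ip rule` and
`iptables-save -t mangle` and flags the things that silently break fwmark
policy routing:
  * a mark set in mangle with no matching fwmark rule, or vice versa, after
    normalising decimal vs hex (iptables prints 0xa, ip rule may show 10);
  * a rule with a lower priority number than the fwmark rules whose table
    holds a usable default route, so packets are routed before the fwmark
    rules are ever consulted.
"""
import re

# `ip rule` output as posted in the thread.
IP_RULE = """\
0:      from all lookup local
100:    from all lookup main
152:    from all fwmark 10 lookup wan1
153:    from all fwmark 20 lookup wan2
201:    from 213.223.96.121 lookup wan1
202:    from 82.236.230.217 lookup wan2
1000:   from all lookup away
"""

# The MARK rules from `iptables-save -t mangle` as posted in the thread.
MANGLE = """\
*mangle
-A PREROUTING -p tcp -m tcp --dport 25 -j MARK --set-mark 0xa
-A PREROUTING -p tcp -m mport --dports 80,443,21 -j MARK --set-mark 0x14
COMMIT
"""

# `ip route ls table <name>` per table. wan1/wan2/away are from the thread;
# "main" is a constructed stand-in (LAN and DMZ routes only, no default).
TABLES = {
    "local": [],
    "main": ["192.168.1.0/24 dev eth1", "192.168.2.0/24 dev eth2"],
    "wan1": ["default via 213.223.96.122 dev eth0 src 213.223.96.121",
             "prohibit default metric 1"],
    "wan2": ["default via 82.236.230.254 dev eth3 src 82.236.230.217",
             "prohibit default metric 1"],
    "away": ["default", "nexthop via 82.236.230.254 dev eth3 weight 1",
             "nexthop via 213.223.96.122 dev eth0 weight 1"],
}

RULE_RE = re.compile(r"^\s*(\d+):\s+(.*?)\s+lookup\s+(\S+)")
MARK_RE = re.compile(r"-j MARK --set-x?mark\s+(\S+)")


def parse_mark(token):
    """'10', '0xa' and '0xa/0xff' all yield (10, mask); base 0 handles hex."""
    value, _, mask = token.partition("/")
    return int(value, 0), (int(mask, 0) if mask else 0xFFFFFFFF)


def parse_ip_rules(text):
    """Return (priority, fwmark-or-None, table) triples sorted by priority."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        fw = re.search(r"fwmark\s+(\S+)", m.group(2))
        mark = parse_mark(fw.group(1))[0] if fw else None
        rules.append((int(m.group(1)), mark, m.group(3)))
    return sorted(rules, key=lambda r: r[0])


def parse_mangle_marks(text):
    """Mark values written by MARK targets (set-xmark compared by value only)."""
    return {parse_mark(m.group(1))[0] for m in MARK_RE.finditer(text)}


def has_default_route(routes):
    """True if the table has a usable default; a 'prohibit default' is not one."""
    return any(r.split()[0] == "default" for r in routes if r.strip())


def check(ip_rule_text, mangle_text, tables):
    """List human-readable mismatches; an empty list means the pieces agree."""
    rules = parse_ip_rules(ip_rule_text)
    set_marks = parse_mangle_marks(mangle_text)
    rule_marks = {m for _, m, _ in rules if m is not None}
    findings = []
    for m in sorted(set_marks - rule_marks):
        findings.append(f"mangle sets mark {m:#x} ({m}) but no ip rule selects that fwmark")
    for m in sorted(rule_marks - set_marks):
        findings.append(f"ip rule selects fwmark {m:#x} ({m}) but no mangle rule sets it")
    fw_prios = [p for p, m, _ in rules if m is not None]
    if fw_prios:
        first_fw = min(fw_prios)
        for prio, mark, table in rules:
            if prio < first_fw and mark is None and has_default_route(tables.get(table, [])):
                findings.append(
                    f"rule {prio} (table {table}) has a default route and runs before "
                    f"the first fwmark rule at {first_fw}; marked traffic never gets there")
    return findings


if __name__ == "__main__":
    for finding in check(IP_RULE, MANGLE, TABLES) or ["no mismatch found"]:
        print(finding)
```

For the configuration as posted the check comes back empty: 0xa and 0x14 are 10 and 20, the fwmark rules sit at 152 and 153, and nothing before them has a default route, which matches what Laurent reports. Adding a `default via ...` line to `main`, or changing a selector to `fwmark 0x10` while the mangle rule still writes 0xa, produces a finding, which is the quick way to rule out those two explanations before looking elsewhere.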