Thanks for the advice, Alex. I've been able to add both default routes - I hadn't considered using the metric to avoid using the VPN link. I guess I wasn't very clear with my use of 64.233.183.103, which was meant to be a random internet address coming in over the VPN link, not the default internet link.

What exactly does the "prohibit default proto static metric 100" in your routing table do? Don't you already have a default route which would trigger before reaching this rule?

I still seem to have much the same problem. I no longer get ICMP unreachable errors, but the packet just seems to disappear - I can't see it being forwarded on any interface, nor can I find any kind of reply - ICMP or otherwise.

ip route get <random internet address> to 192.168.12.5

gives

192.168.12.5 dev eth3 src 192.168.12.1
    cache mtu 1500 advmss 1460 metric 10 64

ip route get <random internet address> to 192.168.12.5 iif eth1

gives

RTNETLINK answers: Invalid argument

Am I not understanding how "ip route get" works? The man pages are fairly succinct in their explanation.

Thanks for your help,

Paul Viney

On Tuesday 13 February 2007 21:40, Alex Samad wrote:
> On Tue, Feb 13, 2007 at 02:50:13PM +0100, Paul Viney wrote:
> > Hi all,
> >
> > I'm trying to set up a computer with 2 routes to the internet, much as
> > described at http://lartc.org/howto/lartc.rpdb.multiple-links.html . One
> > of my interfaces (eth5, 192.168.2.2) is only used for traffic originating
> > inside the network. The other (eth1, 192.168.1.2) is only used for a VPN,
> > where all (UDP) traffic originates from outside our network. I have
> > created a second routing table for eth1, with its own default gateway,
> > and selected it with ip rule from 192.168.1.2 iif lo lookup 4. All this
> > works fine.
> >
> > My problem is that one of the UDP ports is forwarded to another server
> > using iptables:
> > /sbin/iptables -t nat -A PREROUTING -i eth1 -p udp -d 192.168.1.2 --dport
> > 4902 -j DNAT --to 192.168.12.5:4902
> >
> > Using tcpdump on eth1, I can see that the incoming packets receive an
> > ICMP rejection, and when I try something like
> >
> > ip route get 192.168.12.5 from 64.233.183.103 iif eth1
> > I get "RTNETLINK answers: Invalid argument"
> >
> > If I try
> > ip route get 192.168.12.5 from 64.233.183.103 iif eth5
> > I get
> > 192.168.12.5 from 64.233.183.103 dev eth3 src 192.168.2.2
> >     cache mtu 1500 advmss 1460 metric 10 64 iif eth5
> >
> > which leads me to conclude that the difference has something to do with
> > the default route.
> > I've tried things like
> > ip rule add iif eth1 lookup 4 (4 being my custom routing table)
> > ip rule add from 192.168.1.2 lookup 4
> >
> > and even
> > iptables -t nat -I PREROUTING -i eth1 -p udp -j MARK --set-mark 1
> > ip rule from all fwmark 0x1 lookup 4
> > ip route flush cache
> >
> > I'm using Linux 2.6.19.2 + grsecurity patches, every option I could find
> > compiled in, on an up to date Gentoo system.
> >
> > Can anyone see what I'm missing?
> >
> > Thanks,
> >
> > Paul Viney
> >
> >
> > ip route show
> > 192.168.2.0/24 dev eth5 proto kernel scope link src 192.168.2.2
> > 192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.2
> > 192.168.12.0/24 dev eth3 proto kernel scope link src 192.168.12.1
> > 127.0.0.0/8 dev lo scope link
> > default via 192.168.2.1 dev eth5
> >
> > ip route show table 4
> > 192.168.2.0/24 dev eth5 proto kernel scope link src 192.168.2.2
> > 192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.2
> > 192.168.12.0/24 dev eth3 proto kernel scope link src 192.168.12.1
> > 127.0.0.0/8 dev lo scope link
> > default via 192.168.1.1 dev eth1
> >
> > ip rule show
> > 0: from all lookup local
> > 9999: from all fwmark 0x1 lookup 4
> > 10000: from 192.168.1.2 iif lo lookup 4
>
> If the IP address on eth1 is 64.233.183.103 then you need a rule
> 10001: from 64.233.183.103 lookup 4
>
> I don't think the fwmark rule will work with ip route get.
>
> Plus, in your routing information in table 4 you are saying that the
> default address is available via 192.168.1.1???? That doesn't match up
> with 64.233.183.103.
>
>
> This is my ip ru
> 0: from all lookup local
> 200: from 144.132.147.156 lookup cable
> 201: from 60.241.248.86 lookup adsl
> 32766: from all lookup main
> 32767: from all lookup default
>
>
> 144.132.147.156 is one ISP, 60.241.248.86 is the other one.
>
> ip r sh tab cable
> 192.168.8.248/29 dev tap0 scope link src 192.168.8.249
> 192.168.11.0/24 dev vlan0 scope link src 192.168.11.1
> 192.168.10.0/24 dev eth1 scope link src 192.168.10.1
> default via 144.132.144.1 dev vlan2 proto static src 144.132.147.156 metric 50
> prohibit default proto static metric 100
>
>
> ip r sh tab adsl
> 192.168.8.248/29 dev tap0 scope link src 192.168.8.249
> 192.168.11.0/24 dev vlan0 scope link src 192.168.11.1
> 192.168.10.0/24 dev eth1 scope link src 192.168.10.1
> default via 10.20.20.168 dev ppp0 proto static src 60.241.248.86 metric 20
> prohibit default proto static metric 100
>
> ip r sh tab default
> default proto static metric 5
>     nexthop via 144.132.144.1 dev vlan2 weight 1
>     nexthop via 10.20.20.168 dev ppp0 weight 20
> default via 10.20.20.168 dev ppp0 src 60.241.248.86 metric 20
> default via 144.132.144.1 dev vlan2 src 144.132.147.156 metric 30
>
>
> The difference for you should be in the default table; you will not need
> default proto static metric 5
>     nexthop via 144.132.144.1 dev vlan2 weight 1
>     nexthop via 10.20.20.168 dev ppp0 weight 20
>
>
> because you want all your traffic to go out 1 link.
>
> alex
>
> > 30000: from all lookup main
> > 30000: from all lookup default
> > _______________________________________________
> > LARTC mailing list
> > LARTC@xxxxxxxxxxxxxxx
> > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
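The thread turns on two things nobody spells out: what a `prohibit` route does inside a table, and why `ip route get ... iif eth1` fails with "Invalid argument" while the same lookup with `iif eth5` succeeds. The following is an added example written for this page; it is not code from the thread, from the kernel or from iproute2. It is a small Python model of the routing policy database, fed with the rules and tables quoted above, that resolves a lookup the way the 2.6 kernel does: rules in priority order; inside a table the longest prefix wins and, among equal prefixes, the lowest metric; a table with no matching route falls through to the next rule; a `prohibit` route ends the lookup with EACCES instead of falling through. For an input lookup (`iif` given) it also models the source validation that ip_route_input() performs via fib_validate_source(): the route back to the source is looked up with the forward route's output device as `iif` and without the packet mark, and with rp_filter on that route must leave via the interface the packet arrived on, otherwise the packet is a martian and the lookup fails with EINVAL. Assumptions: Paul's `local` table is constructed from the addresses he prints (he never shows it); Alex's `main` table is not shown and is left empty; Alex's `default` table is reduced to its two single-path entries because multipath (`nexthop`) routes are not parsed; 64.233.183.103 stands in for the random internet host, as in the thread.

```python
"""Model of the Linux policy routing database (RPDB), run over this thread's tables.
Added example, not code from the thread or the kernel.  Lookup follows 2.6: rules by
priority; within a table longest prefix, then lowest metric; a table with no match falls
through to the next rule; prohibit/unreachable/blackhole routes end the lookup with an
error.  With iif set it also models fib_validate_source() (rp_filter).  Multipath routes
are not parsed; the local table below is constructed, the thread never prints it.
"""
import ipaddress

ERRORS = {"prohibit": "EACCES", "unreachable": "EHOSTUNREACH", "blackhole": "EINVAL"}
TYPES = ("unicast", "local", "broadcast", *ERRORS)

def _net(text):
    return ipaddress.ip_network("0.0.0.0/0" if text == "default" else text, strict=False)

def parse_route(line):
    """One `ip route show` line: [type] prefix, then key/value pairs (proto, scope ignored)."""
    tok = line.split()
    rtype = tok.pop(0) if tok[0] in TYPES else "unicast"
    prefix = _net(tok.pop(0))
    kv = dict(zip(tok[0::2], tok[1::2]))
    return {"prefix": prefix, "type": rtype, "via": kv.get("via"), "dev": kv.get("dev"),
            "src": kv.get("src"), "metric": int(kv.get("metric", 0))}

def parse_rule(line):
    """One `ip rule show` line: 'PRIO: from X [iif DEV] [fwmark N] lookup TABLE'."""
    tok = line.split()
    kv = dict(zip(tok[1::2], tok[2::2]))
    return {"prio": int(tok[0].rstrip(":")), "table": kv["lookup"], "iif": kv.get("iif"),
            "src": None if kv.get("from", "all") == "all" else _net(kv["from"]),
            "fwmark": int(kv["fwmark"], 0) if "fwmark" in kv else None}

class Rpdb:
    def __init__(self, rules, tables):
        self.rules = sorted((parse_rule(r) for r in rules), key=lambda r: r["prio"])
        self.tables = {t: [parse_route(l) for l in lines] for t, lines in tables.items()}
    def table_lookup(self, table, dst):
        """Longest prefix wins; among equal prefixes the lowest metric wins."""
        hits = [r for r in self.tables.get(table, []) if dst in r["prefix"]]
        return min(hits, key=lambda r: (-r["prefix"].prefixlen, r["metric"]), default=None)
    def prefsrc(self, route):
        """Preferred source: the route's own src, else the local address on its device."""
        local = [r for r in self.tables.get("local", [])
                 if r["type"] == "local" and r["dev"] == route["dev"]]
        return route["src"] or (str(local[0]["prefix"].network_address) if local else None)
    def fib_lookup(self, dst, src="0.0.0.0", iif=None, fwmark=0):
        """Walk the rules by priority; a table with no matching route falls through."""
        dst, src = ipaddress.ip_address(dst), ipaddress.ip_address(src)
        for rule in self.rules:
            if rule["src"] is not None and src not in rule["src"]:
                continue
            if rule["iif"] not in (None, iif) or rule["fwmark"] not in (None, fwmark):
                continue
            route = self.table_lookup(rule["table"], dst)
            if route is None:
                continue
            if route["type"] in ERRORS:
                return {"error": ERRORS[route["type"]], "table": rule["table"]}
            return {"dev": route["dev"], "via": route["via"], "src": self.prefsrc(route),
                    "table": rule["table"]}
        return {"error": "ENETUNREACH", "table": None}
    def route_get(self, dst, src="0.0.0.0", iif=None, fwmark=0, rp_filter=True):
        """`ip route get DST [from SRC] [iif DEV]`: output lookup, or input lookup + source check."""
        fwd = self.fib_lookup(dst, src, iif, fwmark)
        if iif is None or "error" in fwd:
            return fwd
        if ipaddress.ip_address(src).is_unspecified:            # ZERONET(saddr) is a martian
            return {"error": "EINVAL", "reason": "source 0.0.0.0 is a martian"}
        # fib_validate_source(): route back to SRC with the forward route's output device
        # as iif and no fwmark; with rp_filter on it must leave via the arrival device.
        rev = self.fib_lookup(src, dst, iif=fwd["dev"])
        if rp_filter and rev.get("dev") != iif:
            return {"error": "EINVAL", "reason": f"reverse path via {rev.get('dev')}, not {iif}"}
        fwd["src"] = rev.get("src") or fwd["src"]                # spec_dst, printed as src
        return fwd

LINKS = ["192.168.2.0/24 dev eth5 proto kernel scope link src 192.168.2.2",
         "192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.2",
         "192.168.12.0/24 dev eth3 proto kernel scope link src 192.168.12.1"]
# Paul's rules and tables as quoted in the thread; the local table is constructed here.
PAUL = Rpdb(["0: from all lookup local", "9999: from all fwmark 0x1 lookup 4",
             "10000: from 192.168.1.2 iif lo lookup 4", "30000: from all lookup main",
             "30000: from all lookup default"],
            {"local": ["local 192.168.2.2 dev eth5", "local 192.168.1.2 dev eth1",
                       "local 192.168.12.1 dev eth3"],
             "main": LINKS + ["default via 192.168.2.1 dev eth5"],
             "4": LINKS + ["default via 192.168.1.1 dev eth1"]})

def alex_rpdb(cable_up=True, with_prohibit=True):
    """Alex's rules and cable table; his default table is cut to its single-path entries."""
    cable = ["192.168.10.0/24 dev eth1 scope link src 192.168.10.1"]
    if cable_up:
        cable.append("default via 144.132.144.1 dev vlan2 proto static src 144.132.147.156 metric 50")
    if with_prohibit:
        cable.append("prohibit default proto static metric 100")
    return Rpdb(["0: from all lookup local", "200: from 144.132.147.156 lookup cable",
                 "201: from 60.241.248.86 lookup adsl", "32766: from all lookup main",
                 "32767: from all lookup default"],
                {"cable": cable,
                 "default": ["default via 10.20.20.168 dev ppp0 src 60.241.248.86 metric 20",
                             "default via 144.132.144.1 dev vlan2 src 144.132.147.156 metric 30"]})
```

Calling `PAUL.route_get("192.168.12.5", "64.233.183.103", iif="eth5")` reproduces the `dev eth3 src 192.168.2.2` line Paul quotes (the `src` is the preferred source of the reverse route, which is why it is eth5's address rather than eth3's). The same call with `iif="eth1"` returns EINVAL: the reverse lookup for 64.233.183.103 runs with `iif` set to the forward output device (eth3) and no mark, so neither the `from 192.168.1.2 iif lo` rule nor the fwmark rule matches, the main table's default via eth5 is chosen, and rp_filter rejects a packet that arrived on eth1. Passing `fwmark=1` does not change that outcome, and passing `rp_filter=False` resolves the lookup to eth3, so the check worth doing on the box is `cat /proc/sys/net/ipv4/conf/eth1/rp_filter`. A `route get` with `iif` but no `from`, like the second command Paul quotes, has source 0.0.0.0, which the input path rejects as a martian before any table is consulted. The `alex_rpdb()` variants answer the `prohibit` question: while the metric-50 default exists it wins on metric; once it is gone (link down, route withdrawn) the prohibit route terminates the lookup with EACCES instead of letting the packet fall through to the default table and leave via ppp0 with the cable ISP's source address.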