I'm jumping on one leg! Forgive me if I don't sound serious right now. Yeah... no service on the firewall, right? :-) That's absolutely not the case with this particular firewall. Not like I have a networking lab on the firewall... but there's squid and VPN (at least).

I want to make sure I got it right: Suppose I have three internet connections. I will load-balance two of them and leave one out just for VPN connections and other services. According to what you are saying, I could mark the packets in mangle OUTPUT that come from the VPN service and then force them to go out with a rule that uses that firewall mark.... right?

Thank you very much for your feedback!

Note: It's not like I'm freaky and I just want to load-balance two of them, leaving one out. I COULDN'T get all three to load-balance. After some experimentation I noticed that two of the interfaces didn't get along very well for multipath routing. I think it's because they're both on the same network. Maybe you know of some multipath guru who could help me with this so I can load-balance all of them.

On 7/21/05, Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxxxxxx> wrote:
> On Thu, 21 Jul 2005, Jan Engelhardt wrote:
>
> > >local process -> routing -> OUTPUT chain -> routing -> POSTROUTING chain
> > >
> > >No problem with policy routing for the locally generated traffic.
> >
> > This sounds like a total overhead calculating the route twice.
>
> The first one is required to fill out output device for the packet. The
> second one is there to give chance to play with routing in OUTPUT.
>
> This is traffic, generated locally, on the firewall.
> You should run nothing on your firewall ;-)
>
> Best regards,
> Jozsef
> -
> E-mail : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxxxxx
> PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
> Address : KFKI Research Institute for Particle and Nuclear Physics
> H-1525 Budapest 114, POB. 49, Hungary
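The mark-in-mangle-OUTPUT plus fwmark-routing setup discussed in this message, written out as an added shell example that is not part of the thread. Interface names, gateway addresses (documentation ranges), the VPN daemon's UDP port, the mark value and the table number are all assumptions; the script only prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the thread. Three uplinks: two load-balanced via a
# multipath default route in the main table, the third reserved for VPN traffic
# generated on the firewall itself. All values below are constructed assumptions.
LB_IF1=${LB_IF1:-eth1}; LB_GW1=${LB_GW1:-198.51.100.1}
LB_IF2=${LB_IF2:-eth2}; LB_GW2=${LB_GW2:-192.0.2.1}
VPN_IF=${VPN_IF:-eth3};   VPN_GW=${VPN_GW:-203.0.113.1}
VPN_PORT=${VPN_PORT:-1194}   # UDP source port of the local VPN daemon (assumed)
VPN_MARK=${VPN_MARK:-3}      # arbitrary fwmark value
VPN_TABLE=${VPN_TABLE:-100}  # numeric table: no /etc/iproute2/rt_tables entry needed

# Emit the iptables/iproute2 commands; the caller decides whether to run them.
gen_vpn_policy_rules() {
    cat <<EOF
# 1. Mark VPN packets the firewall itself generates. Locally generated traffic
#    traverses mangle/OUTPUT, and the kernel re-routes it afterwards, so the
#    mark set here is seen by the second routing lookup.
iptables -t mangle -A OUTPUT -p udp --sport $VPN_PORT -j MARK --set-mark $VPN_MARK
# 2. A routing table whose only default route is the reserved uplink, and a
#    policy rule that sends marked packets to it.
ip route add default via $VPN_GW dev $VPN_IF table $VPN_TABLE
ip rule add fwmark $VPN_MARK table $VPN_TABLE
# 3. Everything else keeps the two-way multipath default in the main table.
ip route replace default scope global nexthop via $LB_GW1 dev $LB_IF1 weight 1 nexthop via $LB_GW2 dev $LB_IF2 weight 1
# 4. The peer's replies arrive on $VPN_IF, but the main table would route the
#    peer out the balanced uplinks, so a strict reverse-path filter drops them;
#    relax it on that interface (2 = loose, on kernels that support it).
sysctl -w net.ipv4.conf.$VPN_IF.rp_filter=2
ip route flush cache
EOF
}

# Caveat: the source address is chosen during the FIRST routing pass, before
# OUTPUT runs, so the re-routed packets still carry a balanced uplink's address
# unless the VPN daemon is bound to $VPN_IF's own address. Do that binding in the
# daemon's config rather than relying on the mark alone.
if [ "${APPLY:-0}" = 1 ]; then
    gen_vpn_policy_rules | sh      # needs root; applies the rules
else
    gen_vpn_policy_rules           # dry run: review before applying
fi
```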