Can't mark packets from named VPN interface?

I have multiple ISPs and typically put in mangle rules for input and output so that packets leave on the same interface they came in on. I am trying to do that with a VPN tunnel that has been named. The idea is that I have a NAT rule on a remote router so that a connection to a certain port on its WAN port actually forwards across the VPN to the other router. This part actually works. The problem is on the return. Logging actually shows the packet coming in and forwarding to the correct address, but the return goes out the default route and not back into the VPN. I’ve tried the standard mangle rules but they don’t work. I’ve tried them in ALL chains and nothing works. Any help?

What type of VPN is it?

And is it a traditional VPN in the sense that it connects one closed network to another (e.g. between company branches),
or is it the new hype of VPN that in reality is a tunnel to some different exit point to the internet?

Just a standard l2tp-(server/client) connection. Routing between 192.168.1.X and 192.168.2.X

MT2 is a NAT from the ISP, not externally addressable. I want to use the public on MT1 to access Server1.
The port forward to Server1 is straightforward and does hit MT2 just fine, the debug log even shows that it’s IN: is the named VPN, but nothing I do to tag that traffic and send it back out the same interface is working. I would normally just mark the connection on everything over the named interface then route it back out on the OUTPUT chain. Doesn’t work with the VPN interface.

I DO have a workaround… but it seems nasty, involving dynamically created address lists.

    Public 1 (Non-nat)                    Public 1 (nat’d by isp)
            |                                       |
        MT1 (.1.X) --------------------------- MT2 (.2.X)
                                                    |
                                              Server1 (.2.X)


This diagram looks good in the preview but not the post. But I think you get it.

In this case you can mark the traffic by its address, as the endpoints of the VPN both are small networks.
On the L2TP server side, it is also possible to use a dedicated PPP profile (copy the default profile) and
set the “interface list” option in that profile to an interface list you have created. That will add the VPN
interface to an interface list at the time it is established, and that list membership can be used to match
the traffic.
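The interface-list approach from this reply, written out as an added RouterOS configuration example for MT2 (this is not the poster's or the replier's own config). Assumed names, none of which come from the thread: interface list "vpn-list", PPP profile "l2tp-to-mt1", L2TP user "mt1", static tunnel interface "l2tp-mt1", LAN interface "bridge-lan", connection mark "from-vpn" and routing mark "via-vpn"; MT2 is assumed to be the L2TP server side, since that is where the profile option applies. One point the example relies on: packets that MT2 forwards for Server1 traverse prerouting and forward, never output, so the routing mark for the return direction is applied in prerouting on packets arriving from the LAN that already carry the connection mark.

```routeros
# Added example for MT2 (assumed L2TP server). All names below are assumptions.

# 1. Interface list that the tunnel interface joins when it is established
/interface list add name=vpn-list

# 2. Dedicated PPP profile (copy of default) whose interface-list option adds
#    the tunnel to that list; a secret for the MT1 side uses this profile
/ppp profile add name=l2tp-to-mt1 copy-from=default interface-list=vpn-list
/ppp secret add name=mt1 password=CHANGE-ME service=l2tp profile=l2tp-to-mt1 \
    local-address=10.255.0.1 remote-address=10.255.0.2

# 3. Static binding so the tunnel always has the same interface name for the route
/interface l2tp-server add name=l2tp-mt1 user=mt1

# 4. Mark the connection on its first packet arriving over the tunnel
#    (matched by list membership rather than by interface name)
/ip firewall mangle add chain=prerouting in-interface-list=vpn-list \
    connection-state=new action=mark-connection new-connection-mark=from-vpn \
    passthrough=yes comment="forwarded connection entered via the VPN"

# 5. Replies from Server1 arrive on the LAN, not on the tunnel; they carry the
#    connection mark, so give them a routing mark before the routing decision
/ip firewall mangle add chain=prerouting in-interface=bridge-lan \
    connection-mark=from-vpn action=mark-routing new-routing-mark=via-vpn \
    passthrough=no comment="send replies back through the tunnel"

# 6. Policy route: anything carrying the routing mark leaves via the tunnel
/ip route add dst-address=0.0.0.0/0 gateway=l2tp-mt1 routing-mark=via-vpn \
    comment="return path for VPN-originated connections"
```

The route syntax is RouterOS v6; on v7 the routing mark is a routing table that must exist first (`/routing table add name=via-vpn fib`) and the route uses `routing-table=via-vpn` instead of `routing-mark=`. To check that the marks are being applied, watch the packet counters on the two mangle rules while a connection is made through the forwarded port, and confirm with `/ip firewall connection print where connection-mark=from-vpn` that the tracked connection carries the mark.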

I understood where you were going with that.. but that’s the problem. Traffic DOESN’T match on the VPN interface name. I’ve tried every path, input, prerouting, etc, but nothing is matching on the VPN interface name. Matches on a “real” interface just fine.

Please clarify what you mean with “match the interface name”.