FAIL OVER/LB TWO TYPES - Simple

https://mum.mikrotik.com/presentations/BD18/presentation_5334_1526489660.pdf

Two questions

(1) In the second example of failover using mangle (WAN Connection), the presenter marks the input chain for connections and then further uses that in a mark-routing for an output chain.
Very confusing to me as most traffic is being forwarded (not in or out to the router??) - but not using forward chain??
I am bamboozled by this mangling as if I had just downed 10 beers, okay two beers.

Q1. Can someone break down what is going on here and how it's providing fail over or load balancing??

(2) The first example using pre-routing was much easier for me to follow. The presenter takes the first 128 IPs from the DHCP LAN and mark routes it to one ISP and then takes the next 128 IPs and mark routes it to ISP2 (via source address). What is not clear to me is the failover aspect. I note he skillfully crafts a third IP route that includes BOTH previous Gateway IPs, but no mention of routing mark.

Q2. Can I assume that the router will route the traffic according to the mangle rule and if that ISP becomes unavailable the router will utilize the third rule to find the available route through the other ISP??

A1: for the purpose of multi-WAN setup, connection marking in chain input can be replaced by connection marking in chain prerouting because prerouting handles both packets to be forwarded and packets to be received locally (rules in chain input of mangle are used after rules in chain prerouting of mangle).

For connections initiated by the 'Tik itself or by clients on its LAN side, you are free to use your own rules to choose the WAN (and note the choice down to the connection context using the connection-mark); however, for connections initiated by clients in the internet, the choice of WAN has already been done by the client (by sending the packet to that WAN’s IP address) and you have to follow it if you want the connection to work. So in this case you assign the connection-mark depending on the in-interface, in chain prerouting (or chain input if there is a reason).

For all packets to be forwarded to the internet from LAN, you translate the connection-mark, no matter based on what it has been assigned, to routing-mark in chain postrouting of mangle; for all packets sent by the 'Tik itself, you do the same in chain output of mangle. The routing-mark is another way to say “routing table name”.

A2: what I can see in the presentation is that there is no dynamic load balancing - the text says “Some IPs will be marked for ISP1 and some IPs will be marked for ISP2”, which is a kind of static load balancing; we can assume that the amount of traffic generated by the two groups of devices is approximately equal. And for that purpose, the two user routing tables (isp1 and isp2) are used. The default routing table sends packets which have somehow escaped any marking (locally originated, forwarded from a subnet other than 192.168.1.0/24) randomly via one of the two gateways configured on the same default route, so if there is a NAT (and it would be there in most real life deployments), the connections would be with a lot of packet drops.
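
An added example, not part of the thread or the presentation: a RouterOS v6 configuration of the scheme discussed in A1 and A2, with in-interface marking for connections arriving from the internet, the static /25 split for LAN clients, and main-table default routes as the failover path. Interface names, gateway addresses (documentation ranges) and mark names are assumptions; the mark-routing rules sit in prerouting and output because those are the mangle chains where RouterOS accepts action=mark-routing.

```routeros
# Added example (RouterOS v6 syntax). Assumed names: ether1-isp1, ether2-isp2,
# bridge-lan; gateways 192.0.2.1 / 198.51.100.1 are documentation addresses.
/ip firewall mangle
# Connections opened from the internet: remember which WAN they arrived on.
add chain=prerouting in-interface=ether1-isp1 connection-mark=no-mark \
    action=mark-connection new-connection-mark=isp1_conn passthrough=yes
add chain=prerouting in-interface=ether2-isp2 connection-mark=no-mark \
    action=mark-connection new-connection-mark=isp2_conn passthrough=yes
# Connections opened by LAN clients: static split of 192.168.1.0/24 in two halves.
add chain=prerouting in-interface=bridge-lan src-address=192.168.1.0/25 \
    dst-address-type=!local connection-mark=no-mark \
    action=mark-connection new-connection-mark=isp1_conn passthrough=yes
add chain=prerouting in-interface=bridge-lan src-address=192.168.1.128/25 \
    dst-address-type=!local connection-mark=no-mark \
    action=mark-connection new-connection-mark=isp2_conn passthrough=yes
# Translate the connection-mark into a routing-mark (routing table name)
# for packets entering from the LAN ...
add chain=prerouting in-interface=bridge-lan connection-mark=isp1_conn \
    action=mark-routing new-routing-mark=isp1 passthrough=no
add chain=prerouting in-interface=bridge-lan connection-mark=isp2_conn \
    action=mark-routing new-routing-mark=isp2 passthrough=no
# ... and for packets the router itself sends on marked connections.
add chain=output connection-mark=isp1_conn action=mark-routing \
    new-routing-mark=isp1 passthrough=no
add chain=output connection-mark=isp2_conn action=mark-routing \
    new-routing-mark=isp2 passthrough=no

/ip route
# One default route per routing table; check-gateway deactivates a dead one.
add dst-address=0.0.0.0/0 gateway=192.0.2.1 routing-mark=isp1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-mark=isp2 check-gateway=ping
# Main table: used by unmarked packets and when a marked table has no active route.
# Two routes with distinct distances, instead of one route listing both gateways,
# so unmarked traffic uses one WAN at a time.
add dst-address=0.0.0.0/0 gateway=192.0.2.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=198.51.100.1 distance=2 check-gateway=ping

/ip firewall nat
# Source NAT per WAN, so each connection leaves with that WAN's address.
add chain=srcnat out-interface=ether1-isp1 action=masquerade
add chain=srcnat out-interface=ether2-isp2 action=masquerade
```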