Trouble with policy routing and mangle.

Help :)
I have 2 ISP connections, ADSL (2Mb/256Kb and 1Mb/256Kb), and I want to use the DSL 2Mb link for

specific ports (HTTP, FTP, POP3, SMTP, ICMP, etc.) and put all other traffic on the DSL 1Mb link.
That is the problem for me.
I tried to do LB, but it drops the established connections.

I'm having difficulties getting the mangle rules to work.


This is my ip route:
0 ADC 83.17.yy.yy/30 83.17.yy.yy DSL 1Mb
1 ADC 83.19.xx.xx/29 83.19.xx.xx DSL 2Mb
2 ADC 192.168.0.0/24 192.168.0.2 ether1
3 A S 0.0.0.0/0 r 83.17.yy.yy DSL 1Mb
4 A S 0.0.0.0/0 r 83.19.xx.xx DSL 2Mb

Best would be a step by step example. I will try to show how it looks in MT 2.9.6:
I will be glad if anyone helps me.
Thanks for all.

Can you post your mangle rules here?

Regards

Andrew

Hi Andrew
This is my mangle table:

[admin@Server] ip firewall mangle> print
Flags: X - disabled, I - invalid, D - dynamic
0 X ;;; HTTP na druga brame
chain=prerouting protocol=tcp dst-port=80 action=mark-routing new-routing-mark=net2 passthrough=yes

1 X ;;; FTP
chain=prerouting protocol=tcp dst-port=20-21 action=mark-routing new-routing-mark=net2
passthrough=yes

2 X ;;; SSL
chain=prerouting protocol=tcp dst-port=443 action=mark-routing new-routing-mark=net2 passthrough=yes

3 X ;;; GG
chain=prerouting protocol=tcp dst-port=8074 action=mark-routing new-routing-mark=net2 passthrough=yes

4 X ;;; SMTP
chain=prerouting protocol=tcp dst-port=25 action=mark-routing new-routing-mark=net2 passthrough=yes

5 X ;;; DNS
chain=prerouting protocol=udp dst-port=53 action=mark-routing new-routing-mark=net2 passthrough=yes
[admin@Server] ip firewall mangle>

Thanks

And this is the masquerade:

[admin@Server] ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Maskarada DSL1
chain=srcnat out-interface=DSL 1Mb action=masquerade

1 ;;; Maskarada DSL2
chain=srcnat out-interface=DSL 2Mb action=masquerade
[admin@Server] ip firewall nat>

From your route table I see you have the two gateways defined with route marks. I only see one route mark defined in the mangle table though. Are you applying a default route mark for all traffic not on your specific list anywhere?

All your mangle rules are currently disabled as well.

Using masquerade on the two DSL interfaces may cause problems. You could try using Source NAT instead.

Regards

Andrew
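An added example (my own, not taken from any post in this thread) of the three parts Andrew is pointing at: a routing mark for the default traffic as well as the special ports, an enabled mangle table, and src-nat instead of masquerade. It assumes the interface names, LAN subnet and masked gateway addresses from the first post's route table, and uses RouterOS v6-style CLI syntax; the keywords shown also exist in 2.9, but the comma-separated port lists need v3 or later (on 2.9 split them into one rule per port or range), and v7 replaces routing-mark on routes with routing-table. Marking the connection once, on its first packet, and deriving the routing mark from that connection mark is what keeps an established flow on the link it started on.

```routeros
# Added example, not the thread author's config. Assumed names: ether1 (LAN),
# "DSL 1Mb" and "DSL 2Mb" (WAN), gateways 83.17.yy.yy and 83.19.xx.xx as masked
# in the original post. Routing marks DSL1 / DSL2 follow the poster's naming.

/ip firewall mangle
# 1. Classify each LAN connection once, on its first packet only
#    (connection-state=new), so a flow is never re-marked mid-stream.
add chain=prerouting in-interface=ether1 connection-state=new \
    protocol=tcp dst-port=20-21,25,80,110,443 \
    action=mark-connection new-connection-mark=via_dsl2 passthrough=yes \
    comment="special TCP ports -> DSL 2Mb"
add chain=prerouting in-interface=ether1 connection-state=new \
    protocol=icmp \
    action=mark-connection new-connection-mark=via_dsl2 passthrough=yes \
    comment="ICMP -> DSL 2Mb"
# Everything else from the LAN goes to the 1Mb link. connection-mark=no-mark
# keeps this catch-all from overwriting the via_dsl2 mark set just above.
add chain=prerouting in-interface=ether1 connection-state=new \
    connection-mark=no-mark \
    action=mark-connection new-connection-mark=via_dsl1 passthrough=yes \
    comment="all other traffic -> DSL 1Mb"

# 2. Turn the connection mark into a routing mark on every packet of the flow.
#    passthrough=no: once the routing mark is set there is nothing left to do.
add chain=prerouting in-interface=ether1 connection-mark=via_dsl2 \
    action=mark-routing new-routing-mark=DSL2 passthrough=no
add chain=prerouting in-interface=ether1 connection-mark=via_dsl1 \
    action=mark-routing new-routing-mark=DSL1 passthrough=no

/ip route
# 3. One default route per routing mark, plus an unmarked default route for
#    the router's own traffic and for anything that reaches routing unmarked.
add dst-address=0.0.0.0/0 gateway=83.19.xx.xx routing-mark=DSL2 comment="DSL 2Mb"
add dst-address=0.0.0.0/0 gateway=83.17.yy.yy routing-mark=DSL1 comment="DSL 1Mb"
add dst-address=0.0.0.0/0 gateway=83.17.yy.yy distance=1 comment="unmarked fallback"

/ip firewall nat
# 4. Source NAT with the fixed address of each link, chosen by the outgoing
#    interface the routing mark selected.
add chain=srcnat out-interface="DSL 1Mb" action=src-nat to-addresses=83.17.yy.yy
add chain=srcnat out-interface="DSL 2Mb" action=src-nat to-addresses=83.19.xx.xx
```

Two things to check after applying this: `/ip firewall mangle print` must show none of the rules flagged X (disabled rules match nothing), and the rule counters for the mark-routing rules should climb while LAN hosts browse. Prerouting marks only affect forwarded traffic; packets the router itself originates (DNS lookups, updates) follow the unmarked default route unless separate chain=output rules are added.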

Hi.
Thanks for all.
It is working fine :)
I had trouble with masquerade; when I changed to NAT, everything started working.
Bye

Hello, I still have trouble with masquerade and two internet links. I tried to change masq to NAT and I messed something up. Can you please explain exactly what to do… Thanks…

Hi
You must use NAT.
This is my code:
[admin@Server] ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; NAT DSL 1Mb
chain=srcnat out-interface=DSL 1Mb action=src-nat to-addresses=83.17.xx.xxx to-ports=0-65535

1 ;;; NAT DSL 2Mb
chain=srcnat out-interface=DSL 2Mb action=src-nat to-addresses=83.19.yyy.yyy to-ports=0-65535
[admin@Server] ip firewall nat>

And the mangle table for the other services:

[admin@Server] ip firewall mangle> print
Flags: X - disabled, I - invalid, D - dynamic
0 X ;;; FTP
chain=prerouting in-interface=ether1 protocol=tcp dst-port=20-21 action=mark-routing
new-routing-mark=DSL1 passthrough=yes

1 ;;; SSL
chain=prerouting in-interface=ether1 protocol=tcp dst-port=443 action=mark-routing
new-routing-mark=DSL1 passthrough=yes

2 ;;; GG
chain=prerouting in-interface=ether1 protocol=tcp dst-port=8074 action=mark-routing
new-routing-mark=DSL1 passthrough=yes

3 ;;; SMTP
chain=prerouting in-interface=ether1 protocol=tcp dst-port=25 action=mark-routing
new-routing-mark=DSL1 passthrough=yes

4 ;;; DNS
chain=prerouting in-interface=ether1 protocol=udp dst-port=53 action=mark-routing
new-routing-mark=DSL1 passthrough=yes

I think that is helpful for you.

Bye

I have been trying a similar thing.

I have two ISP connections and I want to send some traffic through one ISP and P2P traffic through the other.

I'm using version 2.9.1 and I have configured the router as a hotspot.

The problem is that I have managed to redirect all the traffic except HTTP (port 80).

The counters increase when you surf the internet, but it keeps going by the default route.

Could the problem be the hotspot configuration?

This is my configuration:

ip route>

1 ADC 10.5.50.0/24 10.5.50.1 hotspot_users
2 S 80.58.61.250/32 u 192.168.125.1
3 S 80.58.61.254/32 u 192.168.125.1
4 S 192.168.1.0/24 u 10.0.104.1
5 ADC 192.168.1.0/24 192.168.1.252 ISP2
6 ADC 192.168.50.0/24 192.168.50.100 ISP1
7 A S 0.0.0.0/0 r 192.168.50.1 ISP1
8 S 0.0.0.0/0 r 192.168.1.1 ISP2
9 A S 0.0.0.0/0 r 192.168.1.1 ISP2
10 A S 0.0.0.0/0 r 192.168.1.1 ISP2
11 S 0.0.0.0/0 r 192.168.1.1 ISP2
12 A S 0.0.0.0/0 r 192.168.1.1 ISP2
13 A S 0.0.0.0/0 r 192.168.1.1 ISP2
14 A S 0.0.0.0/0 r 192.168.1.1 ISP2
15 A S 0.0.0.0/0 r 192.168.1.1 ISP2
16 A S 0.0.0.0/0 r 192.168.1.1 ISP2
17 A S 0.0.0.0/0 r 192.168.1.1 ISP2
18 A S 0.0.0.0/0 r 192.168.1.1 ISP2
19 A S 0.0.0.0/0 r 192.168.1.1 ISP2
20 A S 0.0.0.0/0 r 192.168.1.1 ISP2
21 A S 0.0.0.0/0 r 192.168.1.1 ISP2
22 A S 0.0.0.0/0 r 192.168.1.1 ISP2
23 A S 0.0.0.0/0 r 192.168.1.1 ISP2
24 A S 0.0.0.0/0 r 192.168.1.1 ISP2
25 S 0.0.0.0/0 r 192.168.1.1 ISP2
26 S 0.0.0.0/0 r 192.168.1.1 ISP2
27 S 0.0.0.0/0 r 192.168.1.1

[admin@Pruebas] ip firewall mangle> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=prerouting in-interface=hotspot_users protocol=tcp dst-port=0-1024
action=mark-routing new-routing-mark=ConocidosTCP

1 chain=prerouting in-interface=hotspot_users protocol=udp dst-port=0-1024
action=mark-routing new-routing-mark=conocidosUDP

2 chain=prerouting in-interface=hotspot_users protocol=tcp dst-port=1863
action=mark-routing new-routing-mark=MSNmessengertcp

3 chain=prerouting in-interface=hotspot_users protocol=tcp dst-port=5190
action=mark-routing new-routing-mark=icq

4 chain=prerouting in-interface=hotspot_users protocol=udp dst-port=5190
action=mark-routing new-routing-mark=mIRCchatudp

5 chain=prerouting in-interface=hotspot_users protocol=tcp
dst-port=6660-6669 action=mark-routing new-routing-mark=mIRCchat

6 chain=prerouting in-interface=hotspot_users protocol=tcp dst-port=6667
action=mark-routing new-routing-mark=MSNgamezonetcp1

7 chain=prerouting in-interface=hotspot_users protocol=udp dst-port=6667
action=mark-routing new-routing-mark=MSNgamezoneudp1

8 chain=prerouting in-interface=hotspot_users protocol=udp
dst-port=28800-29000 action=mark-routing


Flags: X - disabled, I - invalid, D - dynamic

ADDRESS NETWORK BROADCAST INTERFACE

0 ;;; hotspot network
10.5.50.1/24 10.5.50.0 10.5.50.255 hotspot_users
1 10.4.0.51/16 10.4.0.0 10.4.255.255 hotspot_users
2 192.168.1.252/24 192.168.1.0 192.168.1.255 ISP2
3 192.168.50.100/24 192.168.50.0 192.168.50.255 ISP1

interface

1 R ISP1 ether 0 0 1500
2 R ISP2 ether 0 0 1500
3 R hotspot_users wlan 0 0 1500
4 X wlan2 wlan 0 0 1500