I have enabled everything except HTTP, HTTP_BIG and one I called 'THE_REST', because when I enabled these no one could access various web sites, such as http://www.adobe.com, http://www.sybase.com and a host of others. It was always the same web sites, and lots of them, until I disabled those three rules; then it works fine. I am not sure if the other traffic like ACK or DNS is having a problem, but no one has complained and it has been up a couple of days like this now.
I assume this is because those disabled rules are stopping the traffic flow passing to the dynamic rule set that appeared after I configured the PPPoE TPG fibre gateway. I have added those two dynamic rules in at the end of this post.
Should just marking traffic cause it to stop going out the normal route? Or have I done something wrong that I can't see here?
My mangle rules:
0 ;;; VOIP - Voip traffic FROM PBX (5060-5061, 10000-20000 udp)
chain=forward action=mark-connection new-connection-mark=VOIP passthrough=yes connection-state=new protocol=udp src-address=10.10.20.5 port=5060-5061,10000-20000
1 chain=forward action=mark-packet new-packet-mark=VOIP passthrough=no connection-mark=VOIP
2 ;;; VOIP - Voip traffic TO PBX (5060-5061, 10000-20000 udp)
chain=output action=mark-connection new-connection-mark=VOIP passthrough=yes connection-state=new protocol=udp dst-address=10.10.20.5 port=5060-5061,10000-20000
3 chain=output action=mark-packet new-packet-mark=VOIP passthrough=no connection-mark=VOIP
4 ;;; V_GENERAL - other traffic FROM voice network
chain=forward action=mark-connection new-connection-mark=V_GENERAL passthrough=yes src-address-list=VoIP_Network connection-mark=no-mark
5 chain=forward action=mark-packet new-packet-mark=V_GENERAL passthrough=no connection-mark=V_GENERAL
6 ;;; V_GENERAL - other traffic TO voice network
chain=output action=mark-connection new-connection-mark=V_GENERAL passthrough=yes dst-address-list=VoIP_Network connection-mark=no-mark
7 chain=output action=mark-packet new-packet-mark=V_GENERAL passthrough=no connection-mark=V_GENERAL
8 ;;; DNS
chain=forward action=mark-connection new-connection-mark=DNS passthrough=yes connection-state=new protocol=udp port=53
9 chain=forward action=mark-packet new-packet-mark=DNS passthrough=no connection-mark=DNS
10 chain=output action=mark-connection new-connection-mark=DNS passthrough=yes connection-state=new protocol=udp port=53
11 chain=output action=mark-packet new-packet-mark=DNS passthrough=no connection-mark=DNS
12 ;;; UDP
chain=forward action=mark-connection new-connection-mark=UDP passthrough=yes connection-state=new protocol=udp
13 chain=forward action=mark-packet new-packet-mark=UDP passthrough=no connection-mark=UDP
14 ;;; ICMP
chain=forward action=mark-connection new-connection-mark=ICMP passthrough=yes connection-state=new protocol=icmp
15 chain=forward action=mark-packet new-packet-mark=ICMP passthrough=no connection-mark=ICMP
16 chain=output action=mark-connection new-connection-mark=ICMP passthrough=yes connection-state=new protocol=icmp
17 chain=output action=mark-packet new-packet-mark=ICMP passthrough=no connection-mark=ICMP
18 ;;; ACK
chain=output action=mark-packet new-packet-mark=ACK passthrough=no tcp-flags=ack protocol=tcp packet-size=0-123
19 chain=forward action=mark-packet new-packet-mark=ACK passthrough=no tcp-flags=ack protocol=tcp packet-size=0-123
20 X ;;; HTTP
chain=forward action=mark-connection new-connection-mark=HTTP passthrough=yes connection-state=new protocol=tcp port=80,443 connection-mark=!HTTP_BIG
21 X chain=forward action=mark-connection new-connection-mark=HTTP_BIG passthrough=yes protocol=tcp connection-mark=HTTP connection-bytes=500000-0 connection-rate=200k-100M
22 X chain=forward action=mark-packet new-packet-mark=HTTP_BIG passthrough=no connection-mark=HTTP_BIG
23 X chain=forward action=mark-packet new-packet-mark=HTTP passthrough=no connection-mark=HTTP
24 X ;;; THE_REST
chain=forward action=mark-connection new-connection-mark=THE_REST passthrough=yes connection-mark=no-mark
25 X chain=forward action=mark-packet new-packet-mark=THE_REST passthrough=no connection-mark=THE_REST
Below are the dynamic rules in place from the PPPoE gateway. They are the last two rules in my mangle list but don't show when doing a print from the command line.
chain=forward protocol=tcp in-interface=all-ppp tcp-mss=1441-65535 tcp-flags=syn action=change-mss new-mss=1440
(no traffic through this as yet)
chain=forward protocol=tcp out-interface=all-ppp tcp-mss=1441-65535 tcp-flags=syn action=change-mss new-mss=1440 passthrough=yes
(quite a lot of traffic has passed through this rule)
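An added example, not part of the original post, showing one way to keep the MSS clamp ahead of the marking rules. In RouterOS a mangle rule with passthrough=no ends processing of that packet in the chain, so a new outbound TCP SYN that is packet-marked by the HTTP or THE_REST rules (23 and 25 above) never reaches the dynamic change-MSS rule that the PPPoE client appends at the end of the forward chain; the returning SYN-ACK is likewise consumed by the ACK rule (19), which matches any small packet with the ACK flag set, which is consistent with the inbound dynamic rule showing no traffic. Putting a static clamp, with passthrough=yes, in front of every packet-mark rule removes that dependence on ordering. The value all-ppp and the MSS of 1440 are taken from the dynamic rules above; the comments and the reduced rule set below (only the HTTP and THE_REST marks are shown, the other marks would follow the same pattern) are the editor's assumptions, not the poster's configuration.

```routeros
# Added example (editor's, not from the original post).
# Assumes the PPPoE link implies MSS 1440 and that "all-ppp" matches the
# PPPoE interface, as in the dynamic rules the PPPoE client installs.
/ip firewall mangle

# 1. Clamp MSS first, both directions. passthrough=yes so the SYN / SYN-ACK
#    carries on to the marking rules below instead of stopping here.
add chain=forward protocol=tcp tcp-flags=syn out-interface=all-ppp \
    tcp-mss=1441-65535 action=change-mss new-mss=1440 passthrough=yes \
    comment="MSS clamp outbound - must sit before any passthrough=no rule"
add chain=forward protocol=tcp tcp-flags=syn in-interface=all-ppp \
    tcp-mss=1441-65535 action=change-mss new-mss=1440 passthrough=yes \
    comment="MSS clamp inbound - catches the SYN-ACK before the ACK rule"

# 2. Connection marks, as in the original ruleset. passthrough=yes so the
#    matching packet-mark rule further down still sees the packet.
add chain=forward action=mark-connection new-connection-mark=HTTP \
    passthrough=yes connection-state=new protocol=tcp port=80,443 \
    connection-mark=no-mark comment="HTTP"
add chain=forward action=mark-connection new-connection-mark=THE_REST \
    passthrough=yes connection-mark=no-mark comment="THE_REST"

# 3. Packet marks last. passthrough=no is safe here only because nothing
#    below them still needs to see the packet.
add chain=forward action=mark-packet new-packet-mark=HTTP passthrough=no \
    connection-mark=HTTP
add chain=forward action=mark-packet new-packet-mark=THE_REST passthrough=no \
    connection-mark=THE_REST

# Verify: with HTTP re-enabled, the two clamp rules' packet counters should
# keep climbing for new web connections.
/ip firewall mangle print stats
```

If the dynamic rules must stay as they are, the same effect is obtained by moving them, or equivalent manual copies, to the top of the forward chain; what matters is only that no packet-mark rule with passthrough=no sits between the SYN and the clamp. A quick confirmation is to re-enable the HTTP rules, browse one of the failing sites, and watch which of the two clamp rules' counters in print stats stays at zero.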