Hello!

I have little problem which i don't know how to solve.
I have created OPENVPN and client connection and that part is working fine.
When mangle rule to route traffic over cable modem is enabled vpn client can't see NAS.
Router ip: 192.168.32.1, NAS 192.168.32.3 port 6541
Client over VPN 192.168.32.44
DDNS is noip...

There are two WAN connections: pppoe VDSL, and DHCP cable.

Routes
dst. address 0.0.0.0/0, gateway VDSL, distance 1, routing mark to_vdsl
dst. address 0.0.0.0/0, gateway VDSL, distance 2
dst. address 0.0.0.0/0, gateway cable, distance 1, routing mark to_cable
dst. address 0.0.0.0/0, gateway cable, distance 1

NAT
srcnat, src. address 192.168.32.44, dst. address !192.168.32.44, action: masquerade
srcnat, src. address 192.168.32.3,out. interface cable modem, action: masquerade

MANGLE
chain: prerouting, src. address 192.168.32.3, in. interface:lan bridge, action: mark routing, new routing mark to_cable

When mangle rule is disabled everything is working fine, when is enabled NAS is no longer available over VPN. Where is the problem?

Thx in advance

MANGLE
chain: prerouting, src. address 192.168.32.3, in. interface:lan bridge, action: mark routing, new routing mark to_cable

When mangle rule is disabled everything is working fine, when is enabled NAS is no longer available over VPN. Where is the problem?

As you have guessed, on that mangling: you're forcing all routed replies from the NAS to egress via cable modem.

Mangle and routing manipulation needs careful settings, considering all possible scenarios; otherwise (as you experienced) routing breaks on unpredictable ways.

You cannot just blindly force outgoing traffic to go towards an arbitrary WAN on a dual WAN scenario; internal outgoing connections are not the same as replies to previously ingress traffic. You need to make sure instead that traffic entering by a given WAN gets any replies through the same one.

In your specific scenario, traffic enters via VPN towards the NAS, but its replies are forced through cable WAN, whereas it should be left alone so that it returns via VPN. If cable WAN goes offline, NAS initiated traffic towards internet will also break.

Have a look at Tomas Kirnak's Load Balance / Mangle Deep Dive presentation to get a good understanding.

As pukkita pointed out, that presentation is very good for your problem.

You need to isolate the traffic from lan to vpn and not pass it through your mangle rules.
Easiest way: mangle - prerouting src lan class - dst vpn class, set to accept.

check this video this will be solve your problem.https://www.youtube.com/watch?v=AZePBBbp_5w

THNX !!!

Problem solved!!!

Hi Madox

What did you do to resolve the problem?
I have the same problem at present that I am trying to resolve.

Many Thanks
Freddy

Hi,

I have a similar problem I created a vpn connection for privacy which works great after creating the mangle rule but now when I connect to my remote access vpn clients that use the privacy vpn cannot be reached from the remote access vpn. Any suggestions to restore? It works fine if I disable the mangle rule.