Routing Marks in Output Chain for IPSEC
Posted: Mon Feb 07, 2011 7:07 pm
Hi, I'm just after a little bit of help regarding a routing problem I have.
I have two connections to the internet via gateways 1.1.1.1 (on interface I-A) and 2.2.2.2 (on interface I-B), and I have two IP routes as follows:
0.0.0.0/0 to 1.1.1.1 bound to routing-mark="R-A"
0.0.0.0/0 to 2.2.2.2 bound to routing-mark="R-B"
Using mangle rules in the INPUT chain I mark all incoming connections on interface "I-A" with connection-mark="C-A" and all incoming connections on interface "I-B" with connection-mark="C-B".
I then have mangle rules in the OUTPUT chain that mark connections with connection-mark="C-A" with routing-mark="R-A" and connections with connection-mark="C-B" with routing-mark="R-B".
If I ping the IP address of the router associated with interface "I-A" from an external point then this responds correctly and I get a reply and if I disable the OUTPUT chain rule marking "C-A" connections with routing-mark="R-A" then the ping is dropped so the OUTPUT chain is correctly marking the packets and the routing-mark is having an effect and routing correctly by picking up the correct route.
What I don't understand is that incoming L2TP connections from my remote router do not have the same results.
I can only get these to work if I have the default route on the router (without any connection mark binding) pointing to the gateway the L2TP/IPSEC packets are arriving on, i.e. they appear to be skipping the OUTPUT chain routing-mark logic and defaulting to the default gateway.
Would anyone be able to try and explain this problem for me? I assume it's something weird with the L2TP connections.
Many thanks, Dominic.