Hi Vieri, Here are all of my files (I think) relevant to routing, with any
real addresses changed:

providers:

#NAME           NUMBER  MARK    DUPLICATE       INTERFACE       GATEWAY         OPTIONS         COPY

uni01           1       -       -       usb0    192.168.1.1     fallback=50
uni02           2       -       -       usb1    192.168.0.1     fallback=50
tvc01           3       -       -       vlan5   111.222.333.444 track,balance=1,persistent
aot01           4       -       -       ppp0    -               track,balance=1,persistent
cem50tun        5       -       -       tun1    10.20.0.145     fallback=150,persistent
cem50           6       -       -       vlan4   10.1.15.1       fallback=100
cem09           7       -       -       tun3    10.20.0.129     track
:qcem0509tvc      8       -       -       tun6    10.20.0.149     loose
cem0509uni      9       -       -       tun7    10.20.0.153     loose

mangle:

#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE  USER    TEST    LENGTH  TOS     CONNBYTES       HELPER  PROBABILITY     DSCP
#                                                       PORT(S) PORT(S)

MARK(25)        10.0.69.2       -               tcp     smtp
MARK(25)        -       10.0.69.2               tcp     smtp
MARK(25)        fwall   77.88.99.0/29          tcp     smtp
MARK(53)        -               -               udp     53
MARK(53)        fwall           -               udp     53
MARK(16)        10.0.69.20      -               udp     sip,iax,1068,10000:12000
MARK(16)        -               10.0.69.20      udp     sip,iax,1068,10000:12000
MARK(16)        10.1.0.0/24     10.20.0.129     udp     sip,iax,10000:12000
MARK(16)        10.20.0.129     10.1.0.0/24     udp     sip,iax,10000:12000
MARK(16)        10.1.0.0/24     77.88.99.82     udp     sip,iax,10000:12000
MARK(16)        77.88.99.82     10.1.0.0/24     udp     sip,iax,10000:12000
MARK(16)        fwall           -               udp     sip,iax,10000:12000
MARK(16)        -               fwall           udp     sip,iax,10000:12000
MARK(80)        10.0.69.2       -               tcp     http,https
MARK(80)        10.0.69.2       -               udp     http,https
MARK(80)        10.0.69.20      -               tcp     http,https
MARK(80)        10.0.69.20      -               udp     http,https
MARK(200)       10.1.10.248     -       udp     openvpn,5000,5001
MARK(200)       fwall   77.88.99.0/29  udp     openvpn,5000,5001
MARK(200)       fwall   222.111.444.0/29        udp     openvpn,5000,5001
TOS(16)         -       -               udp     iax
TOS(16)         -       -               udp     -       iax
TOS(16)         -       -               udp     sip
TOS(16)         -       -               udp     -       sip
TOS(16)         10.0.69.20      -       udp     -       -       -       16
TOS(16)         -       10.0.69.20      udp     -       -       -       16
DSCP(EF)        -       -               udp     iax
DSCP(EF)        -       -               udp     -       iax
DSCP(EF)        -       -               udp     sip
DSCP(EF)        -       -               udp     -       sip
DSCP(EF)        10.0.69.20      -       udp     -       -       -       16
DSCP(EF)        -       10.0.69.20      udp     -       -       -       16

rtrules:

#SOURCE DEST    PROVIDER        PRIORITY        MARK
        -       10.20.200.0/25  cem09   1000
        -       10.20.200.0/24  main    1001
        -       10.20.0.0/23    main    1002
        -       10.0.68.0/22    cem50   1012
        -       10.1.8.0/21     cem50   1014
        -       192.168.0.0/16  cem50   1018
        -       192.168.33.0/24 cem50   1019
       -       10.0.68.0/22    cem01maf        1022
        -       10.1.10.0/24    cem01maf        1024
10.1.10.40   -               tvc01   1201
10.1.10.65   -               tvc01   1202
10.1.13.93   -               tvc01   1203
10.1.15.20   -               tvc01   1204
10.1.15.21   -               tvc01   1205
10.1.10.40   -               aot01   1211
10.1.10.65   -               aot01   1212
10.1.13.93   -               aot01   1213
10.1.15.20   -               aot01   1214
10.1.15.21   -               aot01   1215

10.1.10.248     -               aot01   1263    200
10.1.10.248     -               tvc01   1264    200
$FW             -               uni01   1271    200
$FW             -               uni02   1272    200
$FW             -               aot01   1273    200
$FW             -               tvc01   1274    200

#NH#20170228# Following rule is not catching "all" traffic in a TCP connection. Therefore...
10.0.69.2       -               cem09   1280    25
#NH#20170228# for now, directing all 10.0.69.2 packets via tun3.
10.0.69.2       -               cem09   1281

10.0.0.0/8      -               cem09   1290    16


10.1.0.0/24     -               uni01   21005
10.1.0.0/24     -               uni02   21006

10.1.8.0/21     -               aot01   21901
10.1.8.0/21     -               tvc01   21902
10.1.8.0/21     -               uni01   21903
10.1.8.0/21     -               uni02   21904
192.168.0.0/16  -               tvc01   21911
192.168.0.0/16  -               aot01   21912
192.168.0.0/16  -               uni01   21913
192.168.0.0/16  -               uni02   21914
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

shorewall.conf: lots of stuff including:
DELETE_THEN_ADD=Yes
FORWARD_CLEAR_MARK= #default Yes - is this perhaps causing a problem?
KEEP_RT_TABLES=No
MANGLE_ENABLED=Yes
MARK_IN_FORWARD_CHAIN=No
RESTORE_DEFAULT_ROUTE=Yes
RESTORE_ROUTEMARKS=Yes
ROUTE_FILTER=No
TRACK_PROVIDERS=No
TRACK_RULES=Yes
USE_DEFAULT_RT=Yes
USE_RT_NAMES=No
TC_BITS=
PROVIDER_BITS=
PROVIDER_OFFSET=
MASK_BITS=
ZONE_BITS=0

Best regards, Norman


On Fri, Sep 29, 2017 at 3:56 PM, Vieri Di Paola via Shorewall-users <
shorewall-users@lists.sourceforge.net> wrote:

>
> ________________________________
> From: Norman Henderson <norm.aud...@gmail.com>
> >
> > MARK(25)        10.0.69.2       -               tcp     smtp
> > MARK(25)        -       10.0.69.2               tcp     smtp
>
> >
>
> > 10.0.69.2       -               cem09   1280    25
>
> Could you please share the relevant part of your providers file?
>
> > rtrules 10.0.69.2 - cem09 1281
>
> In my specific example I could very well use policy based routing in
> rtrules without marks.
> However, there are other cases where I require to use MARK.
>
> Vieri
>
> ------------------------------------------------------------
> ------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
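Added example (not part of the original message and not Shorewall code): a small model of how the posted rtrules rows are consulted in priority order, showing which rows a packet from 10.0.69.2 matches with and without mark 25. It uses a subset of the rows above; the exact-match treatment of the MARK column and the destination 192.0.2.10 are assumptions made for the illustration.

```python
import ipaddress

# Subset of the rtrules rows posted above: SOURCE DEST PROVIDER PRIORITY [MARK]
RTRULES = """
-            10.20.200.0/25  cem09  1000
-            10.0.68.0/22    cem50  1012
10.1.10.248  -               aot01  1263  200
10.0.69.2    -               cem09  1280  25
10.0.69.2    -               cem09  1281
10.0.0.0/8   -               cem09  1290  16
10.1.8.0/21  -               aot01  21901
"""

def parse(text):
    """Return rules sorted by priority, the order in which they are consulted."""
    rules = []
    for line in text.splitlines():
        cols = line.split("#", 1)[0].split()
        if len(cols) < 4:
            continue
        src, dst, provider, prio = cols[:4]
        mark = int(cols[4]) if len(cols) > 4 and cols[4] != "-" else None
        net = lambda s: None if s == "-" else ipaddress.ip_network(s)
        rules.append((int(prio), net(src), net(dst), mark, provider))
    return sorted(rules, key=lambda r: r[0])

def candidates(rules, src, dst, fwmark=0):
    """(priority, provider) for every rule whose selectors match the packet."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    out = []
    for prio, snet, dnet, mark, provider in rules:
        if snet is not None and s not in snet:
            continue
        if dnet is not None and d not in dnet:
            continue
        # Assumption: a MARK value matches only when the whole packet mark equals it.
        if mark is not None and fwmark != mark:
            continue
        out.append((prio, provider))
    return out

if __name__ == "__main__":
    rules = parse(RTRULES)
    print("marked 25:", candidates(rules, "10.0.69.2", "192.0.2.10", 25))
    print("unmarked: ", candidates(rules, "10.0.69.2", "192.0.2.10", 0))
```

A packet of the connection that reaches the routing decision without mark 25 skips row 1280 and is only caught by the unmarked row 1281.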