[Openvpn-users] Re: [LARTC] UDP port 1194 marking/routing problem

Remus rmocius at auste.elnet.lt
Wed Apr 6 13:54:53 CEST 2005


Hi Wang,

We specially got two Internet connections: one is only for OpenVPN (it is 
heavily used) and the second for everything else.
I will give a try to the PREROUTING stuff right away.

What do you mean by: "But I don't think you need to use MARK to do policy routing. 
It's a little overkill."?

Do you have another suggestion than iptables/MARK?

Regards

Remus


----- Original Message ----- 
From: "Wang Jian" <lark at linux.net.cn>
To: <lartc at mailman.ds9a.nl>
Cc: "Remus" <rmocius at auste.elnet.lt>; <openvpn-users at lists.sourceforge.net>
Sent: Wednesday, April 06, 2005 12:23 PM
Subject: [Openvpn-users] Re: [LARTC] UDP port 1194 marking/routing problem


> Hi Remus,
>
> It seems that
>
> iptables -t mangle -A POSTROUTING -o eth0 -p udp --dport 1194 -j MARK \
>    --set-mark 0x990
>
> will not take effect. (didn't you typo -A as -D?)
>
> POSTROUTING is looked up after routing decision is made. Because the
> default route is dev eth1, the output device is eth1, -o eth0 will not
> match.
>
> You should use
>
> iptables -t mangle -A PREROUTING -p udp --destination <your openvpn \
>    peer> --dport 1194 -j MARK ....
>
> But I don't think you need to use MARK to do policy routing. It's a
> little overkill.
>
> Why not simply route all traffic to your openvpn peer via device eth0?
>
>
> On Wed, 6 Apr 2005 11:51:16 +0100, "Remus" <rmocius at auste.elnet.lt> wrote:
>
>>
>> Hi folks,
>>
>> I have OpenVPN (respect for its developers) running on my FW.
>> It has two external NICs and on internal everything is fine, except
>> I want OpenVPN (UDP port 1194) not going via the default route/network 
>> interface.
>>
>> I use such commands:
>>
>> iptables -t mangle -D POSTROUTING -o eth0 -p udp --dport 1194 -j 
>> MARK --set-mark 0x990
>> ip rule add fwmark 0x990 table openvpn1
>> ip route add default via $P2 dev eth0 table openvpn1
>>
>> eth0 is FW's not default external NIC.
>>
>> I have in use very similar iptables rules for my email server (TCP ports) 
>> etc.
>> Everything works fine.
>> What I'm doing wrong with marking/routing the UDP port?
>>
>> Regards
>>
>> Remus
>>
>
>
>
> -- 
>  lark
>
>
>
>
> 
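Both approaches discussed in the thread, written up as an added shell example (not code from Remus, Wang or the OpenVPN project): the fwmark policy-routing setup Remus is after, and Wang's plain host route to the peer. The names eth0, $P2, openvpn1 and 0x990 are taken from Remus's mail; the gateway and peer addresses are placeholders, and the script only prints the commands unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not code from the thread. Names from Remus's mail:
# eth0 = secondary uplink, $P2 = its gateway, table openvpn1, mark 0x990.
# GW and PEER defaults are documentation addresses (placeholders).
set -u
DRY_RUN=${DRY_RUN:-1}
MARK=0x990
TABLE=openvpn1
OUT_IF=eth0
GW=${P2:-192.0.2.1}        # placeholder: gateway on the eth0 uplink
PEER=${PEER:-198.51.100.7} # placeholder: remote OpenVPN peer

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Approach 1: mark + policy routing.
# OpenVPN runs on the firewall itself, so its packets are locally generated
# and traverse mangle OUTPUT (PREROUTING sees only packets arriving from the
# network). The kernel re-runs the routing decision after OUTPUT when the
# mark changed. POSTROUTING runs after routing, so a mark set there can
# never influence which interface is chosen, and "-o eth0" never matches.
mark_rules() {
  run iptables -t mangle -A OUTPUT -p udp --dport 1194 -j MARK --set-mark "$MARK"
  # Same mark for VPN packets forwarded from LAN hosts (those do hit PREROUTING).
  run iptables -t mangle -A PREROUTING -p udp --dport 1194 -j MARK --set-mark "$MARK"
}

policy_routes() {
  run ip rule add fwmark "$MARK" table "$TABLE"
  run ip route add default via "$GW" dev "$OUT_IF" table "$TABLE"
  # Re-routing does not change the source address already chosen for the
  # default interface, so rewrite it on the way out. nat POSTROUTING runs
  # after the final routing decision, so here "-o eth0" does match.
  run iptables -t nat -A POSTROUTING -o "$OUT_IF" -p udp --dport 1194 -j MASQUERADE
}

# Approach 2 (Wang's suggestion): no marks at all. A /32 route to the peer
# via eth0 makes the first routing decision pick eth0, so the source
# address is correct without any NAT.
direct_route() {
  run ip route add "$PEER/32" via "$GW" dev "$OUT_IF"
}

case "${1:-mark}" in
  mark)  mark_rules; policy_routes ;;
  route) direct_route ;;
  *)     echo "usage: $0 [mark|route]" >&2; exit 2 ;;
esac
```

The table name openvpn1 must already be listed in /etc/iproute2/rt_tables for `ip rule`/`ip route ... table openvpn1` to resolve it.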
