
[LARTC] Problem with packet mangling over 2 links

To: lartc@mailman.ds9a.nl
Subject: [LARTC] Problem with packet mangling over 2 links
From: "Michael Magua" <m.magua@gmail.com>
Date: Thu, 9 Aug 2007 15:05:08 +0200
Hi

I have a strange problem. I have a firewall with 3 NICs.

1 - lan
2 - leased line or diginet
3 - connected to adsl modem

I have 2 tables defined in /etc/iproute2/rt_tables:

200 diginet
201 adsl

The ADSL modem has an IP of 192.168.0.1 and is configured to initiate
the PPPOE connection. I can mark packets within the network destined
for port 80 successfully:

ip ro add default via x.x.x.x table diginet   # where x.x.x.x is the IP of the Cisco router
ip route add default via 192.168.0.1 dev eth2 table adsl
ip ru add fwmark 2 table adsl
ip ro fl ca

echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
iptables -t mangle -A PREROUTING -s 192.168.1.0/24 -p tcp --dport 80 -j MARK --set-mark 2
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 80 -j ACCEPT

That all works and if I do a tcpdump on eth2 I can see packets for web
traffic going out via ADSL.

The problem:

If I configure the ADSL modem to no longer make the PPPoE connection
but let the firewall do it, i.e. pppoe-setup / pppoe, then it doesn't
work. Here are the relevant netfilter and iproute2 steps I did.

ip ro add default via x.x.x.x table diginet   # where x.x.x.x is the IP of the Cisco router
ip ro add dev ppp0 table adsl
ip ro add default via x.x.x.x table adsl      # where x.x.x.x is the p-t-p addr from the output of ifconfig ppp0
ip ru add fwmark 2 table adsl
ip ro fl ca

echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
iptables -t mangle -A PREROUTING -s 192.168.1.0/24 -p tcp --dport 80 -j MARK --set-mark 2
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 80 -j ACCEPT

I have also set DEFROUTE=no and PEERDNS=no in /etc/ppp/pppoe.conf as
the diginet is still the default route but I only want web traffic out
on ADSL.

Some output from tcpdump showing this doesn't work:

[root@firewall ~]# tcpdump -i eth0 port 80 -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
07:43:59.501397 IP 192.168.1.222.2867 > 66.249.93.104.80: S 2326997538:2326997538(0) win 5840 <mss 1460,sackOK,timestamp 6219115 0,nop,wscale 0>
07:44:02.495748 IP 192.168.1.222.2867 > 66.249.93.104.80: S 2326997538:2326997538(0) win 5840 <mss 1460,sackOK,timestamp 6219415 0,nop,wscale 0>
07:44:08.496618 IP 192.168.1.222.2867 > 66.249.93.104.80: S 2326997538:2326997538(0) win 5840 <mss 1460,sackOK,timestamp 6220015 0,nop,wscale 0>
07:44:20.498324 IP 192.168.1.222.2867 > 66.249.93.104.80: S 2326997538:2326997538(0) win 5840 <mss 1460,sackOK,timestamp 6221215 0,nop,wscale 0>

If anyone can shed some light on what I'm doing wrong or missing I'd
really appreciate it.

Michael
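The capture in the post shows the classic signature of a one-way path: the same SYN (identical initial sequence number) resent with doubling gaps and never a SYN-ACK back on the LAN side. As an added example that is not part of the original post, the Python script below parses tcpdump -nn lines in that older format and flags handshakes that were never answered; the four quoted SYNs are used as input, plus one constructed healthy handshake (192.168.1.10 to 192.0.2.10, an assumed address) for contrast.

```python
import re
from collections import defaultdict

# Constructed sample: the four SYNs quoted in the post plus one made-up
# answered handshake so the detector has a negative case.
SAMPLE = """\
07:43:59.501397 IP 192.168.1.222.2867 > 66.249.93.104.80: S 2326997538:2326997538(0) win 5840 <mss 1460,sackOK,timestamp 6219115 0,nop,wscale 0>
07:44:02.495748 IP 192.168.1.222.2867 > 66.249.93.104.80: S 2326997538:2326997538(0) win 5840 <mss 1460,sackOK,timestamp 6219415 0,nop,wscale 0>
07:44:08.496618 IP 192.168.1.222.2867 > 66.249.93.104.80: S 2326997538:2326997538(0) win 5840 <mss 1460,sackOK,timestamp 6220015 0,nop,wscale 0>
07:44:20.498324 IP 192.168.1.222.2867 > 66.249.93.104.80: S 2326997538:2326997538(0) win 5840 <mss 1460,sackOK,timestamp 6221215 0,nop,wscale 0>
07:44:21.000000 IP 192.168.1.10.3001 > 192.0.2.10.80: S 1000:1000(0) win 5840 <mss 1460>
07:44:21.020000 IP 192.0.2.10.80 > 192.168.1.10.3001: S 5000:5000(0) ack 1001 win 5792 <mss 1460>
"""

# Old-style tcpdump TCP line: "<ts> IP a.b.c.d.port > e.f.g.h.port: <flags> seq:seq(len) ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<flags>[A-Z.]+) (?P<seq>\d+):\d+\(\d+\)(?P<rest>.*)$"
)

def seconds(ts):
    """Convert HH:MM:SS.ffffff to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    p = m.groupdict()
    p["synack"] = "S" in p["flags"] and " ack " in p["rest"]
    p["syn"] = "S" in p["flags"] and not p["synack"]
    return p

def find_stalled_handshakes(text, min_attempts=2):
    """Return flows whose SYN was sent >= min_attempts times with no SYN-ACK seen.
    Each entry records the attempt count, whether every SYN reused the same
    initial sequence number (a retransmit, not a new connection) and the gaps."""
    syns = defaultdict(list)   # (src, sport, dst, dport) -> [(ts, seq), ...]
    answered = set()           # client-side flow keys that got a SYN-ACK
    for line in text.splitlines():
        p = parse(line)
        if p is None:
            continue
        if p["synack"]:        # reply direction: key it as the client's flow
            answered.add((p["dst"], p["dport"], p["src"], p["sport"]))
        elif p["syn"]:
            syns[(p["src"], p["sport"], p["dst"], p["dport"])].append((p["ts"], p["seq"]))
    stalled = {}
    for flow, sent in syns.items():
        if flow in answered or len(sent) < min_attempts:
            continue
        times = [seconds(ts) for ts, _ in sent]
        stalled[flow] = {
            "attempts": len(sent),
            "same_seq": len({seq for _, seq in sent}) == 1,
            "gaps": [round(b - a, 1) for a, b in zip(times, times[1:])],
        }
    return stalled

if __name__ == "__main__":
    for flow, info in find_stalled_handshakes(SAMPLE).items():
        print("no SYN-ACK for %s.%s > %s.%s: %d SYNs, gaps %s" % (flow + (info["attempts"], info["gaps"])))
```

Doubling gaps with an unchanged sequence number, as printed for the 192.168.1.222 flow, mean the SYN left the client but its reply never came back through the firewall, which points at the return path (routing table, reverse-path filter or NAT on the new egress interface) rather than at the client.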