policy based routing

Post by Thomas Na » Thu, 08 Feb 2001 18:48:55

Assuming that two nodes are connected via two different types of pipes,
we need to make sure that bulk traffic like NFS, FTP and others takes line 1
and the other traffic gets routed through 2, depending on the protocol type.

Any hints on how to make this work with Solaris 8/SPARC?


====== PGP fingerprint B1 EE D2 39 2C 82 26 DA  A5 4D E0 50 35 75 9E ED ======

        Thought you got rid of all year 2k bugs and problems?
        Here's a new one: Windows 2000


1. advanced routing question (squid/policy based routing)


While setting up a second link to another ISP, I came up with the idea to
perform policy based routing.
All of the web traffic should go via a flatrate DSL link, whereas all the
rest is routed via a 2Mbit/s CISCO.

The configuration is as follows: we have a network with public IP addresses

        | 2Mbit/s link to ISP
        | 194.x.y.z
        | default-route
  INTERNET via DSL  ---------- DSL HW ------------------ LINUX FIREWALL
                                NAT    |
        | a.b.c.x/27
        Internal Network (20 hosts)

What I try to achieve is that all outgoing traffic from a.b.c.x/27 port 80
is routed via the HW-DSL-Router. So I installed a SQUID in transparent mode
on the firewall and entered the following rule:

iptables -t nat -A PREROUTING -i eth1 -p tcp -s a.b.c.x/27 --dport 80 -j REDIRECT --to-port 3128

If I do not modify any routing I have a perfect transparent webserver.

Now I add something more sophisticated: I configure squid to use as the
outbound interface with the squid configure option tcp_outgoing_address and
add the following policy based rule:

iptables -t mangle -A OUTPUT -s -p tcp --dport 80 -j MARK --set-mark 5

Now the packets become marked. I add the rule:

ip rule add fwmark 5 table dsl_out

ip route add default via dev eth4 table dsl_out

Now what happens? I make a TCP-dump on an external webserver and on the
link between firewall and HW-DSL-ROUTER. I open a http-connection from
a.b.c.d. It gets redirected to the squid, which in turn opens a
TCP-connection via the DSL-router. On the external Webserver I see
SYN-packets arriving from the external address of the DSL-router and the
webserver answers with a SYN/ACK. The SYN/ACK is natted again and is
inbound on the link between DSL-router and firewall.

But it never arrives at the SQUID. Half a second later SQUID retransmits
the SYN and the link is never established.
Before I forget: beforehand I cleared all firewalling rules on eth4:

iptables -I INPUT -i eth4 -j ACCEPT

What am I doing wrong? Any idea?

TCP-dumps of all links are available.

Thanks for your help...

Marc Peter Althoff
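The fwmark-based setup the post describes (transparent REDIRECT into Squid, MARK in the mangle OUTPUT chain, a separate routing table selected by ip rule), collected into one script as an added example. This is not the poster's configuration: the interface names, the gateway and host addresses (documentation ranges), the table name and the table number are all assumptions. It adds two things the post does not show: the verification commands (ip rule show, ip route show table, ip route get with mark) and a reverse-path-filter step, because strict rp_filter discards a packet that arrives on an interface the main table would not use to reach the packet's source, which is one common cause of exactly the symptom of replies arriving on the link but never reaching the socket.

```shell
#!/bin/sh
# Added example (not the poster's configuration): route Squid's outbound HTTP
# over a second uplink with fwmark + ip rule + ip route, then verify it.
# All addresses, interface names and the table name below are assumptions.
set -eu

LAN_IF=${LAN_IF:-eth1}                       # internal network side
DSL_IF=${DSL_IF:-eth4}                       # link towards the DSL router
DSL_GW=${DSL_GW:-192.0.2.1}                  # assumed DSL-router address
SQUID_DSL_ADDR=${SQUID_DSL_ADDR:-192.0.2.2}  # firewall address on the DSL link,
                                             # also Squid's tcp_outgoing_address
LAN_NET=${LAN_NET:-198.51.100.0/27}          # assumed internal network
TABLE=${TABLE:-dsl_out}                      # secondary routing table
MARK=${MARK:-5}                              # fwmark value used in the post
RUN=${RUN:-echo}   # dry run by default: commands are printed, not executed.
                   # Run as root with RUN= (empty) to apply them for real.

# Apply the rule set. With RUN=echo each command is printed instead.
pbr_apply() {
    # 1. Give the routing table a name (ip also accepts the number directly).
    $RUN sh -c "grep -qw '$TABLE' /etc/iproute2/rt_tables || echo '200 $TABLE' >> /etc/iproute2/rt_tables"

    # 2. Transparent redirect of LAN port-80 traffic into Squid (as in the post).
    $RUN iptables -t nat -A PREROUTING -i "$LAN_IF" -p tcp -s "$LAN_NET" --dport 80 \
        -j REDIRECT --to-port 3128

    # 3. Mark Squid's own outgoing HTTP connections; they are locally generated
    #    and sourced from the DSL-side address, so they pass the OUTPUT chain.
    $RUN iptables -t mangle -A OUTPUT -s "$SQUID_DSL_ADDR" -p tcp --dport 80 \
        -j MARK --set-mark "$MARK"

    # 4. Marked packets consult the secondary table, whose only route is the
    #    DSL default; everything else keeps using the main table.
    $RUN ip rule add fwmark "$MARK" table "$TABLE" priority 100
    $RUN ip route add default via "$DSL_GW" dev "$DSL_IF" table "$TABLE"

    # 5. Replies arrive on $DSL_IF although the main table would reach their
    #    source via the other uplink. Strict reverse-path filtering drops
    #    exactly that, so switch it off on the DSL interface (2 = loose mode
    #    on kernels that support it). net.ipv4.conf.all.rp_filter is combined
    #    with the per-interface value, so check it as well.
    $RUN sysctl -w "net.ipv4.conf.$DSL_IF.rp_filter=0"
    $RUN ip route flush cache
}

# Verification a practitioner runs after applying the rules.
pbr_verify() {
    $RUN ip rule show
    $RUN ip route show table "$TABLE"
    # Which route does a marked packet to an (assumed) external web server take?
    $RUN ip route get 203.0.113.10 mark "$MARK"
    # Are the mangle counters increasing while Squid opens connections?
    $RUN iptables -t mangle -L OUTPUT -v -n
}

pbr_apply
pbr_verify
```

Run it once with the default dry run to review the exact commands, then as root with RUN= to apply them. If ip route get with the mark still reports the main-table gateway, the rule or the table is wrong; if it reports the DSL gateway but the SYN/ACK still never reaches the socket, compare the mangle counters and the rp_filter settings before looking at the NAT device.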
