Author Topic: Can't specify '! [IP/CIDR]' in policy routes to only route traffic NOT matching  (Read 14887 times)
jvaughn
« on: Friday 16 August 2013, 10:09:30 am »

In theory, with vanilla iptables, I can specify the destination or source to be anything NOT matching by prepending the IP/CIDR address with '!'. However, Endian won't let me do this. Does Endian have another way of specifying it? This is very difficult to google for, given that "not" and "!" are pretty useless search terms...

We have 3 WANs with static blocks, and need to be able to access those WAN IPs from inside the LAN. For everything else, we want to route office desktop LAN traffic (but not server traffic) via the 3rd uplink. We can set rules that say to send all traffic matching destination X to uplink Y, but we can't set all traffic to default to uplink Y if from source Z, because then we can't reach our public IPs from inside the LAN (not even through the internet; it appears something strange happens in iptables and the packets just fall into the void). We try putting in rules that are more specific, so that if the destination is the WANn IP range, send to the corresponding uplink, which we already have to do to make this work at all, but with that uplink3 rule in place it will override (no matter the policy route order; we've discovered the order has little to no bearing on what routing occurs).

If we could in theory have rules:
if src LAN and dest WAN1 route via WAN1
if src LAN and dest WAN2 route via WAN2
if src LAN and dest WAN3 route via WAN3
if src LAN-DHCP-clients-range and dest not WAN1 or WAN2 route via WAN3

That is what we want to do. In theory we could specify every possible CIDR combination except for WAN1/2... but that is... less than desirable.

Currently we just manually set up specific routes for things (i.e. youtube, google, pandora, spotify, etc) to force traffic for those sites to WAN3... but it is less than ideal.

I may have to just re-set up everything from scratch to change the "main uplink" to what is currently uplink3 and so forth, so that they go there by default... but it would be nice if there was a proper way to do this via routing.
juddyjacob
« Reply #1 on: Thursday 29 August 2013, 05:50:29 pm »

Try to set the source as ** and make the rule last; dunno if this will work, but it might.
juddyjacob
« Reply #2 on: Thursday 29 August 2013, 06:14:16 pm »

However, changing the main uplink is the correct solution. This is the default route, so in practice it's doing exactly what you want it to. You probably just need to redo your policy routes after you choose your default uplink. Then everything that does NOT match your policy route rules will use the main uplink.
juddyjacob
« Reply #3 on: Friday 30 August 2013, 04:52:40 am »

Try setting the source and destination as 0.0.0.0/0 and make the rule last?
jvaughn
« Reply #4 on: Saturday 07 September 2013, 09:23:55 am »

We ended up changing the default uplink and rearranging rules as necessary (on the upside, it meant we didn't need most of the rules...).
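As an added illustration (not part of the thread, not Endian's code), the following Python model compares the two rule sets discussed above: the negated-destination rule set the original post asked for, and the "make uplink3 the main uplink and redo the policy routes" approach the thread settled on. All addresses (LAN, DHCP range, WAN blocks, the sample flows) are constructed for the example; the policy-route evaluation is modelled as first-match, which is how plain iptables rule chains behave, and the `conflicting_rules` check flags exactly the rule pairs whose relative order decides the outcome.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample addressing for illustration only (not the poster's networks).
LAN      = ipaddress.ip_network("192.168.1.0/24")    # whole office LAN
SERVERS  = ipaddress.ip_network("192.168.1.0/25")    # static server range
DESKTOPS = ipaddress.ip_network("192.168.1.128/25")  # DHCP client range
WAN1     = ipaddress.ip_network("203.0.113.0/29")    # public block behind uplink 1
WAN2     = ipaddress.ip_network("198.51.100.0/29")   # public block behind uplink 2
WAN3     = ipaddress.ip_network("192.0.2.0/29")      # public block behind uplink 3
ANY      = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class PolicyRoute:
    """One policy route: source net, destination net, chosen uplink, plus an
    optional tuple of destination nets to exclude (the '! [IP/CIDR]' idea)."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    uplink: str
    dst_except: tuple = ()

    def matches(self, src, dst):
        if src not in self.src or dst not in self.dst:
            return False
        return not any(dst in net for net in self.dst_except)


def select_uplink(rules, default_uplink, src, dst):
    """First matching rule wins; unmatched traffic follows the main (default) uplink."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(src, dst):
            return rule.uplink
    return default_uplink


def conflicting_rules(rules, flows):
    """Return (rule_a, rule_b) pairs that both match some flow yet pick different
    uplinks: exactly the cases where rule order decides where traffic goes."""
    found = set()
    for src, dst in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        hits = [r for r in rules if r.matches(s, d)]
        for i, a in enumerate(hits):
            for b in hits[i + 1:]:
                if a.uplink != b.uplink:
                    found.add((a, b))
    return found


# Approach A: what the original post asked for. The last rule excludes WAN1/WAN2,
# so no two rules ever disagree and ordering is irrelevant. Main uplink stays uplink1.
WITH_NEGATION = [
    PolicyRoute(LAN, WAN1, "uplink1"),
    PolicyRoute(LAN, WAN2, "uplink2"),
    PolicyRoute(LAN, WAN3, "uplink3"),
    PolicyRoute(DESKTOPS, ANY, "uplink3", dst_except=(WAN1, WAN2)),
]

# Approach B: the fix the thread settled on, with no negation available. uplink3
# becomes the main uplink; the exceptions are pinned with ordinary rules. Note that
# SERVERS->ANY overlaps LAN->WAN2, so the specific rules must be evaluated first.
DEFAULT_UPLINK3 = [
    PolicyRoute(LAN, WAN1, "uplink1"),
    PolicyRoute(LAN, WAN2, "uplink2"),
    PolicyRoute(SERVERS, ANY, "uplink1"),
]

# Constructed flows: 192.168.1.200 is a DHCP desktop, 192.168.1.10 a server,
# 198.18.0.10 stands in for an arbitrary internet host.
SAMPLE_FLOWS = [
    ("192.168.1.200", "203.0.113.2"),   # desktop -> own WAN1 IP
    ("192.168.1.200", "198.51.100.2"),  # desktop -> own WAN2 IP
    ("192.168.1.200", "192.0.2.2"),     # desktop -> own WAN3 IP
    ("192.168.1.200", "198.18.0.10"),   # desktop -> internet
    ("192.168.1.10",  "198.18.0.10"),   # server  -> internet
    ("192.168.1.10",  "198.51.100.2"),  # server  -> own WAN2 IP
]


def compare(flows=SAMPLE_FLOWS):
    """Map each flow to (uplink under approach A, uplink under approach B)."""
    return {
        (src, dst): (select_uplink(WITH_NEGATION, "uplink1", src, dst),
                     select_uplink(DEFAULT_UPLINK3, "uplink3", src, dst))
        for src, dst in flows
    }


if __name__ == "__main__":
    for (src, dst), (a, b) in compare().items():
        print(f"{src:>14} -> {dst:<14}  negation: {a}  default-uplink3: {b}")
    print("order-sensitive rule pairs, approach A:",
          len(conflicting_rules(WITH_NEGATION, SAMPLE_FLOWS)))
    print("order-sensitive rule pairs, approach B:",
          len(conflicting_rules(DEFAULT_UPLINK3, SAMPLE_FLOWS)))
```

Both approaches send every sample flow to the same uplink, which is why changing the main uplink solved the poster's problem. The difference is in robustness: approach A's rules are mutually consistent, whereas approach B contains one pair (LAN->WAN2 versus SERVERS->ANY) whose order matters. On a product where the poster observed that policy route order "has little to no bearing", that is the pair to verify after a reconfiguration, for example by checking from a server that its WAN2-bound traffic really leaves via uplink2 rather than silently taking the server default.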