Title: Can't specify '! [IP/CIDR]' in policy routes to only route traffic NOT matching
Post by: jvaughn on Friday 16 August 2013, 10:09:30 am

In theory, with vanilla iptables, I can specify the destination or source to be anything NOT matching by prepending the IP/CIDR address with '!'. However, Endian won't let me do this. Does Endian have another way of specifying it? This is very difficult to google for, being that "not" and "!" are pretty useless search terms ...
We have 3 WANs with static blocks, and need to be able to access those WAN IPs from inside the LAN. For everything else, we want to route office desktop LAN traffic (but not server traffic) via the 3rd uplink. We can set rules that say to send all traffic matching destination X to uplink Y, but we can't set all traffic to default to uplink Y if from source Z, because then we can't reach our public IPs from inside the LAN (not even through the internet - it appears something strange happens in iptables and the packets just fall into the void). We try putting in rules that are more specific, so that if the destination is the WANn IP range, send to the corresponding uplink, which we already have to do to make this work at all, but with that uplink3 rule in place it will override (no matter the policy route order - we've discovered the order has little to no bearing on what routing occurs).

If we could in theory have rules:

if src LAN and dest WAN1 route via WAN1
if src LAN and dest WAN2 route via WAN2
if src LAN and dest WAN3 route via WAN3
if src LAN-DHCP-clients-range and dest not WAN1 or WAN2 route via WAN3

That is what we want to do. In theory we could specify every possible CIDR combination except for WAN1/2 ... but that is.. less than desirable.

Currently we just manually set up specific routes for things (i.e. youtube, google, pandora, spotify, etc) to force traffic for those sites to WAN3... but it is less than ideal.

I may have to just re-setup everything from scratch to change "main uplink" to what is currently uplink3 and so forth, so that they go there by default ... but it would be nice if there was a proper way to do this via routing.

Title: Re: Can't specify '! [IP/CIDR]' in policy routes to only route traffic NOT matching
Post by: juddyjacob on Thursday 29 August 2013, 05:50:29 pm

try to set the source as ** and make the rule last, dunno if this will work but might
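To make the original question concrete, here is an added example (not from the thread or from Endian) that simulates first-match policy routing with and without a negated destination, and uses Python's ipaddress module to enumerate the "every CIDR except WAN1/WAN2" rule set the poster wants to avoid. All address blocks are constructed documentation ranges, not the poster's real networks.

```python
import ipaddress

# Constructed placeholder blocks (documentation ranges), not the poster's real addresses.
LAN = ipaddress.ip_network("10.0.0.0/24")
LAN_DHCP = ipaddress.ip_network("10.0.0.128/25")   # desktop clients, a subset of LAN
WAN1 = ipaddress.ip_network("203.0.113.0/29")
WAN2 = ipaddress.ip_network("198.51.100.0/28")
WAN3 = ipaddress.ip_network("192.0.2.0/28")
ANY = ipaddress.ip_network("0.0.0.0/0")


def cidr_complement(excluded):
    """Minimal CIDR list covering every address NOT in `excluded`: the enumeration
    a GUI without '!' forces on you (each hole splits a prefix into up to 32 siblings)."""
    remaining = [ANY]
    for ex in excluded:
        nxt = []
        for net in remaining:
            if ex.subnet_of(net):
                nxt.extend(net.address_exclude(ex))  # carve the hole out of net
            elif not net.subnet_of(ex):
                nxt.append(net)                       # disjoint from ex, keep as is
        remaining = nxt
    return sorted(ipaddress.collapse_addresses(remaining))


def route(rules, src, dst):
    """First-match policy routing. A rule is (src_net, dst_nets, negate_dst, uplink);
    negate_dst=True mirrors iptables' '! <dst>' and matches anything NOT in dst_nets."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_nets, negate_dst, uplink in rules:
        dst_hit = any(dst in n for n in dst_nets)
        if src in src_net and dst_hit != negate_dst:
            return uplink
    return "main"  # nothing matched: the default route / main uplink


# The rule set from the question, written once with negation ...
WITH_NEGATION = [
    (LAN, [WAN1], False, "uplink1"),
    (LAN, [WAN2], False, "uplink2"),
    (LAN, [WAN3], False, "uplink3"),
    (LAN_DHCP, [WAN1, WAN2], True, "uplink3"),
]
# ... and once with the complement of WAN1/WAN2 spelled out as positive matches.
WITHOUT_NEGATION = WITH_NEGATION[:3] + [
    (LAN_DHCP, cidr_complement([WAN1, WAN2]), False, "uplink3"),
]
```

Both rule sets route identically, but the negation-free version needs 51 destination blocks for the last rule alone, which is why changing the main uplink (the default route) is the cleaner fix.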
Title: Re: Can't specify '! [IP/CIDR]' in policy routes to only route traffic NOT matching
Post by: juddyjacob on Thursday 29 August 2013, 06:14:16 pm

however changing the main uplink is the correct solution. This is the default route. So in practice it's doing exactly what you want it to. You probably just need to redo your policy routes after you choose your default uplink. Then everything that does NOT match your policy route rules will use the main uplink.
Title: Re: Can't specify '! [IP/CIDR]' in policy routes to only route traffic NOT matching
Post by: juddyjacob on Friday 30 August 2013, 04:52:40 am

try setting the source and destination as 0.0.0.0/0 and make the rule last?
Title: Re: Can't specify '! [IP/CIDR]' in policy routes to only route traffic NOT matching
Post by: jvaughn on Saturday 07 September 2013, 09:23:55 am

We ended up changing the default uplink and rearranging rules as necessary (on the up side, it meant we didn't need most of the rules... )