It works fine when mwan3 is disabled, and the seemingly same configuration works well in 17.01.5. I used the OpenVPN server setup guide from the wiki in both setups. I would very much appreciate it if anyone has any suggestions about how to fix it.
When I try to connect, I get this in the client log (parts of the external IPs have been replaced by 1 in all the logs):
Sat Jul 21 11:29:31 2018 OpenVPN 2.4.4 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Sep 26 2017
Sat Jul 21 11:29:31 2018 Windows version 6.2 (Windows 8 or greater) 32bit
Sat Jul 21 11:29:31 2018 library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.10
Enter Management Password:
Sat Jul 21 11:29:31 2018 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
Sat Jul 21 11:29:31 2018 Need hold release from management interface, waiting...
Sat Jul 21 11:29:32 2018 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25341
Sat Jul 21 11:29:32 2018 MANAGEMENT: CMD 'state on'
Sat Jul 21 11:29:32 2018 MANAGEMENT: CMD 'log all on'
Sat Jul 21 11:29:32 2018 MANAGEMENT: CMD 'echo all on'
Sat Jul 21 11:29:32 2018 MANAGEMENT: CMD 'hold off'
Sat Jul 21 11:29:32 2018 MANAGEMENT: CMD 'hold release'
Sat Jul 21 11:29:32 2018 NOTE: --fast-io is disabled since we are running on Windows
Sat Jul 21 11:29:32 2018 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Jul 21 11:29:32 2018 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Jul 21 11:29:32 2018 MANAGEMENT: >STATE:1532165372,RESOLVE,,,,,,
Sat Jul 21 11:29:33 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]1.1.1.1:1194
Sat Jul 21 11:29:33 2018 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sat Jul 21 11:29:33 2018 UDP link local: (not bound)
Sat Jul 21 11:29:33 2018 UDP link remote: [AF_INET]1.1.1.1:1194
Sat Jul 21 11:29:33 2018 MANAGEMENT: >STATE:1532165373,WAIT,,,,,,
Sat Jul 21 11:30:03 2018 SIGTERM[hard,] received, process exiting
Sat Jul 21 11:30:03 2018 MANAGEMENT: >STATE:1532165403,EXITING,SIGTERM,,,,,
On the server side it says:
Sat Jul 21 09:30:33 2018 47.60.41.55:61617 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Jul 21 09:30:33 2018 47.60.41.55:61617 TLS Error: TLS handshake failed
Diagnostics from mwan with it disabled (works):
MWAN Status - Troubleshooting
INFO: MWAN not running
Software-Version
-------------------------------------------------
OpenWrt - OpenWrt 18.06.0-rc2 r7141-e4d0ee5af5
LuCI - git-18.196.56128-9112198
Output of "ip a show"
-------------------------------------------------
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether bc:ee:7b:56:58:55 brd ff:ff:ff:ff:ff:ff
inet6 1::beee:7bff:fe56:5855/64 scope link
valid_lft forever preferred_lft forever
3: ifb0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 32
link/ether 32:1c:61:cd:58:9b brd ff:ff:ff:ff:ff:ff
4: ifb1: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 32
link/ether da:62:b1:76:5a:b1 brd ff:ff:ff:ff:ff:ff
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether be:ee:7b:56:58:55 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
valid_lft forever preferred_lft forever
inet6 1:1:17f:f900::1/60 scope global dynamic noprefixroute
valid_lft 1207735sec preferred_lft 602935sec
inet6 fdcb:b0a8:536c::1/60 scope global noprefixroute
valid_lft forever preferred_lft forever
inet6 1::bcee:7bff:fe56:5855/64 scope link
valid_lft forever preferred_lft forever
8: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
link/ether be:ee:7b:56:58:55 brd ff:ff:ff:ff:ff:ff
9: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether bc:ee:7b:56:58:54 brd ff:ff:ff:ff:ff:ff
inet 1.1.1.1/20 brd 1.1.239.255 scope global eth0.2
valid_lft forever preferred_lft forever
inet6 1:0:c000:4:9087:f85a:83a8:b4fb/128 scope global dynamic noprefixroute
valid_lft 1207735sec preferred_lft 602935sec
inet6 1::beee:7bff:fe56:5854/64 scope link
valid_lft forever preferred_lft forever
10: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-lan state UP group default qlen 1000
link/ether bc:ee:7b:56:58:55 brd ff:ff:ff:ff:ff:ff
inet6 1::beee:7bff:fe56:5855/64 scope link
valid_lft forever preferred_lft forever
11: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-lan state UP group default qlen 1000
link/ether bc:ee:7b:56:58:54 brd ff:ff:ff:ff:ff:ff
inet6 1::beee:7bff:fe56:5854/64 scope link
valid_lft forever preferred_lft forever
12: ovpns0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
link/none
inet 192.168.200.1/24 brd 192.168.200.255 scope global ovpns0
valid_lft forever preferred_lft forever
inet6 1::b57b:45a2:85bd:6991/64 scope link stable-privacy
valid_lft forever preferred_lft forever
Output of "ip route show"
-------------------------------------------------
default via 1.1.224.1 dev eth0.2 proto static src 1.1.1.1 metric 10
1.1.224.0/20 dev eth0.2 proto static scope link metric 10
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
192.168.200.0/24 dev ovpns0 proto kernel scope link src 192.168.200.1
Output of "ip rule show"
-------------------------------------------------
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
Output of "ip route list table 1-250"
-------------------------------------------------
Output of "iptables -L -t mangle -v -n"
-------------------------------------------------
Chain PREROUTING (policy ACCEPT 408 packets, 212K bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 164 packets, 29441 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 244 packets, 183K bytes)
pkts bytes target prot opt in out source destination
472 24552 TCPMSS tcp -- * eth0.2 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 /* !fw3: Zone wan MTU fixing */ TCPMSS clamp to PMTU
0 0 TCPMSS tcp -- * usb0 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 /* !fw3: Zone wan MTU fixing */ TCPMSS clamp to PMTU
Chain OUTPUT (policy ACCEPT 124 packets, 89088 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 368 packets, 272K bytes)
pkts bytes target prot opt in out source destination
Chain qos_Default (0 references)
pkts bytes target prot opt in out source destination
0 0 CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 CONNMARK restore mask 0xf
0 0 qos_Default_ct all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0xf
0 0 MARK udp -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0xf0 length 0:500 MARK xset 0x22/0xff
0 0 MARK icmp -- * * 0.0.0.0/0 0.0.0.0/0 MARK xset 0x11/0xff
0 0 MARK tcp -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0xf0 tcp spts:1024:65535 dpts:1024:65535 MARK xset 0x44/0xff
0 0 MARK udp -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0xf0 udp spts:1024:65535 dpts:1024:65535 MARK xset 0x44/0xff
0 0 CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 CONNMARK save mask 0xff
Chain qos_Default_ct (1 references)
pkts bytes target prot opt in out source destination
0 0 MARK tcp -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0xf tcp multiport ports 22,53 /* ssh, dns */ MARK xset 0x11/0xff
0 0 MARK udp -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0xf udp multiport ports 22,53 /* ssh, dns */ MARK xset 0x11/0xff
0 0 MARK tcp -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0xf tcp multiport ports 20,21,25,80,110,443,993,995 /* ftp, smtp, http(s), imap */ MARK xset 0x33/0xff
0 0 MARK tcp -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0xf tcp multiport ports 5190 /* AOL, iChat, ICQ */ MARK xset 0x22/0xff
0 0 MARK udp -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0xf udp multiport ports 5190 /* AOL, iChat, ICQ */ MARK xset 0x22/0xff
0 0 CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 CONNMARK save mask 0xff
Diagnostics with mwan3 enabled (doesn't work):
MWAN Status - Troubleshooting
Software-Version
-------------------------------------------------
OpenWrt - OpenWrt 18.06.0-rc2 r7141-e4d0ee5af5
LuCI - git-18.196.56128-9112198
Output of "ip a show"
-------------------------------------------------
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet 192.168.1.1/32 scope global lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether bc:ee:7b:56:58:55 brd ff:ff:ff:ff:ff:ff
inet6 1::beee:7bff:fe56:5855/64 scope link
valid_lft forever preferred_lft forever
3: ifb0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 32
link/ether 32:1c:61:cd:58:9b brd ff:ff:ff:ff:ff:ff
4: ifb1: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 32
link/ether da:62:b1:76:5a:b1 brd ff:ff:ff:ff:ff:ff
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether be:ee:7b:56:58:55 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
valid_lft forever preferred_lft forever
inet6 1:11:17f:f900::1/60 scope global dynamic noprefixroute
valid_lft 1207845sec preferred_lft 603045sec
inet6 fdcb:b0a8:536c::1/60 scope global noprefixroute
valid_lft forever preferred_lft forever
inet6 1::bcee:7bff:fe56:5855/64 scope link
valid_lft forever preferred_lft forever
8: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
link/ether be:ee:7b:56:58:55 brd ff:ff:ff:ff:ff:ff
9: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether bc:ee:7b:56:58:54 brd ff:ff:ff:ff:ff:ff
inet 1.1.1.1/20 brd 1.1.239.255 scope global eth0.2
valid_lft forever preferred_lft forever
inet6 1:10:c000:4:9087:f85a:83a8:b4fb/128 scope global dynamic noprefixroute
valid_lft 1207845sec preferred_lft 603045sec
inet6 1::beee:7bff:fe56:5854/64 scope link
valid_lft forever preferred_lft forever
10: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-lan state UP group default qlen 1000
link/ether bc:ee:7b:56:58:55 brd ff:ff:ff:ff:ff:ff
inet6 1::beee:7bff:fe56:5855/64 scope link
valid_lft forever preferred_lft forever
11: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-lan state UP group default qlen 1000
link/ether bc:ee:7b:56:58:54 brd ff:ff:ff:ff:ff:ff
inet6 1::beee:7bff:fe56:5854/64 scope link
valid_lft forever preferred_lft forever
12: ovpns0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
link/none
inet 192.168.200.1/24 brd 192.168.200.255 scope global ovpns0
valid_lft forever preferred_lft forever
inet6 1::b57b:45a2:85bd:6991/64 scope link stable-privacy
valid_lft forever preferred_lft forever
Output of "ip route show"
-------------------------------------------------
default via 192.168.1.1 dev lo
default via 1.1.224.1 dev eth0.2 proto static src 1.1.1.1 metric 10
1.1.224.0/20 dev eth0.2 proto static scope link metric 10
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
192.168.200.0/24 dev ovpns0 proto kernel scope link src 192.168.200.1
Output of "ip rule show"
-------------------------------------------------
0: from all lookup local
1001: from all iif eth0.2 lookup main
2001: from all fwmark 0x100/0x3f00 lookup 1
2061: from all fwmark 0x3d00/0x3f00 blackhole
2062: from all fwmark 0x3e00/0x3f00 unreachable
32766: from all lookup main
32767: from all lookup default
Output of "ip route list table 1-250"
-------------------------------------------------
Table 1: default via 1.1.224.1 dev eth0.2
Output of "iptables -L -t mangle -v -n"
-------------------------------------------------
Chain PREROUTING (policy ACCEPT 78416 packets, 62M bytes)
pkts bytes target prot opt in out source destination
78774 62M mwan3_hook all -- * * 0.0.0.0/0 0.0.0.0/0
Chain INPUT (policy ACCEPT 14402 packets, 2604K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 63818 packets, 59M bytes)
pkts bytes target prot opt in out source destination
462 24032 TCPMSS tcp -- * eth0.2 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 /* !fw3: Zone wan MTU fixing */ TCPMSS clamp to PMTU
0 0 TCPMSS tcp -- * usb0 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 /* !fw3: Zone wan MTU fixing */ TCPMSS clamp to PMTU
Chain OUTPUT (policy ACCEPT 9615 packets, 3534K bytes)
pkts bytes target prot opt in out source destination
9674 3538K mwan3_hook all -- * * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 73433 packets, 63M bytes)
pkts bytes target prot opt in out source destination
Chain mwan3_connected (2 references)
pkts bytes target prot opt in out source destination
38512 57M MARK all -- * * 0.0.0.0/0 0.0.0.0/0 match-set mwan3_connected dst MARK or 0x3f00
Chain mwan3_hook (2 references)
pkts bytes target prot opt in out source destination
88448 66M CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 CONNMARK restore mask 0x3f00
3043 220K mwan3_ifaces_in all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0x3f00
2868 213K mwan3_connected all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0x3f00
2177 160K mwan3_ifaces_out all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0x3f00
887 51917 mwan3_rules all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0x3f00
88448 66M CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 CONNMARK save mask 0x3f00
67839 60M mwan3_connected all -- * * 0.0.0.0/0 0.0.0.0/0 mark match ! 0x3f00/0x3f00
Chain mwan3_iface_in_wan (1 references)
pkts bytes target prot opt in out source destination
0 0 MARK all -- eth0.2 * 0.0.0.0/0 0.0.0.0/0 match-set mwan3_connected src mark match 0x0/0x3f00 /* default */ MARK or 0x3f00
175 7739 MARK all -- eth0.2 * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0x3f00 /* wan */ MARK xset 0x100/0x3f00
Chain mwan3_iface_out_wan (1 references)
pkts bytes target prot opt in out source destination
1290 108K MARK all -- * eth0.2 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0x3f00 /* wan */ MARK xset 0x100/0x3f00
Chain mwan3_ifaces_in (1 references)
pkts bytes target prot opt in out source destination
3042 220K mwan3_iface_in_wan all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0x3f00
Chain mwan3_ifaces_out (1 references)
pkts bytes target prot opt in out source destination
2177 160K mwan3_iface_out_wan all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0x3f00
Chain mwan3_policy_balanced (0 references)
pkts bytes target prot opt in out source destination
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0x3f00 /* wan 3 3 */ MARK xset 0x100/0x3f00
Chain mwan3_policy_wan2_wan (0 references)
pkts bytes target prot opt in out source destination
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0x3f00 /* wan 3 3 */ MARK xset 0x100/0x3f00
Chain mwan3_policy_wan_only (1 references)
pkts bytes target prot opt in out source destination
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0x3f00 /* wan 3 3 */ MARK xset 0x100/0x3f00
Chain mwan3_policy_wan_wan2 (2 references)
pkts bytes target prot opt in out source destination
442 28388 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0x3f00 /* wan 3 3 */ MARK xset 0x100/0x3f00
Chain mwan3_policy_wan_wanb (0 references)
pkts bytes target prot opt in out source destination
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0x3f00 /* wan 3 3 */ MARK xset 0x100/0x3f00
Chain mwan3_policy_wanb_wan (0 references)
pkts bytes target prot opt in out source destination
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0x3f00 /* wan 3 3 */ MARK xset 0x100/0x3f00
Chain mwan3_rule_https (1 references)
pkts bytes target prot opt in out source destination
430 22415 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0x3f00 MARK xset 0x100/0x3f00
2 92 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x100/0x3f00 ! match-set mwan3_sticky_https src,src MARK and 0xffffc0ff
2 92 mwan3_policy_wan_wan2 all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0x3f00
430 22415 SET all -- * * 0.0.0.0/0 0.0.0.0/0 mark match ! 0xfc00/0xfc00 del-set mwan3_sticky_https src,src
430 22415 SET all -- * * 0.0.0.0/0 0.0.0.0/0 mark match ! 0xfc00/0xfc00 add-set mwan3_sticky_https src,src
Chain mwan3_rules (1 references)
pkts bytes target prot opt in out source destination
0 0 mwan3_policy_wan_only tcp -- * * 192.168.1.3 0.0.0.0/0 multiport sports 0:65535 multiport dports 119,563 mark match 0x0/0x3f00 /* nntp */
430 22415 mwan3_rule_https tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport sports 0:65535 multiport dports 443 mark match 0x0/0x3f00 /* https */
440 28296 mwan3_policy_wan_wan2 all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0x3f00 /* default_rule */
Chain qos_Default (0 references)
pkts bytes target prot opt in out source destination
0 0 CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 CONNMARK restore mask 0xf
0 0 qos_Default_ct all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0xf
0 0 MARK udp -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0xf0 length 0:500 MARK xset 0x22/0xff
0 0 MARK icmp -- * * 0.0.0.0/0 0.0.0.0/0 MARK xset 0x11/0xff
0 0 MARK tcp -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0xf0 tcp spts:1024:65535 dpts:1024:65535 MARK xset 0x44/0xff
0 0 MARK udp -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0xf0 udp spts:1024:65535 dpts:1024:65535 MARK xset 0x44/0xff
0 0 CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 CONNMARK save mask 0xff
Chain qos_Default_ct (1 references)
pkts bytes target prot opt in out source destination
0 0 MARK tcp -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0xf tcp multiport ports 22,53 /* ssh, dns */ MARK xset 0x11/0xff
0 0 MARK udp -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0xf udp multiport ports 22,53 /* ssh, dns */ MARK xset 0x11/0xff
0 0 MARK tcp -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0xf tcp multiport ports 20,21,25,80,110,443,993,995 /* ftp, smtp, http(s), imap */ MARK xset 0x33/0xff
0 0 MARK tcp -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0xf tcp multiport ports 5190 /* AOL, iChat, ICQ */ MARK xset 0x22/0xff
0 0 MARK udp -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0xf udp multiport ports 5190 /* AOL, iChat, ICQ */ MARK xset 0x22/0xff
0 0 CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 CONNMARK save mask 0xff