Mark incoming packets to use a secondary routing table

I have a router with 3 interfaces: lan, wan and int.

Client's are connected to the lan interface and can access Internet through the router's wan interface (forwarding wan <-> lan).

However, when wan connection to the Internet is down, I want to redirect the clien'ts traffic from lan interface to the int interface (Internet can also be accessed through int) but at the same time be able to perform a ping in the router from the wan interface to 8.8.8.8, to monitor when the connection is back up.

First of all, the network addresses:

  • client's network: 192.168.10.0/24
  • int next-hop: 172.16.1.20

I started by creating a new routing table...

  1. echo "1 mytable" >> /etc/iproute2/rt_tables
  2. ip rule add from 192.168.10.0/24 table mytable
  3. ip route add default via 172.16.1.20 dev eth2 table mytable

and without altering the main routing table's default gateway, the client's traffic uses "mytable" and is sent through "int" interface. I can also ping 8.8.8.8 from the wan at the same time. All good.

But, although this solution works, I was trying another one I consider more elegant. It consists on marking incoming packets from lan (new configuration next):

  1. echo "1 mytable" >> /etc/iproute2/rt_tables
  2. ip route add default via 172.16.1.20 dev eth2 table mytable
  3. ip rule add fwmark 0xFF lookup mytable
  4. add in /etc/config/firewall:
config rule
        option name 'marking-client-traffic'
        option mark '0xFF'
        option proto 'all'
        option src 'lan'
        option target 'ACCEPT'
        option enabled '1'

With this solution, I was expecting that all traffic from the client lan was marked with 0xFF and would then use "mytable".

Afterwards, if I wanted to stop the marking of packets, I would just:

uci set firewall.@rule[0].enabled=0
fw3 reload

However, this solution is not working. It only starts working if I add the "ip rule add from..." rule, but that is not what I want.

I also read online that the marking of packets should be done in the mangle table, but I don't understand how it is possible to configure the mangle using the uci.

What would be the right way to mark the packets, using the uci? Do I have to use iptables commands instead?

Yes, you need to use iptables commands in /etc/firewall.user. I'm doing that for a VPN connection.

1 Like

If you want to automate the way that clients are routed to the internet you could also check mwan3.

I found the right way to mark the packets using the uci:

  1. echo "1 mytable" >> /etc/iproute2/rt_tables
  2. ip route add default via 172.16.1.20 dev eth2 table mytable
  3. ip route add 192.168.10.0/24 dev eth3 scope link src 192.168.10.1 table mytable
  4. ip rule add fwmark 0xFF lookup mytable
  1. In /etc/config/firewall:
config rule
         option name 'mark_lan_int'
         option src 'lan'
         option target 'MARK'
         option proto 'all'
         option set_mark '0xFF'
         option enabled '0'

  config rule
          option name 'mark_int_lan'
          option src 'int'
          option target 'MARK'
          option proto 'all'
          option set_mark '0xFF'
          option enabled '0'

Then, when I want to enable the rule to mark client's traffic:
6. uci set firewall.@rule[0].enabled=1
7. uci set firewall.@rule[1].enabled=1
8. uci commit firewall
9. fw3 restart

And everything works like I wanted it to.

2 Likes

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.