# 2 WAN connections / route traffic based on l7-filter

## meekamoo

So I've spent a few days googling around trying to find solutions to this but I don't know enough about the workings of iptables/iptools etc to build a complete solution for my problem.

My setup:

Gentoo gateway

 - eth0 : lan interface 192.168.1.1

 - ppp0 : adsl to ISPA (4mb/512k)

 - ppp1 : adsl to ISPB (512k/256k)

Both connections are NAT'd and work fine.

What I would like to do is route the traffic according to content over a specific interface.

ppp0 is the fastest account but I am capped at about 8gb/m. ppp1 is a slower but uncapped 512k account.

This is what I have so far... maybe someone can point me in the right direction if I'm going awol...

```
# mark all nat traffic
# (as written this rule has no -j target, so it only matches packets that
#  already carry mark 3 and sets nothing itself)
iptables -t mangle -A POSTROUTING -m mark --mark 3

# create a default route through ppp1 in table 666
ip route add default dev ppp1 table 666

# send dc++ (p2p) thru ppp1: packets marked 3 consult table 666
ip rule add fwmark 3 table 666
```

I'm using l7 userspace and the daemon is running with a basic configuration file giving DC++ traffic an fwmark of 3.

I am reluctant to use port numbers as obviously port numbers change quite variably for p2p and this l7-filter is apparently not that bad.

Has anyone done this kind of thing before?

----------

## manaka

You can't do that with l7-filter. It generally cannot identify the protocol one connection is using with only the first packets. When l7-filter is able to identify the protocol, you've already routed and NATed the connection through one particular interface. And you cannot change that afterwards. Kind of a chicken-and-egg problem.

See the FAQ (http://l7-filter.sourceforge.net/FAQ) for all the details.

----------

## meekamoo

Ahhh ok thanks for the explanation.

I'm using upnpd for my DC++ connections so I'll try playing with that - maybe I can get the daemon to set routes as soon as the connection is made?

Do you think that could work?

----------

## manaka

It wouldn't. upnpd only creates NAT entries in the router/firewall. From the Linux upnpd docs (http://linux-igd.sourceforge.net/documentation.php):

 *Quote:*   

> NOTE: This program only creates DNAT (portmap) entries in your firewall on the external interface (public ip).

 

Besides, you would have to make the l7-filter daemon upnp aware, which AFAIK it isn't.

For p2p traffic isolation, you should use bandwidth management policies (AKA QoS or traffic control). IIRC, there are some examples of this on the l7-filter web site.

----------

## meekamoo

 *manaka wrote:*   

> It wouldn't. upnpd only creates NAT entries in the router/firewall. From the Linux upnpd docs (http://linux-igd.sourceforge.net/documentation.php)
> 
>  *Quote:*   
> 
> NOTE: This program only creates DNAT (portmap) entries in your firewall on the external interface (public ip).
> ...

 

Aahh damn I had a look last night and thought upnpd had a section to enable custom commands to be run when a new connection is made.

I've meddled with QoS and TC for a while but haven't properly gotten to grips with it. I currently run the wondershaper on my connection and am able to understand it mostly. Can TC decide which interface to send traffic through? I was under the impression its main use is to shape the traffic going through a single connection? I would like to be able to send certain traffic over a specific interface.

So I've been fiddling all day trying to get this working. 

```
iptables -t mangle -A PREROUTING -p tcp --dport 8888 -j MARK --set-mark 5
```

That correctly marks the packets. As soon as I load a page using that proxy port on my network I get firewall logs (I added a 2nd -log entry for that same rule)

```
mordor bin # ip rule list
0:   from all lookup local 
32764:   from all fwmark 0x5 lookup axxess 
32766:   from all lookup main 
32767:   from all lookup default 
```

```
/etc/iproute2/rt_tables:
(snip)
202 axxess
```

```
# ip route sh table axxess
default dev ppp1  scope link 
```

It looks like everything should work?

1. Firewall is correctly marking packets (I could be wrong?)

2. I have the ip route table created and it is set to default through ppp1

3. I have the ip rule created to send all fwmark 5 packets through axxess (which is ppp1)

----------

## manaka

 *Quote:*   

> I've meddled with QoS and TC for a while but haven't properly gotten to grips with it. I currently run the wondershaper on my connection and am able to understand it mostly. Can TC decide which interface to send traffic through? I was under the impression its main use is to shape the traffic going through a single connection? I would like to be able to send certain traffic over a specific interface. 

 

It can't. The purpose of tc is managing traffic sent through one interface (tc policies are per interface). Deciding which interface to use is a mission of the routing subsystem.

 *Quote:*   

> It looks like everything should work?
> 
> 1. Firewall is correctly marking packets (I could be wrong?)
> ...

 

These are the 3 things you need. I have some doubts about the routing entries for table axxess, though. I don't have any box with ppp interfaces at hand. But IIRC, routing entries for table axxess should look like this:

```
ip route show table axxess
$PPP1_GW dev ppp1
default via $PPP1_GW dev ppp1
# PPP1_GW is the address of the gateway for the ppp1 connection
```

One comment about packet marking too. The mangle PREROUTING rule marks packets entering the machine, but not packets generated by the machine itself. If the latter is what you want, you should add the appropriate mangle OUTPUT rule.

----------

## meekamoo

I think I'm about to pull all of my hair out. I would imagine that I would be able to accomplish something like this but cannot.

So this is the set up:

ppp0 - isp "telkom"

ppp1 - isp "axxess"

they both have the same gateway IP though (probably same tier 2 isp?) - Would that be a problem? I'm sure it can ignore gateway IP and just use interface name?

I have this firewall rule:

```
iptables -t mangle -A PREROUTING -p tcp --dport 8888 -j MARK --set-mark 5

iptables -t mangle -A PREROUTING -p tcp --dport 8888 -j LOG --log-level DEBUG --log-prefix "fwmark 5: "
```

IPtables appears to be correctly marking the packets evident in these logs:

```
Dec  6 20:34:38 anubis kernel: fwmark 5: IN=eth0 OUT= MAC=00:50:8d:bf:cf:e3:00:1d:60:5a:c2:91:08:00 SRC=192.168.1.2 DST=192.168.1.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=51013 DF PROTO=TCP SPT=39724 DPT=8888 WINDOW=46 RES=0x00 ACK FIN URGP=0 MARK=0x5 
```

So thats step 1 - done.

Then the routing:

/etc/iproute2/rt_tables contains:

```
#
# reserved values
#
255   local
254   main
253   default
0   unspec
#
# local
#
#1   inr.ruhep
1 telkom
2 axxess
```

```
ip route add default dev ppp1 table axxess   # default route in table axxess (ppp is point-to-point, no gateway needed)
```

Step 2 - Complete?

Now last step:

```
ip rule add from all fwmark 5 table axxess
```

I don't know what I'm missing out here?

----------
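A complete version of the three steps the thread settles on (mark in mangle, a routing table with a default route, an `ip rule` for the mark), as an added example that is not code from any poster. It assumes the names used above (eth0 for the LAN, ppp1 for the secondary ISP, table `axxess` in /etc/iproute2/rt_tables, fwmark 5, TCP port 8888); by default (`DRY_RUN=1`) it only prints the commands, and with `DRY_RUN=0` it applies them as root. It also adds the pieces that are commonly the missing one in a setup like this: the mangle OUTPUT rule manaka mentioned, CONNMARK so that every packet of a connection (replies included) carries the same mark and not only the first one, MASQUERADE on ppp1 in case the existing NAT rule is tied to ppp0, a reverse-path-filter setting that tolerates the asymmetric return path, and a route-cache flush for kernels older than 3.6. Which of these, if any, applies to meekamoo's box cannot be told from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): mark-based routing of selected LAN
# traffic out of a second PPP link. Names follow the thread: eth0 = LAN,
# ppp1 = secondary ISP, routing table "axxess", fwmark 5, TCP port 8888.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 runs them (as root).

LAN_IF=${LAN_IF:-eth0}
ALT_IF=${ALT_IF:-ppp1}
ALT_TABLE=${ALT_TABLE:-axxess}   # must be listed in /etc/iproute2/rt_tables
ALT_MARK=${ALT_MARK:-5}
ALT_PORT=${ALT_PORT:-8888}       # TCP destination port routed via ALT_IF
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Steps 2 and 3 of the thread: a default route in the alternate table, and a
# rule that consults that table for marked packets before "main" is tried.
setup_routing() {
    # ppp links are point-to-point: a default route with only "dev" is valid.
    run ip route replace default dev "$ALT_IF" table "$ALT_TABLE"
    run ip rule add fwmark "$ALT_MARK" lookup "$ALT_TABLE" priority 100
    # Kernels before 3.6 keep a route cache; flush it so the new rule also
    # applies to destinations already cached via the main table.
    run ip route flush cache
    # Replies to marked flows arrive on ALT_IF while the main table points
    # elsewhere; strict reverse-path filtering (rp_filter=1) drops them.
    # 2 = loose mode (preferred, where the kernel supports it); 0 = off.
    run sysctl -w "net.ipv4.conf.$ALT_IF.rp_filter=2"
}

# Step 1 of the thread, with connection tracking so that every packet of a
# connection carries the same mark, not only the first one.
setup_marking() {
    # Forwarded traffic from the LAN enters through PREROUTING.
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    run iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p tcp --dport "$ALT_PORT" \
        -j MARK --set-mark "$ALT_MARK"
    run iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
    # Traffic generated by the gateway itself never passes PREROUTING (the
    # point manaka made above): repeat the logic in OUTPUT.
    run iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
    run iptables -t mangle -A OUTPUT -m mark ! --mark 0 -j ACCEPT
    run iptables -t mangle -A OUTPUT -p tcp --dport "$ALT_PORT" \
        -j MARK --set-mark "$ALT_MARK"
    run iptables -t mangle -A OUTPUT -j CONNMARK --save-mark
    # Marked flows now leave via ALT_IF, so NAT must cover that interface
    # too; a MASQUERADE rule tied to ppp0 alone would not.
    run iptables -t nat -A POSTROUTING -o "$ALT_IF" -j MASQUERADE
}

# Check: ask the kernel which route a packet with a given mark would take
# (needs an iproute2 that understands "ip route get ... mark").
route_for_mark() {
    run ip route get "$1" mark "$2"
}

setup_routing
setup_marking
route_for_mark 198.51.100.1 "$ALT_MARK"   # 198.51.100.1 is a documentation address
```

After applying it, `ip route get DST mark 5` should answer with `dev ppp1`, and the packet counters in `iptables -t mangle -L -v` should show later packets of a flow hitting the CONNMARK restore and ACCEPT rules rather than the port match, which confirms the mark survives past the first packet.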

