# Advanced Routing with FWMARK problem

## fratotec

Hello Guys, 

I have 2 ADSL lines and wish to balance some traffic between them (mainly: web traffic via line 2, the rest of the services via line 1).

I tried with shorewall without success. Then I stripped down to a manual configuration with the bare minimum, and it turns out to be a problem with FWMARK.

My current configuration is:

```
mail ~ # ip route list
10.2.1.0 dev eth2  scope link  src 10.2.1.2
10.1.1.0 dev eth1  scope link  src 10.1.1.2
10.2.1.0/24 dev eth2  proto kernel  scope link  src 10.2.1.2
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.2
10.1.1.0/24 dev eth1  proto kernel  scope link  src 10.1.1.2
192.168.0.0/22 via 192.168.1.1 dev eth0
127.0.0.0/8 dev lo  scope link
default via 10.1.1.1 dev eth1
```

```
mail ~ # ip rule list
0:      from all lookup local
20000:  from 192.168.1.79 lookup G25
20001:  from 10.1.1.2 lookup T14
20002:  from 10.2.1.2 lookup G25
32766:  from all lookup main
32767:  from all lookup default
```

In this configuration all forwarded traffic is going out via eth1, correctly SNATed...

and all forwarded traffic from the host 192.168.1.79 is going out via eth2 (the second line)... also OK...

Then I try to use

```
iptables -t mangle -A PREROUTING -p tcp --dport 80 -s 192.168.1.0/24 -j MARK --set-mark 2
ip rule add fwmark 2 table G25
```

(from http://linux-ip.net/html/adv-multi-internet.html)

and run tcpdump on eth0 (the internal interface)...

```
23:08:43.121028 IP 192.168.1.79.4106 > 64.233.179.104.80: S 1751042198:1751042198(0) win 65535 <mss 1460,nop,nop,sackOK>
23:08:46.136975 IP 192.168.1.79.4106 > 64.233.179.104.80: S 1751042198:1751042198(0) win 65535 <mss 1460,nop,nop,sackOK>
```

and tcpdump on eth2:

```
23:08:43.121075 IP 10.2.1.2.4106 > 64.233.179.104.80: S 1751042198:1751042198(0) win 65535 <mss 1460,nop,nop,sackOK>
23:08:43.291946 IP 64.233.179.104.80 > 10.2.1.2.4106: S 4259116517:4259116517(0) ack 1751042199 win 8190 <mss 1452>
```

The routing follows the fwmark rule, directing the traffic to eth2; the packets are correctly SNATed, go out to the net and return,

but do not reach the workstation...

What could I be missing??

```
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
...
```


```
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
MARK       tcp  --  anywhere             anywhere            tcp dpt:http MARK set 0x2

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
MARK       tcp  --  anywhere             anywhere            tcp dpt:http MARK set 0x2

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
```

Any help will be appreciated...

Franz

----------

## fratotec

I forgot to include:

Kernel Version 2.6.15-gentoo-r1

iptables-1.3.4

iproute2-2.6.15.20060110

----------

## RAPHEAD

Hi,

were you successful in the end?

I have a somewhat similar situation:

I want all http traffic which hits a machine to be sent via a special GW and all other traffic through another one.

Both GWs are on my local net. I also tried with shorewall but did not get it to work.

I always end up with duplicate file messages thrown by netfilter.

----------

## mariourk

You need to disable rp_filter. It took me some time to figure this out.

```
echo 0 > /proc/sys/net/ipv4/conf/eth2/rp_filter
```

----------
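The thread stops at "disable rp_filter" without saying why that fixes fratotec's symptom, so here is an added worked example (editor's code, not from any poster) that puts the two halves together. The SYN-ACK in the eth2 capture has source 64.233.179.104 and is not marked (the MARK rule matches dport 80, the reply has sport 80), so the kernel's reverse-path check looks the source up in the ordinary rule set, finds the main table's `default via 10.1.1.1 dev eth1`, sees the packet arrived on eth2 instead, and drops it before it is ever forwarded to eth0. The script below emits the full "web via line 2" configuration (mark in PREROUTING, fwmark rule, a default route inside table G25, SNAT on eth2, rp_filter off on eth2) and includes a checker for the rp_filter state. Assumptions not in the thread: line 2's gateway is 10.2.1.1, table G25 is already named in /etc/iproute2/rt_tables (the original `ip rule list` refers to it by name, so it must be), rule priority 10000, and DRY_RUN=1 by default so the script only prints the commands unless you run it as root with DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not code from the thread): fwmark-based policy routing for
# "HTTP via line 2", plus the rp_filter fix. Names/addresses marked ASSUMED are
# not in the original posts.
DRY_RUN=${DRY_RUN:-1}              # 1 = print commands only; 0 = execute (root)
CONF_DIR=${CONF_DIR:-/proc/sys/net/ipv4/conf}
LAN_NET=192.168.1.0/24
LINE2_IF=eth2
LINE2_IP=10.2.1.2
LINE2_GW=10.2.1.1                  # ASSUMED gateway of the second ADSL line
MARK=2
TABLE=G25                          # must exist in /etc/iproute2/rt_tables
PRIO=10000                         # ASSUMED: ahead of the 20000.. rules and main

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Emit (or execute) the complete set of commands for marked routing.
configure_mark_routing() {
    # Table G25 needs its own default route; "ip rule add fwmark" alone
    # only selects the table, it does not populate it.
    run ip route replace default via "$LINE2_GW" dev "$LINE2_IF" table "$TABLE"
    # Mark LAN->port 80 packets in PREROUTING, before the forwarding decision.
    run iptables -t mangle -A PREROUTING -s "$LAN_NET" -p tcp --dport 80 \
        -j MARK --set-mark "$MARK"
    run ip rule add fwmark "$MARK" table "$TABLE" priority "$PRIO"
    # Marked packets leave via eth2, so they must carry eth2's address or the
    # remote end answers to line 1.
    run iptables -t nat -A POSTROUTING -o "$LINE2_IF" -j SNAT --to-source "$LINE2_IP"
    # The unmarked replies arrive on eth2 while the main table routes their
    # source via eth1; strict reverse-path filtering drops exactly that case.
    run sysctl -w "net.ipv4.conf.$LINE2_IF.rp_filter=0"
}

# Effective rp_filter for an interface. Current kernels apply the larger of
# conf/all/rp_filter and conf/<iface>/rp_filter, so clearing only eth2's
# entry is not enough when conf/all/rp_filter is still 1.
effective_rp_filter() {
    all=$(cat "$1/all/rp_filter" 2>/dev/null || echo 0)
    own=$(cat "$1/$2/rp_filter" 2>/dev/null || echo 0)
    if [ "$all" -gt "$own" ]; then echo "$all"; else echo "$own"; fi
}

# Return 0 when every named interface is off (0) or loose (2), 1 when any is
# strict (1). Loose mode (kernels that support value 2) accepts a packet as
# long as some interface has a route to its source, which is enough here.
check_rp_filter() {
    conf_dir=$1; shift
    bad=0
    for ifc in "$@"; do
        v=$(effective_rp_filter "$conf_dir" "$ifc")
        case $v in
            0) echo "$ifc: rp_filter off" ;;
            2) echo "$ifc: rp_filter loose (replies may arrive on any interface)" ;;
            *) echo "$ifc: rp_filter strict - replies for routes that prefer another interface are dropped"
               bad=1 ;;
        esac
    done
    return $bad
}

# Stand-alone run: show the commands, then report the live rp_filter state.
configure_mark_routing
if [ -d "$CONF_DIR/$LINE2_IF" ]; then
    check_rp_filter "$CONF_DIR" "$LINE2_IF" || echo "fix: sysctl -w net.ipv4.conf.all.rp_filter=0 (or =2 where supported)"
fi
```

Run it as root with `DRY_RUN=0` to apply; a second `ip rule list` should then show the `fwmark 0x2 lookup G25` entry, and `tcpdump -i eth0 'src port 80'` should show the SYN-ACK being forwarded to the workstation. Rules added this way do not survive a reboot; put the same commands in whatever network start script the distribution uses.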

