[7.460][BUG][NOTABUG] Policy based routing

I have to internet connections here, now using Gateway routes i configure the following.

gw1 10.254.20.1
gw2 10.254.20.2 (default)

i would setup certain dns hosts to connect via gw1 instead of default.

ill setup a rule as follows:

src int: any
src net: any (catch the proxy http traffic as well since its transparent)
service: any
dst net: www.somewebsite.com (i wish to use dns group because of multihomed sites but cannot [:@] )
gw: gw2

ok.. this works 100%

if i go further add a few more rules to the bottom of that and end with
src int: internal
src net: myworkstation
service: any
dst net: any (i want my torrent downloads via gw1 because gw2's network blocks torrent traffic)
gw: gw1

then this bottom rule will override all rules above and just move all myworkstation traffic to gw1.
Im not sure if it is supposed to work this way, but i believed that the rules can be moved up and down and routes should be selected in the priority order?

I just reset my configuration, ill try it again. Please comment

Parents

0 BAlfson over 16 years ago

Like most things in the Astaro, once a packet qualifies for a traffic selector, no further rules of that type apply.

So, if you want to make a different rule for your workstation, that rule must appear before one that selects the same traffic for the subnet you're in.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 wratholix over 16 years ago in reply to BAlfson

Like most things in the Astaro, once a packet qualifies for a traffic selector, no further rules of that type apply.

So, if you want to make a different rule for your workstation, that rule must appear before one that selects the same traffic for the subnet you're in.

Cheers - Bob

yes that is how i set it up, the any any rule is above the myworkstation rule..
anyway, ill try again tonight after i finish setting everything up again [:D]
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

0 Astaro Beta Bot over 16 years ago in reply to wratholix

Astaro Beta Report
--------------------------------
Version: 7.460
Type: BUG
State: NOTABUG
Reporter: wratholix
Contributor: 
MantisID: 
--------------------------------

Reply

0 Astaro Beta Bot over 16 years ago in reply to wratholix

Astaro Beta Report
--------------------------------
Version: 7.460
Type: BUG
State: NOTABUG
Reporter: wratholix
Contributor: 
MantisID: 
--------------------------------

Children

0 ee-tra over 16 years ago in reply to Astaro Beta Bot

You should check the Position numbers. The rules are order by them.
This can be verified via command line. Packets are marked in the
netfilter mangle table and then routed via the marked table.
$ iptables -t mangle -vnL POLICY_ROUTING_PRE
and
$ iptables -t mangle -vnL POLICY_ROUTING_OUT
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 BAlfson over 16 years ago in reply to ee-tra

In the rule list, the Astaro starts with "1" which is at the top of the list; your workstation rule should be above the Any rule, not the other way around.

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel