Posted: Sun Jul 17, 2011 4:56 Post subject: Help with routing traffic on vlan with ebtables/iptables
Hello Everyone.
I have a linksys E3000 running build 14929 big.
This router is setup to connect to my main ADSL linksys WAG200G router(192.168.1.1) via WLAN on repeater mode(not bridged).
I have a VAP on this E3000 router - wl0.1 - secure1
I have vlan3, vlan4, vlan5 running on 192.168.3.x, 4.x, 5.x separately. DHCP servers are all running OK. I have not put in any additional iptables rules to allow / isolate traffic etc., just as is.
I have a strong PPTP VPN set up in PPTP client, and what I am trying to achieve is to selectively route the traffic over the VPN by using ebtables and iptables over the wlan and vlan3 and vlan5 only. I have pasted the below in my firewall script --> commands tab:
Code:
echo "sleep 40" > /tmp/firewall_script.sh
echo "for i in ebtables ebt_mark ebtable_filter ebtable_nat; do insmod \$i; done" >> /tmp/firewall_script.sh
echo "ebtables -t nat -F" >> /tmp/firewall_script.sh
echo "ip rule del from 0/0 fwmark 4 lookup 4" >> /tmp/firewall_script.sh
echo "ip route flush table 4" >> /tmp/firewall_script.sh
echo "iptables -t mangle -F" >> /tmp/firewall_script.sh
echo "ebtables -t nat -A PREROUTING -i wl0.1 -j mark --set-mark 4" >> /tmp/firewall_script.sh
echo "ebtables -t nat -A PREROUTING -i vlan3 -j mark --set-mark 4" >> /tmp/firewall_script.sh
echo "ip route show table main | grep -Ev ^default | while read ROUTE; do ip route add table 4 \$ROUTE; done" >> /tmp/firewall_script.sh
echo "ip route add table 4 default dev ppp0" >> /tmp/firewall_script.sh
echo "ip rule add fwmark 4 table 4" >> /tmp/firewall_script.sh
echo "ip route flush cache" >> /tmp/firewall_script.sh
# third marked interface is vlan5 (the post lists wlan, vlan3 and vlan5; a second vlan3 rule would be a no-op duplicate)
echo "ebtables -t nat -A PREROUTING -i vlan5 -j mark --set-mark 4" >> /tmp/firewall_script.sh
chmod +x /tmp/firewall_script.sh
sh /tmp/firewall_script.sh &
However, the VPN tunnel is routed on wlan but not through any of vlan3, 4 or 5.
Is this because the default bridge br0 is not bridging or containing these interfaces, viz. vlan3, vlan4 or vlan5?
Using ebtables really complicates things... As long as you're not trying to do anything crazy like bridging two interfaces and only routing one of them over the VPN, then you should just use simple source based policy routing instead of marking it with ebtables. ie. just set some source subnets to route over the tunnel. _________________ Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
Thanks phuzi0n, if policy based routing works then that's how it'd be.
I know, for example, I can do the below:
add ppp0 as gw for one internal address:
********
ip rule add from 192.168.1.111 table 200
ip route add default via 173.195.10.129 dev ppp0 table 200
ip route flush cache
*******
if 1.111 is one of my internal addresses, and 173 is the ppp0 address.
But how do I add a whole subnet? Is it like this?
ip rule add from 192.168.2.0 table 200? instead of the IP listed in the above?
On a side note, can policy based routing be used for multiple subnets? viz. if I have 3 VLANs not bridged, running independent DHCP servers on 2.x, 3.x, 4.x etc.
ip rule add from 192.168.2.0 table 200? instead of the ip listed in the above?
No, an address is not a subnet without a netmask. Add a CIDR style netmask onto it.
ip rule add from 192.168.2.0/24 table 200
paranoid87 wrote:
On a side note, can policy based routing be used for multiple subnets? viz. if I have 3 VLANs not bridged, running independent DHCP servers on 2.x, 3.x, 4.x etc.
Yes of course, you can have multiple rules to make different source addresses use whichever routing table you want them to. To make all your extra VLANs go over the tunnel just create a rule for each subnet to use the alternate routing table.
You don't need to know the IP of the next hop for a route on a point to point link, you can just specify the interface.
ip route add default dev ppp0 table 200
If you need the IP for some other reason then it's probably in an nvram variable and you can find out by grepping for the IP from nvram show.
nvram show | grep [tunnel gateway IP]
Use the command I gave and find what nvram variable has your PPTP gateway, then try adding it to the route command.
ip route add default via `nvram get pptp_gateway_variable_name` dev ppp0 table 200
Use command substitution like I showed. Either `command` or $(command) inside of the ip route command.
ip route add default via `ifconfig ppp0|grep 'inet addr'|grep -v '127.0.0.1'|cut -d: -f2|cut -d' ' -f1` dev ppp0 table 200
ip rule add from 192.168.6.0/24 table 200
ip route add default via `ifconfig ppp0|grep 'inet addr'|grep -v '127.0.0.1'|cut -d: -f2|cut -d' ' -f1` dev ppp0 table 200
ip route flush cache
--except for some reason the route table 200 goes. Where do I add this to? Commands/firewall, or startup, or custom script? No matter what, when I telnet in and run
ip route show table 200 - nada, zip, no results, although ip rule shows that 6.0 lookup 200.
Any help? I want this to be static in the sense that it should STICK.
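The per-subnet source rules phuzi0n describes, put together as a re-runnable script for the firewall commands slot. This is an added example, not code from the thread: the table number 200, the ppp0 interface, the sleep before applying (taken from the first post's script) and the subnet list are assumptions, and the sample "ip rule show" text is constructed. The delete-before-add and the two check helpers are there because DD-WRT re-runs the firewall script, and the thread's last post shows a rule present but an empty table, which these checks would surface.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed values:
TABLE=200                                   # alternate routing table
TUN=ppp0                                    # PPTP tunnel interface
SUBNETS="192.168.3.0/24 192.168.4.0/24 192.168.5.0/24"   # VLAN subnets to send over the tunnel

# Emit the ip(8) commands: one default route in the table, one source rule per
# subnet. Each rule is deleted before being added so re-running the firewall
# script does not stack duplicate rules (ip rule add does not dedupe).
pbr_commands() {
    echo "ip route flush table $TABLE"
    # point-to-point link: no next-hop IP needed, the device is enough
    echo "ip route add default dev $TUN table $TABLE"
    for net in $SUBNETS; do
        echo "ip rule del from $net table $TABLE 2>/dev/null"
        echo "ip rule add from $net table $TABLE"
    done
    echo "ip route flush cache"
}

# rule_count SUBNET "IP_RULE_SHOW_OUTPUT": number of rules sending SUBNET to
# $TABLE; 1 is what you want, 0 means missing, more means duplicates.
rule_count() {
    printf '%s\n' "$2" | grep -c "from $1 lookup $TABLE"
}

# has_default "IP_ROUTE_SHOW_TABLE_OUTPUT": succeeds only if the table holds a
# default route. An empty table with a matching rule blackholes the subnet.
has_default() {
    printf '%s\n' "$1" | grep -q '^default '
}

# Constructed sample of "ip rule show" output, as a reader would see it.
SAMPLE_RULES="0:	from all lookup local
32765:	from 192.168.3.0/24 lookup 200
32766:	from all lookup main
32767:	from all lookup default"

apply_pbr() {
    sleep 40          # wait for ppp0 to be up after boot, as in the first post
    pbr_commands | sh
    for net in $SUBNETS; do
        echo "$net: $(rule_count "$net" "$(ip rule show)") rule(s)"
    done
    has_default "$(ip route show table "$TABLE")" || echo "table $TABLE has no default route"
}

if [ "$1" = "--apply" ]; then apply_pbr; fi
```

Run it as `sh script.sh --apply` from the firewall slot; without the flag it only defines the functions, so `pbr_commands` can be inspected before anything is changed.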