Channel: MikroTik

General • TIP: Do not use rp-filter=Strict with Dual WAN policy-based routing

Over the last few days I have tried to set up policy-based routing with a dual WAN setup. I used mangle rules to direct traffic to either one or the other WAN. Everything outbound appeared to work fine; mark routing worked and packets were leaving the right WAN interface. However, I could never get inbound packets to route back to my LAN from the secondary WAN interface. I could see the inbound packets in the prerouting chain, but not beyond that.

It turned out that my rp-filter IP setting was set to Strict. As per the documentation:

strict - Strict mode as defined in RFC3704 Strict Reverse Path. Each incoming packet is tested against the FIB and if the interface is not the best reverse path the packet check will fail. By default failed packets are discarded.

All I had to do was change the setting to Loose:

loose - Loose mode as defined in RFC3704 Loose Reverse Path. Each incoming packet's source address is also tested against the FIB and if the source address is not reachable via any interface the packet check will fail.

...and all is well. This is on OS 7.14.1. It took me a day to track this down so thought I'd share it with the community; perhaps it might help someone else as well.

Thanks.

Statistics: Posted by xtal — Sun Mar 24, 2024 5:26 pm
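
The two documentation excerpts quoted in the post, as an added example that is not part of the original post and is not RouterOS code: a simplified model of the RFC 3704 strict and loose checks run against a single FIB. The interface names, prefixes, distances and the sample source address are constructed assumptions; the model assumes the check consults one table in which wan1 holds the preferred default route.

```python
import ipaddress

# Constructed FIB: (prefix, outgoing interface, distance). All values are assumptions.
FIB = [
    ("192.168.88.0/24", "bridge-lan", 0),
    ("0.0.0.0/0", "wan1", 1),   # preferred default route
    ("0.0.0.0/0", "wan2", 2),   # secondary default route
]

def routes_to(src, fib):
    """All FIB entries covering src, best first (longest prefix, then lowest distance)."""
    addr = ipaddress.ip_address(src)
    hits = [(ipaddress.ip_network(p), ifc, d) for p, ifc, d in fib
            if addr in ipaddress.ip_network(p)]
    return sorted(hits, key=lambda r: (-r[0].prefixlen, r[2]))

def rp_check(src, in_iface, mode, fib=FIB):
    """Return True if a packet from src arriving on in_iface passes the check."""
    if mode == "no":
        return True
    hits = routes_to(src, fib)
    if not hits:
        return False                     # source unreachable: fails loose and strict
    if mode == "loose":
        return True                      # reachable via any interface is enough
    if mode == "strict":
        return hits[0][1] == in_iface    # must arrive on the best reverse path
    raise ValueError(f"unknown rp-filter mode: {mode}")

if __name__ == "__main__":
    # Replies from an Internet host (constructed address) arriving on each WAN.
    for mode in ("strict", "loose"):
        for iface in ("wan1", "wan2"):
            ok = rp_check("203.0.113.10", iface, mode)
            print(f"{mode:6} in={iface} src=203.0.113.10 -> {'accept' if ok else 'drop'}")
    # A LAN source address showing up on a WAN port: strict drops it, loose does not.
    for mode in ("strict", "loose"):
        ok = rp_check("192.168.88.5", "wan2", mode)
        print(f"{mode:6} in=wan2 src=192.168.88.5 -> {'accept' if ok else 'drop'}")
```

In this model, strict drops everything arriving on wan2 because the best reverse path is always wan1, which matches the symptom in the post; loose accepts it, but it also accepts a LAN source address arriving on a WAN port, so that anti-spoofing case needs its own firewall rule when running in loose mode.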


