On 21.06.2025 10:54, Pavel Penaz wrote:
> Hi,
> to route the return packets accordingly, can you try adding the
> following two rules with "ip rule add ..." and check if this helps?
> to ip1 lookup table1
> to ip2 lookup table2
Quite expectedly this changed nothing. For a return packet, it is
sent from an IP on local network (target of the dnat rule) to the
external IP, so neither ip1 nor ip2 is mentioned in the packet.
So such rules don't apply.
After adding these rules with prio 32785 & 32786, the return packet
is still routed through eth1 (per rule 32790).
We need to exchange the order of operations (dnat vs routing), not
order of rules within these two. Such reordering will automatically
and correctly solve both my problems, and a few similar problems
people reported over the years.
Checking result of NAT for martians makes no sense. Ditto for
applying routing rules before de-NAT-ification of return packets.
Thanks,
/mjt
> Best regards
> Pavel
>
> On Sat, Jun 21, 2025 at 9:26 AM Michael Tokarev <mjt@xxxxxxxxxx> wrote:
> > On 21.06.2025 03:48, Sunny73Cr wrote:
> > > Hi,
> > > > from hostINT back to extIP, gets routed to gw1 through eth1
> > > Looks like the default route for 'any' source has too much priority; without looking at the code, it seems that the assumption is that there's no point checking the other routes, if there is an 'any' route. I suggest removing the 'any' route and relying on SNAT for 'hidden' clients. Add more routing rules if necessary.
> > Unfortunately there's no way to remove the "any" route
> > or make its priority lower:
> > # ip rule list
> > 0: from all lookup local
> > 32766: from all lookup main
> > 32767: from all lookup default
> > 32770: from ip1 lookup table1 proto static
> > 32780: from ip2 lookup table2 proto static
> > 32790: from all lookup table1 proto static
> > # ip route list table table1
> > default via gw1 dev eth1 proto static
> > # ip route list table table2
> > default via gw2 dev eth2 proto static
> > It is the rule 32790 which kicks in *before*
> > reverse-DNAT (for replies, SNAT), while it should
> > be consulted after SNAT.
> > (There's no "default" route in main table. It
> > has regular local routing information for locally
> > connected and inter-connected networks, there's
> > nothing relevant in it for the packets in question).
> > The problem is that I can't change order of snat vs
> > order of routing, no matter how I change priorities
> > of the rules. Or I don't see a way to do this.
> > Thanks,
> > /mjt
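The rule-evaluation order mjt describes, worked through as an added example that is not part of this thread and not iproute2 code. It parses the `ip rule list` and `ip route list table` output quoted above, walks the rules lowest priority first the way the kernel does (a rule only decides the route if its selector matches and its table actually holds a route for the destination), and checks three cases: the reply packet hostINT -> extIP with the rules as quoted, the same packet with Pavel's `to ip1` / `to ip2` rules added at 32785/32786, and the hypothetical packet the lookup would see if it ran after reverse NAT had already rewritten the source to ip1 or ip2. All addresses are constructed placeholders (the thread names ip1, ip2, gw1, gw2, hostINT and extIP only symbolically), and the main table contents are an assumption consistent with mjt's statement that it holds only connected routes and no default.

```python
"""Walk the policy-routing rules quoted in this thread in priority order the way
the kernel does: the first rule whose selector matches the packet AND whose table
holds a route for the destination decides the egress.  Added example, not code
from the thread or iproute2; all addresses are constructed placeholders."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed placeholder addressing (the thread names these only symbolically).
NAMES = {
    "ip1": "198.51.100.10",  # router address on eth1, towards gw1
    "ip2": "203.0.113.10",   # router address on eth2, towards gw2
    "gw1": "198.51.100.1",
    "gw2": "203.0.113.1",
    "hostINT": "10.0.0.5",   # DNAT target on the internal LAN (eth0)
    "extIP": "192.0.2.7",    # external client that opened the connection
}
# `ip rule list` as quoted in the thread.
RULES_TEXT = """\
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
32770: from ip1 lookup table1 proto static
32780: from ip2 lookup table2 proto static
32790: from all lookup table1 proto static
"""
# The destination-based rules Pavel suggested, at the priorities mjt tried.
PAVEL_RULES = "32785: to ip1 lookup table1\n32786: to ip2 lookup table2\n"
# table1/table2 as quoted; main holds only connected networks (assumed entries,
# the thread says it has no default route).  Unlisted tables (local, default) are empty.
TABLES_TEXT = {
    "main": "10.0.0.0/24 dev eth0\n198.51.100.0/24 dev eth1\n203.0.113.0/24 dev eth2",
    "table1": "default via gw1 dev eth1 proto static",
    "table2": "default via gw2 dev eth2 proto static",
}


def resolve(token):
    """Map a symbolic name from the thread to its placeholder address."""
    return NAMES.get(token, token)


@dataclass
class Rule:
    prio: int
    table: str
    src: Optional[ipaddress.IPv4Network] = None  # None means "from all"
    dst: Optional[ipaddress.IPv4Network] = None  # None means any destination

    def matches(self, src, dst):
        return (self.src is None or src in self.src) and (self.dst is None or dst in self.dst)


def parse_rules(text):
    """Parse 'PRIO: [from X] [to Y] lookup TABLE ...' lines, lowest priority first."""
    rules = []
    for line in filter(str.strip, text.splitlines()):
        prio, rest = line.split(":", 1)
        toks = rest.split()
        rule = Rule(int(prio), toks[toks.index("lookup") + 1])
        if "from" in toks and toks[toks.index("from") + 1] != "all":
            rule.src = ipaddress.ip_network(resolve(toks[toks.index("from") + 1]))
        if "to" in toks:
            rule.dst = ipaddress.ip_network(resolve(toks[toks.index("to") + 1]))
        rules.append(rule)
    return sorted(rules, key=lambda r: r.prio)


def parse_table(text):
    """Parse 'default|PREFIX [via GW] dev DEV ...' lines into (prefix, dev, via)."""
    routes = []
    for toks in (l.split() for l in text.splitlines() if l.strip()):
        prefix = "0.0.0.0/0" if toks[0] == "default" else toks[0]
        via = resolve(toks[toks.index("via") + 1]) if "via" in toks else None
        routes.append((ipaddress.ip_network(prefix), toks[toks.index("dev") + 1], via))
    return routes


TABLES = {name: parse_table(text) for name, text in TABLES_TEXT.items()}


def policy_lookup(rules, tables, src, dst):
    """First matching rule whose table has a route wins; empty lookups fall through."""
    s, d = ipaddress.ip_address(resolve(src)), ipaddress.ip_address(resolve(dst))
    for rule in rules:
        if not rule.matches(s, d):
            continue
        hits = [r for r in tables.get(rule.table, []) if d in r[0]]
        if hits:
            _prefix, dev, via = max(hits, key=lambda r: r[0].prefixlen)  # longest prefix
            return rule.prio, rule.table, dev, via
    return None


def reply_route(extra_rules=""):
    """Egress for the reply hostINT -> extIP as the kernel sees it: routing runs
    before the reply's source is un-DNATed, so the source is still hostINT."""
    return policy_lookup(parse_rules(RULES_TEXT + extra_rules), TABLES, "hostINT", "extIP")


def hypothetical_post_nat_route(public_ip):
    """Same lookup if it ran after reverse NAT had rewritten the source to the
    public address the client used (the ordering the thread asks for, not kernel behaviour)."""
    return policy_lookup(parse_rules(RULES_TEXT), TABLES, public_ip, "extIP")


if __name__ == "__main__":
    print("reply, rules as quoted:    ", reply_route())
    print("reply, + Pavel's to-rules: ", reply_route(PAVEL_RULES))
    print("if routed after NAT (ip2): ", hypothetical_post_nat_route("ip2"))
```

Running it directly prints the three cases: the reply hits rule 32790 (table1, eth1, gw1) both with and without the `to` rules, because neither ip1 nor ip2 appears in a packet whose addresses are still hostINT and extIP; only the hypothetical post-NAT source of ip2 reaches rule 32780 and table2. A useful check on a real box is `ip route get <extIP> from <hostINT> iif eth0`, which reports the same pre-NAT decision.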