Try to use multiple tables with CONNMARK
This commit is contained in:
parent
fe7f6b62a0
commit
fad8652bac
@ -114,8 +114,41 @@
|
|||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
#################
|
||||||
|
# ROUTING RULES #
|
||||||
|
#################
|
||||||
|
|
||||||
|
# 0: from all lookup local
|
||||||
|
# 60: from all iif lo dport 25 lookup vpn
|
||||||
|
# 4000: from all fwmark 0x1 lookup fiber
|
||||||
|
# 5000: from all fwmark 0x2 lookup lte
|
||||||
|
# 6000: from all fwmark 0x3 lookup vpn
|
||||||
|
# 32766: from all lookup main
|
||||||
|
# 32767: from all lookup default
|
||||||
|
# 40000: from all lookup fiber
|
||||||
|
# 50000: from all lookup lte
|
||||||
|
|
||||||
|
# TODO
|
||||||
|
|
||||||
|
##################
|
||||||
|
# iptables rules #
|
||||||
|
##################
|
||||||
|
|
||||||
|
# # Restore the packet's CONNMARK to the MARK.
|
||||||
|
# iptables -A PREROUTING -t mangle -j CONNMARK --restore-mark
|
||||||
|
# # If packet MARK is set, then it means that there is already a connection mark
|
||||||
|
# iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
|
||||||
|
# # Else, we need to mark the packet. If the packet is incoming on bouygues then set MARK to 1
|
||||||
|
# iptables -A PREROUTING -t mangle -i bouygues -j MARK --set-mark 1
|
||||||
|
# iptables -A PREROUTING -t mangle -i enp0s21u1 -j MARK --set-mark 2
|
||||||
|
# iptables -A PREROUTING -t mangle -i wg0 -j MARK --set-mark 3
|
||||||
|
# # Save MARK to CONNMARK.
|
||||||
|
# iptables -A PREROUTING -t mangle -j CONNMARK --save-mark
|
||||||
|
|
||||||
systemd.network = let
|
systemd.network = let
|
||||||
routeTables = {
|
routeTables = {
|
||||||
|
fiber = 1;
|
||||||
|
lte = 2;
|
||||||
vpn = 3;
|
vpn = 3;
|
||||||
};
|
};
|
||||||
in {
|
in {
|
||||||
@ -164,14 +197,17 @@
|
|||||||
# Set route metric to highest priority
|
# Set route metric to highest priority
|
||||||
# Set DHCP client magic settings for Bouygues
|
# Set DHCP client magic settings for Bouygues
|
||||||
"40-bouygues" = {
|
"40-bouygues" = {
|
||||||
dhcpV4Config.RouteMetric = 1;
|
dhcpV4Config.RouteTable = routeTables.fiber;
|
||||||
|
|
||||||
dhcpV6Config = {
|
dhcpV6Config = {
|
||||||
DUIDRawData = "00:03:00:01:E8:AD:A6:21:73:68";
|
DUIDRawData = "00:03:00:01:E8:AD:A6:21:73:68";
|
||||||
WithoutRA = "solicit";
|
WithoutRA = "solicit";
|
||||||
};
|
};
|
||||||
|
|
||||||
ipv6AcceptRAConfig.DHCPv6Client = true;
|
ipv6AcceptRAConfig = {
|
||||||
|
DHCPv6Client = true;
|
||||||
|
RouteTable = routeTables.fiber;
|
||||||
|
};
|
||||||
|
|
||||||
networkConfig = {
|
networkConfig = {
|
||||||
KeepConfiguration = "dhcp-on-stop";
|
KeepConfiguration = "dhcp-on-stop";
|
||||||
@ -181,6 +217,25 @@
|
|||||||
|
|
||||||
# Static attribution of first IPv6 subnet
|
# Static attribution of first IPv6 subnet
|
||||||
dhcpPrefixDelegationConfig.SubnetId = "0";
|
dhcpPrefixDelegationConfig.SubnetId = "0";
|
||||||
|
|
||||||
|
# Route everything to fiber link with a priority of 40000
|
||||||
|
routingPolicyRules = [
|
||||||
|
{
|
||||||
|
routingPolicyRuleConfig = {
|
||||||
|
FirewallMark = 1;
|
||||||
|
Table = routeTables.fiber;
|
||||||
|
Priority = 4000;
|
||||||
|
Family = "both";
|
||||||
|
};
|
||||||
|
}
|
||||||
|
{
|
||||||
|
routingPolicyRuleConfig = {
|
||||||
|
Table = routeTables.fiber;
|
||||||
|
Priority = 40000;
|
||||||
|
Family = "both";
|
||||||
|
};
|
||||||
|
}
|
||||||
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
# Don't check VLAN physical interface as it is not directly used
|
# Don't check VLAN physical interface as it is not directly used
|
||||||
@ -191,7 +246,28 @@
|
|||||||
#######
|
#######
|
||||||
|
|
||||||
# Set LTE route to lower priority
|
# Set LTE route to lower priority
|
||||||
"40-enp0s21u1".dhcpV4Config.RouteMetric = 1024;
|
"40-enp0s21u1" = {
|
||||||
|
dhcpV4Config.RouteTable = routeTables.lte;
|
||||||
|
|
||||||
|
# Route all to lte link with a priority of 50000
|
||||||
|
routingPolicyRules = [
|
||||||
|
{
|
||||||
|
routingPolicyRuleConfig = {
|
||||||
|
FirewallMark = 2;
|
||||||
|
Table = routeTables.lte;
|
||||||
|
Priority = 5000;
|
||||||
|
Family = "both";
|
||||||
|
};
|
||||||
|
}
|
||||||
|
{
|
||||||
|
routingPolicyRuleConfig = {
|
||||||
|
Table = routeTables.lte;
|
||||||
|
Priority = 50000;
|
||||||
|
Family = "both";
|
||||||
|
};
|
||||||
|
}
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
#######
|
#######
|
||||||
# VPN #
|
# VPN #
|
||||||
@ -214,7 +290,7 @@
|
|||||||
IncomingInterface = "lo";
|
IncomingInterface = "lo";
|
||||||
DestinationPort = "25";
|
DestinationPort = "25";
|
||||||
Table = routeTables.vpn;
|
Table = routeTables.vpn;
|
||||||
Priority = 50;
|
Priority = 60;
|
||||||
Family = "both";
|
Family = "both";
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
@ -222,16 +298,10 @@
|
|||||||
# Allow server to respond on the wg0 interface requests
|
# Allow server to respond on the wg0 interface requests
|
||||||
{
|
{
|
||||||
routingPolicyRuleConfig = {
|
routingPolicyRuleConfig = {
|
||||||
From = vpnIPv4;
|
FirewallMark = 3;
|
||||||
Table = routeTables.vpn;
|
Table = routeTables.vpn;
|
||||||
Priority = 49;
|
Priority = 6000;
|
||||||
};
|
Family = "both";
|
||||||
}
|
|
||||||
{
|
|
||||||
routingPolicyRuleConfig = {
|
|
||||||
From = vpnIPv6;
|
|
||||||
Table = routeTables.vpn;
|
|
||||||
Priority = 49;
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
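Review bot: The new `FirewallMark = 3;` rule in the VPN section replaces the `From = vpnIPv4` / `From = vpnIPv6` rules, but nothing in this commit sets mark 3: the mangle rules that would do so (`CONNMARK --restore-mark`, `-i wg0 -j MARK --set-mark 3`, `--save-mark`) are still commented out under `# TODO` in the first hunk, so replies sourced from the VPN addresses now fall through to the fiber/lte tables and the comment `# Allow server to respond on the wg0 interface requests` no longer holds. Even once those rules are enabled, a `--restore-mark` only in `PREROUTING` would not mark locally generated replies, which traverse `OUTPUT`; an `iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark` line appears to be needed for host-terminated connections. The drafted rules are also `iptables` only while every new policy rule is `Family = "both";`, so IPv6 traffic would stay unmarked. Until marking is in place it seems safer to keep the source-based `From = vpnIPv4;` / `From = vpnIPv6;` rules alongside the fwmark rule rather than delete them. The enclosing `routingPolicyRules` list starts in this hunk but the surrounding attribute set continues outside it.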
|