Custom routing config. Need advice

[BANsOnLn]

Sorry... What is CTF? Not sure if I have it enabled or not. I will try and remove '--src 10.2.50.110' from the iptables commands.

New nat-start:

#!/bin/sh

sleep 10

ip rule del fwmark 0x7000/0x7000 2> /dev/null

ip rule add fwmark 0x7000/0x7000 table 254 prio 9990

ip route flush cache



iptables -t mangle -D PREROUTING -i br0 -p udp -m multiport --sport 32400 -j MARK --set-mark 0x7000/0x7000 2> /dev/null

iptables -t mangle -D PREROUTING -i br0 -p tcp -m multiport --sport 32400 -j MARK --set-mark 0x7000/0x7000 2> /dev/null

iptables -t mangle -A PREROUTING -i br0 -p udp -m multiport --sport 32400 -j MARK --set-mark 0x7000/0x7000

iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --sport 32400 -j MARK --set-mark 0x7000/0x7000

iptables -t mangle -D PREROUTING -i br0 -p udp -m multiport --dport 32400 -j MARK --set-mark 0x7000/0x7000 2> /dev/null

iptables -t mangle -D PREROUTING -i br0 -p tcp -m multiport --dport 32400 -j MARK --set-mark 0x7000/0x7000 2> /dev/null

iptables -t mangle -A PREROUTING -i br0 -p udp -m multiport --dport 32400 -j MARK --set-mark 0x7000/0x7000

iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 32400 -j MARK --set-mark 0x7000/0x7000

 

[BANsOnLn]

I think it is working! Thanks so much for all your help. I am going to monitor it and i will let you know how it goes! This is awesome!

Here is the output:

# ip rule

0: from all lookup local

9990: from all fwmark 0x7000/0x7000 lookup main

10101: from 10.2.50.110 lookup ovpnc1

32766: from all lookup main

32767: from all lookup default

# iptables -nvL PREROUTING --line -t mangle

Chain PREROUTING (policy ACCEPT 77216 packets, 17M bytes)

num pkts bytes target prot opt in out source destination

1 724 321K MARK all -- tun11 * 0.0.0.0/0 0.0.0.0/0 MARK xset 0x1/0x7

2 0 0 MARK udp -- br0 * 0.0.0.0/0 0.0.0.0/0 multiport sports 32400 MARK or 0x7000

3 51 19988 MARK tcp -- br0 * 0.0.0.0/0 0.0.0.0/0 multiport sports 32400 MARK or 0x7000

4 0 0 MARK udp -- br0 * 0.0.0.0/0 0.0.0.0/0 multiport dports 32400 MARK or 0x7000

5 16 2286 MARK tcp -- br0 * 0.0.0.0/0 0.0.0.0/0 multiport dports 32400 MARK or 0x7000

6 1426 457K BWDPI_FILTER udp -- eth0 * 0.0.0.0/0 0.0.0.0/0

 

[Martineau]

Sorry... What is CTF? Not sure if I have it enabled or not.

Tools->Sysinfo tab; 'Hardware acceleration'

 

[Martineau]

I think it is working! Thanks so much for all your help. I am going to monitor it and i will let you know how it goes! This is awesome!

Chain PREROUTING (policy ACCEPT 71536 packets, 19M bytes)
num pkts bytes target      prot opt in      out     source     destination
1      724  321K MARK       all  -- tun11   *       0.0.0.0/0  0.0.0.0/0      MARK xset 0x1/0x7
2        0     0 MARK       udp  -- br0     *       0.0.0.0/0  0.0.0.0/0      multiport sports 32400 MARK or 0x7000
3       51 19988 MARK       tcp  -- br0     *       0.0.0.0/0  0.0.0.0/0      multiport sports 32400 MARK or 0x7000
4        0     0 MARK       udp  -- br0     *       0.0.0.0/0  0.0.0.0/0      multiport dports 32400 MARK or 0x7000
5       16  2286 MARK       tcp  -- br0     *       0.0.0.0/0  0.0.0.0/0      multiport dports 32400 MARK or 0x7000

Phew!

So all we have done is use a 'safer' fwmark '0x7000' to tag src/dst Port 32400 traffic via the WAN, and avoided using the system reserved fwmark '0x1' (and system reserved RPDB table 100) and eliminated the execution of the dangerous script.

So, the question is, if the Mac Mini running Plex isn't 10.2.50.110 then what is it?

Anyway glad it's finally working.

 

[BANsOnLn]

Yeah the Mac Mini is 10.2.50.110. It is very strange that using the '--src 10.2.50.110' was causing it issues.