
Hi,

I am trying to route any TCP OpenVPN connection from localhost via a particular network which is on eth1, and have all other traffic go via the default gateway on eth0. Just wondering if anyone knows if this is possible, or why the below is not working for me?

I've tried using the technique specified in [1]. The diagram in [2] also seems to support that this should work. The technique is basically:

1) Add a mark to the packet

# iptables -t mangle -A PREROUTING -p tcp --dport 1194 -j MARK --set-mark 0x4aa

2) Verify the PREROUTING table has the mark

# iptables -t mangle -L PREROUTING -v
Chain PREROUTING (policy ACCEPT 126K packets, 87M bytes)
 pkts bytes target prot opt in  out  source    destination
    0     0 MARK   tcp  --  any  any  anywhere  anywhere    tcp dpt:openvpn MARK set 0x4aa

3) Add a routing rule that tells a packet with that mark to use a specific routing table.

# ip rule add from all fwmark 0x4aa lookup vlan156

4) Verify the rule has higher priority than the other rules

# ip rule show
0:      from all lookup local
32764:  from all fwmark 0x4aa lookup vlan156
32765:  from 172.26.10.0/24 lookup vlan156
32766:  from all lookup main
32767:  from all lookup default

5) Add the above routing table (already added to /etc/iproute2/rt_tables)

# ip route add default via 172.26.10.1 dev eth1 table vlan156

6) Verify the routing table exists

# ip route show table vlan156
default via 172.26.10.1 dev eth1

So to my mind, any packet with a destination port of TCP 1194 should get the 0x4aa mark and then be routed using the routing table vlan156, which tells it to use the default gateway of 172.26.10.1. However this is not happening: all traffic is still being routed using the default gateway in the main routing table (ip route show).

Any suggestions as to why it's not working?

Regards,
Marcus.

[1] http://lartc.org/howto/lartc.netfilter.html
[2] http://inai.de/images/nf-packet-flow.png

--
Marcus Furlong
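As an added example (not part of Marcus's post, the LARTC howto or any iptables/iproute2 documentation), the script below applies the same fwmark technique to traffic that originates on the host itself. The packet-flow diagram in [2] shows that locally generated packets never pass through PREROUTING; their first netfilter hook is OUTPUT, so a mark set in PREROUTING only affects forwarded or inbound packets. The mark, table, gateway, interface and port values are the ones from the post; the function names, the DRY_RUN switch, the rule priority 32764 and the MASQUERADE/rp_filter steps are assumptions of this example. Two caveats a practitioner would want: the kernel chooses the source address during the first route lookup (main table, before the mark exists), so the rerouted packet leaves eth1 with eth0's address unless it is SNATed; and strict reverse-path filtering on eth1 would drop the replies, since the main table says the remote peer is reachable via eth0.

```shell
#!/bin/sh
# Added example: policy-route locally generated OpenVPN TCP traffic out eth1.
# Values come from the original post; helper names and DRY_RUN are assumptions.
MARK=0x4aa
TABLE=vlan156
GW=172.26.10.1
OUT_IF=eth1
VPN_PORT=1194
RULE_PRIO=32764   # assumed priority: anything below 32766 (main) works

# With DRY_RUN=1 (the default) the commands are printed instead of executed,
# so the plan can be reviewed without root and without touching the network.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Locally generated packets enter the mangle table at OUTPUT, not PREROUTING,
# so the mark has to be set here for a connection started on this host.
mark_local_vpn_traffic() {
    run iptables -t mangle -A OUTPUT -p tcp --dport "$VPN_PORT" -j MARK --set-mark "$MARK"
}

# The source address was picked from the main table before the mark existed
# (it is eth0's address). Rewrite it on the way out of eth1 so replies return
# on the same interface instead of arriving asymmetrically on eth0.
snat_on_vpn_interface() {
    run iptables -t nat -A POSTROUTING -o "$OUT_IF" -m mark --mark "$MARK" -j MASQUERADE
}

# Send marked packets to the dedicated table, whose only entry is a default
# route through the eth1 gateway. The flush is a no-op on modern kernels but
# harmless, and it forces older ones to forget cached decisions.
policy_rule_and_route() {
    run ip rule add fwmark "$MARK" lookup "$TABLE" priority "$RULE_PRIO"
    run ip route add default via "$GW" dev "$OUT_IF" table "$TABLE"
    run ip route flush cache
}

# Strict rp_filter (1) on eth1 would drop the VPN server's replies because the
# main table routes that source via eth0; loose mode (2) accepts any interface
# from which the source is reachable.
relax_rp_filter() {
    run sysctl -w net.ipv4.conf."$OUT_IF".rp_filter=2
}

# Full plan in order: mark, SNAT, rule + route, rp_filter. Returns the command
# list on stdout in dry-run mode.
setup_vpn_policy_routing() {
    mark_local_vpn_traffic
    snat_on_vpn_interface
    policy_rule_and_route
    relax_rp_filter
}

setup_vpn_policy_routing
```

Run it as-is to print the six commands for review; run it with DRY_RUN=0 as root to apply them. Verification is the same as in the post, except that the counters to watch are in `iptables -t mangle -L OUTPUT -v`, which should increment when a connection to port 1194 is opened from the host.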