Hi,

I noticed that my WAN IP became unreachable from within the LAN when I had a default route in a secondary routing table with dhcp-interface, e.g.

set protocols static table 10 route 0.0.0.0 dhcp-interface eth0

I managed to narrow it down to vyatta-cfg-quagga/scripts/vyatta-static-dhcp.pl:

if (($oip ne $nip) && ($table ne "main") && ($route eq "0.0.0.0/0")) {
    my $mark = 0x7fffffff + $table;
    if ($oip ne "") {
        system("sudo /sbin/iptables -t mangle -D OUTPUT -s $oip/32 -j MARK --set-mark $mark");
    }
    if (($nip ne "") && ($nip ne "127.0.0.1")) {
        system("sudo /sbin/iptables -t mangle -D OUTPUT -s $nip/32 -j MARK --set-mark $mark");
        system("sudo /sbin/iptables -t mangle -I OUTPUT -s $nip/32 -j MARK --set-mark $mark");
    }
}

Marking the WAN IP here does not seem to scale well, if the same rule is used across multiple table only the first rule will be matched in iptables. Which could result in blackholed reply packets.

And, logically, why is packets originating from the router being marked and using secondary tables? That should only apply to forwarded packets, no?