Selective Routing with Asuswrt-Merlin

Well clearly if you are not using OpenVPN then why would you expect PPTP to trigger the execution of the openvpn-event script?

The following post shows how to start the PPTP client from wan-start (in lieu of the missing 'Start with WAN' GUI toggle for the PPTP client)

http://forums.smallnetbuilder.com/showpost.php?p=106381&postcount=1

Just to be clear, I didn't expect the openvpn script to be useful, I was referring to the fact that I couldn't use it and there didn't appear to be an equivalent for other VPNs. If I read through that thread the initial re-edited post doesn't say when to use the route commands. Later in the thread there is a post about wan-start but it appears to use another method to setup and start PPTP rather than the gui. I wasn't sure how to put the two pieces together, which is why I was asking.

Thanks.
 
Hey Folks-

The VPN selective routing config from Martineau's post using route-nopull works well on my setup. My issue is when I reboot the router, the VPN_Select.sh script runs without any error (that I can tell), but the VPN routing does not occur for any of my IP ranges (when checked against geoiptool.com). Only when I toggle the OpenVPN Client Settings page Service State switch from On to Off to On does everything correct itself and the VPN routing works properly. Not really sure why this is happening.

I was thinking I would just add some code to the VPN_Select.sh script that would mimic the Service State on/off/on action upon start up or on a timer or something, but something tells me that probably not the best approach. I feel I am missing something simple.

Any help for this issue would be awesome. Thanks!!!
 
It does sound like a process timing issue.

I suggest you check the tables when the selective routing appears to be broken, then issue the commands again after you have manually restarted the VPN client

Code:
ip rule

iptables -t mangle -L -nv --line

RMerlin has confirmed the mangle table can get flushed by the DPI engine so now recommends using the nat-start script to ensure that the custom tagging rules entries are applied.

If the issue only occurs at the boot of the router, then perhaps rather than have the VPN client automatically start with the WAN, you could have say init-start issue

Code:
service start_vpnclient1

after, say, a sleep 150

Perhaps it may be useful to have a cron job check the status of the tables (only when the VPN client is UP?) and if it finds a broken table, then it could automatically reinstate the missing selective routing rule?

Regards,
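One way to build the cron-driven check floated at the end of this post, as an added example that is not code from the thread or from the firmware: each checker takes the text output of `ip rule`, `ip route show table 10` and `iptables -t mangle -S PREROUTING` as an argument, so the logic can be exercised offline, and `main` wires them to the live commands. The table/mark layout (fwmark 10 to table 10 with a default route via tun11, tagging rules in mangle PREROUTING) mirrors the scripts in this thread; the `service restart_vpnclient1` call is the assumed Asuswrt-Merlin service name for restarting client 1.

```shell
#!/bin/sh
# Added example, not code from the thread: a cron-driven health check for the
# fwmark-based selective routing. Each checker takes command output as text so
# the logic can be tested offline; main() wires them to the live commands.
# Assumed layout (as in the thread's scripts): fwmark 10 -> table 10 -> default
# route via tun11, and the MARK tagging rules in mangle PREROUTING.

# Is there an RPDB entry "from all fwmark 0x<mark> lookup <table>"?
has_fwmark_rule() {        # $1 = output of "ip rule", $2 = mark (decimal), $3 = table
    hex=$(printf '0x%x' "$2")
    printf '%s\n' "$1" | grep -Eq "fwmark ${hex}(/0x[0-9a-f]+)? lookup ${3}\$"
}

# Does the table still hold a default route on the expected interface?
has_default_route() {      # $1 = output of "ip route show table N", $2 = interface
    printf '%s\n' "$1" | grep -Eq "^default via [0-9.]+ dev ${2}( |\$)"
}

# Does mangle PREROUTING still contain a MARK rule setting that mark?
# "iptables -S" prints marks as "--set-xmark 0xa/0xffffffff".
has_mark_rule() {          # $1 = output of "iptables -t mangle -S PREROUTING", $2 = mark
    hex=$(printf '0x%x' "$2")
    printf '%s\n' "$1" | grep -Eq -e "-j MARK --set-x?mark ${hex}(/0x[0-9a-f]+)?( |\$)"
}

# Returns 0 when all three pieces are present, 1 otherwise, naming what is missing.
selective_routing_ok() {   # $1 = ip rule, $2 = table 10 routes, $3 = mangle PREROUTING (-S)
    status=0
    has_fwmark_rule "$1" 10 10   || { echo "missing: ip rule fwmark 10 -> table 10"; status=1; }
    has_default_route "$2" tun11 || { echo "missing: default route via tun11 in table 10"; status=1; }
    has_mark_rule "$3" 10        || { echo "missing: MARK 0xa rule in mangle PREROUTING"; status=1; }
    return $status
}

# Cron entry point. Only acts while the tunnel interface exists (tunnel is up);
# the restart command is the assumed Asuswrt-Merlin service name.
main() {
    [ -d /sys/class/net/tun11 ] || return 0
    if ! selective_routing_ok "$(ip rule)" "$(ip route show table 10)" \
                              "$(iptables -t mangle -S PREROUTING)"; then
        logger -t selective-routing "tagging/routing rules missing, restarting vpnclient1"
        service restart_vpnclient1
    fi
}

if [ "${1:-}" = "--cron" ]; then main; fi
```

Schedule it with `cru a vpncheck "*/5 * * * * /jffs/scripts/vpn_check.sh --cron"` (cru is the cron front end on this firmware); the checks deliberately parse `-S` rather than `-L` output because `-L` translates addresses to names and its column layout varies with `-v`.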
 
Hi everyone. I was hoping to get some help on some routing I've been trying to set up with OpenVPN on my router.

I'm trying to achieve the following;
  • Route all traffic through the VPN except for one IP (10.0.2.53)
  • Block all WAN traffic if the VPN goes down with the exception of the one IP.
I've been messing around with different options and settings for a few days now and can't seem to get this to work. Sometimes everything looks ok, and then I'll suddenly get a DNS leak issue until I reconnect the VPN. The more I try to fix the problem, the worse I seem to make it. Right now, I have a DNS leak the entire time (unless I remove 'route-nopull' from the OpenVPN custom configurations) and there is no traffic to 10.0.2.53 unless the VPN is disconnected.

All the PCs are on DHCP with 10.0.2.53 getting its IP through a DHCP reservation.

My settings are as follows;

The 'OpenVPN Clients' tab: https://i.imgur.com/1A3rpFL.jpg

route-up.sh:
#!/bin/sh

sleep 2

for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
echo 0 > $i
done

ip route flush table 10
ip rule del table 10
ip rule del fwmark 10 table 10
ip route flush table 12
ip rule del table 12
ip rule del fwmark 12 table 12
ip route flush cache
iptables -t mangle -F PREROUTING

tun_if="tun11"
tun_ip=$(ifconfig $tun_if | grep 'inet addr:'| cut -d: -f2 | awk '{ print $1}')

ip route add default via $tun_ip dev $tun_if table 10
ip rule add fwmark 10 table 10
ip route add default via $(nvram get wan_gateway) dev eth0 table 12
ip rule add fwmark 12 table 12

echo 0 > /proc/sys/net/ipv4/conf/$tun_if/rp_filter

iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 10.0.2.53 -j MARK --set-mark 12

exit

firewall-start:
#!/bin/sh

sleep 4

iptables -I FORWARD -i br0 -o tun11 -j ACCEPT
iptables -I FORWARD -i tun11 -o br0 -j ACCEPT
iptables -I FORWARD ! -o tun11 -m iprange --src-range 10.0.2.1-10.0.2.52 -j DROP
iptables -I FORWARD ! -o tun11 -m iprange --src-range 10.0.2.54-10.0.2.254 -j DROP
iptables -I INPUT -i tun11 -j REJECT
iptables -t nat -A POSTROUTING -o tun11 -j MASQUERADE

I would greatly appreciate any help I can get!!
 
Gosh. If you can wait a couple more weeks, the optimal solution is coming from RMerlin!

378.53 (xx-xxx-2015)
- NEW: OpenVPN selective routing. You can now select which client IPs
you want to route through your OpenVPN client connection.
You can optionally block WAN access to these as well when the
tunnel goes down.



http://www.snbforums.com/threads/new-features-in-378-53.23880/


 
Remove 'route-nopull' from the OpenVPN custom configuration

Then (as recommended by RMerlin) replace

Code:
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 10.0.2.53 -j MARK --set-mark 12

with

Code:
ip rule add from 10.0.2.53 lookup 12
 
First of all, I want to thank all you guys for your work, especially @RMerlin and @Martineau . I read almost all the posts and I am almost getting there.

My plan is simple. I want to route my home server traffic on ports 18920, 4662, 4672, 4665 to the VPN; ports 22 and 443 must go through the ISP. I am using an AC66U with the latest 378.52_2 firmware. VPN provider: PIA.

WAN -> VirtualServer/Port Forwarding:
Code:
Port Range    Local IP    Local Port
22        192.168.0.122    22        TCP  
32400        192.168.0.122    32400        BOTH  
18920        192.168.0.122    18920        BOTH  
4662        192.168.0.122    4662        TCP  
4672        192.168.0.122    4672        UDP  
443        192.168.0.122    443        BOTH  
4665        192.168.0.122    4665        UDP

OpenVPN Client -> Custom Configuration: (first 3 lines from PIA and the rest from forum)
Code:
tls-client
remote-cert-tls server
reneg-sec 0

route-nopull
script-security 2
route-up /jffs/scripts/VPN_select.sh

VPN_select.sh
Code:
#!/bin/sh

logger -t "($(basename $0))" $$ Kobe selective OpenVPN Starting... " $0${*:+ $*}."
Home_Server="192.168.0.122"

ip route flush table 10
ip route del default table 10
ip rule del fwmark 10 table 10

ip route flush table 12
ip route del default table 12
ip rule del fwmark 12 table 12

ip route flush cache
iptables -t mangle -F PREROUTING

tun_if="tun11"
tun_ip=$(ifconfig $tun_if | grep 'inet addr:'| cut -d: -f2 | awk '{ print $1}')

ip route add default via $tun_ip dev $tun_if table 10
ip rule add fwmark 10 table 10
ip route add default via $(nvram get wan0_gateway) dev eth0 table 12
ip rule add fwmark 12 table 12

echo 0 > /proc/sys/net/ipv4/conf/$tun_if/rp_filter

iptables -t mangle -A PREROUTING -i br0 -s $Home_Server -p tcp --dport 18920 -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -i br0 -s $Home_Server -p tcp --dport 4662 -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -i br0 -s $Home_Server -p udp --dport 4672 -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -i br0 -s $Home_Server -p udp --dport 4665 -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -i br0 -s $Home_Server -j MARK --set-mark 12

logger -t "($(basename $0))" $$ Kobe selective OpenVPN completed.

exit

I tested and made sure the VPN works, and there is no error in syslog. I am sure traffic on ports 18920, 4662, 4672, 4665 goes to the VPN. The only problem now is that on my home LAN, I can't use my public IP to access ports 22 and 443, but there is no problem using the LAN IP. The reason I need this is I have a noip domain and use it on my home server for my website, and also for the SSH tunnel I need to use. From outside my home, I have no problem using the public IP to access ports 22 and 443. Can anybody help out on this? Thanks!!!!!!

ip rule:
Code:
0:    from all lookup local
32764:    from all fwmark 0xc lookup 12
32765:    from all fwmark 0xa lookup 10
32766:    from all lookup main
32767:    from all lookup default

ip route show table:
Code:
admin@RT-AC66U-2F88:/tmp/home/root# ip route show table 10
default via 10.111.1.6 dev tun11
admin@RT-AC66U-2F88:/tmp/home/root# ip route show table 12

iptables -L PREROUTING -t mangle -n --line-numbers:
Code:
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination       
1    MARK       tcp  --  192.168.0.122        0.0.0.0/0           tcp dpt:18920 MARK set 0xa
2    MARK       tcp  --  192.168.0.122        0.0.0.0/0           tcp dpt:4662 MARK set 0xa
3    MARK       udp  --  192.168.0.122        0.0.0.0/0           udp dpt:4672 MARK set 0xa
4    MARK       udp  --  192.168.0.122        0.0.0.0/0           udp dpt:4665 MARK set 0xa
5    MARK       all  --  192.168.0.122        0.0.0.0/0           MARK set 0xc

iptables -t mangle -L PREROUTING:
Code:
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination       
MARK       tcp  --  HOMESERVER           anywhere            tcp dpt:18920 MARK set 0xa
MARK       tcp  --  HOMESERVER           anywhere            tcp dpt:4662 MARK set 0xa
MARK       udp  --  HOMESERVER           anywhere            udp dpt:4672 MARK set 0xa
MARK       udp  --  HOMESERVER           anywhere            udp dpt:4665 MARK set 0xa
MARK       all  --  HOMESERVER           anywhere            MARK set 0xc

iptables -t mangle -L -nv --line:
Code:
Chain PREROUTING (policy ACCEPT 138K packets, 96M bytes)
num   pkts bytes target     prot opt in     out     source               destination       
1        6   360 MARK       tcp  --  br0    *       192.168.0.122        0.0.0.0/0           tcp dpt:18920 MARK set 0xa
2        5   607 MARK       tcp  --  br0    *       192.168.0.122        0.0.0.0/0           tcp dpt:4662 MARK set 0xa
3       10   769 MARK       udp  --  br0    *       192.168.0.122        0.0.0.0/0           udp dpt:4672 MARK set 0xa
4        2   125 MARK       udp  --  br0    *       192.168.0.122        0.0.0.0/0           udp dpt:4665 MARK set 0xa
5    54131 2894K MARK       all  --  br0    *       192.168.0.122        0.0.0.0/0           MARK set 0xc

Chain INPUT (policy ACCEPT 12477 packets, 1825K bytes)
num   pkts bytes target     prot opt in     out     source               destination       

Chain FORWARD (policy ACCEPT 125K packets, 94M bytes)
num   pkts bytes target     prot opt in     out     source               destination       

Chain OUTPUT (policy ACCEPT 12451 packets, 5954K bytes)
num   pkts bytes target     prot opt in     out     source               destination       

Chain POSTROUTING (policy ACCEPT 137K packets, 100M bytes)
num   pkts bytes target     prot opt in     out     source               destination
 
So this is not a selective routing issue, but a NAT Loopback issue?

I believe the problem is that the '-t mangle PREROUTING' chain is being broken by this version of the VPN_select.sh script.

If you have enabled 'NAT Loopback=Merlin' on the Firewall GUI, then an entry is inserted into the chain for your Public WAN address...

Code:
iptables -t mangle -L -nv --line

Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination   
1        0     0 MARK       all  --  !eth0  *       0.0.0.0/0            xxx.xxx.xxx.xxx     MARK set 0xb400

So guess what happens when you run the VPN_select.sh script..... it executes the statement on line 11 and trashes the chain...:eek:

Code:
iptables -t mangle -F PREROUTING

I suggest you remove this statement immediately and see if this fixes your NAT Loopback issue.
If it does, then best-practice states it is probably wise to modify the VPN_Select.sh script to ensure that multiple/duplicate fwmark tagging rules are not inserted into the '-t mangle PREROUTING' chain each time the VPN client is started (although I'm not sure what the performance penalty would be if you didn't. )

Regards,
 
Gosh. If you can wait a couple more weeks, the optimal solution is coming from RMerlin!
It's close, but does the opposite of what I'm after! :(
That feature directs all traffic through the ISP by default and using VPN is the exception. I want to do the opposite.

Remove 'route-nopull' from the OpenVPN custom configuration
Then (as recommended by RMerlin) replace
Code:
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 10.0.2.53 -j MARK --set-mark 12
with
Code:
ip rule add from 10.0.2.53 lookup 12
Thanks a lot for the pointers, Martineau! I tried removing 'route-nopull' and changing the line you suggested, but things are still not working as expected. With these changes; all network clients (including 10.0.2.53) are going through the VPN as though it is ignoring the ip rule. If I add 'route-nopull' back in for testing, 10.0.2.53 uses the ISP and the rest of the network uses the VPN, but the rest of the network is leaking my ISP DNS. Is there anything you can suggest to help me troubleshoot this problem?
 
If it appears that the preferred RPDB rule

Code:
ip rule add from 10.0.2.53 lookup 12

is being ignored, then you will probably need to also issue

Code:
ip route flush cache

once the RPDB rule has been added/defined and check the ip rule table?

DNS leaks are not strictly the same as device selective routing, however there are a couple of options you could try:

1. Use the VPN Client DNS options 'Strict' etc., but you may encounter additional issues if you enable them.

2. Explicitly tag the DNS port requests to use only the VPN.

3. Modify DNSmasq with appropriate DNS directives when the VPN client connection is established.

I'm afraid I don't care about DNS leaks in my environment, so I've never had to resolve them so will leave this for a DNS guru to chime in.
 
Before running the route-up.sh script, the rule table appears as:
Code:
admin@RT-AC68U-10A8:/tmp/home/root# ip rule
0:     from all lookup local
32766: from all lookup main
32767: from all lookup default

After the script, the table appears as:
Code:
admin@RT-AC68U-10A8:/tmp/home/root# ip rule
0:     from all lookup local
32763: from 10.0.2.53 lookup 12
32764: from all fwmark 0xc lookup 12
32765: from all fwmark 0xa lookup 10
32766: from all lookup main
32767: from all lookup default

Is that what I should be expecting?

I've tried adding 'ip route flush cache' at different parts of the route-up script (before, between and after the two iptables lines), but wasn't able to make it affect network traffic.

I'll do some reading on the other DNS points that you mentioned to see if I can resolve the leak to enable me to use route-nopull in the configurations if necessary! :)
 
Yes the RPDB table shows that 10.0.2.53 should use the WAN route via table 12 - the same as any other traffic also tagged with fwmark 12.
(Assuming that table 12 does contain the correct default route via the WAN eth0 interface?)

Did you manually check/flush the routing cache?

Code:
ip -s route show cache >RouteCacheBefore.txt

ip route flush cache

ip -s route show cache >RouteCacheAfter.txt

The intention is to eliminate the exposure caused by the random flushing of the '-t mangle PREROUTING' chain tagging rules.
(or perhaps you should move/replicate them from VPN_select.sh into nat-start).

Apologies if this has caused confusion and been a waste of your time :oops:
 
Thank you so very much @Martineau !!! I removed the line and everything works fine now. I copied most of the code from the forum. I should examine and understand each line of the code. Shame on me. Anyway, thanks again for your help.
 
One thing I notice now in syslog is that I have a lot of "ntp: start NTP update" messages. Is that normal? It happens every few to thirty seconds.

Code:
Dec 31 21:43:01 ntp: start NTP update
Dec 31 21:43:31 ntp: start NTP update
Dec 31 21:44:01 ntp: start NTP update
Dec 31 21:44:31 ntp: start NTP update
Dec 31 21:45:01 ntp: start NTP update
Dec 31 21:45:04 ntp: start NTP update
Dec 31 21:45:34 ntp: start NTP update
Dec 31 21:46:04 ntp: start NTP update
Dec 31 21:46:34 ntp: start NTP update
Dec 31 21:47:04 ntp: start NTP update
Dec 31 21:47:34 ntp: start NTP update
Dec 31 21:47:37 ntp: start NTP update
Dec 31 21:47:40 ntp: start NTP update
Dec 31 21:48:10 ntp: start NTP update
Dec 31 21:48:40 ntp: start NTP update
Dec 31 21:49:10 ntp: start NTP update
Dec 31 21:49:40 ntp: start NTP update
Dec 31 21:49:43 ntp: start NTP update
Dec 31 21:50:13 ntp: start NTP update
Dec 31 21:50:43 ntp: start NTP update
Dec 31 21:51:13 ntp: start NTP update
Dec 31 21:51:43 ntp: start NTP update
Dec 31 21:52:13 ntp: start NTP update
Dec 31 21:52:16 ntp: start NTP update
Dec 31 21:52:46 ntp: start NTP update
Dec 31 21:53:16 ntp: start NTP update
Dec 31 21:53:46 ntp: start NTP update
Dec 31 21:54:16 ntp: start NTP update
Dec 31 21:54:46 ntp: start NTP update
Dec 31 21:54:49 ntp: start NTP update
Dec 31 21:54:52 ntp: start NTP update
Dec 31 21:55:23 ntp: start NTP update
Dec 31 21:55:53 ntp: start NTP update
Dec 31 21:56:23 ntp: start NTP update
Dec 31 21:56:53 ntp: start NTP update
Dec 31 21:57:23 ntp: start NTP update
Dec 31 21:57:53 ntp: start NTP update
Dec 31 21:57:56 ntp: start NTP update
Dec 31 21:57:59 ntp: start NTP update
Dec 31 21:58:29 ntp: start NTP update
Dec 31 21:58:32 ntp: start NTP update
 
Something like this might do the trick, right after your flush call:

Code:
if [ "$(nvram get fw_nat_loopback)" == "2" ]
then
     iptables -t mangle -A POSTROUTING -m mark --mark 0xb400 -j MASQUERADE
fi
 
Is there any need for me to convert this script to the new method using RPDB method, and if so how?

Code:
#!/bin/sh

logger -t "($(basename $0))" $$ VPN Selective Customization Started.

ip route flush table 10
ip route del default table 10
ip rule del fwmark 10 table 10
ip route flush table 12
ip route del default table 12
ip rule del fwmark 12 table 12
ip route flush cache

iptables -t mangle -F PREROUTING

tun_if="tun11"
tun_ip=$(ifconfig $tun_if | grep 'inet addr:'| cut -d: -f2 | awk '{ print $1}')

ip route add default via $tun_ip dev $tun_if table 10
ip rule add fwmark 10 table 10
ip route add default via $(nvram get wan_gateway) dev ppp0 table 12
ip rule add fwmark 12 table 12


echo 0 > /proc/sys/net/ipv4/conf/$tun_if/rp_filter

iptables -t mangle -A PREROUTING -i br0 -s 192.168.0.9 -m set --set play2 dst -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -i br0 -s 192.168.0.13 -m set --set play2 dst -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -i br0 -s 192.168.0.14 -m set --set play2 dst -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -i br0 -s 192.168.0.16 -m set --set play2 dst -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -i br0 -s 192.168.0.51 -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -i br0 -s 192.168.0.5 -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -i br0 -s 192.168.0.10 -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -i br0 -s 192.168.0.23 -j MARK --set-mark 10
#iptables -t mangle -A PREROUTING -i br0 -s 192.168.0.5 -p tcp -m multiport --dport 443,1935 -j MARK --set-mark 12
#iptables -t mangle -A PREROUTING -i br0 -s 192.168.0.35 -p tcp -m multiport --dport 443,1935 -j MARK --set-mark 12
#iptables -t mangle -A PREROUTING -i br0 -s 192.168.0.23 -p tcp -m multiport --dport 443,1935 -j MARK --set-mark 12




logger -t "($(basename $0))" $$ VPN Selective Customization completed.
exit
 
NO

Unfortunately the RPDB method only allows a simple I/P address or a subnet to be selectively routed:

e.g. xxx.xxx.xxx.xxx or xxx.xxx.xxx.0/24 etc.

For more complex selective routing based on traffic criteria such as you have

i.e. combination of both source I/P and '-m set' / destination port etc.

then the current iptables tagging method will still be required.

The iptables tagging method (whilst technically flexible) is now potentially unreliable. If the firewall is restarted internally by say the DPI engine configuration then you will lose the '-t mangle PREROUTING' chain, and this will break your selective routing until the VPN client is restarted. I suppose you could modify nat-start to restart the VPN client(s).

NOTE: It is advisable to delete the following statement

Code:
iptables -t mangle -F PREROUTING

as it breaks the Rmerlin NAT loopback functionality and if you use the same script concurrently with VPN Client2, then it will wipe out the VPN Client1 tagging rules.:eek:
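The two problems called out in this reply and in the earlier NAT-loopback post (the flush wiping the firmware's own MARK 0xb400 rule and a second VPN client's rules, and duplicate tagging rules piling up on every client restart) come from the same line, so here is one way to manage the tagging rules without it. This is an added example, not code from the thread or from the firmware: every rule is probed with `iptables -C` and only appended when absent, and only rules this script owns are ever deleted. It also covers option 2 from the DNS-leak discussion above (tagging port 53 from the LAN so resolver traffic takes the tunnel). The `IPT` variable exists so the logic can be exercised without root; the mark/table layout (10 = VPN, 12 = WAN, LAN on br0) and the host addresses are illustrative, taken from the scripts in this thread.

```shell
#!/bin/sh
# Added example, not code from the thread: fwmark tagging rules managed without
# "iptables -t mangle -F PREROUTING". Each rule is checked with -C and appended
# only when absent, so re-running the script (or a second VPN client's copy)
# neither duplicates rules nor removes rules it does not own, such as the
# firmware's NAT-loopback MARK entry. Assumed layout as in the thread:
# fwmark 10 -> table 10 (VPN), fwmark 12 -> table 12 (WAN), LAN on br0.
# Every tagging rule only touches still-unmarked packets (-m mark --mark 0), so
# the first matching rule wins: MARK is non-terminating, and without that guard a
# later catch-all rule would silently overwrite the mark set by a port rule.

IPT="${IPT:-iptables}"     # overridable so the logic can be exercised without root

# Append a rule only if an identical one is not already in the chain.
ipt_add_once() {           # $1 = table, $2 = chain, rest = rule spec
    table=$1; chain=$2; shift 2
    "$IPT" -t "$table" -C "$chain" "$@" 2>/dev/null && return 0
    "$IPT" -t "$table" -A "$chain" "$@"
}

# Delete every copy of one of our own rules (earlier runs may have left duplicates).
ipt_del_all() {            # $1 = table, $2 = chain, rest = rule spec
    table=$1; chain=$2; shift 2
    while "$IPT" -t "$table" -D "$chain" "$@" 2>/dev/null; do :; done
}

# All remaining traffic from one LAN host -> mark (10 = VPN, 12 = WAN).
tag_host() {               # $1 = source IP, $2 = mark
    ipt_add_once mangle PREROUTING -i br0 -s "$1" -m mark --mark 0 -j MARK --set-mark "$2"
}
untag_host() {             # $1 = source IP, $2 = mark
    ipt_del_all mangle PREROUTING -i br0 -s "$1" -m mark --mark 0 -j MARK --set-mark "$2"
}

# Only selected destination ports from a host -> mark (the home-server case).
tag_port() {               # $1 = source IP, $2 = tcp|udp, $3 = dport, $4 = mark
    ipt_add_once mangle PREROUTING -i br0 -s "$1" -p "$2" --dport "$3" \
        -m mark --mark 0 -j MARK --set-mark "$4"
}

# DNS from the whole LAN -> VPN, so resolver traffic cannot leak to the ISP path.
tag_dns_to_vpn() {
    for proto in udp tcp; do
        ipt_add_once mangle PREROUTING -i br0 -p "$proto" --dport 53 \
            -m mark --mark 0 -j MARK --set-mark 10
    done
}

# Most specific rules first, catch-all per host last; safe to run repeatedly.
apply_selective_routing() {
    tag_dns_to_vpn
    tag_port 192.168.0.122 tcp 18920 10
    tag_port 192.168.0.122 udp 4672 10
    tag_host 192.168.0.122 12        # everything else from the server stays on the WAN
    tag_host 192.168.0.51 10
}
```

Because the rules are idempotent, the same `apply_selective_routing` can be called from both the OpenVPN route-up script and nat-start (where this thread says the firmware's firewall rebuild otherwise leaves the chain empty) without any guard against running twice.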
 
I have been left thoroughly confused, but it is definitely your time that has been wasted trying to help me when I am out of my depth. I could confirm that 'ip route flush cache' is doing something when I output the routes to txt files, but they meant nothing to me.

I think my best option will be to leave 'route-nopull' enabled so that I can force all traffic except for one IP through the VPN, and try to correct the dns leak as a separate issue.

Thanks for all your efforts!
 
The second stage of this feature was completed today.

[image: ovpn-routing2.png]


Source and/or destination, can be single IP or whole subnet (in CIDR format).
 
