
Having issues with 'Redirect Internet traffic' setting

nova

Occasional Visitor
Hey guys, I've got my ASUS 3200 router set up linked to my open router with the modem, so now I have the old router for everything else and the new router set up just for VPN. The issue is I would like to activate the 'Block routed clients if tunnel goes down' option, which is located in the advanced settings.

The problem I have is, if I have it set to 'policy rules active' so I can get the option of blocking the tunnel, then no matter what I switch on or off, or which IPs etc. I add, my VPN stops and I just get access to the internet with my real IP. Nothing stops the connection; it just seems to bypass the VPN client.

Any ideas, guys?

Thanks.
 
Post your configuration, there is something that you configured which bypasses the policy rules. That feature definitely works, I used it only a few days ago to test something.
 
Hey RMerlin, I omitted my username, here goes:

I am using your 380.59 CFW on my RT-AC3200.



[screenshot]

Custom Configuration
fast-io
remote-random
pull
tls-client
verify-x509-name Server name-prefix
ns-cert-type server
route-method exe
route-delay 2
tun-mtu 1500
fragment 1300
mssfix 1450
keysize 256
sndbuf 524288
rcvbuf 524288

I have DNS set to 2 manual addresses that ExpressVPN use.


Edit: these settings are imported from ExpressVPN's config file.
Edit 2: I have the ASUS 3200 running through another router that controls the internet access; I need 2 routers, one with and one without VPN. I'm not sure if that would make a difference though. The VPN router has the Ethernet cable in its WAN port from one of the internet access router's Ethernet ports.

Do you need an image of the WAN settings on the 3200 with VPN?
 
Redirect Internet Traffic is set to "No" on that screenshot. You have to enable that if you want your clients to use the VPN tunnel.

Also since you are cascading two routers, make sure they are in different subnets (192.168.1.x and 192.168.2.x for instance), and that the client is connected to that VPN-configured router, with an IP within its subnet.
 
Yup, I had it switched to NO because I couldn't get it working; if I set it to on I get no internet connection at all. My normal router is on 192.168.0.1 and my VPN router is 192.168.1.1. How do I check that the client is connected with the correct IP subnet? I assume it was OK because it is running the VPN fine and hiding my IP etc.

Although the 2 routers are on different subnets, if I log into the Asus router that has the VPN client it says the WAN IP is 192.168.0.6 and is set to automatic. Could this be the issue?
 
Yup, I had it switched to NO because I couldn't get it working; if I set it to on I get no internet connection at all.

Make sure you also set DNS to Exclusive, and that your computer doesn't have a hardcoded nameserver. Many VPN providers will refuse to route DNS traffic that isn't going to one of their own nameservers, for "security" purposes.

You can determine if it's a routing or DNS issue by trying out a traceroute, or pinging an IP address.

My normal router is on 192.168.0.1 and my VPN router is 192.168.1.1. How do I check that the client is connected with the correct IP subnet? I assume it was OK because it is running the VPN fine and hiding my IP etc.

If you connect through Wifi, make sure you connect to the router that runs the VPN server. You should be able to confirm by checking if your computer gets an IP address in the first router's subnet or the second one.

Although the 2 routers are on different subnets, if I log into the Asus router that has the VPN client it says the WAN IP is 192.168.0.6 and is set to automatic. Could this be the issue?

No, this is normal.
 
How strange, I've set it this morning without changing anything and it seems to be working. I have nothing listed in the section it creates when switching this option on, 'Rules for routing client traffic through the tunnel (Max Limit : 100)'. What should I be adding here? Are IPs added to the WLAN list things that bypass the VPN, and if so what are the IPs added with 'VPN' for?

With regard to the 'Block routed clients if tunnel goes down' option, is there a way to test this?

Thanks for your help so far, the information has been invaluable.

Edit: The IPs given to my devices are all on the 192.168.1.x subnet, which is the ASUS VPN client router.
 
How strange, I've set it this morning without changing anything and it seems to be working. I have nothing listed in the section it creates when switching this option on, 'Rules for routing client traffic through the tunnel (Max Limit : 100)'. What should I be adding here?

https://github.com/RMerl/asuswrt-merlin/wiki/Policy-based-routing

With regard to the 'Block routed clients if tunnel goes down' option, is there a way to test this?

You can try killing the client through SSH.

Code:
killall vpnclient1
 
Thanks, so if I leave the policy rules blank it will just send everything through the VPN tunnel unless it goes down, then all access to the internet will be blocked as I have the block route if tunnel goes down option selected. I'm not needing any IPs having access outside of the VPN tunnel.
 
Thanks, so if I leave the policy rules blank it will just send everything through the VPN tunnel unless it goes down, then all access to the internet will be blocked as I have the block route if tunnel goes down option selected. I'm not needing any IPs having access outside of the VPN tunnel.
Check out this article; there are many examples of policy rules and it explains all the questions you are asking.
http://www.snbforums.com/threads/ho...ng-policy-rules-for-ver-380-59-updated.30851/
 
Thanks, so if I leave the policy rules blank it will just send everything through the VPN tunnel unless it goes down, then all access to the internet will be blocked as I have the block route if tunnel goes down option selected. I'm not needing any IPs having access outside of the VPN tunnel.
If you set redirect internet traffic to "all traffic", every device will go to the VPN.
If you want to have selective routing, use "policy rules"; that means you can have certain IP addresses go to the VPN and the rest of the addresses will use the local ISP internet.
Or have all traffic go to the VPN and selected IP addresses go to the local ISP.
All this is explained in the article I posted above.
 
If you set redirect internet traffic to "all traffic", every device will go to the VPN.
If you want to have selective routing, use "policy rules"; that means you can have certain IP addresses go to the VPN and the rest of the addresses will use the local ISP internet.
Or have all traffic go to the VPN and selected IP addresses go to the local ISP.
All this is explained in the article I posted above.


If I select 'ALL traffic' I lose the option to close the connection if the VPN tunnel goes down, which isn't really the thing I wanted :(

I just want 100% of data from any IP on my network to go through the VPN tunnel, and it to close if it drops out.
 
If I select 'ALL traffic' I lose the option to close the connection if the VPN tunnel goes down, which isn't really the thing I wanted :(

I just want 100% of data from any IP on my network to go through the VPN tunnel, and it to close if it drops out.
No worries. Put it on "All traffic" and in the
"Rules for routing client traffic through the tunnel" section put these values, assuming that 192.168.1.1 is still the VPN router.
Source IP 192.168.1.0/24 Destination IP 0.0.0.0 Iface VPN
That will send all the traffic to the VPN and you can have the option to drop the connection if the tunnel goes down.
 
Thank you yorgi.


Edit: when you said put 'all traffic' on, did you mean 'policy rules'? Because if you select All traffic you don't get the ability to add rules and select kill connection if tunnel goes down.
 
Thank you yorgi.


Edit: when you said put 'all traffic' on, did you mean 'policy rules'? Because if you select All traffic you don't get the ability to add rules and select kill connection if tunnel goes down.
Sorry, you are right, I wrote the wrong option.
You need to put it to Policy Rules if you use the example with the CIDR subnet:
Source IP 192.168.1.0/24 Destination IP 0.0.0.0 Iface VPN
and click on "Block routed clients if tunnel goes down".

This way you are telling the router that all IP addresses from 192.168.1.0-192.168.1.254 will go to the VPN,
and if the tunnel drops, kill the connection until the tunnel goes back up.
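As an added example (not from the thread and not the asuswrt-merlin project's code), a small Python model of the policy-rule behaviour discussed above: under 'Policy rules' a client that matches no rule is not routed through the tunnel at all (which is why an empty rule list shows the real ISP address), the 192.168.1.0/24 to VPN rule covers every client behind the VPN router, and 'Block routed clients if tunnel goes down' turns a dropped tunnel into a block instead of a fallback to the ISP. First-match evaluation, the mode names and the rule text format are assumptions made for the model.

```python
import ipaddress
import re
from dataclasses import dataclass

# Hypothetical model of the policy-rule semantics described in the thread;
# it is not the firmware's own routing code. Rules are checked first-match.
RULE_RE = re.compile(r"Source IP (\S+) Destination IP (\S+) Iface (VPN|WAN)")

@dataclass
class Rule:
    source: ipaddress.IPv4Network       # which clients the rule covers
    destination: ipaddress.IPv4Network  # 0.0.0.0 in the UI means "any"
    iface: str                          # "VPN" (through tunnel) or "WAN" (bypass)

def to_network(value: str) -> ipaddress.IPv4Network:
    """A bare 0.0.0.0 means any destination; a single host becomes a /32."""
    if value == "0.0.0.0":
        return ipaddress.IPv4Network("0.0.0.0/0")
    return ipaddress.IPv4Network(value, strict=False)

def parse_rule(line: str) -> Rule:
    """Parse one rule written the way yorgi gives it, e.g.
    'Source IP 192.168.1.0/24 Destination IP 0.0.0.0 Iface VPN'."""
    m = RULE_RE.fullmatch(line.strip())
    if not m:
        raise ValueError(f"unrecognised rule: {line!r}")
    return Rule(to_network(m.group(1)), to_network(m.group(2)), m.group(3))

def route_for(client: str, dest: str, mode: str, rules: list,
              tunnel_up: bool, block_if_down: bool) -> str:
    """Where a packet from client to dest leaves the router:
    'VPN', 'WAN' (real ISP address) or 'BLOCKED' (kill switch)."""
    if mode == "No":
        return "WAN"
    if mode == "All traffic":
        # No 'Block routed clients' option in this mode: tunnel down means WAN.
        return "VPN" if tunnel_up else "WAN"
    # "Policy rules": a client matching no rule is not routed through the
    # tunnel at all, which is why an empty rule list shows the real ISP IP.
    c, d = ipaddress.ip_address(client), ipaddress.ip_address(dest)
    for rule in rules:
        if c in rule.source and d in rule.destination:
            if rule.iface == "WAN":
                return "WAN"
            if tunnel_up:
                return "VPN"
            return "BLOCKED" if block_if_down else "WAN"
    return "WAN"
```

A client on the other router's 192.168.0.x subnet never matches the rule, which is the check RMerlin asked for about which router the client is attached to.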
 
