Hi, apologies if this has been covered before.
I am using an ASUS RT-AC68U running Merlin firmware with VPN over PPTP configured as a client.
Is there a way to block internet if the PPTP tunnel goes down?
I see this as a feature in the GUI for OpenVPN clients.

No, you need to write a script.

So it's iptables, I guess? .... Can anyone point me in the direction of a good tutorial and I'll have a go.

Maybe this can be a start.
Much appreciated Yorgi.... I believe the PPTP is ppp5 for the ASUS.
Code:
Sep 18 09:13:55 pptp[26836]: Connect: ppp5 <--> pptp (104.23X.XX.XXX)
Sep 18 09:13:56 pptp[26836]: CHAP authentication succeeded
Sep 18 09:13:56 pptp[26836]: MPPE 128-bit stateless compression enabled
Sep 18 09:13:56 pptp[26836]: local IP address 10.0.0.10
Sep 18 09:13:56 pptp[26836]: remote IP address 10.0.0.1
Sep 18 09:13:56 pptp[26836]: primary DNS address 10.0.0.1
Sep 18 09:13:56 pptp[26836]: secondary DNS address 10.0.0.1

Cool, let me know how it works out for you.
If I run the route command I get this output
Code:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
104.237.90.131 192.168.1.1 255.255.255.255 UGH 0 0 0 vlan2
192.168.1.1 * 255.255.255.255 UH 0 0 0 vlan2
192.168.2.0 * 255.255.255.0 U 0 0 0 br0
192.168.1.0 * 255.255.255.0 U 0 0 0 vlan2
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
default 10.0.0.1 0.0.0.0 UG 0 0 0 ppp5
default 192.168.1.1 0.0.0.0 UG 1 0 0 vlan2
So what is the IP address I plug into the iptables command in this instance? Thanks

You will need to assign static IP addresses to your devices that need to drop connection if the tunnel goes down.

Looking at your routing, maybe you might have to replace br0 with vlan2.
You need to test this script thoroughly as it was written for OpenVPN.
I am sure you can make it work with a little persistence because for some reason br0, which is your WAN, is assigned a different IP address.
Is your router's IP address 192.168.1.1 or 192.168.2.1?
If I am correct the script should start with
Code:
iptables -I FORWARD -i vlan2 -o ppp5 -j ACCEPT
Try it out and let me know how it goes.

I'm double NATed..... the main router's LAN is 192.168.1.1 and the ASUS is 192.168.2.1.
OK ... set three devices with static IP addresses and got this into /jffs/scripts/firewall-start as executable
Code:
#!/bin/sh
sleep 4
iptables -I FORWARD -i vlan2 -o ppp5 -j ACCEPT
iptables -I FORWARD -i ppp5 -o vlan2 -j ACCEPT
iptables -I FORWARD ! -o ppp5 -s 192.168.2.50 -j DROP
iptables -I FORWARD ! -o ppp5 -s 192.168.2.60 -j DROP
iptables -I FORWARD ! -o ppp5 -s 192.168.2.70 -j DROP
iptables -I INPUT -i ppp5 -j REJECT
iptables -t nat -A POSTROUTING -o ppp5 -j MASQUERADE
Will see how it goes at reboot....

Hmmm... well that doesn't work ....... no devices are able to connect regardless of whether they are in the tables or not..... VPN tunnel was up...... any idea? ...... does the VPN tunnel have to be up before applying the iptables??

Yes, you need to have the tunnel up, otherwise the script will stop the internet.
Code:
iptables -I INPUT -i vlan6 -j ACCEPT
iptables -I FORWARD -i vlan6 -o br0 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i vlan6 -o ppp0 -m state --state NEW -j ACCEPT

Code:
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
65749 4079K TCPMSS tcp -- any any anywhere anywhere tcpflags: SYN,RST/SYN TCPMSS clamp to PMTU
11M 14G ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 DROP all -- !br0 vlan2 anywhere anywhere
0 0 DROP all -- vlan2 any anywhere anywhere state INVALID
0 0 ACCEPT all -- br0 br0 anywhere anywhere
0 0 ACCEPT all -- any any anywhere anywhere ctstate DNAT
107K 7988K ACCEPT all -- br0 any anywhere anywhere
0 0 DROP all -- !br0 ppp5 anywhere anywhere

Code:
#!/bin/sh
sleep 4
iptables -I FORWARD -i br0 -o ppp5 -j ACCEPT
iptables -I FORWARD -i ppp5 -o br0 -j ACCEPT
iptables -I FORWARD ! -o ppp5 -s 192.168.2.50 -j DROP
iptables -I FORWARD ! -o ppp5 -s 192.168.2.60 -j DROP
iptables -I FORWARD ! -o ppp5 -s 192.168.2.70 -j DROP
iptables -I INPUT -i ppp5 -j REJECT
iptables -t nat -A POSTROUTING -o ppp5 -j MASQUERADE
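As an added example, not code from this thread or from the Asus-Merlin project: the firewall-start kill switch above, rewritten so the rule set can be previewed with DRY_RUN=1 before it is installed on the router. The interface names (br0 as the LAN bridge, ppp5 as the PPTP client) and the three client addresses are taken from the thread; the sysfs interface check, the dry-run mode and the duplicate-rule guard are assumptions of this example. It differs from the thread's script in one security-relevant way: it does not wait for the tunnel. iptables accepts an interface name that does not exist yet, so the DROP rules are installed even while ppp5 is down, and the protected hosts fail closed instead of open.

```shell
#!/bin/sh
# Added example, not code from the thread or from Asus-Merlin: a
# parameterised PPTP kill switch for /jffs/scripts/firewall-start.
# Assumed names, taken from the thread and not verified here:
#   br0  = LAN bridge,  ppp5 = PPTP client interface,
#   192.168.2.50/.60/.70 = statically addressed clients that must lose
#   internet access whenever ppp5 is down.

SYSFS_NET="${SYSFS_NET:-/sys/class/net}"  # where the kernel lists interfaces
DRY_RUN="${DRY_RUN:-0}"                   # 1 = print the commands, do not apply

# Run iptables, or print the command line when DRY_RUN=1.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Log to syslog on the router; echo a comment in dry-run mode.
log() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "# $*"
    else
        logger -t killswitch "$*"
    fi
}

# Succeeds only while the kernel has an interface of that name, i.e. the
# PPTP session is actually established right now.
iface_up() {
    [ -d "$SYSFS_NET/$1" ]
}

# Append a rule only if it is not already present, so re-running
# firewall-start (Merlin calls it again on a WAN restart) does not stack
# duplicate MASQUERADE entries.
add_once() {
    table="$1"; shift
    if [ "$DRY_RUN" = "1" ] || ! iptables -t "$table" -C "$@" 2>/dev/null; then
        ipt -t "$table" -A "$@"
    fi
}

# apply_killswitch LAN_IF VPN_IF "host host ..."
# Every rule is inserted with -I, so the LAST one issued ends up FIRST:
# the per-host DROPs sit above the tunnel ACCEPTs, which sit above the
# firmware's own rules. A protected host may only be forwarded out of
# VPN_IF; when ppp5 is down its packets take the WAN default route and
# hit the DROP. iptables accepts an interface name that does not exist
# yet, so the rules can go in before the tunnel is up (fail closed).
apply_killswitch() {
    lan="$1"; vpn="$2"; hosts="$3"
    ipt -I FORWARD -i "$lan" -o "$vpn" -j ACCEPT
    ipt -I FORWARD -i "$vpn" -o "$lan" -j ACCEPT
    for h in $hosts; do
        ipt -I FORWARD ! -o "$vpn" -s "$h" -j DROP
    done
    ipt -I INPUT -i "$vpn" -j REJECT
    add_once nat POSTROUTING -o "$vpn" -j MASQUERADE
}

# Only act when invoked as firewall-start; under any other name the file
# just defines the functions (handy for testing them).
case "$0" in
    *firewall-start)
        apply_killswitch br0 ppp5 "192.168.2.50 192.168.2.60 192.168.2.70"
        if iface_up ppp5; then
            log "kill switch installed, ppp5 is up"
        else
            log "kill switch installed, ppp5 is DOWN: protected hosts blocked until it comes up"
        fi
        ;;
esac
```

Running `DRY_RUN=1 sh /jffs/scripts/firewall-start` prints the six rules in the order they are issued, which is the reverse of the order they end up in the FORWARD chain. One gap these FORWARD rules cannot close: the protected hosts ask the router's own dnsmasq for DNS, and the router then forwards those queries from itself, so they are handled by INPUT and OUTPUT rather than FORWARD and leave on whatever default route exists while ppp5 is down.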