Viktor Jaep
> That is because you are clever and an awesome coder! Keep up the brilliant works!

Hahaha you crack me up @SomeWhereOverTheRainBow! Thank you!
@Viktor Jaep for his musical montage!
How do you have killmon configured? What IP address is your LAN PC that's pinging 8.8.8.8? Also, what exactly did you change in the UI that caused it to update and reset?

Following happened.
Killmon enabled, watching vpnmon-r2 and also watching DNS traffic with the eibgrad script, also pinging 8.8.8.8 from the LAN PC.
Made a change in the web UI under WAN Internet connection and pressed Apply.
Once the UI finished loading 100% and the page was reloading, I pressed R for reset in vpnmon-r2.
The ping window on the LAN PC stopped as expected, though just for a second or two, and whilst vpnmon was going through its reconnect cycle the ping window started again for 5 lines before the killmon fw setup blocked it again, effectively bypassing killmon.
I am working on having no DNS leaks and making sure that ALL traffic always goes through the VPN, hence why I come to killmon.
> I am working on having no DNS leaks and making sure that ALL traffic always goes through the VPN, hence why I come to killmon.

Granted, I'm not using Pi-hole, but I am not able to duplicate this issue... it's killing all traffic for me, including DNS traffic.
vpnmon is watching over 2 VPN clients with the same exit point.
VPN Director has 2 rules, ovpn1 and ovpn2, both for 192.168.50.0/24.
killmon paranoid mode wouldn't let vpnmon get its NordVPN updates, so I tried ranged mode, leaving the router IP out of that range: router IP 192.168.50.20, ranged mode 192.168.50.21 - 192.168.50.255.
In this range are the LAN PC and an RPi Pi-hole server. The Pi-hole IP is in the DNS Server 1 (DNS and WINS Server Setting) field. DNS Director is ON, Global Redirection is Router, and the Client list has the Pi-hole with No redirection.
The web UI changes were checking out what happens regarding leaks in Advanced_WAN_Content when changing DNS fields.
I have not found a way to have killmon/vpnmon working without leaking DNS, just as I do not understand how a fw rule that is supposed to be persistent could be bypassed.
curl --retry 3 "https://raw.githubusercontent.com/ViktorJp/KILLMON/master/killmon-1.01.sh" -o "/jffs/scripts/killmon.sh" && chmod a+rx "/jffs/scripts/killmon.sh"
> Just a testament that killmon is working as advertised... I mistakenly stopped my VPN connection from remote, and killmon blocked everything from making it out over the WAN. My wife and kids thought the internet went down. Started getting Google camera/doorbell alerts that all devices had become unavailable. TeamViewer was no longer functional, and all my backdoors to get into my home network were locked securely. Nothing was going in or out. After this "incident" and profuse apologies to my family for the unintended downtime, I have high confidence that killmon will do the job for those who need this extra layer of protection.

"Sorry, honey, just completing my testing."
> "Sorry, honey, just completing my testing."

Exactly... "you all are going to get something extra in your Christmas stockings for being such awesome beta testers". Lol
The leak that happens is for a very short time window, enough to expose LAN clients but not enough for all this IoT and other software you mentioned to stay up.
> because an event like this could very well likely reset the iptables and set them back to defaults,

One would have to have another watchdog script, preferably running on another LAN client, to check if the router scripts are running, though wouldn't that be too late in some cases?
> Exactly... "you all are going to get something extra in your Christmas stockings for being such awesome beta testers". Lol

We are all beta testers.
> We are all beta testers.

His wifey and his little Viks might differ with you on this. (grin)
> His wifey and his little Viks might differ with you on this. (grin)

That is because they are the at-home beta testers - a.k.a. team Vik.
> The leak that happens is for a very short time window, enough to expose LAN clients but not enough for all this IoT and other software you mentioned to stay up.

Good catch, @eleVator! Thanks for the great step-by-steps... I was able to confirm what you're seeing. As I suspected, after making such a major change to the WAN settings, it basically resets everything, and all custom iptables rules are thrown out... thus leaving you momentarily exposed until the rules are reapplied through the firewall-start event...
I am not saying that your coding is at fault, but you indicate yourself that the router is not to be trusted and can ignore any rules defined by the user.
Dec 11 09:29:55 rc_service: httpd 1958:notify_rc restart_wan_if 0;restart_stubby
Dec 11 09:29:55 custom_script: Running /jffs/scripts/service-event (args: restart wan_if)
Dec 11 09:29:55 custom_script: Running /jffs/scripts/wan-event (args: 0 stopping)
Dec 11 09:29:55 custom_script: Running /jffs/scripts/wan-event (args: 0 disconnected)
Dec 11 09:29:55 custom_script: Running /jffs/scripts/wan-event (args: 0 stopped)
Dec 11 09:29:55 wsdd2[3753]: error: wsdd-mcast-v4: wsd_send_soap_msg: send
Dec 11 09:29:55 custom_script: Running /jffs/scripts/wan-event (args: 0 stopped)
Dec 11 09:29:55 custom_script: Running /jffs/scripts/wan-event (args: 0 init)
Dec 11 09:29:55 custom_script: Running /jffs/scripts/wan-event (args: 0 connecting)
Dec 11 09:29:55 custom_script: Running /jffs/scripts/service-event-end (args: restart wan_if)
Dec 11 09:29:55 custom_script: Running /jffs/scripts/service-event (args: restart stubby)
Dec 11 09:29:55 custom_script: Running /jffs/scripts/wan-event (args: 0 disconnected)
Dec 11 09:29:55 custom_script: Running /jffs/scripts/wan-event (args: 0 stopped)
Dec 11 09:29:55 custom_script: Running /jffs/scripts/service-event-end (args: restart stubby)
Dec 11 09:29:56 wsdd2[3753]: error: wsdd-mcast-v4: wsd_send_soap_msg: send
Dec 11 09:29:56 custom_script: Running /jffs/scripts/wan-event (args: 0 connected)
Dec 11 09:29:56 wan-event[1981]: Started wanuptime with pid 1983
Dec 11 09:29:56 wanuptime[1983]: Started by wan-event, new event date/time recorded in RAM save file
Dec 11 09:29:56 custom_script: Running /jffs/scripts/firewall-start (args: eth0)
Dec 11 09:29:56 wan: finish adding multi routes
That brief moment is the leak; that should not happen, but I understand that this is what you get from this kind of application device.
> That is because they are the at-home beta testers - a.k.a. team Vik.

@Wrkdbf_Guy @SomeWhereOverTheRainBow ... all I get to hear is this endless "why can't we be like a normal family, with a normal internet connection, where it just WORKS all the time". No appreciation for the amount of country blacklisting, DoT, whole-home secure random VPN tunnels all over the country, kill switch blackouts, or all the ad/malware blocking that is going into all this... little do they know. But man, if that internet goes down, I'm definitely on the receiving end.
> 2.) Don't make major WAN changes while a kill switch is in place because doing so will reset all your iptables rules, leaving you exposed until they are reset. If you truly want to be safe, take the WAN down, disconnect your router/firewall... make your critical changes, test, test, test, reconnect and bring the WAN back up.

Yes, and there might be other times when this happens; you might want to check if this can also happen when the ISP does its daily reset.
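The leak eleVator reproduced and Viktor confirmed above comes down to one thing: a WAN restart flushes the custom iptables rules, and nothing re-applies them until the firewall-start event fires. The following is an added illustration written for this thread, not KILLMON's code and not anything either poster shared. It shows the shape of a small Asus-Merlin user-script hook that checks, on the wan-event "connected" state seen in the syslog above, whether a tagged kill-switch rule is still present and re-inserts it if not, so that both wan-event and firewall-start re-apply it. The WAN interface name (eth0, taken from the firewall-start log line), the LAN span (eleVator's ranged-mode span), the comment tag and the hook file names are assumptions.

```shell
#!/bin/sh
# Added example for this thread (not KILLMON code, not anything posted by
# Viktor or eleVator): a kill-switch re-check hook for Asus-Merlin user scripts.
# Assumptions: WAN interface eth0 (the firewall-start argument in the syslog),
# the ranged-mode span from eleVator's setup, and a single-token comment tag
# that marks the rule so it can be found again in `iptables -S` output.

WAN_IF="${WAN_IF:-eth0}"
LAN_RANGE="${LAN_RANGE:-192.168.50.21-192.168.50.255}"
TAG="killswitch-example"

# The rule we want to persist at the top of FORWARD: packets from the protected
# LAN span may not leave directly via the WAN interface. Traffic routed through
# a VPN client exits via its tun interface, not eth0, so it is unaffected.
insert_rule() {
    iptables -I FORWARD 1 -o "$WAN_IF" -m iprange --src-range "$LAN_RANGE" \
        -m comment --comment "$TAG" -j REJECT
}

# Offline-testable check: reads an `iptables -S FORWARD` dump on stdin and
# returns 0 when the tagged REJECT rule is present, 1 when it is missing
# (the state eleVator observed right after the WAN restart wiped the rules).
rule_present_in() {
    grep -E -- "^-A FORWARD .*-o $WAN_IF .*--src-range $LAN_RANGE .*--comment $TAG .*-j REJECT" >/dev/null
}

# Which wan-event state warrants a re-check. "connected" is the state in the
# log that fires just before firewall-start; the earlier states (stopping,
# disconnected, stopped, init, connecting) fire before the WAN has connectivity.
needs_recheck() {
    case "$1" in
        connected) return 0 ;;
        *)         return 1 ;;
    esac
}

# Live check and repair; the only function that touches the running firewall.
ensure_killswitch() {
    if iptables -S FORWARD 2>/dev/null | rule_present_in; then
        return 0
    fi
    logger -t "$TAG" "kill-switch rule missing after WAN event, re-inserting"
    insert_rule
}

# When installed as /jffs/scripts/wan-event the arguments are "<unit> <state>",
# e.g. "0 connected" as in the syslog. Installed as /jffs/scripts/firewall-start
# it simply re-checks, so the rule is re-applied from both hooks.
case "${0##*/}" in
    wan-event)
        if needs_recheck "$2"; then ensure_killswitch; fi ;;
    firewall-start)
        ensure_killswitch ;;
esac
```

Two things worth knowing before adapting this: `iptables -S` prints the comment unquoted only when it contains no spaces, which is why the tag is a single token that `rule_present_in` can match on; and the hook only narrows the window, since the firmware has already flushed the rules by the time any wan-event state is delivered. Viktor's advice of taking the WAN down before making major changes still stands.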
> Hahaha you crack me up @SomeWhereOverTheRainBow! Thank you!

Can this script be used with the original firmware? I have a GT-AX6000 and I seem to be having issues separating devices into using the VPN or not unless I stay with the regular firmware. I tried Merlin for the kill switch but I couldn't get the VPN Director to work. I will try again just to be sure, but yeah, this could also be what I was looking for. All I really need is a kill switch, so if this would work with the regular firmware it would be better. My VPN Fusion is doing most of the work I need.
I just tried to install the script on the original Asus firmware. It installed and configured correctly, but when I disconnected the VPN, the 4 clients I have on the list still had internet access. How can I fix it?