Policy Based Routing breaks DNS for WAN


adamlar

New Around Here
Hi all!

I'm trying to get policy based routing to work on my Asus RT-AC66U with Merlin.
The goal is to route some of my devices via a VPN (OpenVPN, www.ovpn.se) so that they can access American content (like Netflix).

I've tried routing all devices via the VPN, and that works well. dnsleaktest.com shows the VPN's IP and DNS servers.
There is no problem with the WAN as everything works when the VPN client is turned off.

When I change "Redirect Internet traffic" to "Policy rules" and enter the source IPs that should be routed via the VPN, those devices work fine and are routed via the VPN as they should.
But then none of the other devices are working. Chrome gives me a DNS error.

Messing around with the "Accept DNS Configuration" setting (Disabled/Relaxed/Strict/Exclusive) I can get the other devices to work, but then the devices routed via the VPN fail instead. I can't get it all to work at the same time.

Changing the DNS setting under WAN from automatic to fixed addresses doesn't seem to make a difference.

Any ideas?

Set Accept DNS Configuration to disabled, and configure DNSFilter rules for every VPN client, pointing them to the DNS provided by your tunnel provider.
Merlin has commented in other posts that he suggests we use DNS filtering to accomplish what we need. He knows this sort of problem exists with policy routing but couldn't elegantly find a solution as he coded.

When you set fixed DNS in the WAN page what DNS did you use? If you were still using ISP DNS then it makes sense that VPN clients won't work as your ISP probably blocks DNS requests from users outside their network.

One method that will work for clients routed through VPN and outside VPN is to specify a public DNS (e.g. Google Public DNS) in the LAN/DHCP server page. If you do this then the DHCP lease will instruct clients to use that actual DNS and not the router as DNS. Whether through VPN or not, your clients will use that public DNS. Google Public DNS has servers all over so you'll have low latency through VPN and otherwise.
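The per-client DNS redirect that the DNSFilter suggestion above relies on, written out as an added example (not code from this thread and not Asuswrt-Merlin's own DNSFilter implementation): a POSIX sh script that builds, and on the router as root applies, iptables NAT rules sending one policy-routed client's port-53 traffic to the tunnel provider's resolver, so the query leaves with the client's source IP and follows the client's policy route instead of being answered from the router's own WAN-side resolver context. The LAN bridge name br0 and the addresses 192.168.1.50 and 10.8.0.1 are assumptions and placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from Asuswrt-Merlin.
# Per-client DNS redirection in the spirit of a DNSFilter rule: port-53 traffic
# from one LAN client is DNAT'ed to the tunnel provider's resolver, so the query
# carries the client's source IP and is policy-routed through the VPN together
# with the rest of that client's traffic.
# Assumptions: the LAN bridge is br0; 192.168.1.50 and 10.8.0.1 are placeholders.

# Reject anything that is not a dotted-quad IPv4 address before it reaches iptables.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# Print (do not run) the nat rules for one client. action: add | del
dns_redirect_rules() {
    action="$1"; client="$2"; resolver="$3"
    case "$action" in
        add) flag=-A ;;
        del) flag=-D ;;
        *) echo "usage: dns_redirect_rules add|del CLIENT_IP RESOLVER_IP" >&2; return 2 ;;
    esac
    is_ipv4 "$client" && is_ipv4 "$resolver" || { echo "bad IPv4 address" >&2; return 2; }
    # Both UDP and TCP port 53 must be covered, or large/truncated answers leak past the rule.
    for proto in udp tcp; do
        printf 'iptables -t nat %s PREROUTING -i br0 -s %s -p %s --dport 53 -j DNAT --to-destination %s\n' \
            "$flag" "$client" "$proto" "$resolver"
    done
}

# Apply on the router (root, iptables present); elsewhere just show what would be applied.
apply_dns_redirect() {
    rules=$(dns_redirect_rules "$@") || return $?
    if command -v iptables >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        printf '%s\n' "$rules" | sh -e
    else
        printf '%s\n' "$rules"
    fi
}

# Usage on the router, e.g.:  apply_dns_redirect add 192.168.1.50 10.8.0.1
# Check afterwards with:      iptables -t nat -S PREROUTING | grep 'dport 53'
```

Clients that keep the router as their DNS server are untouched by these rules, so this can be combined with the DHCP-advertised public resolver approach for the non-VPN clients.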