Static routes not working as expected in Asuswrt-Merlin?

[cmoskowitz]

oh I did but they are empty.

 

[BassKozz]

ok, thank you. I think I"m retarded, I enabled it but the /jffs/ directory is empty. Can I download them somewhere?

Run this from the command line (via SSH on your router):

echo -e '#!/bin/sh\niptables -D FORWARD -m state --state INVALID -j DROP' > /jffs/scripts/firewall-start && chmod +x /jffs/scripts/firewall-start

 

[cmoskowitz]

trying now and rebooting.

 

[cmoskowitz]

ok changes stuck but for whatever reason I still can't ping a few hosts while on the VPN.

 

[rescapind]

Hi,

I successfully set up the OpenVPN server on my Windows PC behind N66U router.
Initially, I also encountered the static routing issue as this thread mentioned. Creating the script to modify the rule as suggested solved the problem.

iptables -D FORWARD -m state --state INVALID -j DROP

Now, I need to set up another OpenVPN server on another PC but with N15U router.
The current firmware does not allow telnet. Defining static route doesn't work (just like with N66U without modifying the rule).

Any suggestion on how to work around this?
One way would be defining the route on all PCs on the same subnet with OpenVPN server PC but that is a bit troublesome.

Thanks a lot.

 

[lunds]

If you have an asymetric traffic pattern, like the OpenVPN setup mentioned by metamul in post #12, I would suggest to leave the existing rule intact, and instead add an exception for the vpn traffic back to the peer network (10.8.0.0/24):

iptables -I FORWARD -m state --state INVALID --destination 10.8.0.0/24 -j ACCEPT

I think this is more secure and is what metamul hinted at.

 

[xPETEZx]

The above command solves my problem!!!

However after every reboot, I need to enter it again.

I tried the "nvram commit" command, but still it drops after a reboot.

I am very new to ASUS routers command line, and could not find an obvious answer via google.

Can somebody help out? I have an ASUS AC66u.

Thanks

 

[xPETEZx]

Sorry to double post.... seems the issue is slightly more annoying than I thought.

It appears these commands stop working after a set period of time... havent figured out quiet how long. But after some time I cant route to my remote networks anymore.
If I reapply the command all is working again.

Appreciate anybody who can help!

 

[Martineau]

Sorry to double post.... seems the issue is slightly more annoying than I thought.

It appears these commands stop working after a set period of time... havent figured out quiet how long. But after some time I cant route to my remote networks anymore.
If I reapply the command all is working again.

Appreciate anybody who can help!

Try putting the command in nat-start

 

[xPETEZx]

Try putting the command in nat-start

Where would I put this command?

I tried infront, after, or seperately to the commands and get back "bad argument 'nat-start'" or "nat-start not found"

Thanks!

 

[Martineau]

Where would I put this command?

I tried infront, after, or seperately to the commands and get back "bad argument 'nat-start'" or "nat-start not found"

Thanks!

RTFM!

See

Usage

1. User scripts

https://github.com/RMerl/asuswrt-merlin/wiki

 

[xPETEZx]

RTFM!

See

Usage

1. User scripts

https://github.com/RMerl/asuswrt-merlin/wiki

Ok. thanks.

Think Ill leave it there. Not familiar or comfortable with Unix scripts.
Was hoping a simple fix to this.

Shame that these ASUS routers even need these changes making. Not had this issue with Netgear or Untangle.

Either way, I was just looking to simplify my network by getting the ASUS to do this routing. Will stick to Untangle for now.

 

[Martineau]

Ok. thanks.

Think Ill leave it there. Not familiar or comfortable with Unix scripts.
Was hoping a simple fix to this.

Shame that these ASUS routers even need these changes making. Not had this issue with Netgear or Untangle.

Either way, I was just looking to simplify my network by getting the ASUS to do this routing. Will stick to Untangle for now.

If you are using windows simply

1. Install the WinSCP utility

2. On the router Enable SSH va the GUI

In WinSCP set up SCP connection to your router. When the two window panes open in WinSCP, in the right pane navigate to /jffs/scripts

Hit shift+F4

Name the new file nat-start

then cut'n'paste the following

#!/bin/sh

logger -s -t "($(basename $0))" $$ NAT customisation starting.... "[$@]"

iptables -I FORWARD -m state --state INVALID --destination 10.8.0.0/24 -j ACCEPT

logger -s -t "($(basename $0))" $$ NAT customisation complete.

Save file, then right click nat-start then select Properties then put a tick mark in the three 'X' boxes and click OK.

Reboot router and you should see in Syslog the 'NAT customisation' messages...

Simples.

NOTE: The Custom Script / Config features provided by RMerlin, allows great flexibility on these ASUS routers without unnecessary GUI bloat that confuse ordinary users.
No Firmware is perfect, but if it was not for this scripting capability then I'm sure a lot of current owners would have reluctantly switched from ASUS to other vendors.

 

[octopus]

This is a more elegant way to do it and should be in newer merlin releses.

0 0 DROP all -- vlan11 any anywhere anywhere state INVALID

http://www.snbforums.com/threads/ne...le-for-state-invalid-check-in-iptables.23946/

 

[xPETEZx]

If you are using windows simply

1. Install the WinSCP utility

2. On the router Enable SSH va the GUI

In WinSCP set up SCP connection to your router. When the two window panes open in WinSCP, in the right pane navigate to /jffs/scripts

Hit shift+F4

Name the new file nat-start

then cut'n'paste the following

#!/bin/sh

logger -s -t "($(basename $0))" $$ NAT customisation starting.... "[$@]"

iptables -I FORWARD -m state --state INVALID --destination 10.8.0.0/24 -j ACCEPT

logger -s -t "($(basename $0))" $$ NAT customisation complete.

Save file, then right click nat-start then select Properties then put a tick mark in the three 'X' boxes and click OK.

Reboot router and you should see in Syslog the 'NAT customisation' messages...

Simples.

NOTE: The Custom Script / Config features provided by RMerlin, allows great flexibility on these ASUS routers without unnecessary GUI bloat that confuse ordinary users.
No Firmware is perfect, but if it was not for this scripting capability then I'm sure a lot of current owners would have reluctantly switched from ASUS to other vendors.

Thank you for the detailed response.
I am still running the stock ASUS firmware so dont have the SSH option.

I will look to upgrade to the Merlin firmware. If it adds VLAN support Im all but sold.

 

[lsx1970]

Hello,
I've the same problem and I solved by add

iptables -I FORWARD -m state --state INVALID --destination xxx.xxx.xxx.0/24 -j ACCEPT

With asus DSL-AC68U (no possibility of installing merlin firmware), I would like to know how to run a user defined sh script (like nat-start) on reboot.

Can you help me?

Thanks in advance.

 

[lsx1970]

Hello,
I've the same problem and I solved by add

iptables -I FORWARD -m state --state INVALID --destination xxx.xxx.xxx.0/24 -j ACCEPT

With asus DSL-AC68U (no possibility of installing merlin firmware), I would like to know how to run a user defined sh script (like nat-start) on reboot.

Can you help me?

Thanks in advance.

I solved this way, in order to run a script on reboot, I installed the app downloader on a USB pen drive and I modified the file /tmp/mnt/USB_DISK/asusware.arm/etc/init.d/S50downloadmaster
I added the following lines:

logger -t -s "($ (basename $ 0))" $$ NAT customization starting .... "[@ $]"
iptables -I FORWARD -m state --state INVALID --destination xxx.xxx.xxx.0/24 j ACCEPT
logger -t -s "($ (basename $ 0))" $$ NAT complete customization.

I must keep the pen drive inserted but it works fine.
Initially I tried to change the /asusware.arm/.asusrouter file but it was not executed.