Custom routing config. Need advice

BANsOnLn

So I have an ASUS RT-AC5300. I am running a Mac Mini (10.5.50.110) with Plex. I have a subscription to Torguard to route some of my traffic from the Mac Mini. I have updated to the latest firmware, 384.5. When I have the VPN client running on my router, all my internet traffic seems to be slow. Only traffic coming from the Mac Mini, excluding Plex, is supposed to go through the VPN tunnel. Everything else is supposed to go out through my ISP. Here is what I have configured in my openvpn-event file under /jffs/scripts:

Code:
#!/bin/sh

sleep 2

# Disable reverse-path filtering so replies may leave via a different interface
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
  echo 0 > $i
done

# Start from a clean table 100 and mark-1 rule, and an empty mangle PREROUTING chain
ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING

# Copy every route from main except the default and the tun11 routes into table 100
ip route show table main | grep -Ev ^default | grep -Ev tun11\
  | while read ROUTE ; do
      ip route add table 100 $ROUTE
done

# Table 100 defaults to the ISP gateway; packets marked 1 are routed by it
ip route add default table 100 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 100
ip route flush cache

# Mark all LAN traffic 1 (ISP) ...
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1

# ... then clear the mark for the Mac Mini so it follows the normal routing tables
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 10.5.50.110 -j MARK --set-mark 0

# Plex Traffic: Bypass VPN (-C checks whether the rule exists; -A adds it only when it does not)
iptables -t mangle -C PREROUTING -i br0 -p tcp --sport 32400 -j MARK --set-mark 1
if [ $? -eq 1 ]
then
    iptables -t mangle -A PREROUTING -i br0 -p tcp --sport 32400 -j MARK --set-mark 1
fi
iptables -t mangle -C PREROUTING -i br0 -p udp --sport 32400 -j MARK --set-mark 1
if [ $? -eq 1 ]
then
    iptables -t mangle -A PREROUTING -i br0 -p udp --sport 32400 -j MARK --set-mark 1
fi
iptables -t mangle -C PREROUTING -i br0 -p tcp --dport 32400 -j MARK --set-mark 1
if [ $? -eq 1 ]
then
    iptables -t mangle -A PREROUTING -i br0 -p tcp --dport 32400 -j MARK --set-mark 1
fi
iptables -t mangle -C PREROUTING -i br0 -p udp --dport 32400 -j MARK --set-mark 1
if [ $? -eq 1 ]
then
    iptables -t mangle -A PREROUTING -i br0 -p udp --dport 32400 -j MARK --set-mark 1
fi
exit 0

Here is what I have configured in the Client VPN Settings on the router:


Network Settings
Interface: TUN
Protocol: UDP
Server Address and Port: x.x.x.x:443
Accept DNS Configuration: Strict
Create NAT on Tunnel: Yes
Authentication Settings
Authorization Mode: TLS
Username/Password Authentication: Yes
Username: xxxxxxxxx
Password: xxxxxxxx
Username / Password Auth. Only: No
Crypto Negotiation
Keys and Certificates
Cipher negotiation: Enable (with fallback)
Negotiable cipher: AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC
Legacy/fallback cipher: Default
TLS control channel security: Disabled
Auth digest: Default
Advanced Settings
Log verbosity 3
Compression LZO Adaptive
TLS Renegotiation Time: -1
Connection Retry attempts: 15
Verify Server Certificate: No
Redirect Internet Traffic: No
Custom Configuration
persist-key
persist-tun

This used to work a long time ago, and even if I roll back to an older firmware that worked before, I am still having issues with browsing being very slow. I am at a loss at this point; I just don't understand why it is acting up now when I have not changed anything except for FW, but even if I roll back to the FW that worked before it still does not work. Any advice would be greatly appreciated.
 
When browsing is slow, have you checked the public IP to see if it's going through the VPN or not?

Judging by the fact that even downgrading isn’t helping, maybe reset and start over? It’s very easy to setup selective VPN routing right from the web UI now.
I think everything you have in that script is doable from the web UI, as OP said.
 
It’s very easy to setup selective VPN routing right from the web UI now.

The OP needs to perform Selective Port Routing, which cannot be achieved via the GUI, which only supports IPs/subnets for Selective Routing.
 
So I have an ASUS RT-AC5300. I am running a Mac Mini (10.5.50.110) with Plex. I have a subscription to Torguard to route some of my traffic from the Mac Mini. I have updated to the latest firmware 384.5. When I have the VPN client running on my router all my internet traffic seems to be slow. Only traffic coming from the Mac Mini, excluding Plex is supposed to go through the VPN tunnel. Everything else is supposed to go out through my ISP. Here is what I have configured in my openvpn-event file under /jffs/scripts

<snip>

if I roll back to the FW that worked before it still does not work.

I have stated many times that the script method you have deployed is flawed and should be discarded.

Use the GUI to enable Selective Routing for all traffic from the Mac Mini Plex device out via the VPN

[attached screenshot: upload_2018-6-15_17-8-59.png]


For hosting, you should Port Forward 32400 to 10.5.50.110 for both TCP and UDP

Use the following commands to enable Selective Port Routing of TCP/UDP 32400 traffic via the WAN
Code:
ip rule del fwmark 0x7000/0x7000 2> /dev/null
ip rule add fwmark 0x7000/0x7000 table 254 prio 9990
ip route flush cache

iptables -t mangle -D PREROUTING -i br0 --src 10.5.50.110 -p udp -m multiport --sport 32400 -j MARK --set-mark 0x7000/0x7000 2> /dev/null
iptables -t mangle -D PREROUTING -i br0 --src 10.5.50.110 -p tcp -m multiport --sport 32400 -j MARK --set-mark 0x7000/0x7000 2> /dev/null
iptables -t mangle -A PREROUTING -i br0 --src 10.5.50.110 -p udp -m multiport --sport 32400 -j MARK --set-mark 0x7000/0x7000
iptables -t mangle -A PREROUTING -i br0 --src 10.5.50.110 -p tcp -m multiport --sport 32400 -j MARK --set-mark 0x7000/0x7000

If the above commands work, then they can be added to nat-start but you should add a 'sleep 10' in nat-start before attempting to issue the above commands.
 
I have stated many times that the script method you have deployed is flawed and should be discarded.

<snip>

Thank you all so much! I assume the CODE above would go into the openvpn-event file? Sorry, a bit of a noob when it comes to this stuff.

Sorry, the above should be added to the nat-start file? Where is that located?

So I should SSH into the router and run the commands above to see if it works? Then, if it works, add those lines to the nat-start file and delete the openvpn-event file?
 
Here is my nat-start file:

Code:
#!/bin/sh

sleep 10

ip rule del fwmark 0x7000/0x7000 2> /dev/null
ip rule add fwmark 0x7000/0x7000 table 254 prio 9990
ip route flush cache

iptables -t mangle -D PREROUTING -i br0 --src 10.2.50.110 -p udp -m multiport --sport 32400 -j MARK --set-mark 0x7000/0x7000 2> /dev/null
iptables -t mangle -D PREROUTING -i br0 --src 10.2.50.110 -p tcp -m multiport --sport 32400 -j MARK --set-mark 0x7000/0x7000 2> /dev/null
iptables -t mangle -A PREROUTING -i br0 --src 10.2.50.110 -p udp -m multiport --sport 32400 -j MARK --set-mark 0x7000/0x7000
iptables -t mangle -A PREROUTING -i br0 --src 10.2.50.110 -p tcp -m multiport --sport 32400 -j MARK --set-mark 0x7000/0x7000

When I run it manually and then do an iptables --list, I don't see anything listed for what I just added in the nat-start file. Again, sorry for being a bit of a noob at this.
 
Here is my nat-start file:

<snip>

Issue the following commands:
Code:
ip rule

iptables -nvL PREROUTING --line -t mangle
 
Ok. I think it is in the router config. Here are the results from the commands you sent me.

Code:
# ip rule
0:      from all lookup local
9989:   from all fwmark 0x1 lookup wan0
9990:   from all fwmark 0x7000/0x7000 lookup main
10101:  from 10.2.50.110 lookup ovpnc1
32766:  from all lookup main
32767:  from all lookup default

# iptables -nvL PREROUTING --line -t mangle
Chain PREROUTING (policy ACCEPT 108K packets, 29M bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     196K   32M MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            MARK set 0x1
2     3797  463K MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            source IP range 10.2.50.110-10.2.50.110 MARK and 0x0
3        0     0 MARK       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            tcp spt:32400 MARK set 0x1
4        0     0 MARK       udp  --  br0    *       10.2.50.110          0.0.0.0/0            multiport sports 32400 MARK or 0x7000
5        0     0 MARK       tcp  --  br0    *       10.2.50.110          0.0.0.0/0            multiport sports 32400 MARK or 0x7000

When I launch Plex it is still trying to use the IP of the VPN and the ISP IP.
 
Ok. I think it is in the router config. Here are the results from the commands you sent me.

<snip>

You still have the old rules in place. :rolleyes:

I suggest you reboot and ensure that the old script no longer is executed.
 
Ok, so I rebooted and it looks better but it is still not working.

Code:
# ip rule
0:      from all lookup local
9990:   from all fwmark 0x7000/0x7000 lookup main
10101:  from 10.2.50.110 lookup ovpnc1
32766:  from all lookup main
32767:  from all lookup default

# iptables -nvL PREROUTING --line -t mangle
Chain PREROUTING (policy ACCEPT 16233 packets, 3852K bytes)
num   pkts bytes target        prot opt in     out     source               destination
1     1165  469K MARK          all  --  tun11  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
2        0     0 MARK          udp  --  br0    *       10.2.50.110          0.0.0.0/0            multiport sports 32400 MARK or 0x7000
3        0     0 MARK          tcp  --  br0    *       10.2.50.110          0.0.0.0/0            multiport sports 32400 MARK or 0x7000
4      913  260K BWDPI_FILTER  udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0

When I launch Plex it is still using the VPN IP. This is so close.
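The following Python is an added model, not code from the thread or from the Asuswrt-Merlin firmware, of how the MARK targets and the `ip rule` priorities listed above (the output posted before and after the reboot) decide which routing table a packet uses. It transcribes the posted `ip rule` and `iptables -t mangle` listings; the `local` rule and the BWDPI_FILTER entry are left out because neither affects forwarded LAN traffic in this walk-through, and the second LAN host 10.2.50.20 and the port numbers of the sample packets are constructed for the example.

```python
"""Model of the fwmark / ip-rule mechanics behind the rules posted in this thread.
MARK: every form reduces to --set-xmark value/mask, mark = (mark & ~mask) ^ value
  (--set-mark v is v/0xffffffff, listed as "MARK set"; --set-mark v/v lists as "MARK or v").
ip rule: tried by ascending priority; `fwmark value/mask` matches when
  (mark & mask) == value, and a bare `fwmark v` means mask 0xffffffff.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

FULL = 0xFFFFFFFF  # the mask a bare --set-mark / fwmark implies

def set_xmark(mark: int, value: int, mask: int = FULL) -> int:
    """iptables MARK --set-xmark: clear the masked bits, then XOR value in."""
    return ((mark & (~mask & FULL)) ^ value) & FULL

@dataclass
class Packet:
    in_iface: str
    src: str
    proto: str
    sport: int
    dport: int

@dataclass
class MangleRule:
    """One MARK rule in mangle PREROUTING, expressed as value/mask."""
    in_iface: str
    value: int
    mask: int = FULL
    src: Optional[str] = None
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (p.in_iface == self.in_iface and self.src in (None, p.src)
                and self.proto in (None, p.proto)
                and self.sport in (None, p.sport) and self.dport in (None, p.dport))

@dataclass
class IpRule:
    prio: int
    table: str
    src: Optional[str] = None
    fwmark: Optional[Tuple[int, int]] = None   # (value, mask)

    def matches(self, p: Packet, mark: int) -> bool:
        if self.src is not None and p.src != self.src:
            return False
        return self.fwmark is None or (mark & self.fwmark[1]) == self.fwmark[0]

def mangle(p: Packet, chain: List[MangleRule]) -> int:
    """MARK is non-terminating: every matching rule is applied, in order."""
    mark = 0
    for rule in chain:
        if rule.matches(p):
            mark = set_xmark(mark, rule.value, rule.mask)
    return mark

def route(p: Packet, chain: List[MangleRule], rules: List[IpRule]) -> Tuple[int, str]:
    """Return (final mark, table chosen by the first matching ip rule)."""
    mark = mangle(p, chain)
    for rule in sorted(rules, key=lambda r: r.prio):
        if rule.matches(p, mark):
            return mark, rule.table
    raise LookupError("no ip rule matched")

MINI = "10.2.50.110"
# mangle PREROUTING as listed before the reboot: old openvpn-event marks plus the new ones
CHAIN_OLD = [
    MangleRule("br0", 0x1),                                # MARK set 0x1
    MangleRule("br0", 0x0, src=MINI),                      # MARK and 0x0
    MangleRule("br0", 0x1, proto="tcp", sport=32400),      # tcp spt:32400 MARK set 0x1
    MangleRule("br0", 0x7000, 0x7000, src=MINI, proto="udp", sport=32400),  # MARK or 0x7000
    MangleRule("br0", 0x7000, 0x7000, src=MINI, proto="tcp", sport=32400),
]
# ip rules as listed before the reboot ('local' omitted: it never matches forwarded traffic)
RULES_OLD = [
    IpRule(9989, "wan0", fwmark=(0x1, FULL)),
    IpRule(9990, "main", fwmark=(0x7000, 0x7000)),
    IpRule(10101, "ovpnc1", src=MINI),
    IpRule(32766, "main"),
    IpRule(32767, "default"),
]
# after the reboot: the firmware's tun11 rule plus the nat-start marks (BWDPI_FILTER omitted)
CHAIN_NEW = [
    MangleRule("tun11", 0x1, 0x7),                         # MARK xset 0x1/0x7
    MangleRule("br0", 0x7000, 0x7000, src=MINI, proto="udp", sport=32400),
    MangleRule("br0", 0x7000, 0x7000, src=MINI, proto="tcp", sport=32400),
]
RULES_NEW = [r for r in RULES_OLD if r.prio != 9989]

# constructed sample traffic; 10.2.50.20 is an assumed second LAN host
PLEX_REPLY = Packet("br0", MINI, "tcp", 32400, 51234)       # Plex answering a remote viewer
MINI_BROWSE = Packet("br0", MINI, "tcp", 50000, 443)        # anything else from the Mac Mini
OTHER_LAN = Packet("br0", "10.2.50.20", "tcp", 50001, 443)

if __name__ == "__main__":
    for p in (PLEX_REPLY, MINI_BROWSE, OTHER_LAN):
        print(p.src, p.sport, route(p, CHAIN_OLD, RULES_OLD), route(p, CHAIN_NEW, RULES_NEW))
```

Running it shows why the prio-9990 rule sits where it does: a Plex reply from the Mac Mini (source port 32400) ends up with mark 0x7000 (0x7001 while the old `set 0x1` rules were still loaded) and is sent to `main` at prio 9990, before the prio-10101 `from 10.2.50.110 lookup ovpnc1` rule can push it into the tunnel, while any other packet from the Mac Mini stays unmarked and reaches the ovpnc1 rule. With the old prio-9989 `fwmark 0x1` rule gone, other LAN hosts fall through to `main` instead of being forced to `wan0`. The model only covers the listed rules; it says nothing about why the br0 port-32400 counters stay at zero, which is the question the thread goes on to ask.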
 
In my old config, here was the code I used that I believe was used to bypass the VPN for my Mac Mini. I notice the code you sent me was a little different. Is there something else I need to add from the old code to get this to work?

Old:
Code:
# Plex Traffic: Bypass VPN
iptables -t mangle -C PREROUTING -i br0 -p tcp --sport 32400 -j MARK --set-mark 1
if [ $? -eq 1 ]
then
    iptables -t mangle -A PREROUTING -i br0 -p tcp --sport 32400 -j MARK --set-mark 1
fi
iptables -t mangle -C PREROUTING -i br0 -p udp --sport 32400 -j MARK --set-mark 1
if [ $? -eq 1 ]
then
    iptables -t mangle -A PREROUTING -i br0 -p udp --sport 32400 -j MARK --set-mark 1
fi
iptables -t mangle -C PREROUTING -i br0 -p tcp --dport 32400 -j MARK --set-mark 1
if [ $? -eq 1 ]
then
    iptables -t mangle -A PREROUTING -i br0 -p tcp --dport 32400 -j MARK --set-mark 1
fi
iptables -t mangle -C PREROUTING -i br0 -p udp --dport 32400 -j MARK --set-mark 1
if [ $? -eq 1 ]
then
    iptables -t mangle -A PREROUTING -i br0 -p udp --dport 32400 -j MARK --set-mark 1
fi
exit 0

New:
Code:
iptables -t mangle -D PREROUTING -i br0 --src 10.2.50.110 -p udp -m multiport --sport 32400 -j MARK --set-mark 0x7000/0x7000 2> /dev/null
iptables -t mangle -D PREROUTING -i br0 --src 10.2.50.110 -p tcp -m multiport --sport 32400 -j MARK --set-mark 0x7000/0x7000 2> /dev/null
iptables -t mangle -A PREROUTING -i br0 --src 10.2.50.110 -p udp -m multiport --sport 32400 -j MARK --set-mark 0x7000/0x7000
iptables -t mangle -A PREROUTING -i br0 --src 10.2.50.110 -p tcp -m multiport --sport 32400 -j MARK --set-mark 0x7000/0x7000
 
Ok, so I rebooted and it looks better but it is still not working.
Code:
# iptables -nvL PREROUTING --line -t mangle

Chain PREROUTING (policy ACCEPT 16233 packets, 3852K bytes)
num   pkts bytes target     prot opt in     out     source               destination       
1     1165  469K MARK       all  --  tun11  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
When I launch Plex it is still using the VPN IP. This is so close.
NOTE: When posting command results, it is easier on the eye to enclose the text in the 'insert' menu 'Code' tags.

Q. Are you hosting the Plex server? There are no hits on the inbound Port Forward Plex port 32400 rules?
 
In my old config, here was the code I used that I believe was used to bypass the VPN for my Mac Mini. I notice the code you sent me was a little different. Is there something else I need to add from the old code to get this to work?

You could try adding the outbound Port 32400 rules
Code:
iptables -t mangle -D PREROUTING -i br0 --src 10.2.50.110 -p udp -m multiport --dport 32400 -j MARK --set-mark 0x7000/0x7000 2> /dev/null
iptables -t mangle -D PREROUTING -i br0 --src 10.2.50.110 -p tcp -m multiport --dport 32400 -j MARK --set-mark 0x7000/0x7000 2> /dev/null
iptables -t mangle -A PREROUTING -i br0 --src 10.2.50.110 -p udp -m multiport --dport 32400 -j MARK --set-mark 0x7000/0x7000
iptables -t mangle -A PREROUTING -i br0 --src 10.2.50.110 -p tcp -m multiport --dport 32400 -j MARK --set-mark 0x7000/0x7000
 
So here is my current nat-start. I added the additional lines and rebooted. Still not working. The Plex server is running on the Mac Mini. I want all traffic from the Mac Mini to use the VPN except for the Plex server running on port 32400. So far the Mac Mini is showing as using the IP of the VPN when I do a "What is my IP" via the browser, which is good. In the past, Plex would show the IP of the ISP when looking at the Plex GUI. It still shows the IP of the VPN. Everything looks correct in the code. The only thing I notice is that the old code only used port and not IP. You have more knowledge than I do at this, so I am sure you are giving me what I need, but it just does not work so far.

Code:
#!/bin/sh

sleep 10

ip rule del fwmark 0x7000/0x7000 2> /dev/null
ip rule add fwmark 0x7000/0x7000 table 254 prio 9990
ip route flush cache

iptables -t mangle -D PREROUTING -i br0 --src 10.2.50.110 -p udp -m multiport --sport 32400 -j MARK --set-mark 0x7000/0x7000 2> /dev/null
iptables -t mangle -D PREROUTING -i br0 --src 10.2.50.110 -p tcp -m multiport --sport 32400 -j MARK --set-mark 0x7000/0x7000 2> /dev/null
iptables -t mangle -A PREROUTING -i br0 --src 10.2.50.110 -p udp -m multiport --sport 32400 -j MARK --set-mark 0x7000/0x7000
iptables -t mangle -A PREROUTING -i br0 --src 10.2.50.110 -p tcp -m multiport --sport 32400 -j MARK --set-mark 0x7000/0x7000

iptables -t mangle -D PREROUTING -i br0 --src 10.2.50.110 -p udp -m multiport --dport 32400 -j MARK --set-mark 0x7000/0x7000 2> /dev/null
iptables -t mangle -D PREROUTING -i br0 --src 10.2.50.110 -p tcp -m multiport --dport 32400 -j MARK --set-mark 0x7000/0x7000 2> /dev/null
iptables -t mangle -A PREROUTING -i br0 --src 10.2.50.110 -p udp -m multiport --dport 32400 -j MARK --set-mark 0x7000/0x7000
iptables -t mangle -A PREROUTING -i br0 --src 10.2.50.110 -p tcp -m multiport --dport 32400 -j MARK --set-mark 0x7000/0x7000
 
So here is my current nat-start. I added the additional lines and rebooted. Still not working. <snip>

What is the output of the commands?
 
Code:
# ip rule
0:      from all lookup local
9990:   from all fwmark 0x7000/0x7000 lookup main
10101:  from 10.2.50.110 lookup ovpnc1
32766:  from all lookup main
32767:  from all lookup default

# iptables -nvL PREROUTING --line -t mangle
Chain PREROUTING (policy ACCEPT 71536 packets, 19M bytes)
num   pkts bytes target        prot opt in     out     source               destination
1     1362  569K MARK          all  --  tun11  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
2        0     0 MARK          udp  --  br0    *       10.2.50.110          0.0.0.0/0            multiport sports 32400 MARK or 0x7000
3        0     0 MARK          tcp  --  br0    *       10.2.50.110          0.0.0.0/0            multiport sports 32400 MARK or 0x7000
4        0     0 MARK          udp  --  br0    *       10.2.50.110          0.0.0.0/0            multiport dports 32400 MARK or 0x7000
5        0     0 MARK          tcp  --  br0    *       10.2.50.110          0.0.0.0/0            multiport dports 32400 MARK or 0x7000
6     2173  760K BWDPI_FILTER  udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0
 
What is the difference between "mangle -C" and "mangle -D"? I notice my old code had -C, not -D.

'-D' means delete the rule.
'-C' means check if rule exists.
 

Do you have CTF enabled?

You can try removing the '--src 10.2.50.110' from the iptables commands.

As a last resort, what happens if you issue

Code:
iptables -D PREROUTING 1 -t mangle
 

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top