
LAN computers cannot access WAN IP of a computer when connected to VPN

fediddy

New Around Here
Below is the script I'm using on my RT-N66U. Everything seems to be working OK. The only problem is that none of the computers, including the server which is bypassing the VPN, are able to use the WAN IP address to connect to it. I can only use the LAN IP addresses. The WAN IP address with a certain port number is accessible from outside my network using my cell service or my computer at work. I want my LAN computers to be able to access the WAN IP. I can ping the WAN IP, but cannot access a port-forwarded IP.



Please help me. I'm going crazy.


Code:
#!/bin/sh

sleep 2

touch /tmp/000wanstarted

# Disable reverse-path filtering on all current interfaces (with policy routing,
# replies come back in on a different interface than the main table expects).
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
    echo 0 > $i
done

#US VPN

#
# Delete table 100 and flush any existing rules if they exist.
#
ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING

#
# Copy all non-default and non-VPN related routes from the main table into table 100.
# Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1"
#
# NOTE: Here I assume the OpenVPN tunnel is named "tun11".
#
ip route show table main | grep -Ev '^default' | grep -Ev tun11 \
  | while read ROUTE ; do
      ip route add table 100 $ROUTE
  done

ip route add default table 100 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 100
ip route flush cache

#
# Define the routing policies for the traffic. The rules will be applied in the order that they
# are listed. In the end, packets with MARK set to "0" will pass through the VPN. If MARK is set
# to "1" it will bypass the VPN.
#
# MARK --set-mark does not stop rule processing, so a later rule overwrites an earlier mark:
# the catch-all rule must come first and the exceptions after it.
#

# All LAN traffic will use the VPN (this rule goes first; exceptions are configured afterwards)
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 0

# Traffic from 192.168.2.100 bypasses the VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.2.100 -j MARK --set-mark 1

exit 0
 
Code:
iptables -t mangle -F PREROUTING

Your script flushes the mangle table, which contains the NAT loopback rules. That's why the NAT loopback no longer works.
 
Merlin, first I would like to thank you for the time and effort you spend on providing us with awesome custom firmware. You are awesome. I would have no patience for it. Second, thank you for replying so quickly and letting me know what the problem is. A little about myself: I have no clue how to fix it. I'm an idiot and this is the first time I've ever messed with these custom iprule scripts.

Should I remove the line you quoted and it will work?
 
Not sure, I never really looked at how people were implementing VPN routing exceptions so far.

Try using a firewall-start or nat-start script instead of a wan-start script, and remove the flushing line. Not sure if that would work, but worth a try.
 
I can't figure it out. I really need this to work. Please.

This is the script I am using now (openvpn-event):
Code:
#!/bin/sh

sleep 2

touch /tmp/000vpnstarted

SABNZBD="192.168.2.100"
DISH="192.168.2.110"

# This code goes in the WAN UP section of the Tomato GUI.
# This code is based on the contributions from this thread:
#  http://www.linksysinfo.org/index.php...openvpn.37240/
#
# And from material in these articles:
#  http://linux-ip.net/html/adv-multi-internet.html
#  http://fedorasolved.org/Members/kanarip/iptables-howto
#
# This script configures "selective" VPN routing. Normally Tomato will route ALL traffic out
# the OpenVPN tunnel. These changes to iptables allow some outbound traffic to use the VPN, and some
# traffic to bypass the VPN and use the regular Internet instead.
#

#  To list the current rules on the router, issue the command:
#      iptables -t mangle -L PREROUTING
#
#  Flush/reset all the rules to default by issuing the command:
#      iptables -t mangle -F PREROUTING
#  (on this firmware that also removes the NAT loopback rules, so the script no longer does it)
#

#
# First it is necessary to disable Reverse Path Filtering on all
# current and future network interfaces:
#
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
    echo 0 > $i
done

#
# Delete table 100 and flush any existing rules if they exist.
#
ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
#iptables -t mangle -F PREROUTING

#
# Copy all non-default and non-VPN related routes from the main table into table 100.
# Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1"
#
# NOTE: Here I assume the OpenVPN tunnel is named "tun11".
#
ip route show table main | grep -Ev '^default' | grep -Ev tun11 \
  | while read ROUTE ; do
      ip route add table 100 $ROUTE
  done
ip route add default table 100 via $(nvram get wan0_gateway)
ip rule add fwmark 1 table 100
ip route flush cache

touch /tmp/000vpnmiddle

#
# Define the routing policies for the traffic. The rules will be applied in the order that they
# are listed. In the end, packets with MARK set to "0" will pass through the VPN. If MARK is set
# to "1" it will bypass the VPN. MARK --set-mark does not stop rule processing, so a later
# rule overwrites the mark set by an earlier one: catch-all first, exceptions after it.
#
# EXAMPLES:
#
#  All LAN traffic will bypass the VPN (Useful to put this rule first, so all traffic bypasses the VPN and you can configure exceptions afterwards)
#    iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
#  Ports 80 and 443 will bypass the VPN
#    iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 1
#  All traffic from a particular computer on the LAN will use the VPN
#    iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.2 -j MARK --set-mark 0
#  All traffic to a specific Internet IP address will use the VPN
#    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 216.146.38.70 -j MARK --set-mark 0
#  All UDP and ICMP traffic will bypass the VPN
#    iptables -t mangle -A PREROUTING -i br0 -p udp -j MARK --set-mark 1
#    iptables -t mangle -A PREROUTING -i br0 -p icmp -j MARK --set-mark 1

# By default all traffic will bypass the VPN
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1

# DISH will go through the VPN (mark 0; appended after the catch-all so it overrides it)
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range $DISH -j MARK --set-mark 0

touch /tmp/000vpnended

exit 0

# Spotify explicitly bypasses the VPN
#  All traffic from a particular computer on the LAN will bypass the VPN
#    iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.xxx -j MARK --set-mark 1
#    iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.xxx -j MARK --set-mark 1

This is in the custom config:

Code:
persist-key
persist-tun
tls-client
comp-lzo
route-nopull
verb 1
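
Putting Merlin's diagnosis (flushing mangle PREROUTING throws away the firmware's NAT loopback rules) together with the rule-ordering trap in the marking rules, here is an added example, my own script rather than fediddy's or the firmware's. It keeps the thread's design, table 100 selected by fwmark 1 with a catch-all rule followed by exceptions, but never touches PREROUTING except to add one jump into a private chain that the script owns and may flush on every run. The chain name VPN_MARK, the interface names br0 and tun11, table 100, the DISH address 192.168.2.110 and the `nvram get wan0_gateway` / `wan0_ifname` lookups are assumptions carried over from the thread or overridable from the environment; `-s` is used in place of `-m iprange --src-range`. With `IPT=echo IP=echo` the script prints the commands instead of running them, which is how it can be checked off the router.

```shell
#!/bin/sh
# Added example, not the script from the thread: selective VPN marking that
# never flushes mangle PREROUTING, so the firmware's own rules there (the NAT
# loopback rules Merlin points at) survive every run.
#
# Design: all marking rules live in a private chain this script owns and may
# flush; PREROUTING gets a single jump into it. fwmark 1 = bypass the tunnel
# via policy table $TABLE, fwmark 0 = use the tunnel (the thread's convention).
#
# Assumptions (not from the thread, override from the environment): chain name
# VPN_MARK, LAN bridge br0, tunnel tun11, table 100, ASUS-style "nvram get" for
# the WAN interface and gateway. IPT=echo IP=echo prints instead of running.

IPT="${IPT:-iptables}"
IP="${IP:-ip}"
CHAIN="${CHAIN:-VPN_MARK}"                 # hypothetical chain name
LAN_IF="${LAN_IF:-br0}"
VPN_IF="${VPN_IF:-tun11}"
WAN_IF="${WAN_IF:-$(nvram get wan0_ifname 2>/dev/null || echo eth0)}"
TABLE="${TABLE:-100}"
VPN_HOSTS="${VPN_HOSTS:-192.168.2.110}"    # hosts that must use the tunnel (DISH)

# Strict reverse-path filtering drops replies that come back in on an interface
# other than the one the main table would use to reach their source. Relax it
# only where that happens (WAN and tunnel; the effective value per interface is
# the larger of conf/all and conf/<if>), so br0 keeps its anti-spoofing check.
# 0 rather than loose mode (2) because old 2.6 kernels treat any non-zero value
# as strict; use 2 where the kernel supports it.
relax_rp_filter() {
    for f in all "$WAN_IF" "$VPN_IF"; do
        p="/proc/sys/net/ipv4/conf/$f/rp_filter"
        [ -w "$p" ] && echo 0 > "$p"
    done
    return 0
}

# Create the private chain on first run, flush only it afterwards, and jump to
# it from PREROUTING exactly once (the jump is detected by listing the chain,
# which also works on old iptables without -C). The jump is inserted at the top:
# MARK --set-mark is non-terminating and overwrites the whole mark, so rules the
# firmware appends to PREROUTING still run after ours, and flushing $CHAIN
# touches nothing else.
setup_chain() {
    "$IPT" -t mangle -N "$CHAIN" 2>/dev/null || true
    "$IPT" -t mangle -F "$CHAIN"
    if ! "$IPT" -t mangle -L PREROUTING -n 2>/dev/null | grep -q "^$CHAIN "; then
        "$IPT" -t mangle -I PREROUTING 1 -i "$LAN_IF" -j "$CHAIN"
    fi
}

# Marking rules, one per line, in the order they must be applied: the catch-all
# first, then the exceptions. Appending the catch-all last silently undoes
# every exception placed before it.
emit_rules() {
    printf '%s\n' "-A $CHAIN -j MARK --set-mark 1"
    for h in $VPN_HOSTS; do   # intentionally unquoted: space-separated list
        printf '%s\n' "-A $CHAIN -s $h -j MARK --set-mark 0"
    done
}

apply_rules() {
    emit_rules | while read -r rule; do
        # shellcheck disable=SC2086  # the rule is meant to be word-split
        "$IPT" -t mangle $rule
    done
}

# Table $TABLE: every main-table route except the default and the tunnel, then
# a default via the WAN gateway; fwmark 1 selects it. The rule is removed
# before being re-added so repeated runs do not stack duplicates.
setup_policy_route() {
    gw=$(nvram get wan0_gateway 2>/dev/null)
    if [ -z "$gw" ]; then
        echo "setup_policy_route: no WAN gateway in nvram, leaving routing alone" >&2
        return 1
    fi
    "$IP" route flush table "$TABLE" 2>/dev/null || true
    "$IP" route show table main | grep -Ev "^default|$VPN_IF" |
    while read -r route; do
        # shellcheck disable=SC2086
        "$IP" route add table "$TABLE" $route
    done
    "$IP" route add default table "$TABLE" via "$gw"
    "$IP" rule del fwmark 1 table "$TABLE" 2>/dev/null || true
    "$IP" rule add fwmark 1 table "$TABLE"
    "$IP" route flush cache
}

case "${1:-}" in
    apply) relax_rp_filter; setup_chain; apply_rules; setup_policy_route ;;
    show)  emit_rules ;;                  # print the marking rules only
    *)     : ;;                           # no argument: just define functions
esac
```

Call it with `apply` from the firewall-start or nat-start script Merlin suggests, then check the result with `iptables -t mangle -L PREROUTING -n -v` (one VPN_MARK jump at the top, the firmware's rules still below it), `iptables -t mangle -L VPN_MARK -n`, `ip rule show` and `ip route show table 100`. Running it a second time should leave all four listings unchanged, and the WAN-IP loopback from the LAN should keep working because nothing the firmware put into PREROUTING is ever removed.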
 
