
OpenVPN - Policy Rules 100 Limit???

Discussion in 'Asuswrt-Merlin' started by Laxarus, Oct 14, 2019.

  1. Laxarus

    Laxarus Occasional Visitor

    Joined:
    Jun 26, 2017
    Messages:
    24
    I am struggling with arranging policy rules on my router to route the traffic.
    All source IPs are 0.0.0.0
    and I have a list of around 90 IPs that need to be entered into the list for policy rules.
    Router is RT-AC5300 with Asus Merlin 384.13.
    I have manually entered around 53 entries into the GUI but I cannot add more of them. When I click apply it just doesn't do anything.
    They are all single IPs.
    1- What might be the problem?
    2- Is there a way for me to use more than 100 entries for policy rules considering that I am running out?
    3- Is there a more efficient way?

    Any gurus out there help?
     
  2. Val D.

    Val D. Very Senior Member

    Joined:
    Jun 16, 2019
    Messages:
    648
    Location:
    Great White North
    Why do you need so many individual entries?
    Just run all network through VPN using 192.168.x.x/24 rule and then exclude what has to go through WAN.

    Do you really have so many devices attached to this router?
    It has a relatively slow CPU for VPN processing; you can expect about 60-70Mbps speeds through the VPN Client.
     
    Last edited: Oct 14, 2019
  3. 0x1D12ED

    0x1D12ED New Around Here

    Joined:
    Oct 13, 2019
    Messages:
    6
    Do you have enough free NVRAM? (Tools >>> Sysinfo)
    Is the 100 entry limit global for all VPN Clients or per VPN Client?
    If the limit is per client then the overall limit is 500 theoretically (if there is enough NVRAM left for the entries).
     
  4. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    31,330
    Location:
    Canada
    The webui has its own limit for the newer models where nvram settings cannot be larger than a specific size. You will have to either use shorter descriptions to save nvram space, or configure everything manually through scripting.
     
  5. Laxarus

    Laxarus Occasional Visitor

    Joined:
    Jun 26, 2017
    Messages:
    24
    I need my whole network to use VPN when accessing certain websites. It has no relation to attached devices.

    Current nvram usage with 53 policy rules: 87802 / 131072 bytes

    and there is only 1 vpn client.

    I will try to shorten the descriptions to see how this will go.

    As for manual configuration, I looked through this page https://github.com/RMerl/asuswrt-merlin/wiki/Policy-based-routing-(manual-method) , but it seems to be deprecated and it is routing the configured devices through VPN. I need all devices to go through the VPN for certain websites. (I have an IP table for these.)
     
  6. Val D.

    Val D. Very Senior Member

    Joined:
    Jun 16, 2019
    Messages:
    648
    Location:
    Great White North
    And what happens if the DNS redirects your request to a different server with a different IP address?
     
  7. Laxarus

    Laxarus Occasional Visitor

    Joined:
    Jun 26, 2017
    Messages:
    24
    Never happened so far. Why would DNS redirect me when I manually enter the IPs to be tunneled?
     
  8. Val D.

    Val D. Very Senior Member

    Joined:
    Jun 16, 2019
    Messages:
    648
    Location:
    Great White North
    So, you give a list of IPs to the users on your network?
    Kind of manual printed on a paper DNS... interesting technique.
     
  9. Laxarus

    Laxarus Occasional Visitor

    Joined:
    Jun 26, 2017
    Messages:
    24
    The most I could squeeze was 66 with the 2-letter descriptions. @RMerlin can I utilize some other method to add more?
     
  10. 0x1D12ED

    0x1D12ED New Around Here

    Joined:
    Oct 13, 2019
    Messages:
    6
    What if you set up another client? Can you add additional IPs there?
     
  11. Martineau

    Martineau Part of the Furniture

    Joined:
    Jul 8, 2012
    Messages:
    2,370
    Location:
    UK
    As per post:
    RMerlin said:
    "You will ahve [sic] to either use shorter descriptions to save nvram space, or configure everything manually through scripting."
    Having exhausted the first option, you will need to use option 2 - manual scripting.

    I'm not sure of the maximum number of iptables rules allowed (although you may be able to use CIDR notation if the target IPs can be grouped), but you should consider the IPSET method, where 1 rule can route thousands of IPs; see the end of this Wiki article.
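The IPSET method Martineau points to, as an added example (not code from this thread, from the Merlin wiki, or from Asuswrt-Merlin itself): one set holds every destination address, one mangle rule marks LAN traffic to those addresses, and one ip rule sends marked traffic to the VPN client's routing table, which fits the requirement that all devices use the VPN only for certain sites. The set name, mark 0x1000, table name ovpnc1, interface br0 and priority 9990 are assumptions to check against the wiki and /etc/iproute2/rt_tables on the router.

```shell
#!/bin/sh
# Added example (not from this thread or from Asuswrt-Merlin): route every LAN device's
# traffic to a list of destination IPs/CIDRs through the OpenVPN client with one ipset
# and one iptables rule, instead of one WebUI policy rule per address.
set -u
IPSET_NAME="vpn_dst"      # constructed set name
FWMARK="0x1000/0x1000"    # assumed unused fwmark bit (with mask)
VPN_TABLE="ovpnc1"        # assumed routing table name for VPN client 1
LAN_IF="br0"              # assumed LAN bridge interface
RULE_PRIO="9990"          # assumed rule priority; lower numbers are evaluated first
DRY_RUN="${DRY_RUN:-}"    # set DRY_RUN=1 to print the commands instead of running them

# Constructed sample list; on the router keep one entry per line in a file under /jffs.
sample_ip_list() {
    cat <<'EOF'
# comments and blank lines are ignored
203.0.113.10
203.0.113.11   # inline comments too

198.51.100.0/24
EOF
}

# Turn an IP/CIDR list on stdin into "ipset restore" input. Entries are loaded into a
# temporary set that is then swapped in, so a live set is replaced without a gap.
build_restore_input() {
    set_name="$1"
    printf 'create %s_tmp hash:net family inet\n' "$set_name"
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' \
        -e "s/^/add ${set_name}_tmp /"
    printf 'create %s hash:net family inet\n' "$set_name"
    printf 'swap %s_tmp %s\ndestroy %s_tmp\n' "$set_name" "$set_name" "$set_name"
}
# Run a command, or only print it when DRY_RUN is set.
run() { if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi; }
# Load the set from the list on stdin (-exist: re-creating an existing set is not an error).
load_set() { build_restore_input "$IPSET_NAME" | run ipset -exist restore; }

# Mark LAN packets whose destination is in the set and send marked packets to the VPN
# table; each rule is deleted before it is added so reruns never duplicate it.
install_rules() {
    run iptables -t mangle -D PREROUTING -i "$LAN_IF" -m set --match-set "$IPSET_NAME" dst -j MARK --set-mark "$FWMARK" 2>/dev/null || true
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -m set --match-set "$IPSET_NAME" dst -j MARK --set-mark "$FWMARK"
    run ip rule del fwmark "$FWMARK" table "$VPN_TABLE" prio "$RULE_PRIO" 2>/dev/null || true
    run ip rule add fwmark "$FWMARK" table "$VPN_TABLE" prio "$RULE_PRIO"
    run ip route flush cache
}

# Run as root on the router: ./vpn-ipset.sh apply  (the sample list stands in for a real file)
if [ "${1:-}" = "apply" ]; then sample_ip_list | load_set && install_rules; fi
```

Hook it from a Merlin user script such as /jffs/scripts/nat-start so the rules come back after a firewall restart; when the address list changes only load_set needs to run again, since the swap replaces the set contents without touching the rule.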