OpenVPN - Policy Rules 100 Limit???

Laxarus

Regular Contributor
I am struggling with arranging policy rules on my router to route the traffic.
All source IPs are 0.0.0.0
and I have a list of around 90 IPs that need to be entered into the list for policy rules.
Router is RT-AC5300 with Asus Merlin 384.13.
I have manually entered around 53 entries into the GUI but I cannot add more of them. When I click apply it just doesn't do anything.
They are all single IPs.
1- What might be the problem?
2- Is there a way for me to use more than 100 entries for policy rules considering that I am running out?
3- Is there a more efficient way?

Any gurus out there help?
 
3- Is there a more efficient way?

Why do you need so many individual entries?
Just run all network through VPN using 192.168.x.x/24 rule and then exclude what has to go through WAN.

Do you really have so many devices attached to this router?
It has a relatively slow CPU for VPN processing; you can expect about 60-70Mbps speeds through the VPN Client.
 
Do you have enough free NVRAM? (Tools >>> Sysinfo)
Is the 100 entry limit global for all VPN Clients or per VPN Client?
If the limit is per client then the overall limit is 500 theoretically (if there is enough NVRAM left for the entries).
 
The webui has its own limit for the newer models where nvram settings cannot be larger than a specific size. You will have to either use shorter descriptions to save nvram space, or configure everything manually through scripting.
 
Why do you need so many individual entries?
Just run all network through VPN using 192.168.x.x/24 rule and then exclude what has to go through WAN.

Do you really have so many devices attached to this router?
It has a relatively slow CPU for VPN processing; you can expect about 60-70Mbps speeds through the VPN Client.

I need my whole network to use VPN when accessing certain websites. It has no relation to attached devices.

Do you have enough free NVRAM? (Tools >>> Sysinfo)
Is the 100 entry limit global for all VPN Clients or per VPN Client?
If the limit is per client then the overall limit is 500 theoretically (if there is enough NVRAM left for the entries).

Current nvram usage with 53 policy rules: 87802 / 131072 bytes

and there is only 1 vpn client.

The webui has its own limit for the newer models where nvram settings cannot be larger than a specific size. You will have to either use shorter descriptions to save nvram space, or configure everything manually through scripting.

I will try to shorten the descriptions to see how this will go.

As for manual configuration, I looked through this page https://github.com/RMerl/asuswrt-merlin/wiki/Policy-based-routing-(manual-method) , but it seems to be deprecated and it is routing the configured devices through VPN. I need all devices to go through the VPN for certain websites. (I have an IP table for these.)
 
Never happened so far. Why would DNS redirect me when I manually enter the IPs to be tunneled?

So, you give a list of IPs to the users on your network?
Kind of a manual, printed-on-paper DNS... interesting technique.
 
The most I could squeeze was 66 with the 2 letter descriptions. @RMerlin can I utilize some other method to add more?

As per RMerlin's post:
"You will ahve [sic] to either use shorter descriptions to save nvram space, or configure everything manually through scripting."
Having exhausted the first option, you will need to use option 2 - manual scripting.

I'm not sure of the maximum number of iptables rules allowed (although you may be able to use CIDR notation if the target IPs can be grouped), but you should consider the IPSET method, where one rule can route thousands of IPs; see the end of this Wiki article.
 
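The IPSET method suggested above, as an added example that is not the thread's or the Asuswrt-Merlin project's own code: a POSIX shell script that loads the destination list into one ipset and routes matches into OpenVPN client 1 with a single iptables rule, instead of one GUI row per IP. The table name ovpnc1, the interface br0, the fwmark 0x1000/0x1000, the rule priority 9990 and the file paths are assumptions to verify on the router; the target list is constructed.

```shell
#!/bin/sh
# Added example, not the thread's or Asuswrt-Merlin's own code: send traffic for a list of
# destination IPs/CIDRs into OpenVPN client 1 with ONE iptables rule by matching an ipset.
# Assumptions: Merlin's routing table for VPN client 1 is named "ovpnc1", the LAN bridge
# is br0, and fwmark 0x1000/0x1000 is unused by anything else (check "ip rule" first).
# Save as /jffs/scripts/nat-start on the router and run it with --apply.
SET_NAME="vpnsites"        # hash:net accepts single addresses and CIDR blocks alike
FWMARK="0x1000/0x1000"     # assumed mark/mask for VPN client 1
VPN_TABLE="ovpnc1"         # assumed table name from /etc/iproute2/rt_tables
LAN_IF="br0"

# Constructed sample list: a duplicate and a CIDR block are mixed in on purpose.
# On the router read the real list instead, e.g. cat /jffs/configs/vpnsites.txt
sample_targets() {
    cat <<'EOF'
203.0.113.10
203.0.113.11
203.0.113.10
198.51.100.0/24
192.0.2.77
EOF
}
# Turn stdin into "ipset restore" input: one create line, then deduplicated add lines.
# Anything that is not a dotted quad (optionally /prefix) is dropped, so a stray comment
# or hostname in the list file cannot abort the restore.
build_ipset_restore() {
    echo "create $SET_NAME hash:net family inet"
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' | sort -u | sed "s|^|add $SET_NAME |"
}
# Number of set members that will be loaded (the GUI in the thread stalled near 100 rows).
count_entries() {
    build_ipset_restore | grep -c '^add '
}
# Load the set, mark LAN packets whose destination is in it, and route marked packets via
# the VPN table. Every step is idempotent, so re-running on a firewall restart is safe.
apply_rules() {
    sample_targets | build_ipset_restore | ipset -exist restore
    iptables -t mangle -C PREROUTING -i "$LAN_IF" -m set --match-set "$SET_NAME" dst \
        -j MARK --set-mark "$FWMARK" 2>/dev/null ||
    iptables -t mangle -A PREROUTING -i "$LAN_IF" -m set --match-set "$SET_NAME" dst \
        -j MARK --set-mark "$FWMARK"
    ip rule show | grep -q "fwmark $FWMARK lookup $VPN_TABLE" ||
        ip rule add fwmark "$FWMARK" table "$VPN_TABLE" prio 9990
    ip route flush cache
}
if [ "${1:-}" = "--apply" ]; then apply_rules
else echo "# dry run: $(sample_targets | count_entries) members"; sample_targets | build_ipset_restore
fi
```

When the tunnel is down the ovpnc1 table is empty, the lookup falls through to the main table and these destinations leave via the WAN, so pair this with a kill-switch rule if that leakage matters.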
