I discovered that too when I tried to add an exception in the GUI.
Rightly or wrongly, my script-generated custom RPDB rules take priority over GUI-generated rules.

i.e.
Code:
     Script: UseDNSOnly                                               <-HIGHEST priority
     Script: Selective Routing IPSET / Port / MAC (fwmark tagging)

     GUI:    Selective Routing Source/Destination (Client 1 WAN)
     GUI:    Selective Routing Source/Destination (Client 1 VPN)
     <snip>
     GUI:    Selective Routing Source/Destination (Client 5 WAN)
     GUI:    Selective Routing Source/Destination (Client 5 VPN)      <-LOWEST priority

NOTE: The crude 'UseDNSOnly' hack was intended to allow a non-VPN Client to use the VPN ISP DNS (via the VPN tunnel), but access the Internet via the WAN.

OK. My goal was to ensure that the right DNS is used with the setting "exclusive": WAN and VPN use different DNS.
VPN uses my VPN-provider DNS and WAN clients on the LAN use ISP DNS.
When using the GUI to set VPN/WAN, only WAN uses the right DNS; VPN uses WAN-DNS instead of my VPN-provider DNS.
This is not achieving what I want, but I am willing to try something different instead.

Thanks!
 
So if I define the following in the VPN Client 1 GUI

e.g.

[Image: upload_2019-10-2_14-10-29.png]

are you reporting an issue that (in my example) 172.16.1.100 doesn't actually use the 'EXCLUSIVE' VPN ISP DNS 100.120.178.1 ?
Code:
iptables --line -t nat -nvL PREROUTING;iptables --line -t nat -nvL DNSVPN1

Chain PREROUTING (policy ACCEPT 580 packets, 171K bytes)
num   pkts bytes target     prot opt in     out     source               destination        
1        0     0 DNSVPN1    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
2        1    68 DNSVPN1    udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
<snip>

Chain DNSVPN1 (2 references)
num   pkts bytes target     prot opt in     out     source               destination        
1        0     0 RETURN     all  --  *      *       172.16.1.222         0.0.0.0/0          
2        0     0 RETURN     all  --  *      *       172.168.1.123        0.0.0.0/0          
3        0     0 DNAT       all  --  *      *       172.16.1.100         0.0.0.0/0            to:100.120.178.1
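
Added example, not part of the original posts: a shell helper that reads a DNSVPNx chain listing like the one above and reports where a given client's port-53 traffic is sent, applying the rules in order (first match wins). The names `sample_dnsvpn1` and `dns_for_client` are made up for this example, and the sample input is the DNSVPN1 listing from the post; note that a source printed without a /prefix matches a single host only.

```shell
#!/bin/sh
# Added example (not from the thread): walk a DNSVPNx listing in rule order
# and report where a given client's port-53 traffic ends up. First match wins.

# Constructed sample input: the DNSVPN1 chain as printed in the post above.
sample_dnsvpn1() {
cat <<'EOF'
Chain DNSVPN1 (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 RETURN     all  --  *      *       172.16.1.222         0.0.0.0/0
2        0     0 RETURN     all  --  *      *       172.168.1.123        0.0.0.0/0
3        0     0 DNAT       all  --  *      *       172.16.1.100         0.0.0.0/0            to:100.120.178.1
EOF
}

# Usage: iptables --line -t nat -nvL DNSVPN1 | dns_for_client 172.16.1.100
# Prints the DNAT target, "unchanged" (RETURN: query keeps its original
# destination) or "no-match" (no rule covers this source address).
dns_for_client() {
    awk -v client="$1" '
    function ip2n(a,   p) {
        split(a, p, ".")
        return ((p[1] * 256 + p[2]) * 256 + p[3]) * 256 + p[4]
    }
    # A source printed without /prefix is a single host (/32).
    function covers(src, addr,   s, bits, size) {
        split(src, s, "/")
        bits = (s[2] == "") ? 32 : s[2]
        size = 2 ^ (32 - bits)
        return int(ip2n(s[1]) / size) == int(ip2n(addr) / size)
    }
    {
        # Column offset: 1 with --line rule numbers, 0 without.
        if ($4 ~ /^(RETURN|DNAT)$/) off = 1
        else if ($3 ~ /^(RETURN|DNAT)$/) off = 0
        else next
        if (!covers($(8 + off), client)) next
        if ($(3 + off) == "RETURN") print "unchanged"
        else { sub(/^to:/, "", $(10 + off)); print $(10 + off) }
        found = 1
        exit
    }
    END { if (!found) print "no-match" }
    '
}

# Demo on the constructed sample.
sample_dnsvpn1 | dns_for_client 172.16.1.100
```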
 
The strange thing is that I can see the same as you, but when testing with ipleak.net I get my ISP DNS, using Exclusive and Policy Rules.
For example, DNSVPN3 shows the right DNS.

Code:
Chain DNSVPN3 (2 references)
 pkts bytes target     prot opt in     out     source               destination       
    0     0 DNAT       all  --  *      *       172.16.12.0          0.0.0.0/0            to:46.227.67.134

Code:
octopus@RT-AC68U:/tmp/home/root# iptables --line -t nat -nvL PREROUTING;iptables --line -t nat -nvL DNSVPN3
Chain PREROUTING (policy ACCEPT 39880 packets, 2367K bytes)
num   pkts bytes target     prot opt in     out     source               destination       
1        2   100 DNSVPN3    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
2     8990  707K DNSVPN3    udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
3     4751  238K VSERVER    all  --  *      *       0.0.0.0/0            158.1xx.xxx.xx
 
I have just removed all of this and tested with Strict and Policy Rule, and that is the only way I can get VPN-dns working.
WAN uses ISP but shows both ISP and VPN DNS when tested with ipleak.net.
In Exclusive mode I can't get it working. VPN uses ISP-dns and WAN uses ISP-dns.

How can I get WAN to use ISP-dns and VPN to use VPN-dns, with or without the GUI and with exceptions?
@Martineau
 
This basic "Accept DNS Configuration=EXCLUSIVE" VPN Client feature should just simply work.

Many others successfully use "Accept DNS Configuration=EXCLUSIVE" so I would check the usual suspects e.g. typos etc.
 

I really don't know what's going on here. :oops:

I have turned off all VPNs except vpn1 and set it to Exclusive.
I can read in the log which is the right DNS from the VPN provider.
Code:
Oct  4 10:21:44 openvpn-updown: Forcing 192.168.12.122 to use DNS server 46.227.67.134
Oct  4 10:21:44 openvpn-updown: Forcing 192.168.12.120 to use DNS server 46.227.67.134

But when I test with ipleak.net I get a strange result.
Not my VPN-dns but my VPN-gateway.
VPN-ip => VPN-gateway => here should be VPN-dns from VPN-provider.
It must be that my VPN provider set it up strangely, but I'm not sure about that.

When I look at the VPN provider I get this, DNS=OK
[Image: VPN-ips.jpg]

EDIT: After more investigation I have seen that when I compare with the VPN-provider app I get the same result with DNS requests.
It seems that is right. That confuses me a lot; I didn't know about the routing of DNS requests.
 