I have an issue with VPN policy based routing I'm hoping some of the wiser forum members who have played around with this in the past can shed some light on.
I have a fairly specific need - tunnel all traffic from a specific MAC address through tun(11) unless it matches a specific ip range or top level domain. I've seen similar threads here with similar setups regarding Netflix etc, but I've tried to port the setup I used successfully on OpenWRT to my new AC86U running latest Merlin beta as it was essentially the same.
The setup uses various ipsets, iptable x-marks and a route up script in the openvpn conf file to manually add routes to a vpn routing table. I had to make some adjustments to make it fit in with the Merlin setup but all seems relatively consistent.
The problem is that, if the VPN is established without policy based routing enabled ('Force Internet traffic through tunnel > Policy Rules') then it appears no traffic can flow through tun11 - I cannot ping/reach any destination that is routed through tun11.
Weirdly, if I then enable policy based routing (even with no rules listed), the setup starts to work. Even stranger, if I then disable policy based routing, it still works!
I've looked at the routing tables and the iptables setup both pre, post and post reversion of the setting - I can't seem to find any changes that would explain why tun11 routing is not working originally, starts to work after enabling PBR and then keeps working when it is turned off again. I guess I am either looking in the wrong place or PBR is making another change I cannot locate.
The only difference I can find is that on router start, the VPN connection is reporting no public IP address - this changes when the VPN reconnects after enabling PBR.
Does anyone have any ideas, or can someone point me towards the location of the code that enacts PBR so I can see exactly what changes it makes (and does not fully unmake)?
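The mechanism described in the post (mark traffic by source MAC, exempt an ipset of ranges, send marked traffic through a dedicated routing table whose default route is tun11) written out as an added example; this is not the poster's script or Merlin's own vpnrouting code. The MAC, ipset name, fwmark, table id and the br0 LAN bridge are assumed placeholders, and DRY_RUN=1 prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not the poster's script. Placeholders: CLIENT_MAC, EXEMPT_SET,
# VPN_TABLE, VPN_MARK; tun11 is the interface named in the post.
CLIENT_MAC="00:11:22:33:44:55"   # placeholder: device whose traffic goes through the tunnel
EXEMPT_SET="vpn_exempt"          # ipset of destination ranges that bypass the tunnel
VPN_TABLE=200                    # assumed table id; pick one the firmware does not already use
VPN_MARK=0x1000                  # fwmark set on traffic destined for tun11
MARK_MASK=0xf000                 # only these bits are ours (x-mark style, leaves other marks alone)
VPN_IF="tun11"
DRY_RUN="${DRY_RUN:-0}"          # DRY_RUN=1 prints each command instead of running it

run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# Exempt ranges live in an ipset so the iptables rules stay fixed while the list changes.
pbr_populate_exempt() {
    run ipset create "$EXEMPT_SET" hash:net -exist
    for net in "$@"; do
        run ipset add "$EXEMPT_SET" "$net" -exist
    done
}

# mangle/PREROUTING: mark LAN traffic from CLIENT_MAC unless the destination is exempt.
# br0 is assumed to be the LAN bridge.
pbr_mark_rules() {
    run iptables -t mangle -N PBR_VPN
    run iptables -t mangle -A PREROUTING -i br0 -m mac --mac-source "$CLIENT_MAC" -j PBR_VPN
    run iptables -t mangle -A PBR_VPN -m set --match-set "$EXEMPT_SET" dst -j RETURN
    run iptables -t mangle -A PBR_VPN -j MARK --set-xmark "$VPN_MARK/$MARK_MASK"
}

# route-up hook: OpenVPN exports route_vpn_gateway; a gateway may also be passed as $1.
pbr_route_up() {
    gw="${route_vpn_gateway:-${1:?vpn gateway}}"
    run ip route replace default via "$gw" dev "$VPN_IF" table "$VPN_TABLE"
    run ip rule add fwmark "$VPN_MARK/$MARK_MASK" table "$VPN_TABLE" priority 1000
    run ip route flush cache
}

# The state worth diffing before and after toggling the PBR setting.
pbr_show() {
    ip rule show
    ip route show table "$VPN_TABLE"
    iptables -t mangle -S PREROUTING
    iptables -t mangle -S PBR_VPN
}
```

Run `pbr_show` on a working and a non-working boot and diff the two outputs; a route or rule that only appears after the setting has been toggled is the change to look for.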