
Policy Based Routing

Discussion in 'Asuswrt-Merlin' started by Tony Abraham, Sep 19, 2017.

  1. Tony Abraham

    Tony Abraham New Around Here

    Joined:
    Sep 13, 2017
    Messages:
    7
    Hi there,

    I would like to know if it is possible to use Policy Based Routing and L2TP with Asuswrt-Merlin firmware. My reason for not using OpenVPN is that the speeds with this router are really slow and my main reason for VPN is not for security reasons but to mask my traffic from my ISP.

    In an ideal world I would like to direct traffic to certain addresses to use the VPN and other addresses to use the normal internet.

    Is this possible?

    Thanks
     
  2. Martineau

    Martineau Very Senior Member

    Joined:
    Jul 8, 2012
    Messages:
    1,211
    Location:
    UK

    Yes, this script should still be valid, which by default (i.e. no arg supplied) will simply initialise the Selective Routing (via the PPTP/L2TP tunnel) environment.

    https://www.snbforums.com/threads/l2tp-vpn-client-for-only-one-device.37927/#post-312177

    Once the script has run, you should then be able to manually issue the appropriate RPDB Selective Routing rules for your target remote I/P addresses.

    e.g. ALL local devices on the LAN will be routed via the PPTP/L2TP tunnel for site I/P xxx.xxx.xxx.xxx, and only device 192.168.1.xxx will use the tunnel to access xxx.xxx.xxx.yyy
    Code:
    ip rule add from 0/0 to xxx.xxx.xxx.xxx table 99 prio 9000
    
    ip rule add from 192.168.1.xxx to xxx.xxx.xxx.yyy table 99 prio 9001
    
    ip rule
    and to apply the RPDB selective routing rules immediately issue
    Code:
    ip route flush cache
    otherwise it can take several minutes for the new RPDB rules to be applied.

    Once you are satisfied with the manual rules you can then add them to the script, although to prevent duplicated rules you should issue the appropriate 'delete' command before adding the new rule 'priority'

    e.g. for the two sample rules above
    Code:
    ip rule del prio 9000
    ip rule del prio 9001
     
    Last edited: Sep 20, 2017
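The procedure in the post above (delete the rule at a priority before adding it, then flush the route cache) as one complete script. This is an added example, not Martineau's script or anything from the Asuswrt-Merlin project; it assumes the tunnel routes are already in table 99 (set up by the init script linked in the thread), that the LAN is 192.168.1.0/24, and the remote addresses in RULES are constructed placeholders.

```shell
#!/bin/sh
# Added example, not Martineau's script: install a fixed set of RPDB
# selective-routing rules idempotently, the way the post above describes
# (delete by priority first, add, then flush the route cache).
# Assumptions: the PPTP/L2TP tunnel routes already live in table 99 (set up by
# the init script linked in the thread), the LAN is 192.168.1.0/24, and the
# remote addresses below are constructed placeholders (TEST-NET-3 range).

TABLE=${TABLE:-99}

# One rule per line: "<source> <destination> <priority>".
# Source 0/0 means every LAN device; the destination is the remote site.
RULES='
0/0 203.0.113.10 9000
192.168.1.50 203.0.113.20 9001
'

# DRY_RUN=1 prints each command instead of executing it, so the rule set can
# be reviewed before the script goes into /jffs/scripts on the router.
run() {
  if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi
}

# Remove whatever sits at this priority (ignoring "no such rule" errors), then
# add the rule; re-running the script therefore never produces duplicates.
install_rule() {
  src=$1; dst=$2; prio=$3
  run ip rule del prio "$prio" 2>/dev/null || true
  run ip rule add from "$src" to "$dst" table "$TABLE" prio "$prio"
}

# Install every rule in RULES and make the kernel pick them up immediately.
apply_rules() {
  printf '%s\n' "$RULES" | while read -r src dst prio; do
    [ -n "$src" ] || continue
    install_rule "$src" "$dst" "$prio"
  done
  run ip route flush cache
}

# Count the rules the script would install (a sanity check on RULES).
rule_count() {
  printf '%s\n' "$RULES" | grep -c '^[^ ]* [^ ]* [0-9]*$'
}

# Print the plan by default; APPLY=1 actually changes the router's RPDB.
[ "${APPLY:-0}" = 1 ] || DRY_RUN=1
apply_rules
```

Run it once without APPLY to read the commands it would issue, then `APPLY=1 sh script.sh` on the router; when it is installed as a Merlin user script, set `APPLY=1` at the top of the file. Because each add is preceded by a delete at the same priority, the script can be re-run after every edit to RULES without leaving stale duplicates behind, which is exactly the problem the post warns about.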
  3. Tony Abraham

    Tony Abraham New Around Here

    Joined:
    Sep 13, 2017
    Messages:
    7
    Are there detailed instructions on how the script works? I am a novice so can't seem to see where the rules are set. I.e. if 192.168.1.110 (wifi device) tries to contact Netflix.com then it will go via normal internet. If 192.168.1.110 tries to contact HBO.com it will route via VPN.

    Thanks for your help
     
  4. Martineau

    Martineau Very Senior Member

    Joined:
    Jul 8, 2012
    Messages:
    1,211
    Location:
    UK

    As listed above, to see the current RPDB rules issue:

    Code:
    ip rule
     
  5. Tony Abraham

    Tony Abraham New Around Here

    Joined:
    Sep 13, 2017
    Messages:
    7
    Ah, I see, so these are issued via the command line? I think I'll do a bit of reading up on this firmware; as you can see, I am a novice :)
     
  6. Martineau

    Martineau Very Senior Member

    Joined:
    Jul 8, 2012
    Messages:
    1,211
    Location:
    UK

    So I take it you can't currently access/use the command line, and you don't know how to copy'n'paste the script onto the router correctly? See https://github.com/RMerl/asuswrt-merlin/wiki and the section about User scripts.

    However, I think you may find that you become stuck very quickly in resolving your requirement.

    Unfortunately, RPDB rules cannot use domain names as the target.

    So if you try
    Code:
    ip rule add from 192.168.1.110 to www.hbo.com table 99 prio 9000
    
    Error: an inet prefix is expected rather than "www.hbo.com".
    So depending on the time of day, which DNS server responds first, etc., 'www.hbo.com' will resolve to a CDN address list that 49 times out of 50 could be the same, but not necessarily so.

    e.g. for me just now
    Code:
    nslookup www.hbo.com
    
    Server:    127.0.0.1
    Address 1: 127.0.0.1 localhost.localdomain
    
    Name:      www.hbo.com
    Address 1: 52.42.218.150 ec2-52-42-218-150.us-west-2.compute.amazonaws.com
    Address 2: 34.208.245.59 ec2-34-208-245-59.us-west-2.compute.amazonaws.com
    Address 3: 52.43.34.171 ec2-52-43-34-171.us-west-2.compute.amazonaws.com
    So which address should you use? Or perhaps you should add all three RPDB rules:
    Code:
    ip rule add from 192.168.1.110 to 52.42.218.150 table 99 prio 9000
    ip rule add from 192.168.1.110 to 34.208.245.59 table 99 prio 9001
    ip rule add from 192.168.1.110 to 52.43.34.171  table 99 prio 9002
    but www.hbo.com has probably hundreds of actual I/P addresses in various subnets.

    If you search the forum, you will see that the most successful tracking method of ALL the current streaming service I/P addresses is using ipsets.

    So in theory once the ipset (say we call it HBO) is created and populated then you would simply have 1 RPDB rule to redirect those hundreds of HBO I/P addresses correctly.

    But that is for another thread.
     
    Last edited: Sep 20, 2017
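The ipset approach the post above points at, carried through to a working script: every address the hostname currently resolves to goes into one ipset, LAN packets to those addresses get a firewall mark, and a single RPDB rule sends marked packets through the tunnel table. This is an added example, not code from the thread or from Asuswrt-Merlin. It assumes table 99 already holds the tunnel routes (init script linked earlier in the thread), that the LAN bridge is br0 and ipset v6 syntax is available; the set name HBO, the mark 0x8000 and priority 9000 are arbitrary values chosen here, and the embedded nslookup output is copied from the post so the script can be exercised off the router.

```shell
#!/bin/sh
# Added example, not code from the thread: the ipset approach the post above
# points at. Every address a hostname currently resolves to goes into one
# ipset, LAN packets to those addresses get a firewall mark, and a single RPDB
# rule sends marked packets through the tunnel table.
# Assumptions: table 99 already holds the tunnel routes (init script linked
# earlier in the thread); the LAN bridge is br0; ipset v6 syntax is available;
# set name HBO, mark 0x8000 and priority 9000 are arbitrary values chosen here.
# Check `ip rule` and `iptables -t mangle -S` first so the mark and priority do
# not collide with rules the firmware already installs.

SET_NAME=${SET_NAME:-HBO}
MARK=${MARK:-0x8000}
TABLE=${TABLE:-99}
PRIO=${PRIO:-9000}

# nslookup output copied from the post above; used instead of a live lookup
# when DRY_RUN is set, so the script can be exercised off the router.
SAMPLE_NSLOOKUP='Server:    127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain

Name:      www.hbo.com
Address 1: 52.42.218.150 ec2-52-42-218-150.us-west-2.compute.amazonaws.com
Address 2: 34.208.245.59 ec2-34-208-245-59.us-west-2.compute.amazonaws.com
Address 3: 52.43.34.171 ec2-52-43-34-171.us-west-2.compute.amazonaws.com'

# DRY_RUN=1 prints each command instead of executing it.
run() {
  if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi
}

# Pull the resolved addresses (field 3 of each "Address N:" line) out of
# busybox nslookup output on stdin. Lines before "Name:" describe the DNS
# server itself, not the answer, so they are skipped.
addrs_from_nslookup() {
  awk '/^Name:/ { seen = 1; next } seen && /^Address/ { print $3 }'
}

# Resolve $1 and add every answer to the set; -exist makes re-adding a no-op.
update_set() {
  if [ -n "$DRY_RUN" ]; then printf '%s\n' "$SAMPLE_NSLOOKUP"; else nslookup "$1"; fi \
    | addrs_from_nslookup \
    | while read -r addr; do
        [ -n "$addr" ] || continue
        run ipset -exist add "$SET_NAME" "$addr"
      done
}

# Create the set, fill it, and install the mark rule plus the one RPDB rule.
# The -D / del steps remove earlier copies so re-runs never stack duplicates.
install_policy() {
  run ipset -exist create "$SET_NAME" hash:ip
  update_set "$1"
  run iptables -t mangle -D PREROUTING -i br0 -m set --match-set "$SET_NAME" dst \
      -j MARK --set-mark "$MARK" 2>/dev/null || true
  run iptables -t mangle -A PREROUTING -i br0 -m set --match-set "$SET_NAME" dst \
      -j MARK --set-mark "$MARK"
  run ip rule del prio "$PRIO" 2>/dev/null || true
  run ip rule add fwmark "$MARK" table "$TABLE" prio "$PRIO"
  run ip route flush cache
}

# Print the plan by default; APPLY=1 actually changes the router.
[ "${APPLY:-0}" = 1 ] || DRY_RUN=1
install_policy "${1:-www.hbo.com}"
```

The set only holds the addresses that were returned at the moment of resolution, which is the whole point of the post: a CDN name rotates, so `update_set` needs to be re-run periodically (Merlin's `cru` cron helper is the usual way) and a client that receives an answer the router has not yet seen will still go out the normal WAN. Only traffic arriving on br0 is marked, so the router's own traffic is unaffected, and the mark/priority values must be checked against the firmware's existing `ip rule` and mangle entries before use.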
  7. Tony Abraham

    Tony Abraham New Around Here

    Joined:
    Sep 13, 2017
    Messages:
    7
    Thanks for that.

    HBO and Netflix were just examples; the services I will be using will only have a small number of servers, I would imagine.

    To be honest, there are only a couple of services I would like to use via VPN, so if I can create a rule for the small number of services to use VPN but everything else just uses the normal internet, that would be perfect.
     
