Policy Based Routing

Tony Abraham

New Around Here
Hi there,

I would like to know if it is possible to use Policy Based Routing and L2TP with Asuswrt-Merlin firmware. My reason for not using OpenVPN is that the speeds with this router are really slow and my main reason for VPN is not for security reasons but to mask my traffic from my ISP.

In an ideal world I would like to direct traffic to certain addresses to use the VPN and other addresses to use the normal internet.

Is this possible?

Thanks
 
Yes, this script should still be valid, which by default (i.e. no arg supplied) will simply initialise the Selective Routing (via the PPTP/L2TP tunnel) environment.

https://www.snbforums.com/threads/l2tp-vpn-client-for-only-one-device.37927/#post-312177

Once the script has run, you should then be able to manually issue the appropriate RPDB Selective Routing rules for your target remote I/P addresses.

e.g. ALL local devices on the LAN will be routed via the PPTP/L2TP tunnel for site I/P xxx.xxx.xxx.xxx, and only device 192.168.1.xxx will use the tunnel to access xxx.xxx.xxx.yyy.
Code:
ip rule add from 0/0 to xxx.xxx.xxx.xxx table 99 prio 9000
ip rule add from 192.168.1.xxx to xxx.xxx.xxx.yyy table 99 prio 9001
ip rule

and to apply the RPDB selective routing rules immediately issue
Code:
ip route flush cache
otherwise it can take several minutes for the new RPDB rules to be applied.

Once you are satisfied with the manual rules you can then add them to the script, although to prevent duplicated rules you should issue the appropriate 'delete' command for the rule 'priority' before adding the new rule.

e.g. for the two sample rules above
Code:
ip rule del prio 9000
ip rule del prio 9001
 
Are there detailed instructions on how the script works? I am a novice so can't seem to see where the rules are set. I.e. if 192.168.1.110 (wifi device) tries to contact Netflix.com then it will go via normal internet. If 192.168.1.110 tries to contact HBO.com it will route via VPN.

Thanks for your help
 
As listed above, to see the current RPDB rules issue:

Code:
ip rule
 
Ah I see, so these are issued via the command line? I think I'll do a bit of reading up on this firmware; as you can see I am a novice :)
 
So I take it you can't currently access/use the command line, and you don't know how to copy'n'paste the script onto the router correctly? See https://github.com/RMerl/asuswrt-merlin/wiki and the section about User scripts.

However, I think you may find that you become stuck very quickly in resolving your requirement.

Unfortunately, RPDB rules cannot use domain names as the target.

So if you try
Code:
ip rule add from 192.168.1.110 to www.hbo.com table 99 prio 9000
Error: an inet prefix is expected rather than "www.hbo.com".

So depending on the time of day, which DNS server responds first etc., 'www.hbo.com' will resolve to a CDN address list that 49 times out of 50 could be the same, but not necessarily so.

e.g. for me just now
Code:
nslookup www.hbo.com

Server:    127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain

Name:      www.hbo.com
Address 1: 52.42.218.150 ec2-52-42-218-150.us-west-2.compute.amazonaws.com
Address 2: 34.208.245.59 ec2-34-208-245-59.us-west-2.compute.amazonaws.com
Address 3: 52.43.34.171 ec2-52-43-34-171.us-west-2.compute.amazonaws.com

So which address should you use? Or perhaps you should add all three RPDB rules:
Code:
ip rule add from 192.168.1.110 to 52.42.218.150 table 99 prio 9000
ip rule add from 192.168.1.110 to 34.208.245.59 table 99 prio 9001
ip rule add from 192.168.1.110 to 52.43.34.171 table 99 prio 9002

but www.hbo.com has probably hundreds of actual I/P addresses in various subnets.

If you search the forum, you will see that the most successful tracking method of ALL the current streaming service I/P addresses is using ipsets.

So in theory once the ipset (say we call it HBO) is created and populated then you would simply have 1 RPDB rule to redirect those hundreds of HBO I/P addresses correctly.

But that is for another thread.
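Combining the delete-then-add and flush-cache steps from the earlier reply with the inet-prefix restriction shown just above, here is an added script (not the thread's script, nor the linked one) that applies a list of RPDB rules on the router without leaving duplicates. It assumes routing table 99 is already populated by the linked init script; the DRY_RUN switch and the function names are my own.

```shell
#!/bin/sh
# Added example, not the thread's script: apply RPDB selective-routing rules
# idempotently. Assumes routing table 99 already carries the tunnel route
# (the linked init script sets it up) and that this runs as root on the router.
# DRY_RUN=1 (my own switch) prints the ip commands instead of executing them.

TABLE=99
: "${DRY_RUN:=0}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# RPDB targets must be an inet prefix (a.b.c.d or a.b.c.d/len); a hostname
# like www.hbo.com is rejected by ip, so refuse it here with a clear message.
is_inet_prefix() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# add_rule SRC DST PRIO: delete whatever sits at PRIO first, so re-running
# the script never leaves duplicate rules, then add the new rule.
add_rule() {
    src=$1; dst=$2; prio=$3
    if ! is_inet_prefix "$dst"; then
        echo "skipping '$dst': ip rule needs an inet prefix, not a domain name" >&2
        return 1
    fi
    run ip rule del prio "$prio" 2>/dev/null
    run ip rule add from "$src" to "$dst" table "$TABLE" prio "$prio"
}

# apply_rules reads "SRC DST PRIO" lines on stdin (blank lines and # comments
# ignored), then flushes the route cache so the rules take effect at once
# instead of after several minutes.
apply_rules() {
    while read -r src dst prio; do
        case "$src" in ''|'#'*) continue ;; esac
        add_rule "$src" "$dst" "$prio" || true   # one bad line must not stop the rest
    done
    run ip route flush cache
}
```

Feed it the rules as `printf '192.168.1.110 52.42.218.150 9000\n' | apply_rules`, first with DRY_RUN=1 to review the commands, then for real.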
Thanks for that.

HBO and Netflix were just examples; the services I will be using will only have a small number of servers, I would imagine.

To be honest, there are only a couple of services I would like to use via VPN, so if I can create a rule for the small number of services to use VPN but everything else just uses the normal internet, that would be perfect.
 