
Routing VPN traffic only for a particular port

Discussion in 'Asuswrt-Merlin' started by WuTang LAN, Jul 15, 2019.

  1. WuTang LAN

    WuTang LAN Regular Contributor

    Joined:
    May 5, 2019
    Messages:
    70
    On my PC I have Plex running, which works fine except for remote access from outside of the LAN.
    I have port-forwarded the port used by Plex and I have added a rule in the custom VPN config
    Code:
    route plex.tv 255.255.255.255 192.168.1.1
    but neither has made my server accessible from outside the LAN.

    I suspect it's to do with the VPN as I route all traffic to and from my PC through the VPN.

    I would obviously rather not have to route all traffic through the WAN, as this negates using a VPN. Is there any way to keep all traffic on my PC routed through the VPN except for Plex?

    I know that you can route all traffic for an entire device through either the WAN or the VPN, but what about just for a particular port?
     
  2. octopus

    octopus Very Senior Member

    Joined:
    Jul 17, 2012
    Messages:
    1,202
  3. WuTang LAN

    WuTang LAN Regular Contributor

    Joined:
    May 5, 2019
    Messages:
    70
    Thank you for the link, octopus.

    I have read through the information and hopefully I have understood it correctly.

    Does the below look correct for routing all traffic on source port and destination port 32400 through the WAN?

    Code:
    #!/bin/sh
    
    sleep 10  # During the boot process nat-start may run multiple times so this is required               
    
    # Ensure duplicate rules are not created
    for VPN_ID in 0 1 2 3 4 5
       do
          ip rule del prio 999$VPN_ID  2>/dev/null
       done
    
    # Create the RPDB rules
    ip rule add from 0/0 fwmark "0x8000/0x8000" table main   prio 9990        # WAN   fwmark
    ip rule add from 0/0 fwmark "0x7000/0x7000" table ovpnc4 prio 9991        # VPN 4 fwmark
    ip rule add from 0/0 fwmark "0x3000/0x3000" table ovpnc5 prio 9992        # VPN 5 fwmark
    ip rule add from 0/0 fwmark "0x1000/0x1000" table ovpnc1 prio 9993        # VPN 1 fwmark
    ip rule add from 0/0 fwmark "0x2000/0x2000" table ovpnc2 prio 9994        # VPN 2 fwmark
    ip rule add from 0/0 fwmark "0x4000/0x4000" table ovpnc3 prio 9995        # VPN 3 fwmark
    
    iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.10 -p tcp -m multiport --dport 32400 -j MARK --set-mark 0x8000/0x8000
    iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.10 -p tcp -m multiport --sport 32400 -j MARK --set-mark 0x8000/0x8000
     
  4. WuTang LAN

    WuTang LAN Regular Contributor

    Joined:
    May 5, 2019
    Messages:
    70
    I have created nat-start which looks like this

    Code:
    #!/bin/sh
    
    sleep 10  # During the boot process nat-start may run multiple times so this is required              
    
    # Ensure duplicate rules are not created
    for VPN_ID in 0 1 2 3 4 5
       do
          ip rule del prio 999$VPN_ID  2>/dev/null
       done
    
    # Create the RPDB rules
    ip rule add from 0/0 fwmark "0x8000/0x8000" table main   prio 9990        # WAN   fwmark
    ip rule add from 0/0 fwmark "0x7000/0x7000" table ovpnc4 prio 9991        # VPN 4 fwmark
    ip rule add from 0/0 fwmark "0x3000/0x3000" table ovpnc5 prio 9992        # VPN 5 fwmark
    ip rule add from 0/0 fwmark "0x1000/0x1000" table ovpnc1 prio 9993        # VPN 1 fwmark
    ip rule add from 0/0 fwmark "0x2000/0x2000" table ovpnc2 prio 9994        # VPN 2 fwmark
    ip rule add from 0/0 fwmark "0x4000/0x4000" table ovpnc3 prio 9995        # VPN 3 fwmark
    
    iptables -t mangle -A PREROUTING -i br0 -s 192.168.1.10 -p tcp --dport 32400 -j MARK --set-mark 0x8000/0x8000
    iptables -t mangle -A PREROUTING -i br0 -s 192.168.1.10 -p tcp --sport 32400 -j MARK --set-mark 0x8000/0x8000
    
    When I do

    Code:
    iptables -nvL PREROUTING -t mangle --line
    it shows that no traffic is being redirected through the WAN

    Code:
    Chain PREROUTING (policy ACCEPT 785K packets, 756M bytes)
    num   pkts bytes target     prot opt in     out     source               destination        
    1     280K  207M MARK       all  --  tun11  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
    2    3589K 4945M BWDPI_FILTER  udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0          
    3        0     0 MARK       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            source IP range 192.168.1.10-192.168.1.10 orts 32400 MARK or 0x8000
    4        0     0 MARK       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            source IP range 192.168.1.10-192.168.1.10 orts 32400 MARK or 0x8000
    When I first created the nat-start script, it was working as intended very briefly, approx. an hour, before it no longer worked.

    Please could one of you brain boxes assist?
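The scripts in posts 3 and 4 rely on two things working together: the mangle PREROUTING rules must actually match packets and set fwmark 0x8000, and the `ip rule ... fwmark 0x8000/0x8000 table main prio 9990` entry must still exist to send marked packets out via the WAN table. The quickest check for the first half is the packet counter column in `iptables -nvL PREROUTING -t mangle --line`. The following script is an added example, not code from the thread or from Asuswrt-Merlin: it parses that listing (the one quoted in post 4, embedded inline as sample input) and reports which MARK rules for a given mark have never matched, so an admin can tell after a reboot or an OpenVPN client restart whether the bypass rules are live. Function and class names are my own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List

# Sample input: the `iptables -nvL PREROUTING -t mangle --line` listing quoted in
# the thread, with trailing whitespace trimmed (embedded here as sample data).
SAMPLE_OUTPUT = """\
Chain PREROUTING (policy ACCEPT 785K packets, 756M bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     280K  207M MARK       all  --  tun11  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
2    3589K 4945M BWDPI_FILTER  udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0
3        0     0 MARK       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            source IP range 192.168.1.10-192.168.1.10 orts 32400 MARK or 0x8000
4        0     0 MARK       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            source IP range 192.168.1.10-192.168.1.10 orts 32400 MARK or 0x8000
"""


@dataclass
class Rule:
    num: int
    pkts: int
    bytes: int
    target: str
    proto: str
    in_if: str
    out_if: str
    source: str
    destination: str
    extra: str  # match and target details, e.g. "MARK or 0x8000"


# iptables -v abbreviates counters with decimal (power-of-ten) suffixes.
_SUFFIX = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9, "T": 10**12}


def parse_count(token: str) -> int:
    """Expand an abbreviated counter such as '280K' or '4945M' to an integer."""
    m = re.fullmatch(r"(\d+)([KMGT]?)", token)
    if not m:
        raise ValueError(f"unrecognised counter: {token!r}")
    return int(m.group(1)) * _SUFFIX[m.group(2)]


def parse_chain(listing: str) -> List[Rule]:
    """Parse the rows of one chain from `iptables -nvL --line` output."""
    rules: List[Rule] = []
    for line in listing.splitlines():
        parts = line.split()
        # Skip the "Chain ..." header, the column header and blank lines.
        if len(parts) < 10 or not parts[0].isdigit():
            continue
        num, pkts, byt, target, proto, _opt, in_if, out_if, src, dst = parts[:10]
        rules.append(Rule(int(num), parse_count(pkts), parse_count(byt), target,
                          proto, in_if, out_if, src, dst, " ".join(parts[10:])))
    return rules


def mark_rules(rules: List[Rule], mark: str) -> List[Rule]:
    """MARK rules that OR the given value into the fwmark (shown as 'MARK or <mark>')."""
    return [r for r in rules if r.target == "MARK" and r.extra.endswith(f"MARK or {mark}")]


def idle_mark_rules(rules: List[Rule], mark: str) -> List[Rule]:
    """MARK rules for `mark` whose packet counter is still zero, i.e. never matched."""
    return [r for r in mark_rules(rules, mark) if r.pkts == 0]


def report(listing: str, mark: str = "0x8000") -> List[str]:
    """One status line per MARK rule for `mark`, noting which interface it can match on."""
    rules = parse_chain(listing)
    lines = []
    for r in mark_rules(rules, mark):
        state = "never matched" if r.pkts == 0 else f"{r.pkts} pkts"
        lines.append(f"rule {r.num}: {state}; matches only packets entering on "
                     f"{r.in_if} from {r.source if r.source != '0.0.0.0/0' else 'any source'}"
                     f" [{r.extra}]")
    if not lines:
        lines.append(f"no MARK rule sets {mark}; nat-start may not have run")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_OUTPUT):
        print(line)
```

On a live router the listing would come from `iptables -nvL PREROUTING -t mangle --line` rather than the embedded sample. Two things are worth reading off the output: both 0x8000 rules carry `in br0`, so only a packet that enters the router from the LAN side can ever hit them (a connection arriving from the Internet on eth0 cannot), and if the rules disappear from the listing altogether rather than showing zero counters, the firewall was reloaded without nat-start re-running, which is a different failure from the rules never matching. A zero counter on the `--sport 32400` rule after the Plex client has attempted a connection is the signal that replies are not being marked for the WAN table.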