
Setting VPN Routing by MAC address?

Discussion in 'VPN' started by Apnomis, Jun 23, 2019.

  1. Apnomis

    Apnomis New Around Here

    Joined:
    Jun 6, 2019
    Messages:
    8
    I'm having trouble with setting up VPN on my Asus RT-AC86U. I'm trying to set it up to use VPN as the default, and I've found that setting IP 192.168.1.0/24 to VPN routes everything to VPN (although it disables router.asus.com and I have to use the IP address directly to get to the settings menu), and then I can choose what I want to exclude, i.e. streaming devices that don't like VPN (I've tried to work out how to exclude streaming services from the VPN, but I'm a novice and the thread went completely over my head!).

    However, selecting the device from the list just selects the IP address, and as all my IP addresses are dynamic they occasionally change IP; when this happens they come under VPN protection again, stopping me from using streaming services. Is there a way to set exceptions by MAC address instead?

    Is there any way to set exceptions by device, or could someone explain (in simple terms) how to set exceptions for video streaming sites? I've tried finding some step-by-step instructions, but they get very techie very fast!
     
  2. CaptainSTX

    CaptainSTX Very Senior Member

    Joined:
    May 2, 2012
    Messages:
    1,881
    Is there some reason you don't want to assign devices static IPs? If you assign IPs, then the Merlin firmware makes it easy to select WAN or VPN routing. As a shortcut you could assign all DHCP addresses in your IP pool to VPN and then just assign static IPs to your streaming devices outside this pool; by default they would then route using the WAN.
     
  3. Martineau

    Martineau Part of the Furniture

    Joined:
    Jul 8, 2012
    Messages:
    2,244
    Location:
    UK
    Usually (because the GUI makes it simpler) it is safer to assign static IP addresses to LAN devices that are to be selectively routed via a VPN/WAN.

    However, with the use of very simple ;) 'techie' scripting (if using RMerlin firmware), it is possible to selectively route MAC addresses, which may appear to be more secure (and requires less admin overhead, i.e. assigning unique IPs to a usually already unique LAN entity :rolleyes:), although it is fairly trivial to spoof MAC addresses.

    See the RMerlin Wiki and Example 5 in Selective Port (or MAC address) selective routing via VPN/WAN, although you may need to tweak the example if you want ALL traffic from the MAC address to be routed, rather than the example's specified HTTP/HTTPS ports.
     
    Last edited: Jun 23, 2019
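    The approach Martineau points to, written out as an added example (this is not code from the thread, the RMerlin wiki or x3mRouting): every packet arriving on the LAN bridge from a given MAC is marked in the iptables mangle table, and an ip rule sends marked packets to the OpenVPN client's routing table, so ALL of that device's traffic goes via the VPN regardless of which DHCP address it currently holds. The numbers are assumptions for OpenVPN Client 1 on Asuswrt-Merlin with the client in Policy Rules mode (so its table is populated): routing table 111 (ovpnc1), fwmark 0x1000/0x1000, rule priority 9990 and LAN bridge br0. Check them on your own router with "ip rule" and "ip route show table 111" before using this. The script is meant to be called from /jffs/scripts/firewall-start, since a firewall restart flushes the mangle rules.

```shell
#!/bin/sh
# Added example, not from the thread or the RMerlin wiki: route ALL traffic from
# selected LAN MAC addresses through an OpenVPN client on Asuswrt-Merlin.
# Mark the device's packets in the mangle table, then send marked packets to
# the VPN client's routing table with a policy rule.
#
# Assumed values for OpenVPN Client 1 (verify with `ip rule` and
# `ip route show table 111` on your router):
VPN_TABLE="${VPN_TABLE:-111}"        # ovpnc1
VPN_MARK="${VPN_MARK:-0x1000/0x1000}" # mark/mask used for client 1
RULE_PRIO="${RULE_PRIO:-9990}"
LAN_IF="${LAN_IF:-br0}"
DRY_RUN="${DRY_RUN:-0}"               # DRY_RUN=1 prints commands instead of running them

# run: print the command (dry run) or execute it
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# valid_mac: iptables' mac match wants colon-separated hex, aa:bb:cc:dd:ee:ff
valid_mac() {
    printf '%s' "$1" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# ensure_policy_rule: one ip rule for marked packets -> VPN table.
# Delete any existing copy first so re-running never stacks duplicate rules.
ensure_policy_rule() {
    run ip rule del fwmark "$VPN_MARK" table "$VPN_TABLE" prio "$RULE_PRIO" 2>/dev/null || true
    run ip rule add fwmark "$VPN_MARK" table "$VPN_TABLE" prio "$RULE_PRIO"
}

# mark_mac MAC: mark every packet from MAC entering on the LAN bridge.
# This is convenience, not access control: as Martineau notes, a source MAC
# is trivially spoofed. It only saves you from chasing a changing DHCP lease.
mark_mac() {
    mac="$1"
    if ! valid_mac "$mac"; then
        echo "mark_mac: '$mac' is not a MAC of the form aa:bb:cc:dd:ee:ff" >&2
        return 1
    fi
    # `iptables -C` checks for an identical rule so a re-run does not append a duplicate
    if [ "$DRY_RUN" != "1" ] && iptables -t mangle -C PREROUTING -i "$LAN_IF" \
            -m mac --mac-source "$mac" -j MARK --set-mark "$VPN_MARK" 2>/dev/null; then
        return 0
    fi
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -m mac --mac-source "$mac" \
        -j MARK --set-mark "$VPN_MARK"
}

# Usage: MAC_LIST="aa:bb:cc:dd:ee:01 aa:bb:cc:dd:ee:02" sh route-by-mac.sh
# (add DRY_RUN=1 to review the commands first). Nothing runs when MAC_LIST is unset.
if [ -n "${MAC_LIST:-}" ]; then
    ensure_policy_rule
    for m in $MAC_LIST; do
        mark_mac "$m"
    done
fi
```

    Run it once with DRY_RUN=1 to see exactly which iptables and ip rule commands it would issue; the MAC check rejects the dash-separated form Windows prints (AA-BB-CC-DD-EE-FF), which iptables would otherwise reject with a less helpful error. Traffic from a MAC that is not marked keeps following the router's normal policy rules, so this complements, rather than replaces, the IP-based rules in the OpenVPN client GUI.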
  4. dosborne

    dosborne Regular Contributor

    Joined:
    May 11, 2019
    Messages:
    92
    Location:
    /dev/null
    As CaptainSTX says, assigning IPs is your best bet as there is no way I know of to filter by MAC.

    If you don't want to change the clients (i.e. you can leave them as DHCP), then you can set static IPs based on the MAC addresses in your DHCP server (see the manual assignment section). This will give you what you want. Static IPs (including those assigned by binding the MAC and IP addresses) for devices that are any type of server typically make your network easier to manage and use (although obviously not mandatory).
     
  5. eibgrad

    eibgrad Senior Member

    Joined:
    Feb 20, 2017
    Messages:
    220
    As others have suggested, the use of static leases is the way to go, at least when it comes to routing based on the source IP. However, when it comes to the *destination* IP, you don't need policy based routing at all. You just add static routes.

    For example, if I want to force all traffic for 8.8.8.8 over the VPN, I can add the following to the OpenVPN client's custom configuration:

    Code:
    route 8.8.8.8 255.255.255.255 vpn_gateway
    If instead I want it to be forced over the WAN, I can specify the following:

    Code:
    route 8.8.8.8 255.255.255.255 net_gateway
    You can even specify a domain name, and it will create *multiple* routes if it resolves to multiple IPs.

    Code:
    route netflix.com 255.255.255.255 net_gateway
    One caveat though. Some of the megasites like Netflix, Hulu, etc., will use many sub-domains, and the public IPs assigned to those sub-domains can change a lot more often than people suspect. You can also get different IPs depending on whether you use the WAN/ISP or VPN for name resolution. So it can be tricky to deal with destination IPs when it comes to certain sites. For simple sites, with reasonably consistent IPs, this technique works reasonably well.
     
    Last edited: Jun 23, 2019
  6. Xentrk

    Xentrk Part of the Furniture

    Joined:
    Jul 21, 2016
    Messages:
    2,287
    Location:
    The Land of Smiles
    @Martineau and I collaborated on a solution that may fit your use case requirements:

    x3mRouting ~ Selective Routing for Asuswrt-Merlin Firmware

    Policy Rule Routing using the OpenVPN Client screen.
     
    Last edited: Jun 24, 2019