VPN Client Rules: Why can WAN iface clients not access internet?

alwaysCurious

New Around Here
Setup: Cable modem --> AC86U (router, WiFi off, OpenVPN Client) --> AC1900P (AP Mode) --> WiFi clients

I just added an AC86U to my setup to boost OpenVPN speeds. However, my FireTV Stick (FTS) won't play Prime Videos when connected to a VPN (i.e., "You are connected to a VPN. Please disconnect..."). I expected this. When I had only the AC1900P, I created a VPN rule to redirect traffic from the FTS to the WAN iface. Everything worked.

Using the AC86U, the same rule causes all traffic from the FTS to get dropped. It connects to the network, but not the internet. Here is a summary of what I've tried:
- Restarted FTS, modem, AC86U, and AC1900P --> no internet access
- Used WiFi on AC86U --> no internet access
- "Block routed clients if tunnel goes down" Yes/No --> no internet access
- Turned off VPN client connection --> no internet access o_O
- Kept VPN connected, but removed FTS rule (i.e., it used the VPN) --> can access internet (but can't play Prime Video because of VPN connection)
- Kept VPN connected, and changed FTS rule to explicitly use the VPN --> can access internet (but can't play Prime Video because of VPN connection)

I was able to recreate the issue with my Android phone by adding a VPN rule for it. However, doing the same with my Windows laptop (WiFi) does not recreate the issue. o_O I am perplexed as to what this could be.

How can I get my FTS to bypass the VPN? Please let me know what additional information would be pertinent to add. Thanks
 


CaptainSTX

Part of the Furniture
I think your notation is the problem. Keep it simple to start.

Delete the first two rows in your client selection table. By default everything not listed in this table will be routed by WAN.

The only rows you need to list are the IPs you want routed using the VPN. Again, keep it simple and start by listing individual IPs as source. If you get it working you can try using notation later. It is easier to do this if you assign specific devices static IPs. There are other ways to accomplish this, but get your basic setup working first.

Also, no need to list a destination for most use cases. Just leave that field blank.
 

alwaysCurious

New Around Here
Thank you for your reply. I think I have an incorrect understanding of the rules table.

Delete the first two rows in your client selection table...

The only rows you need to list are the IPs you want routed using the VPN.
Done, but now with only the "Default" rule in the table, doesn't that mean all traffic will go through the VPN? I've tried adding a rule ("Passthrough") to bypass the VPN, but that's where the problem starts. My passthrough device is now blocked from the internet. Is this a problem with my configuration, or a bug in the updated firmware code (i.e., should I downgrade to 384.18)?
 



CaptainSTX

Part of the Furniture
The problem is with your setup. VPN clients work well for me on .19, as well as for most others on this site. NORD VPN is used by many individuals on this site.

1. Assign devices you want to use the VPN static IPs in the LAN tab
2. Add these devices to the list of devices to be routed using the VPN
3. Temporarily change block internet connection if tunnel down to NO
4. Click Apply at the bottom of the page

If it works and it is vital to your setup, go back and change the block connection setting. I don't block because my VPN clients are stable and I have never had one drop. I also use just policy rules, not strict policy rules, and that has never been an issue for me.
 

alwaysCurious

New Around Here
Instead of creating a static/reserved IP address and VPN rule for almost every device on my network, I want all devices on my network to go through the VPN by default, and only exclude specific ones (one or two devices). I created static IPs and rules for those devices, but without the expected result. It worked on the AC1900P. What about my setup could be preventing this from working with the AC86U?

Update 1: Once I apply a VPN routing rule (static IP, regardless of device), the FTS and my smartphone (which have static IPs, but no VPN rules) get blocked from the internet. It seems I can have everything go through the VPN (i.e., "Force internet traffic through tunnel": Yes), everything go through WAN (i.e., "Force internet traffic through tunnel": No), or some devices go through the VPN and others lose internet completely (i.e., "Force internet traffic through tunnel": Policy Rules (Strict)).

Update 2: I downgraded to 384.18, reset, and configured the same settings. The VPN rules worked correctly, as they did with the AC1900P. If someone else experiences the same issue I did, I hope this helps.
 
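The three outcomes alwaysCurious lists in Update 1 (everything via the tunnel, everything via WAN, or some clients losing internet entirely) and the static-IP-plus-rule procedure CaptainSTX gives both come down to how the router's Linux kernel resolves a client's source address through policy routing. The shell script below is an added example, not code from this thread, from Asuswrt-Merlin, or from anyone posting here: it simulates that lookup over constructed `ip rule` and `ip route` listings. The table names (ovpnc1, wan_only), the interface names (eth0, tun11, br0), every address, and the final `prohibit` rule standing in for a block-if-tunnel-down kill switch are assumptions for illustration, not values from the poster's router, and the script does not claim to reproduce whatever the poster hit on 384.19.

```shell
#!/bin/sh
# Added example, not from the thread or from Asuswrt-Merlin: simulate the
# Linux policy-routing lookup a router performs for a client's source address.
# Every rule, table, name and address below is constructed for illustration.

# Constructed in the shape of `ip rule show` ("<prio>: from <selector> <action>").
# Lower priority numbers are consulted first. The final prohibit rule plays the
# role of a "block if tunnel goes down" kill switch (an assumption, not Merlin's code).
RULES='300:    from all prohibit
200:    from all lookup ovpnc1
100:    from 192.168.1.50 lookup main'

# A bypass rule that points at a table with no default route (constructed).
RULES_BAD_BYPASS='300:    from all prohibit
200:    from all lookup ovpnc1
100:    from 192.168.1.50 lookup wan_only'

# Constructed in the shape of `ip route show table <name>`.
TABLE_main='default via 203.0.113.1 dev eth0
192.168.1.0/24 dev br0 scope link'
TABLE_ovpnc1='default via 10.8.0.1 dev tun11'
TABLE_wan_only='192.168.1.0/24 dev br0 scope link'

# default_dev <table-text>: print the device of the table's default route, if any.
default_dev() {
    printf '%s\n' "$1" | awk '
        $1 == "default" { for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# resolve_egress <src-ip> [rules-text]: walk the rules in priority order and
# print the egress device, or "blocked". As in the kernel, a lookup into a
# table with no usable route falls through to the next rule; only a
# prohibit/unreachable/blackhole action, or running out of rules, blocks.
resolve_egress() {
    src=$1
    rules=${2:-$RULES}
    hit=$(printf '%s\n' "$rules" | sort -n | while read -r prio kw sel action table; do
        [ "$sel" = all ] || [ "$sel" = "$src" ] || continue
        case $action in
            prohibit|unreachable|blackhole)
                echo blocked
                exit 0 ;;
            lookup)
                # Table names come only from the constructed text above.
                eval "tbl=\$TABLE_$table"
                dev=$(default_dev "$tbl")
                if [ -n "$dev" ]; then
                    echo "$dev"
                    exit 0
                fi ;;
        esac
    done)
    echo "${hit:-blocked}"
}

# egress_tunnel_down <src-ip>: same rules with the VPN table emptied, which is
# what the VPN client's table looks like while the tunnel is down.
egress_tunnel_down() {
    saved=$TABLE_ovpnc1
    TABLE_ovpnc1=''
    resolve_egress "$1"
    TABLE_ovpnc1=$saved
}

# Usage: a bypass host, a VPN host, both with the tunnel down, and a bypass
# rule whose table carries no default route.
echo "192.168.1.50 (bypass rule)      -> $(resolve_egress 192.168.1.50)"
echo "192.168.1.60 (default, via VPN) -> $(resolve_egress 192.168.1.60)"
echo "192.168.1.60, tunnel down       -> $(egress_tunnel_down 192.168.1.60)"
echo "192.168.1.50, tunnel down       -> $(egress_tunnel_down 192.168.1.50)"
echo "192.168.1.50, bad bypass table  -> $(resolve_egress 192.168.1.50 "$RULES_BAD_BYPASS")"
```

On a real router the same two questions are answered by `ip rule show` and `ip route show table <name>`. The point the simulation makes is that a bypass rule only diverts a client when the table it points at actually carries a default route; a client whose selected table is empty falls through to whatever rule comes next, and that is where a block-if-tunnel-down rule takes effect while the bypassed host keeps its WAN path.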
