VPN User Script nat-start causing loss of internet connection Merlin 384.4_2


Kaputpug

Occasional Visitor
Good day everyone,

This is my first post here and before getting into why I am here I would first like to thank RMerlin for his hard work. I have been using his firmware for quite some time and I’m sure it has saved me many headaches.

I have resolved most of my issues in the past and learned how to do things from just browsing this forum. This time, though, I think the best thing to do is ask for help. I am only a novice and rely on the posts and guides put up by you dedicated people to help me set up features on these routers.

First I will describe my current setup and hardware. My ISP is Bell and I have a Bell Home Hub 3000 which is configured for advanced DMZ. I have an Asus RT-AC5300 connected to this which I use as my default router. Everything was working fine with no issues until upgrading the firmware to 384.4_2.

I upgraded from 380.69_2 to 384.4_2 on my Asus RT-AC5300. A factory reset was completed prior to upgrading to the new firmware, and the browser cache was cleared afterwards, as stated in the Asuswrt-Merlin 384 changelog. Once complete I continued to set it up to my needs. After rebooting I lost my connection to the internet and could not re-establish it.

It took me quite some time to find out what was causing the issue. First I suspected the Bell Home Hub 3000, as I have had issues with it in the past and its firmware is quite buggy. This was not the issue, though, and I decided to factory default the Asus again, and sure enough I got my internet connection back instantly. I continued to configure it again, thinking maybe there was just some minor issue during the previous setup that I had missed, or possibly some glitch. After inputting my settings again and rebooting I had the exact same issue (No Internet Connection with yellow triangle). I then decided to back up and remove some settings, and that's when I found the issue. It appears the user scripts I had been using to configure ports for my VPN connection were causing me to lose my connection. I removed both scripts and rebooted and all was good. I added them again and rebooted and my connection was lost again.

I eliminated one script (openvpn-event), which I use to bypass the VPN for certain ports; this script works just fine when I reboot. The other script (nat-start), which is used to forward ports for my VPN, was the culprit. However, once the router had rebooted I could manually enter the commands from this script; my ports are confirmed open and I still have my internet connection.

My user scripts (Thanks to all who helped with this code on this forum)

nat-start script

Code:
#!/bin/sh
# nat-start: run by the firmware whenever the firewall/NAT rules are (re)started.
# Interface names assumed here: br0 = LAN bridge, tun11 = OpenVPN client 1,
# vlan1 = WAN port. The WAN interface name is model-specific; check it with
# "nvram get wan0_ifname" before relying on the DROP rule below as a kill switch.

# Allow LAN <-> VPN forwarding, drop LAN traffic that would leave via the WAN
# port (kill switch), refuse connections to the router itself from the tunnel,
# and NAT LAN traffic going out through the tunnel.
iptables -I FORWARD -i br0 -o tun11 -j ACCEPT
iptables -I FORWARD -i tun11 -o br0 -j ACCEPT
iptables -I FORWARD -i br0 -o vlan1 -j DROP
iptables -I INPUT -i tun11 -j REJECT
iptables -t nat -A POSTROUTING -o tun11 -j MASQUERADE

# Port forward from the VPN side: 41175 tcp+udp arriving on tun11 -> 192.168.1.100.
# The FORWARD accept is deliberately narrow (-d host --dport port), so nothing
# else coming in over the tunnel is let through.
iptables -I FORWARD -i tun11 -p udp -d 192.168.1.100 --dport 41175 -j ACCEPT
iptables -I FORWARD -i tun11 -p tcp -d 192.168.1.100 --dport 41175 -j ACCEPT
iptables -t nat -I PREROUTING -i tun11 -p tcp --dport 41175 -j DNAT --to-destination 192.168.1.100
iptables -t nat -I PREROUTING -i tun11 -p udp --dport 41175 -j DNAT --to-destination 192.168.1.100

# Same for 41176 tcp+udp -> 192.168.1.150.
iptables -I FORWARD -i tun11 -p udp -d 192.168.1.150 --dport 41176 -j ACCEPT
iptables -I FORWARD -i tun11 -p tcp -d 192.168.1.150 --dport 41176 -j ACCEPT
iptables -t nat -I PREROUTING -i tun11 -p tcp --dport 41176 -j DNAT --to-destination 192.168.1.150
iptables -t nat -I PREROUTING -i tun11 -p udp --dport 41176 -j DNAT --to-destination 192.168.1.150

openvpn-event script

Code:
#!/bin/sh
# openvpn-event: Merlin runs this for every OpenVPN client/server event (up, down,
# route-up, ...). OpenVPN's own environment ($dev, $script_type) is available, but
# this script does not check it, so it runs unconditionally on every event.
# It assumes the tunnel is tun11 and that the WAN gateway is in nvram as wan_gateway.
sleep 10

# Turn off reverse-path filtering so marked packets may leave via a different
# interface than the one the kernel would otherwise expect for that source.
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
    echo 0 > "$i"
done

#
# Delete table 100 and flush any existing rules if they exist.
# (The two "del" lines are commented out, so every run adds another identical
# fwmark rule; "ip rule show" will list them.)
#
ip route flush table 100
#ip route del default table 100
#ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING

#
# Copy all non-default and non-VPN related routes from the main table into table 100.
# Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1"
#
# NOTE: Here I assume the OpenVPN tunnel is named "tun11".
#

# $ROUTE is intentionally unquoted: each line is a full "ip route add" argument list.
ip route show table main | grep -Ev ^default | grep -Ev tun11 \
| while read -r ROUTE ; do
    ip route add table 100 $ROUTE
done
ip route add default table 100 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 100
ip route flush cache

#
# Define the routing policies for the traffic. The rules will be applied in the order that they
# are listed. In the end, packets with MARK set to "0" will pass through the VPN. If MARK is set
# to "1" it will bypass the VPN.
#

# Bypass VPN: mark packets from these LAN hosts so they are routed via table 100
# (out the WAN gateway). Note these match the *source* port, i.e. replies from
# services the LAN hosts are serving, not connections the hosts initiate.
iptables -t mangle -A PREROUTING -i br0 -p tcp --sport 80 --match iprange --src-range 192.168.1.100 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -p udp --sport 80 --match iprange --src-range 192.168.1.100 -j MARK --set-mark 1

iptables -t mangle -A PREROUTING -i br0 -p tcp --sport 41000 --match iprange --src-range 192.168.1.100 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -p udp --sport 41000 --match iprange --src-range 192.168.1.100 -j MARK --set-mark 1

iptables -t mangle -A PREROUTING -i br0 -p tcp --sport 8081 --match iprange --src-range 192.168.1.150 -j MARK --set-mark 1

iptables -t mangle -A PREROUTING -i br0 -p tcp --sport 8112 --match iprange --src-range 192.168.1.150 -j MARK --set-mark 1

iptables -t mangle -A PREROUTING -i br0 -p tcp --sport 51000 --match iprange --src-range 192.168.1.150 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -p udp --sport 51000 --match iprange --src-range 192.168.1.150 -j MARK --set-mark 1

Would anyone here have any idea as to why this script (nat-start) currently does not work after upgrading to the new firmware? If pointed in the right direction I can provide logs or any other information required. Also, if anyone knows a better way to accomplish what the scripts above provide, I would be interested in hearing how to do this.

Thanks in advance
 
Update to previous post

The problem still persists!

When I apply the nat-start script to /jffs/scripts and reboot, I have noticed that under OpenVPN Client Settings the "Service State" is enabled with a green slider and it says connected next to this. However, there is no VPN public IP shown; it is just blank. When I remove the nat-start script and reboot, the public IP is then shown. This is also noticed under the VPN status section.

nat-start at boot

http://www.imagebam.com/image/f075a9805222983

nat-start removed from boot

http://www.imagebam.com/image/185d64805243243

Losing internet is also intermittent when applying the nat-start script on reboot: it sometimes will connect, but after a few hours it will always lose the internet connection on all devices (Wi-Fi and LAN), while the VPN connection will still function correctly with ports open and the connection established.

As stated in my previous post, I can apply the nat-start script commands after the router has rebooted and everything works as it should with no disconnects. This does give me the option to run the script another way after the router has booted and get around this issue, but that is not the way it should be done.

At this point I have no idea what is going on here. The nat-start script is only forwarding ports, and it worked fine on the legacy firmware for almost a year with no issues at all. I think the problem is deeper than just the nat-start script; it is most likely an issue with the VPN client or configuration itself, although the settings are exactly as previously set up on 380.69_2. Any help would be appreciated; I'd hate to have to go back to the older firmware.
 
I appear to have found a solution to this problem. I am still monitoring to confirm 100%, but so far it has been fine for a few days, with multiple reboots. What I did was just add "sleep 2" to the beginning of the nat-start script, and now everything works fine. I can only assume the problem was due to the script running a little early and causing an issue with the WAN connection. Maybe this will help someone else.

I still see the symptoms quoted below, though, which I posted earlier. Not sure why it doesn't show the public IP. I also have the client2 VPN set up for another purpose and the public IP is shown there, as I expect it should be for client1 as well. Anyone able to help with this? Thanks

When I apply the nat-start script to /jffs/scripts and reboot, I have noticed that under OpenVPN Client Settings the "Service State" is enabled with a green slider and it says connected next to this. However, there is no VPN public IP shown; it is just blank. When I remove the nat-start script and reboot, the public IP is then shown. This is also noticed under the VPN status section.
 
Scripts are working as they should now for a week with no issues. Looks like editing nat-start worked. Hopefully this post saves someone else a headache.
 
Thanks a lot. I was banging my head against the wall trying to find out what was wrong after updating from 380.69_4 to 384.5. After adding "sleep 2" to my nat-start script the internet is working again. Thanks again!
 
I knew someone else would have this issue that's why I decided to take the time to write my solution. It's very important to always update your forum post and not leave people hanging. A lot of people fix an issue and never return to post how. Glad it helped!
 
I created an account for the sole purpose of updating this fairly old post to thank you for taking the time to do this. You solved my problem and I can say, with confidence, I would not have gotten there on my own.

Thank you kindly.
 
You're Welcome! Glad it helped!
 
OMG thank you so much! I've been trying to figure this out for last 3 days. Hoping that unknown public IP bug gets resolved as well. Thanks again!
 
You're quite welcome :) I'm glad it helped you as well.

I haven't really looked into the public IP issue since. Everything works fine, it just doesn't display the IP. I may look into it again at some point when I'm bored lol. I was kinda hoping someone would have some input but nothing yet :rolleyes:
 