Another selective routing question

raylock

Occasional Visitor
Is it possible to write a policy rule which would cause the data from Verizon (guide and on demand data) to bypass the VPN in an Asus RT-AC68C with Asus-Merlin firmware? As I noted in an earlier post elsewhere, I lose the guide and on demand when running VPN on the router. I don't have enough knowledge to begin to know if this is possible. However, if someone thinks it is possible I will dig into it and try to learn. Thanks

Update: Maybe it's as simple as writing a policy rule to route data from the Actiontec router (which is used solely as a bridge for certain Television data) to the ISP rather than the VPN? Well, simple is a relative word depending on where you are coming from. My knowledge base is zero, but I am finding some clues. If anybody has done this I would appreciate your comments.
 
You would need to know what IP address Verizon is sending data from; then you can write a policy rule that would send all data from Verizon to the local ISP.
I did an nslookup and 192.16.31.23 is the verizon.com address, but I am not sure if they transmit their data via that IP address.
If it's this address, 192.16.31.23, then this would be the rule you would put in the policy rules.
I hope that helps you out.

source ip 0.0.0.0 destination ip 192.16.31.23 Iface WAN
 
Thanks Yorgi. I will try that. I also have tried the opposite approach, i.e. designating the source, such as
source ip 192.168.1.103 destination 0.0.0.0 Iface WAN. But it appears that if I do that I will have to make an entry for every device on my network. Between desktops, iPads, phones, STBs, DVD players etc. etc. there are about 30 devices. That is a lot of entering and I would have to do it for each client. I tried just entering the STBs but that did not mask the IP address of my computers. I am not sure if there is an easier way to do this, such as designating a range of addresses for example. I like your idea, but I am a little afraid that Verizon may be using other addresses for their television related feeds. I don't know how to identify them if they do. Thanks again.
 
Source IP is the local IP address of your devices. If you put 0.0.0.0 that means any device on your network will use that rule.
Then you have the destination IP. This is the internet IP address of a site, for example netflix.com or youtube.com or comcast.com; you need to find out their IP address,
usually using the nslookup command in the command prompt, or in your ASUS router under Network Tools with the method nslookup. Then you can use an IP range calculator found here
http://networkcalculator.ca/ip-calculator.php
and you enter the CIDR range if needed.
The Iface is whether you want to send traffic to WAN, which is the local ISP, or VPN.
 
Is there a hierarchy for rules? If there are conflicts, which one has precedence? For example, 0.0.0.0 0.0.0.0 VPN would seem to send everything to VPN (although it doesn't seem to do that); if it is followed by 192.168.1.100 WAN, what would happen? And what about local addresses that are not included in any rule? I tried 192.168.1.07 VPN 192.168.1.105 WAN (which worked for those addresses) and then accessed the net from another device for which there was not a rule and it resulted in WAN. Are these rules spelled out somewhere? Thanks
 
Think of it this way so it doesn't become confusing.
Source IP is your local network, which refers to your devices on the network.
If you want a specific IP address to go to VPN and all other IPs to go to the local ISP, you would put down a rule like this:
Source IP 192.168.1.80/28, which allows the IP range of 192.168.1.80-192.168.1.95
Destination IP will be any address from the Internet, so putting 0.0.0.0 means all addresses.
Iface is where you want the traffic to go: WAN for the local ISP, or VPN.
So we can say this:
192.168.1.80/28 0.0.0.0 VPN this means 192.168.1.80-192.168.1.95 will go to VPN and
all other IP addresses that are not those of the example will automatically get directed to the local ISP.

You can say this as well:
192.168.1.0/24 0.0.0.0 VPN this would put every IP address on VPN
then you can create a rule as follows for specific traffic to get directed to WAN
192.168.1.50 24.66.122.24 WAN
this rule says all traffic goes to VPN, but when 192.168.1.50 sends email, direct it via WAN.
24.66.122.24 is an example, if your email server was at that address.

0.0.0.0 0.0.0.0 should work in theory but I guess it doesn't. I never tried it.

I tried 192.168.1.07 VPN 192.168.1.105 WAN (which worked for those addresses) and then accessed the net from another device for which there was not a rule and it resulted in WAN. Are these rules spelled out somewhere? Thanks

You don't have to tell the router which IP goes to VPN and which IP goes to WAN.
You reserve specific IPs that will either go to WAN or VPN and the rest automatically get routed properly.

So if you say 192.168.1.80/28 0.0.0.0 VPN
these IP addresses 192.168.1.80-192.168.1.95 will go to VPN and all the rest will go to WAN, the local ISP.
There is no need to add other addresses which are not in the VPN range to go to WAN.
You would only do that if there are Internet addresses that you want for specific devices, whether they are on VPN or WAN;
when a rule comes its way it will redirect the traffic according to the rules you set.

You can also say this:
192.168.1.80/28 0.0.0.0 WAN
so the IP range 192.168.1.80-192.168.1.95 will go to the local ISP and all other IP addresses will go to VPN.

I hope that will make things clear for you.
 
Yorgi, thank you for trying to educate this technology challenged old man. I think I now understand some of the basics of creating instructions for rerouting in the Asus. My objective is quite simple and I am sure I am making it much more difficult than it needs to be. I have five STBs with addresses between 192.168.1.83 and 192.168.1.105 which I want to direct to WAN and everything else below and above that range to VPN. So I think the following will work if I understood your message correctly.
192.168.1.0/24 0.0.0.0 VPN
192.168.1.83 0.0.0.0 WAN
192.168.1.100 0.0.0.0 WAN
192.168.1.102 0.0.0.0 WAN
192.168.1.103 0.0.0.0 WAN
192.168.1.105 0.0.0.0 WAN
I have been trying to become familiar with CIDR notation but have not mastered it yet. I tried to use the CIDR calculator referenced above but it did not return a range that encompasses only the STBs. Still, this is much simpler than the long list I envisioned. Elsewhere, RMerlin suggested that we google Tomato for instructions for openvpn. I have been doing and have found several good tutorials which have been very helpful overall but I have not found one that explains the "redirect internet traffic" function. In fact, one tutorial said "don't touch that button because it doesn't do anything helpful." :) Thanks
 
That will work but you can get really confused the way you did it.
Why don't you do it like this.
Set up your DHCP in LAN, DHCP Server so that it covers the range 192.168.1.100-192.168.1.254:
IP Pool Starting Address 192.168.1.100
IP Pool Ending Address 192.168.1.254
Now you can do a rule that works like this

192.168.1.0/26 0.0.0.0 VPN
this says 192.168.1.0 to 192.168.1.63 will go to VPN
and everything else to WAN, which is the local ISP.
You have over 60 static IP addresses that are reserved for VPN, and use the DHCP range 192.168.1.100-192.168.1.254 for the local ISP WAN.
Instead of writing all those rules as you did (which will work), this makes it simple and cleaner.
You just need to have 1 rule in CIDR which will do the job, and this way you can add other specific rules without making it too complicated.
For example, you want 192.168.1.83 to go to VPN when using Netflix.
Then you can write a specific rule for that device to use VPN when on Netflix,
or you can say any device when on Netflix will use the VPN.
Unless you have over 200 devices connected, you don't need to over-complicate your life.
You seem to have 5 devices that you want to have on WAN all the time.
This way you have DHCP addresses automatically go to WAN, so when guests get onto your network they will automatically be on the local ISP because they are in the DHCP range,
and only specific addresses which you reserved in CIDR will go to VPN.
It's another way of doing it and gives better control.

Here is a cool calculator for CIDR
http://networkcalculator.ca/ip-calculator.php
and here is a whois site for figuring out the CIDR range for IP addresses of sites like Google, Facebook etc.
http://www.whois.com/whois/

btw you are never too old to learn ;)
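Added example (not from the thread, and not the firmware's own code): a small Python helper that works through the CIDR blocks quoted in the replies above, shows why no single CIDR covers only the STBs at 192.168.1.83-192.168.1.105, and evaluates "source destination Iface" rules for a given client. The rule precedence it uses (most specific match wins, unmatched traffic falls back to a default interface) is an assumption chosen because it reproduces the outcomes Yorgi describes; the thread does not state the firmware's real ordering.

```python
import ipaddress

# 0.0.0.0 in the source or destination column means "any address", as the replies describe
ANY = ipaddress.ip_network("0.0.0.0/0")

def cidr_range(cidr):
    """First and last address covered by a CIDR block, e.g. 192.168.1.80/28 -> .80 to .95."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net[0]), str(net[-1])

def cidrs_for_range(first, last):
    """Smallest set of CIDR blocks that cover first..last inclusive and nothing outside it."""
    blocks = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [str(b) for b in blocks]

def parse_rule(line):
    """'192.168.1.80/28 0.0.0.0 VPN' -> (src_net, dst_net, iface). A bare address is a /32."""
    src, dst, iface = line.split()
    to_net = lambda a: ANY if a == "0.0.0.0" else ipaddress.ip_network(a, strict=False)
    return to_net(src), to_net(dst), iface.upper()

def route_for(rules, src_ip, dst_ip, default="WAN"):
    """Interface a packet would take.
    ASSUMPTION (not documented in the thread): the most specific matching rule wins,
    measured as the combined source+destination prefix length, so a /32 device rule
    overrides a /24 catch-all. Traffic that matches no rule uses `default`."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    best = None
    for src_net, dst_net, iface in rules:
        if s in src_net and d in dst_net:
            score = src_net.prefixlen + dst_net.prefixlen
            if best is None or score > best[0]:
                best = (score, iface)
    return best[1] if best else default

if __name__ == "__main__":
    print(cidr_range("192.168.1.80/28"))                     # ('192.168.1.80', '192.168.1.95')
    print(cidrs_for_range("192.168.1.83", "192.168.1.105"))  # five blocks, so one CIDR cannot do it
    # Yorgi's "everything to VPN, but this device's mail goes direct" pair of rules
    rules = [parse_rule(r) for r in ("192.168.1.0/24 0.0.0.0 VPN",
                                     "192.168.1.50 24.66.122.24 WAN")]
    print(route_for(rules, "192.168.1.50", "24.66.122.24"))  # WAN
    print(route_for(rules, "192.168.1.50", "8.8.8.8"))       # VPN
```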
 
Yeah, means I am still alive :) Thanks for taking the time to reply in such detail. This is a BIG help to me.
One note. Since you have 5 devices on WAN, I strongly suggest that you point a proper DNS to them.
Go to AiProtection, DNS Filtering and set a DNS like Google or whichever DNS you want for each device that is on WAN.
This is very important, because if you don't do this your devices will be showing the VPN's DNS instead of Google, Norton or whatever other DNS you prefer to use.
I have made a few examples in this article about policy rules and DNS Filtering:
http://www.snbforums.com/threads/ho...y-step-how-to-guide-ver-380-58-updated.30851/

Go here to test the local ISP devices to make sure their DNS is pointing to the right place:
https://ipleak.net/

Now you are ready to set up some nice policy rules :)
 
That bug was fixed in 380.59.

https://github.com/RMerl/asuswrt-merlin/commit/9993b4bdcced87188917fd82b3abe9b528fc127d

 