Beta Asuswrt-Merlin 386.3 beta is now available

[maxbraketorque]

It won`t block access to the VPN, it will just use the WAN gateway for routing their traffic.

Make sure you set the local IP as your LAN clients, and leave the remote IP empty.

If you are saying that for the LAN clients I want to block from the VPN tunnels, I should select their LAN IP range, then leave the Remote IP range blank, and then select the WAN interface?

 

[RMerlin]

If you are saying that for the LAN clients I want to block from the VPN tunnels, I should select their LAN IP range, then leave the Remote IP range blank, and then select the WAN interface?

That`s correct. It will force these clients to directly use your Internet connection without redirecting them through the tunnel.

https://github.com/RMerl/asuswrt-merlin.ng/wiki/VPN-Director

 

[New2This]

Going to probably factory reset, but before I do, anyone else loosing there VPN Director configuration after a reboot. It ran smooth for about 4 days, before I rebooted it.

 

[shabbs]

Going to probably factory reset, but before I do, anyone else loosing there VPN Director configuration after a reboot. It ran smooth for about 4 days, before I rebooted it.

I did not experience that on my RT-AX86U Router.

 

[Xrsenal]

That`s correct. It will force these clients to directly use your Internet connection without redirecting them through the tunnel.

https://github.com/RMerl/asuswrt-merlin.ng/wiki/VPN-Director

Hey Merlin,

For the AX86u, I have verizon fios fiber gig, whats the best options as far as NAT Passthrough, DNS WAN/LAN (do i input in both?) ANY other settings that would be beneficial for gaming?

No one here really provided me much help

I just dont know what settings affect what.... any insight on anything related to gaming ? im on console btw

 

[maxbraketorque]

That`s correct. It will force these clients to directly use your Internet connection without redirecting them through the tunnel.

https://github.com/RMerl/asuswrt-merlin.ng/wiki/VPN-Director

I just tried, and its not preventing access to the VPN networks for LAN clients in the target IP range. I guess I'm doing something wrong?

 

[Makaveli]

Hey Merlin,

For the AX86u, I have verizon fios fiber gig, whats the best options as far as NAT Passthrough, DNS WAN/LAN (do i input in both?) ANY other settings that would be beneficial for gaming?

No one here really provided me much help

I just dont know what settings affect what.... any insight on anything related to gaming ? im on console btw

This thread is for Beta feedback not the right place for this.

 

[bbunge]

Hey Merlin,

For the AX86u, I have verizon fios fiber gig, whats the best options as far as NAT Passthrough, DNS WAN/LAN (do i input in both?) ANY other settings that would be beneficial for gaming?

No one here really provided me much help

I just dont know what settings affect what.... any insight on anything related to gaming ? im on console btw

Well, the beta 1 works well on my AX86U. I do not use VPN client. I do use Cloudflare Secure, 1.1.1.2 and 1.0.0.2 in Wan DNS Servers and have DoT/DNSSEC enabled. Nothing in LAN/DHCP Server/DNS Server. As I have 100/100 FIOS I use QOS but with Gig you do not need QOS.
Hope this helps.

 

[RMerlin]

I just tried, and its not preventing access to the VPN networks for LAN clients in the target IP range. I guess I'm doing something wrong?

Can you explain what you mean exactly by "preventing access"?

 

[RMerlin]

Going to probably factory reset, but before I do, anyone else loosing there VPN Director configuration after a reboot. It ran smooth for about 4 days, before I rebooted it.

Check the state of your JFFS partition (i.e. make sure it's not filled up).

 

[SomeWhereOverTheRainBow]

Check the state of your JFFS partition (i.e. make sure it's not filled up).

@RMerlin great job with VPN director. The icing on the cake would be if you include a menu option to route VPN site tunnels( openvpn, pptp, or ipsec) to Open VPN client. ---- I know you are not big on extra features beyond the norm~, but if you think about it, it would be a nice option. Thank you for your long term efforts and maintenance of Asuswrt-Merlin.

 

[RMerlin]

To make sure I am clear as mud. I had everything routed through VPN except the Roku on 386.2_6. It worked flawless. Local TV via Fubo works with the VPN however Vudu and Amazon Prime ect. do not, hence the WAN setting for the Roku. Family was watching tv while I upgraded firmware to 386.3b and the Roku went down, no internet connection detected. The only way I can get it back up is to disable the WAN rule for the Roku. I hope these screen shots are what you requested.

I cannot reproduce your issue here, works fine for me when I exclude my tablet. Can you test using a PC instead of the Roku?

EDIT: I can actually see one scenario where it might be problematic: if your VPN provider uses a non-public DNS server. WAN clients aren't currently "excluded" from using it, this is actually a bug.

Can you try connecting your VPN, then running the following command?

/usr/sbin/iptables -t nat -I DNSVPN1 -s 192.168.1.100 -j RETURN

Replace DNSVPN1 by whichever instance you are using if it's not the first one, and replace 192.168.1.100 by the IP address of your Roku.

Then test again the Roku.

 

[RMerlin]

@RMerlin great job with VPN director. The icing on the cake would be if you include a menu option to route VPN site tunnels( openvpn, pptp, or ipsec) to Open VPN client. ---- I know you are not big on extra features beyond the norm~, but if you think about it, it would be a nice option. Thank you for your long term efforts and maintenance of Asuswrt-Merlin.

Routing a VPN through another VPN makes little sense. But if for some reason you want to do that, just create a rule with the remote IP of your other server.

 

[SomeWhereOverTheRainBow]

Routing a VPN through another VPN makes little sense. But if for some reason you want to do that, just create a rule with the remote IP of your other server.

I know how to manually do it. it is more of a simplicity option, something to make life easier. But as I mentioned I know you are not big on extra features.

 

[RMerlin]

I know how to manually do it. it is more of a simplicity option, something to make life easier. But as I mentioned I know you are not big on extra features.

This is definitely way too niche of a feature to be added, sorry.

 

[maxbraketorque]

Can you explain what you mean exactly by "preventing access"?

I guess I'll provide my 30,000 ft view. IMHO, guest and IOT clients are the biggest security risk to my home network at this point, just a tad above my concern about my wife and daughter getting suckered into allowing a socially engineered network intrusion. The built-in ASUS guest network capability does not meet my needs for two reasons. One of the two issues I'm trying to resolve now is that while the built-in ASUS guest network capability can isolate guests from my "local" LAN, it does not isolate guests from my VPN LANs. I have two site-to-site (router-to-router) "2-way" VPNs permanently enabled to link my local LAN to two remote LANs. When the ASUS guest network capability is enabled on the local LAN with "Access Intranet" disabled, guests on the local LAN can still access all resources on my remote LANs.

So I'm trying to find a way to isolate local guests from my remote LANs. I'm currently exploring two options, one of which is using VPN director in combination with the ASUS guest network capability to prevent guest clients on my local LAN from accessing the resources on my remote LANs. I was hoping that VPN director could be used to prevent a subset of my local LAN IP range from accessing resources on my VPN LAN's, but its not working. To clarify on this, I have my guests and IOT devices set to use auto DHCP IP assignment, and I attempted to use VPN Director to send my auto DHCP range to the WAN as a means to prevent access to my VPN LANs. My auto DHCP range is set to xxx.xxx.xxx.128/26 (128-191), and I have a rule in VPN director to send xxx.xxx.xxx.128/26 to "WAN". However, it does not prevent local LAN guest clients from accessing my VPN LANs.

Hopefully that all makes sense.

 

[RMerlin]

I guess I'll provide my 30,000 ft view. IMHO, guest and IOT clients are the biggest security risk to my home network at this point, just a tad above my concern about my wife and daughter getting suckered into allowing a socially engineered network intrusion. The built-in ASUS guest network capability does not meet my needs for two reasons. One of the two issues I'm trying to resolve now is that while the built-in ASUS guest network capability can isolate guests from my "local" LAN, it does not isolate guests from my VPN LANs. I have two site-to-site (router-to-router) "2-way" VPNs permanently enabled to link my local LAN to two remote LANs. When the ASUS guest network capability is enabled on the local LAN with "Access Intranet" disabled, guests on the local LAN can still access all resources on my remote LANs.

So I'm trying to find a way to isolate local guests from my remote LANs. I'm currently exploring two options, one of which is using VPN director in combination with the ASUS guest network capability to prevent guest clients on my local LAN from accessing the resources on my remote LANs. I was hoping that VPN director could be used to prevent a subset of my local LAN IP range from accessing resources on my VPN LAN's, but its not working. To clarify on this, I have my guests and IOT devices set to use auto DHCP IP assignment, and I attempted to use VPN Director to send my auto DHCP range to the WAN as a means to prevent access to my VPN LANs. My auto DHCP range is set to xxx.xxx.xxx.128/26 (128-191), and I have a rule in VPN director to send xxx.xxx.xxx.128/26 to "WAN". However, it does not prevent local LAN guest clients from accessing my VPN LANs.

Hopefully that all makes sense.

So you don't want to just route then through the WAN, you want to actively block them from accessing the tunnel. VPN Director cannot really do that. All it does is configure routing tables, it does not firewall access to specific subnets. To achieve what you want to do, you'd have to manually configure things at the firewall level, not at the routing tables level (which is what VPN Director does). Something like that, through iptables:

iptables -I FORWARD -s 192.168.1.128/26 -d 10.1.1.0/24 -j DROP
iptables -I FORWARD -s 192.168.1.128/26 -d 10.2.1.0/24 -j DROP

Network Service Firewall wouldn't work either, because its rules are parsed too late in the FORWARD chain.

 

[maxbraketorque]

So you don't want to just route then through the WAN, you want to actively block them from accessing the tunnel. VPN Director cannot really do that. All it does is configure routing tables, it does not firewall access to specific subnets. To achieve what you want to do, you'd have to manually configure things at the firewall level, not at the routing tables level (which is what VPN Director does). Something like that, through iptables:

iptables -I FORWARD -s 192.168.1.128/26 -d 10.1.1.0/24 -j DROP
iptables -I FORWARD -s 192.168.1.128/26 -d 10.2.1.0/24 -j DROP

Network Service Firewall wouldn't work either, because its rules are parsed too late in the FORWARD chain.

ok. Thanks much. I guess I need to consider figuring out how to permanently enable iptables.

 

[RMerlin]

ok. Thanks much. I guess I need to consider figuring out how to permanently enable iptables.

Create a firewall-start script with the two commands.

 

[hababu]

Hello,
386.3_beta1 on AX88U causes disconnections with 5GHz WIFI (tested with notebook and smartphone). The WIFI Network is not available for about 20-30 seconds (the 5GHz Wifi disappears in the WIFI settings of the client and appears some seconds later again - this happened 2x within 30 minutes)
Does anyone have the same experience?
Now I have downgraded to 386.2_6 - I'm still testing but the connection is stable since 90 minutes.
Thank you
Kind regards
hababu