DomainVPNRouting Domain VPN Routing

Also, what do you recommend? I'm thinking of NOT using Firewall Restore because that seems to have an incompatibility with Killmon because it messes with iptables... So I was thinking instead, after reboot, since it seems that the script waits 15 minutes (Check Interval) before querying the policy, I'd change that to the minimum of 1 minute. Is that bad to do? Meaning, is there an issue with making it so little? Will that, like, overload the router?
I would add the firewall restore setting; it shouldn't interfere. All it does is add the restore policy command to the firewall start script. While you technically can reduce the cronjob to 1 minute, I don't recommend it because it will constantly have your router querying policies, attempting it every minute. There won't be duplicate runs because of the lock file, but whenever a job completes, the next minute another will start, and that's a bit aggressive.
 
No, the reason why I was asking is that using Killmon with the firewall restore does in fact cause no connectivity on the VPN. Meaning some rules that Killmon is adding to iptables don't work when your script does the firewall restore. So what would be your recommendation? Also, could you make an option so that it queries at reboot automatically? Because that's my issue: after a reboot, unless I wait the 15 minutes, without the firewall restore active my policies don't work. Could you make a config option so that after a reboot the policies are automatically queried?
 
I'm not sure what the killmon is doing to disrupt the traffic but the rules are going to be added once the query policy cron job runs anyway. Are you saying that once the rules are added you can't access the domains once the traffic is being told to be blocked? Are you wanting it to bypass and start using regular WAN if the VPN is killed? Query policy is called at boot via the wan-event, openvpn-event, or wgclient-start scripts (Executes from one of these, whichever is called first).
 
I honestly don't know why, but when I use Killmon, all the policies don't work when I enable reboot protection of Killmon. I am wondering, as a feature request, if you can add a feature so that once the router reboots it re-queries the policy.
 
It already calls query policy from the event script like I said, so it should be calling to query your policies on a reboot as well as creating the cron job for continuous runs. Maybe there is something going on timing-wise preventing it from creating the rules necessary at reboot time, or they are being recreated and deleted. You'd have to enable verbose logging on a policy and see what it is doing during that time.
 
Oh, maybe it's VPN-Mon, which is, like, monitoring the VPN. Maybe I need to delay it, meaning delay the start of your script. I think you have that option.
 
By the way, I keep getting this error a lot as I'm working on editing things with my policies:
delete all policies
ipset v7.6: Set cannot be destroyed: it is in use by a kernel component

Delete Policy - ***Error*** Failed to delete IPv4 IPSET for Amazon
***Error*** Failed to delete IPv4 IPSET for Hulu
 
Not too sure what has those locked up, did you have something else accessing those IPSets?
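
The "Set cannot be destroyed: it is in use by a kernel component" error above means the kernel still holds a reference to the set, typically from an iptables rule that matches on it. The following is an added example, not part of the thread or of either script, that lists the sets still referenced and the rules naming them; the set names and rules are constructed samples.

```shell
#!/bin/sh
# Added example. Set names and rules are constructed samples, not from the thread.

# Constructed `iptables-save` excerpt.
SAMPLE_RULES='*mangle
-A PREROUTING -i br0 -m set --match-set EXAMPLE-Amazon-ipv4 dst -j MARK --set-xmark 0x1000/0xf000
-A OUTPUT -m set --match-set EXAMPLE-Amazon-ipv4 dst -j MARK --set-xmark 0x1000/0xf000
-A PREROUTING -i br0 -m set --match-set EXAMPLE-Hulu-ipv4 dst -j MARK --set-xmark 0x1000/0xf000
-A PREROUTING -i br0 -m set --match-set EXAMPLE-Amazon-ipv4-old dst -j ACCEPT
COMMIT'

# Constructed `ipset list -t` excerpt (headers only).
SAMPLE_SETS='Name: EXAMPLE-Amazon-ipv4
Type: hash:ip
References: 2

Name: EXAMPLE-Hulu-ipv4
Type: hash:ip
References: 1

Name: EXAMPLE-Unused-ipv4
Type: hash:ip
References: 0'

# stdin: `ipset list -t` output. Prints "<set> <count>" for every set the
# kernel still holds a reference to; these are the sets `ipset destroy` refuses.
referenced_sets() {
    awk '$1 == "Name:" { name = $2 }
         $1 == "References:" && $2 > 0 { print name, $2 }'
}

# stdin: `iptables-save` output. Prints "-t <table> <rule>" for each rule that
# names exactly set $1 (whole-word compare, so "X-old" does not match "X").
rules_using_set() {
    awk -v want="$1" '
        /^\*/ { table = substr($0, 2); next }
        { for (i = 1; i < NF; i++)
              if (($i == "--match-set" || $i == "--add-set" || $i == "--del-set") && $(i + 1) == want) {
                  print "-t " table " " $0; break } }'
}

# Turns the lines above into the delete commands to review (printed, not run).
delete_commands() {
    sed 's/^-t \([^ ]*\) -A /iptables -t \1 -D /'
}

# Demo on the samples. On a router: ipset list -t | referenced_sets
printf '%s\n' "$SAMPLE_SETS" | referenced_sets
printf '%s\n' "$SAMPLE_RULES" | rules_using_set EXAMPLE-Hulu-ipv4 | delete_commands
```

On a live system, pipe `iptables-save` into `rules_using_set <set-name>`; a set whose reference count stays above zero after its rules are gone is being held by something other than an iptables rule.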
 
I am beginning to notice that I'm getting a notification that I used to not get when I was using x3mrouting. I'm not sure if I should enable the NVRAM checks. How would I know if that should be enabled?

VPN Slot 1 is Non-Responsive

Date/Time: May 04 2024 18:00:50
Asus Router Model:
Firmware/Build Number:

FAILURE: VPNMON-R3 has detected that VPN Slot 1 is non-responsive. VPN Slot 1 has been reset.
Please check your network environment and configuration if this error continues to persist.
 
I am not sure how @Viktor Jaep's tool detects the VPN not working; maybe something is going on with the VPN Server side of your VPN Client at the moment?
 
@ComputerSteve ... if it successively fails a ping and a curl through the VPN tunnel 3x in a row, it will assume the VPN slot is non-responsive, and causes a reset.
 
Yes, I understand. What I'm saying is I'm getting that every day now that I'm using Domain Routing, and I haven't got that once when I was using x3mrouting. Also, I notice it isn't down... Meaning as soon as VPNmon resets it, the connection is back up. It's not that the VPN is actually down, because even with a reset the VPN wouldn't connect. Should I enable that NVRAM check feature?
 
Could be some kind of routing or resolution issue in that case?
 
Is there a disadvantage to enabling NVRAM checks? Meaning, why isn't that on by default?
It just runs a little slower processing but not really.
 
So there is something weird: as I'm saying, every day at around 6 pm the issue keeps happening and I'm losing internet connectivity on the VPN. This never happened before I started using Domain Routing. Any ideas, @Viktor Jaep or @Ranger802004?
Nothing in VPNMON would be doing that. Doubt Domain Routing would be causing something. Have you looked at your syslogs and/or cronjobs?
 
