
Dual WAN load-balance breaks VPN on AC5300 w/ 384.10_2


Hyacin

Hello all,

I had my AC5300 running 384.10_2, with one WAN connection, two VPN connections, and some clients strictly locked into using the VPNs with "Block routed clients if tunnel goes down" working flawlessly, prior to today.

Today a second WAN connection was installed and I enabled "Dual WAN" with load-balancing, which did warn me load-balancing disables AiProtection (but no mention of anything else), and now things aren't working right :-/

One of my clients (Win10 in Hyper-V w/ bridged networking, if that matters) does still appear to be trapped within the VPN, no problem.

The other client, a WD NAS box plugged directly into the router, with a static IP, is running wild, and traces from it show the ISP's network despite "Block routed clients if tunnel goes down" still being enabled.

I'm not sure if this is a bug, or something I can resolve, but any tips or advice would be greatly appreciated.
 
I've switched it to failover now, and was hoping to route one VPN via one WAN, and the other via the other, as both connections are up ... I tried replacing 'nobind' with 'local w.x.y.z' in the openvpn client config and restarting it, but that doesn't seem to be sending it down the right path ... I then tried adding a static route in busybox, but that doesn't seem to have helped either ...
 
ok, I found this 'ip rule' stuff, I was wondering where all the routing was (I'm historically a BSD guy, not a linux guy) - and found that the ovpn redirect rule was way down at the bottom, so I deleted it, and just re-added it as I couldn't find a way to explicitly set *where* to put it, and it ended up near the top, and now it's working, as it's matching that before the WAN rules that were I guess trumping it.

So I've got things working good enough for now, thankfully, but not in any way that I would want them to stay if I was keeping both of these connections permanently! Static dual-wan routes were required for my entire subnet to get things to stop acting flaky - which means the only things using the new connections are things I point at it directly ... anyway, good enough for my purposes for now.
 
ok, I found this 'ip rule' stuff, and found that the ovpn redirect rule was way down at the bottom, so I deleted it, and just re-added it as I couldn't find a way to explicitly set *where* to put it, and it ended up near the top

The PRIO (priority argument) allows you to insert the custom RPDB rule explicitly, i.e. where to place your custom rule in the execution order, e.g. @1234
Code:
ip rule add actual_RPDB_rule prio 1234

So I've got things working good enough for now, thankfully, but not in any way that I would want them to stay if I was keeping both of these connections permanent

Here is one technique...it should still be valid?
Dual-WAN VPN rules not working
 
Oh awesome, at both parts, thank you so much ... I don't have much faith in my solution ((attempt to) delete and re-add the rule on openvpn-event), so I will absolutely check that out and try to get it going when I have a few minutes ... thanks!!
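
The rule-ordering problem discussed in this thread, as an added example that is not part of any post: a POSIX sh function that reads `ip rule show` output and lists the rules evaluated before a client's VPN rule. The rule lines, table names (`100`, `200`, `ovpnc1`), priorities and client address are constructed sample values, and the match on the `from` selector is a heuristic.

```shell
#!/bin/sh
# Added example. Rule lines, table names and addresses are constructed samples.

# usage: ip rule show | rules_before_vpn <vpn_table> <client_ip>
# Prints every rule evaluated before the client's VPN rule that could match
# the same traffic (heuristic: selector is "from all" or the client itself).
rules_before_vpn() {
    awk -v tbl="$1" -v client="$2" '
    {
        prio = $1; sub(/:$/, "", prio); prio += 0
        table = ""; src = ""
        for (i = 2; i < NF; i++) {
            if ($i == "from")   src   = $(i + 1)
            if ($i == "lookup") table = $(i + 1)
        }
        n++; P[n] = prio; T[n] = table; S[n] = src; L[n] = $0
        if (table == tbl && (src == client || src == "all") &&
            (!found || prio < vpn)) { vpn = prio; found = 1 }
    }
    END {
        if (!found) { print "NO_VPN_RULE"; exit }
        for (i = 1; i <= n; i++)
            if (P[i] < vpn && T[i] != "local" && T[i] != tbl &&
                (S[i] == "all" || S[i] == client))
                print "BEFORE_VPN " L[i]
    }'
}

sample_broken() {   # constructed: VPN rule sits below the dual-WAN rules
cat <<'EOF'
0:      from all lookup local
150:    from all fwmark 0x1 lookup 100
151:    from all fwmark 0x2 lookup 200
10101:  from 192.168.1.50 lookup ovpnc1
32766:  from all lookup main
EOF
}

sample_fixed() {    # constructed: VPN rule re-added with a lower prio number
cat <<'EOF'
0:      from all lookup local
100:    from 192.168.1.50 lookup ovpnc1
150:    from all fwmark 0x1 lookup 100
151:    from all fwmark 0x2 lookup 200
32766:  from all lookup main
EOF
}

sample_broken | rules_before_vpn ovpnc1 192.168.1.50
```

On a router the input would come from `ip rule show` itself; any `BEFORE_VPN` line is a rule to inspect, since a lower priority number is evaluated first.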
 
