[Fork] Asuswrt-Merlin 374.43 LTS releases (Archive)

I have been using this fork since version 03 with full satisfaction. Now that I have registered an SNB account, first I want to thank John for the excellent work on this firmware!

Now, of course, I also have a question :) and I could use some help with it because I don't have much experience with iptables configuration. I have used OpenVPN for years now for all my devices. Now I would like to configure the scenario below on the secondary OpenVPN server on the router:

Behind my ASUS N66U, I have a NAS that is used by an external client to store its offsite backups. Let's say the OpenVPN server on the N66U router has IP 10.6.0.1 and my NAS has an internal LAN IP of 192.168.1.50. When the remote client connects to the OpenVPN server, it gets IP 10.6.0.2. What I would like to achieve is that the remote client (10.6.0.2) can ONLY access the NAS IP (192.168.1.50) in my local network. No other devices may be reached or discovered.

The OpenVPN server is working and I configured the following from the GUI:
Push LAN to clients: NO
Direct clients to redirect Internet traffic: NO
Respond to DNS: NO


With these settings I can connect to the OpenVPN server and ping its IP (10.6.0.1), but obviously cannot connect to anything else in my LAN. I think I have to set up a specific rule within iptables, but I don't know how... :)

Can anyone help me figure this out?
You should probably create your own thread in another area. This particular topic is about John's fork and its various versions and updates. You would probably get better results. :) Welcome to the SNB forums though!
 
> You should probably create your own thread in another area. This particular topic is about John's fork and its various versions and updates. You would probably get better results. :) Welcome to the SNB forums though!

Hmm. I was hoping maybe someone could help me in this thread because I am running on John's awesome firmware :) I guess it must be a simple configuration. If not, I will create a separate one. Thanks
 
Is the Broken pipe message expected when you download using the OpenVPN connection?
 

> I have been using this fork since version 03 with full satisfaction. Now that I have registered an SNB account, first I want to thank John for the excellent work on this firmware!
>
> Now, of course, I also have a question :) and I could use some help with it because I don't have much experience with iptables configuration. I have used OpenVPN for years now for all my devices. Now I would like to configure the scenario below on the secondary OpenVPN server on the router:
>
> Behind my ASUS N66U, I have a NAS that is used by an external client to store its offsite backups. Let's say the OpenVPN server on the N66U router has IP 10.6.0.1 and my NAS has an internal LAN IP of 192.168.1.50. When the remote client connects to the OpenVPN server, it gets IP 10.6.0.2. What I would like to achieve is that the remote client (10.6.0.2) can ONLY access the NAS IP (192.168.1.50) in my local network. No other devices may be reached or discovered.
>
> The OpenVPN server is working and I configured the following from the GUI:
> Push LAN to clients: NO
> Direct clients to redirect Internet traffic: NO
> Respond to DNS: NO
>
> With these settings I can connect to the OpenVPN server and ping its IP (10.6.0.1), but obviously cannot connect to anything else in my LAN. I think I have to set up a specific rule within iptables, but I don't know how... :)
>
> Can anyone help me figure this out?

Why not assign the NAS an IP in the 10.6.x.x network? That should allow access to it from your 10.6.x.x external users but your 192.168.x.x network should remain isolated.
 
> Why not assign the NAS an IP in the 10.6.x.x network? That should allow access to it from your 10.6.x.x external users but your 192.168.x.x network should remain isolated.

Because I also use the same NAS for file storage. So unfortunately that is not an option. I really need to find a way to set up the iptables rules...
 
> Because I also use the same NAS for file storage. So unfortunately that is not an option. I really need to find a way to set up the iptables rules...

So if I understand, you also need to access it from the local network? Then perhaps using the advanced option in your PC's NIC IPv4 settings and adding a secondary IP address in the 10.6.x.x range is what you need. You will have to put the primary IP (the 192.168.x.x one) in as a static, then you can add the additional one in the box. I believe that should do it for you.
 
Yeah, thanks mate for your reply and effort. But I have a lot of devices in my network (phones/tablets/media players/notebooks) that use the NAS. So I need a robust solution for this. I'll see if I can enable this config on the router; if anyone has suggestions for setting this up on the router's firewall/routing table, let me know! :)
 
> Push LAN to clients: NO

That's your problem. If you want your LAN to be accessible by clients, you need to enable this.

Also make sure your NAS's firewall isn't configured to reject connections from IPs other than your LAN subnet (some NAS have a configurable firewall).
 
> That's your problem. If you want your LAN to be accessible by clients, you need to enable this.
>
> Also make sure your NAS's firewall isn't configured to reject connections from IPs other than your LAN subnet (some NAS have a configurable firewall).

Hi RMerlin, thanks for your reply! If anyone knows, it would be you! :) The thing is, normally for my own OpenVPN clients, I do push the LAN, redirect internet traffic, respond to DNS etc., and it is accessible. All working fine.

What I want to achieve is to activate the secondary OpenVPN server, and the client that connects to that OpenVPN server must ONLY be able to connect to the IP of the NAS server located in my internal network.

So I don't want to push the whole LAN (subnet) to that client, because that is my private LAN. It connects from a small company that has nothing to do with my private LAN. The only thing it needs to do is back up its data to a share on my NAS; the rest of the network must be hidden and not accessible. So no need for DNS responses, redirecting internet traffic etc. Just backup purposes straight to my NAS. So only allow the IP of the OpenVPN client to access the IP of the NAS without pushing the whole LAN (subnet).

I thought maybe this can be achieved by setting push LAN to NO, so all entries to my LAN are closed, and then manually setting an iptables rule for the connected client so that it is allowed to connect to the NAS IP on the internal network.

If I need to explain it better, please tell me and I will make a network drawing or scheme. Thanks for your help!
 
> I thought maybe this can be achieved by setting push LAN to NO, so all entries to my LAN are closed, and then manually setting an iptables rule for the connected client so that it is allowed to connect to the NAS IP on the internal network.

You need to Push the LAN because what this does is provide a route for your clients to be able to reach the LAN. Without that route, your clients won't know that the remote LAN IP resides at the end of your 10.8.x.x tunnel.

What I would try is enable that option, but create a firewall rule that would allow traffic between tun22 and the NAS's IP, another that allows traffic between tun22 and the router's IP (just to be safe), followed by a rule that drops all traffic between tun22 and your LAN subnet.

Another potential (but not as secure) method that might work is to not push any route, but in the custom config section push a route for 192.168.0.200/32 through the tunnel (change that IP for your actual NAS IP). This is not as secure, because anyone could manually create a route for the whole /24 if they wished, bypassing your configuration. A firewall-based set of rules is safer.
 
> You need to Push the LAN because what this does is provide a route for your clients to be able to reach the LAN. Without that route, your clients won't know that the remote LAN IP resides at the end of your 10.8.x.x tunnel.
>
> What I would try is enable that option, but create a firewall rule that would allow traffic between tun22 and the NAS's IP, another that allows traffic between tun22 and the router's IP (just to be safe), followed by a rule that drops all traffic between tun22 and your LAN subnet.
>
> Another potential (but not as secure) method that might work is to not push any route, but in the custom config section push a route for 192.168.0.200/32 through the tunnel (change that IP for your actual NAS IP). This is not as secure, because anyone could manually create a route for the whole /24 if they wished, bypassing your configuration. A firewall-based set of rules is safer.

The second method works! :) I had tried this myself as a first test, but with the subnet mask /24, which of course will not work... Thanks for pointing this one out! But, just like you, I prefer the second method by using the firewall to actually drop the traffic.

Now, (as you probably already know by now ;)) I am not familiar with iptables firewall rules... I saw on your GitHub that I first need to enable the JFFS partition in order to use them on the router. So that would be step one. The way that you are pointing out seems the way to go, but how do I enter this configuration in the router? Do you know what the rules must look like in order to achieve your example?

EDIT: Maybe it is even better to push only the 192.168.0.200/32 and then also insert firewall rules protecting the rest of the subnet instead of pushing the whole LAN subnet and then insert firewall rules?
 
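RMerlin's firewall-based method from the reply above, written out as a script that Asuswrt-Merlin's /jffs/scripts/firewall-start hook can call; this is an added example, not code from the thread, John's fork or the firmware. The NAS address is the one from the question and tun22 is the server 2 interface RMerlin named, while the LAN subnet 192.168.1.0/24 and router address 192.168.1.1 are assumptions.

```shell
#!/bin/sh
# Added example, not code from this thread, John's fork or Asuswrt-Merlin.
# Restricts clients of OpenVPN server 2 (interface tun22) to one LAN host,
# in RMerlin's rule order: allow the NAS, allow the router, then drop
# everything else that is destined for the LAN subnet.
# Assumed values: NAS 192.168.1.50 (from the question), LAN 192.168.1.0/24
# and router LAN IP 192.168.1.1 (both assumptions). Override via environment.
VPN_IF="${VPN_IF:-tun22}"
NAS_IP="${NAS_IP:-192.168.1.50}"
ROUTER_IP="${ROUTER_IP:-192.168.1.1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
IPT="${IPT:-iptables}"   # set IPT=echo for a dry run that only prints the rules

# Rule specifications, top to bottom in the order the FORWARD chain must
# evaluate them: the specific ACCEPTs have to sit above the subnet-wide DROP.
# The router entry is RMerlin's "just to be safe" rule; packets addressed to
# the router itself actually take the INPUT chain, so it is harmless here.
nas_only_rules() {
    printf '%s\n' \
        "-i $VPN_IF -d $NAS_IP -j ACCEPT" \
        "-i $VPN_IF -d $ROUTER_IP -j ACCEPT" \
        "-i $VPN_IF -d $LAN_NET -j DROP"
}

# Insert the rules at positions 1, 2, 3 of FORWARD so they are checked before
# the firmware's own rules. A stale copy is deleted first, because
# firewall-start runs again on every WAN/firewall restart and would otherwise
# stack duplicates.
apply_rules() {
    pos=1
    nas_only_rules | while read -r rule; do
        $IPT -D FORWARD $rule 2>/dev/null || true
        $IPT -I FORWARD "$pos" $rule || return 1
        pos=$((pos + 1))
    done
}

# The client still needs a route to the NAS: either keep "Push LAN to clients"
# on (the DROP rule hides the rest of the subnet), or leave it off and add
#   push "route 192.168.1.50 255.255.255.255"
# to the server's custom config, as in the OP's EDIT. The firewall rules
# protect the subnet either way.
case "${1:-}" in
    apply) apply_rules ;;
    print) IPT=echo; apply_rules ;;
    *) echo "usage: $0 apply|print" >&2 ;;
esac
```

Run it with `print` first to see the exact iptables commands; `iptables -L FORWARD -n --line-numbers` on the router afterwards should show the two ACCEPTs above the DROP.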
I've never seen it... can you provide a little more detail about what you mean by 'download using the OpenVPN connection'?

I have a hard time recreating the problem myself.
Maybe this happens when the WAN connection from the office is maxing out and I'm connected to home trying to download a file.
 
> I have a hard time recreating the problem myself.
> Maybe this happens when the WAN connection from the office is maxing out and I'm connected to home trying to download a file.

It may be possible it's related to a timeout when trying to do the transfer. But my first thought was actually that some node was monitoring/blocking VPN connections and killing the transfer. Some ISPs may be doing traffic shaping during peak times... do you see any correlation with the time of day in seeing the error?
 
Is anyone else having issues with parental control settings?
The PC on LAN and laptop over Wi-Fi still have internet access even though I set it up to have no access for 24 hours.

Also, I can't reduce traffic speed via QoS. I set it to 0 just for two computers, but I am still able to use the Internet on both computers.

Running 20e9 firmware on an AC68R router.
 
URL filter in firewall settings doesn't work either. I've tried different combinations to block Facebook and YouTube, but I can still access them.
 
> Is anyone else having issues with parental control settings?
> The PC on LAN and laptop over Wi-Fi still have internet access even though I set it up to have no access for 24 hours.
I believe the parental controls only affect new connections, not existing connections. So if they are already connected somewhere on the internet, they will maintain that connection.

EDIT: Also note that running an OpenVPN client can bypass the parental controls.

> Also, I can't reduce traffic speed via QoS. I set it to 0 just for two computers, but I am still able to use the Internet on both computers.
>
> Running 20e9 firmware on an AC68R router.
You can't use QoS to prevent internet access. There will always be some activity that is allowed.
 
> URL filter in firewall settings doesn't work either. I've tried different combinations to block Facebook and YouTube, but I can still access them.

Check the note on the URL filter page... you can't filter sites accessed via HTTPS.
 
The beta has been refreshed to Update-22B4....
http://www.snbforums.com/threads/fo...lts-releases-v20e9.18914/page-238#post-294327


Time for the next beta, and this is truly a beta :) It includes a rewrite of the traditional QoS function. For those wondering why the jump to V22, V21 was a private beta used for the QoS development and was not generally released. Special thanks to @ColinTaylor for helping to test the QoS changes.

Feedback on the new QoS implementation is welcome.
 