OpenVPN Selective Routing and Port Forwarding

VH-BIL

New Around Here
I have selective routing working from the instructions on this page. I want to still be able to port forward to my server from my WAN address. If I do not run the openvpn-event and firewall-start scripts, port forwarding works fine. Is there something I can add to one of the scripts to keep the port forwarding working?

The server has 2 interfaces:
192.168.69.250
192.168.69.240 (anything bound to 240 should go through the VPN)

I am forwarding ports on the router:
7990 -> 192.168.69.250 (Atlassian Stash)
8080 -> 192.168.69.250 (Atlassian Jira)
80 -> 192.168.69.250 (Web Server)

My openvpn-event script:
Code:
#!/bin/sh

# give the tunnel a moment to come up before touching routes
sleep 2

# reverse-path filtering would drop replies that leave by a different
# interface than the one a plain lookup for their source would pick
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
  echo 0 > $i
done

# start from a clean policy table, rule and mark set
ip route flush table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING

# copy the main table into table 100, minus the default route and
# anything on the tunnel, then give table 100 the WAN as its default
ip route show table main | grep -Ev ^default | grep -Ev tun11 \
  | while read ROUTE ; do
      ip route add table 100 $ROUTE
done

ip route add default table 100 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 100
ip route flush cache

# mark 1 = use table 100 (WAN) for every LAN source ...
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
# ... except the VPN hosts, whose mark goes back to 0 so they follow the
# main table, where OpenVPN has installed the tunnel as the default route
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.69.240-192.168.69.249 -j MARK --set-mark 0

# exit 0: a non-zero status can make the caller treat the script as failed
exit 0

My firewall-start script:
Code:
#!/bin/sh

# let the firmware finish building its own rules first
sleep 4

# -I prepends, so the rule given last is checked first: VPN hosts may
# only leave through the tunnel (kill switch), and tunnel traffic is
# forwarded in both directions
iptables -I FORWARD -i br0 -o tun11 -j ACCEPT
iptables -I FORWARD -i tun11 -o br0 -j ACCEPT
iptables -I FORWARD ! -o tun11 -m iprange --src-range 192.168.69.240-192.168.69.249 -j DROP
# nothing arriving through the tunnel may talk to the router itself
iptables -I INPUT -i tun11 -j REJECT
# traffic leaving via the tunnel uses the tunnel's address
iptables -t nat -A POSTROUTING -o tun11 -j MASQUERADE

# "chmod a+rx /jffs/scripts/firewall-start" is a one-time step when
# installing the script, not a line of the script itself
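The two scripts above decide the route from the source address alone: every LAN packet is marked on PREROUTING, and the kill switch drops anything from the VPN range that is not leaving via tun11. A connection that arrives on the WAN for a host in the VPN range would therefore be answered through the tunnel. The script below is an added example, not the poster's scripts and not Asuswrt-Merlin code, and it does not claim to explain the failure reported in the post. It generalizes the same technique with CONNMARK: a connection is tagged by the interface it arrived on, LAN packets inherit that tag, and only undecided connections get the per-host policy, so port forwards are answered via the WAN even for VPN hosts. Assumed names: br0, tun11, table 100, fwmark 1 meaning "route via WAN", the range 192.168.69.240-192.168.69.249, the nvram variables wan_ifname and wan_gateway (override WAN_IF and WAN_GW in the environment where they differ, for example on a PPPoE WAN), the iptables conntrack, connmark, mark and iprange matches, and OpenVPN's redirect-gateway having made tun11 the default route of the main table.

```shell
#!/bin/sh
# Added example, not the poster's scripts or Asuswrt-Merlin code:
# selective VPN routing via a fwmark policy table, with CONNMARK so that
# connections arriving on the WAN (port forwards) are answered via the
# WAN even when the target host is in the VPN range.
# Assumed: LAN bridge br0, OpenVPN client tun11, table 100, fwmark 1 =
# "route via WAN", VPN hosts 192.168.69.240-.249, WAN interface/gateway
# from nvram as on Asuswrt-Merlin, and OpenVPN's redirect-gateway having
# made tun11 the default route of the main table.
# Usage: "sh vpnsel.sh routes" from openvpn-event (tun11 route-up) and
# "sh vpnsel.sh firewall" from firewall-start; IPT=echo IP=echo prints
# the commands instead of running them (dry run).

LAN_IF=${LAN_IF:-br0}
VPN_IF=${VPN_IF:-tun11}
VPN_RANGE=${VPN_RANGE:-192.168.69.240-192.168.69.249}
TABLE=${TABLE:-100}
MARK_WAN=${MARK_WAN:-1}
IPT=${IPT:-iptables}
IP=${IP:-ip}

wan_vars() {
    WAN_IF=${WAN_IF:-$(nvram get wan_ifname)}
    WAN_GW=${WAN_GW:-$(nvram get wan_gateway)}
}

# Keep only the main-table routes worth copying: drop the default route
# (table 100 gets the WAN gateway instead) and anything on the tunnel.
filter_routes() {
    grep -Ev '^default' | grep -Ev "(^| )dev $VPN_IF( |$)"
}

# Build the policy table from a route dump read on stdin.
policy_table() {
    $IP route flush table "$TABLE"
    filter_routes | while read -r route; do
        $IP route add table "$TABLE" $route   # $route is a word list
    done
    $IP route add default table "$TABLE" via "$WAN_GW" dev "$WAN_IF"
    $IP rule del fwmark "$MARK_WAN" table "$TABLE" 2>/dev/null || true
    $IP rule add fwmark "$MARK_WAN" table "$TABLE"
    $IP route flush cache
}

# Marking lives in its own chain so the firmware's mangle rules survive.
mangle_rules() {
    $IPT -t mangle -N VPN_SELECT 2>/dev/null || true
    $IPT -t mangle -F VPN_SELECT
    $IPT -t mangle -D PREROUTING -j VPN_SELECT 2>/dev/null || true
    $IPT -t mangle -I PREROUTING -j VPN_SELECT
    # 1. A connection arriving on the WAN (a port forward) is tagged WAN
    #    on its first packet.
    $IPT -t mangle -A VPN_SELECT -i "$WAN_IF" -m conntrack --ctstate NEW \
        -j CONNMARK --set-mark "$MARK_WAN"
    # 2. LAN packets inherit their connection's decision, so a VPN host's
    #    replies on a forwarded port carry the WAN mark.
    $IPT -t mangle -A VPN_SELECT -i "$LAN_IF" -j CONNMARK --restore-mark
    # 3. Still undecided: sources outside the VPN range go via the WAN;
    #    VPN hosts keep mark 0 and follow the main table (the tunnel).
    $IPT -t mangle -A VPN_SELECT -i "$LAN_IF" -m mark --mark 0 \
        -m iprange ! --src-range "$VPN_RANGE" -j MARK --set-mark "$MARK_WAN"
    # 4. Remember the decision for the rest of the connection.
    $IPT -t mangle -A VPN_SELECT -i "$LAN_IF" -j CONNMARK --save-mark
}

# Kill switch: VPN hosts may only leave through the tunnel, except for
# replies on connections that came in from the WAN (connmark = WAN).
filter_rules() {
    # -I prepends, so the rule given last is checked first
    $IPT -I FORWARD -i "$LAN_IF" -o "$VPN_IF" -j ACCEPT
    $IPT -I FORWARD -i "$VPN_IF" -o "$LAN_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -I FORWARD -m iprange --src-range "$VPN_RANGE" ! -o "$VPN_IF" \
        -m connmark ! --mark "$MARK_WAN" -j DROP
    # Nothing arriving through the tunnel may talk to the router itself
    $IPT -I INPUT -i "$VPN_IF" -j REJECT
    $IPT -t nat -D POSTROUTING -o "$VPN_IF" -j MASQUERADE 2>/dev/null || true
    $IPT -t nat -A POSTROUTING -o "$VPN_IF" -j MASQUERADE
}

routes() {
    wan_vars
    # rp_filter would drop replies leaving by another interface than the
    # one a plain lookup for their source would pick
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 0 > "$f"; done
    $IP route show table main | policy_table
}

firewall() { wan_vars; mangle_rules; filter_rules; }

case "${1:-}" in
    routes)   routes ;;
    firewall) firewall ;;
esac
```

Two deliberate differences from the posted scripts: the marks go into a dedicated VPN_SELECT chain that is rebuilt on each run, instead of flushing the whole mangle PREROUTING chain along with whatever the firmware put there, and tunnel-to-LAN forwarding is limited to ESTABLISHED,RELATED, so nothing on the VPN provider's side can open connections into the LAN. Run it with IPT=echo IP=echo first and read the printed rules before letting it touch a router.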
I resolved this by using the redirect internet traffic policy rules (not the openvpn-event script) but still using the firewall-start script.