Policy routing with specific ports?

TheShark

New Around Here
I am trying to utilize the latest enhancements regarding Policy Routing. I am attempting to make certain ports bypass the VPN. This is generally to facilitate remote access to a Synology NAS.

I have been able to route specific IPs (say 192.168.1.5) but not specific ports (say 192.168.1.5:5000). Is this possible? Am I being dumb? Is there some clever workaround?
 
Is it possible for you to list which models work 100% and which don't? Or, at the very least, if this is an issue with the ac56u?

I'd really like to do this on my ac56u to access certain web UIs which are on a home server running W7 behind an OpenVPN client running on the router.

I'm basically trying to accomplish what PIA have suggested in the last post here (Policy Routing): https://www.privateinternetaccess.com/forum/discussion/8804/openvpn-ddns-for-remote-access

I'm assuming since my ISP does not assign me a static IP that I need to use DDNS together with what they've suggested, but maybe I'm not entirely understanding the whole thing?
 
Is it possible for you to list which models work 100% and which don't? Or, at the very least, if this is an issue with the ac56u?

Any model that has the Trend Micro DPI engine, used by AiProtection and Adaptive QoS can flush the firewall rules at any time.
 
Sorry to bother, just want to understand this completely: if I disable QoS and any of the AiProtection (don't use any of it anyway), then I erase the risk of the firewall rules being flushed?
 
Sorry to bother, just want to understand this completely: if I disable QoS and any of the AiProtection (don't use any of it anyway), then I erase the risk of the firewall rules being flushed?

You should be fine then, at least with the current firmware. Unless something else causes the DPI engine to load, I can't predict what future changes Asus has in store concerning that engine. I suspect it will become more and more used in the firmware in the future.
 
See this thread:

http://www.snbforums.com/threads/selective-routing-with-asuswrt-merlin.9311/

However it's not 100% reliable because on some models, the router can flush the firewall rules on certain events, causing the mark rules to be lost.

Ah, finally discovered why it would appear that my VPN Client connection would drop and all my traffic would start going out the WAN to my ISP again. I discovered that by just clicking on the Adaptive QoS option it triggers the firewall to be restarted. This seems like a bug as I've got all of those options turned off.

Code:
Aug 30 11:47:52 kernel: * Make sure sizeof(struct sw_struct)=160 is consistent
Aug 30 11:47:52 kernel: IDPfw: TrendMicro forward module ver-1.0.28
Aug 30 11:47:52 kernel: IDPfw: Apply module param dev_wan=vlan2
Aug 30 11:47:52 kernel: IDPfw: Apply module param sess_num=30000
Aug 30 11:47:52 kernel: IDPfw: Init chrdev /dev/idpfw with major 191
Aug 30 11:47:52 kernel: IDPfw: IDPfw is ready
Aug 30 11:47:52 kernel: sizeof forward param = 160
Aug 30 11:48:02 kernel: mod epilog takes 0 jiffies
Aug 30 11:48:02 kernel: IDPfw: Exit IDPfw
Aug 30 11:48:02 kernel: Stop the IPS/AppID engine...
Aug 30 11:48:02 kernel: IDPfw: Exit chrdev /dev/idpfw with major 191
Aug 30 11:48:02 rc_service: bwdpi_check 573:notify_rc start_firewall
Aug 30 11:48:02 start_nat_rules: apply the nat_rules(/tmp/nat_rules_vlan2_vlan2)!
Aug 30 11:48:02 custom script: Running /jffs/scripts/firewall-start (args: vlan2)

Now that I know it's causing the mark rules to be lost I'll avoid clicking on that option.
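
Added example, not part of any post in this thread: a way to check from the router's syslog which process asked for each firewall restart and whether the Trend Micro DPI module (IDPfw) had logged activity just before it, which is the pattern in the log above. The function names, the 30-second window and the `restart_firewall` match are assumptions; the last sample line is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): list firewall restarts found in an
# Asuswrt-style syslog. One line per restart: "<time> <notifier> dpi=<yes|no>"
# dpi=yes means the kernel logged IDPfw activity on the same day, no more
# than <window> seconds earlier, so the mark rules were likely flushed by
# the DPI engine loading or unloading.

firewall_restarts() {
    # $1 = log file, $2 = look-back window in seconds (assumed default: 30)
    awk -v win="${2:-30}" '
        # Convert the HH:MM:SS field to seconds since midnight.
        function secs(t,  p) { split(t, p, ":"); return p[1]*3600 + p[2]*60 + p[3] }

        # Remember when the kernel last logged anything from the IDPfw module.
        / kernel: IDPfw: / { dpi_day = $1 " " $2; dpi_at = secs($3) }

        # Line shape on the page: "rc_service: <proc> <pid>:notify_rc start_firewall".
        # Also matching "restart_firewall" is an assumption, not shown on the page.
        / rc_service: / && /notify_rc (re)?start_firewall/ {
            now = secs($3)
            hit = (dpi_day == $1 " " $2 && now >= dpi_at && now - dpi_at <= win)
            print $3, $5, "dpi=" (hit ? "yes" : "no")
        }
    ' "$1"
}

# Sample input: the first four lines are copied from the log posted above;
# the fifth is constructed to show a restart with no DPI activity nearby.
sample_log() {
cat <<'EOF'
Aug 30 11:47:52 kernel: IDPfw: IDPfw is ready
Aug 30 11:48:02 kernel: IDPfw: Exit IDPfw
Aug 30 11:48:02 rc_service: bwdpi_check 573:notify_rc start_firewall
Aug 30 11:48:02 custom script: Running /jffs/scripts/firewall-start (args: vlan2)
Aug 30 13:05:10 rc_service: httpd 401:notify_rc restart_firewall
EOF
}

# Demo run against the sample; on a router, pass the syslog file path instead.
tmp=$(mktemp) && sample_log > "$tmp" && firewall_restarts "$tmp"
rm -f "$tmp"
```

A restart reported with dpi=yes is one after which the mark rules should be re-checked, since firewall-start has to put them back each time.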
 
