Routing / IPTables - Selective routing

[msalerno]

RT-N66U
Firmware:378.55
OpenVPN

br0 - Regular Cable (US)
Client 1 - tun11 - VPN to Endpoint1
Client 2 - tun12 - VPN to Endpoint2

Client 1 is setup with policy based routes for my server to use.
Client 2 is setup for policy based routes, but I have no entries.
The rest of my LAN should be using the standard internet connection.

My objective is to route only specific IP ranges out of my LAN through Client 2.

For testing purposes, I used http://ipleak.net (54.164.36.190) to show my IP address.

When I enter:

ip rule add to 54.164.36.190 lookup 112
ip route add 54.164.36.190 table 112 dev tun12

I am able to browse to the site from anywhere on my lan and get my VPN ip address. The strange thing is that if I execute a traceroute, it times out as soon as it hits my routers internal ip.

If I set Client 2 to handle all traffic (through merlin), the traceroute executes without missing a hop.

I read some other solutions that call for using IPtables to mark the packets, but I'm not sure how that would translate into a situation with 2 tun adapters up at the same time.

Is anyone doing something similar?

Thanks

 

[RMerlin]

Traceroute is a bad way to test selective routing, since it will access each hop directly.

 

[msalerno]

After further reading, it seems like the issue with the my traceroute was the fact I didn't disable Reverse Path Filtering

http://tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.kernel.rpf.html

 

[RMerlin]

After further reading, it seems like the issue with the my traceroute was the fact I didn't disable Reverse Path Filtering

http://tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.kernel.rpf.html

I always wondered why some OpenVPN routing implementation were disabling that. I chose not to in mine, as I never had any explanation as to why people were disabling it, and what would be the consequences for non VPN related routing.