Menu
What's new
By:
Filters Better Search

RT-AC68U and manual bypass vpn rules - HELP

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

J

jaydee99

Occasional Visitor
Hi,

I've done an openvpn-event and firewall-start files to have specific rules for the VPN.

I want :
- NAS Synology on VPN except for some ports,
- TOR port on VPN for all devices,
- Internet Traffic on NAS to stop if VPN connection drops.

It works well except that when i turn off openvpn connection, traffic is still working on my NAS. I guess the problem is with the firewall-start script. Could you please help ?

Here is what i did (using a script found on a forum):

For openvpn-event :

#!/bin/sh

Sleep 2

logger -t "($(basename $0))" $$ ExpressVPN Selective Customization Starting... " $0${*:+ $*}."
DiskStation="192.168.0.2"
ByPassPortList="5000,5001,5100,5101,5005,5006,5010,6690,8001,8801,7101,7001"
VPNPortList="9150"

for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
echo 0 > $i
done

ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING

tun_if="tun11"

ip route show table main | grep -Ev ^default | grep -Ev $tun_if \
| while read ROUTE ; do
ip route add table 100 $ROUTE
logger -t "($(basename $0))" $$ ExpressVPN Table 100 added entry: $ROUTE
done

ip route add default table 100 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 100
ip route flush cache

iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1

logger -t "($(basename $0))" $$ Selective customisation for: DiskStation

iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range $DiskStation -j MARK --set-mark 0
logger -t "($(basename $0))" $$ Routing ports to bypass VPN on all Devices:

iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --port $ByPassPortList -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --port $VPNPortList -j MARK --set-mark 0

logger -t "($(basename $0))" $$ ExpressVPN Selective Customization completed.

exit 1

For firewall-start :

ByPassPortList="5000,5001,5100,5101,5005,5006,5010,6690,8001,8801,7101,7001"
iptables -I FORWARD -i br0 -s 192.168.0.2 -o eth0 -j DROP
iptables -I FORWARD -i br0 -s 192.168.0.2 -o eth0 -p tcp -m multiport --port $ByPassPortList -j ACCEPT


Thanx !!
 
Isn't this just a question of the order you are putting them in? ... i thought iptables entries were checked from top to bottom. In this case the first entry in your NAT table marks every packet on br0 and marks it with a 1 ... every packet will get routed by the default table 100 .... errrr... i think :D
 
jaydee99 said:
Thanx for your help.

Any ideas of what i should do to get what i want ?
Click to expand...
Is there any reason you don't want to use the policy rules built into the openVPN client in the Merlin firmware....i think it should be able to do what you want without all that mucking around with IPtables
 
Just a reminder to everyone that the base firmware also uses iptables marks....QoS, CTF bypass to name a few. You need to make sure marking you are doing doesn't conflict. I'm also working on some traditional QoS enhancements that enables some marking in the code that is currently not being used. So if you are doing custom marks, I would suggest NOT using bits in the following bitmasks.....

Anything in 0x1ff (reserved for QoS, CTF)

0x3000 (Another project I am working on to provide VPN port/ipset routing similar to what is trying to be accomplished here). For this case I'd suggest using mark 0x1000 for VPN bypass, 0x2000 for VPN force as a standard.

0x8000 - Used by Merlin NAT loopback
 
Last edited:
john9527 said:
Just a reminder to everyone that the base firmware also uses iptables marks....QoS, CTF bypass to name a few. You need to make sure marking you are doing doesn't conflict. I'm also working on some traditional QoS enhancements that enables some marking in the code that is currently not being used. So if you are doing custom marks, I would suggest NOT using bits in the following bitmasks.....

Anything in 0x1ff (reserved for QoS, CTF)

0x3000 (Another project I am working on to provide VPN port/ipset routing similar to what is trying to be accomplished here). For this case I'd suggest using mark 0x1000 for VPN bypass, 0x2000 for VPN force as a standard.

0x8000 - Used by Merlin NAT loopback
Click to expand...
Could you give a usage example how to use the mask with a custom mark?.....fwmarkmask?
 
tomsk said:
Could you give a usage example how to use the mask with a custom mark?.....fwmarkmask?
Click to expand...
Sure......Using the VPN Bypass as an example, change

... -j MARK --set-mark 1

to

...-j MARK --set-mark 0x1000/0x3000

In this case, the mask 0x3000 says to clear the bits that are specified in the mask, then OR the resulting mark with the specified mark value, 0x1000. So it clears both the VPN bypass and force bits, then sets the bypass bit while still preserving the rest of the mark.

In the case where you don't specify a mask, a mask of 0xffffffff is applied, so the entire mark is cleared, then the mark value you specify is set.
 
Thank you guys, your help is really appreciated.

I'm sorry to ask this but i really suck in networking : how would you change my openvpn-event script with what you just said to make it work please ?

It now looks like this and still doesn't stop traffic when vpn is down...

<code>

#!/bin/sh

# Script to route traffic from home network through VPN selectively.
# Based off the discussion at http://www.smallnetbuilder.com/forums/showthread.php?t=9311
# The setup is a Roku box, a Home PC running Plex, and a Synology NAS with a torrent client running a web interface.
# The aim is to have all traffic from Roku go through the VPN, all traffic from the Home PC (and all other devices) bypassing the VPN,
# and the Synology NAS using the VPN. There are however some exceptions. Since Plex uses port 32400, Roku has to bypass the VPN when
# using that port. In addition, port 9091 has to bypass the VPN as well in order to access the Synology torrent client. Lastly, ports 5000
# and 5001 has to bypass the VPN for the Synology Management UI.
#
# Requirements: Asuswrt-Merlin with OpenVPN already set up

logger -t "($(basename $0))" $$ ExpressVPN Selective Customization Starting... " $0${*:+ $*}."

Synology_NAS="192.168.0.2"

# SHELL COMMANDS FOR MAINTENANCE.
# DO NOT UNCOMMENT, THESE ARE INTENDED TO BE USED IN A SHELL COMMAND LINE
#
# List Contents by line number
# iptables -L PREROUTING -t mangle -n --line-numbers
#
# Delete rules from mangle by line number
# iptables -D PREROUTING type-line-number-here -t mangle
#
# To list the current rules on the router, issue the command:
# iptables -t mangle -L PREROUTING
#
# Flush/reset all the rules to default by issuing the command:
# iptables -t mangle -F PREROUTING

#
# Disable Reverse Path Filtering on all current and future network interfaces:
#
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
echo 0 > $i
done

#
# Delete table 100 and flush any existing rules if they exist.
#
ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING

#
# Copy all non-default and non-VPN related routes from the main table into table 100.
# Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1"
#
tun_if="tun11"

ip route show table main | grep -Ev ^default | grep -Ev $tun_if \
| while read ROUTE ; do
ip route add table 100 $ROUTE
logger -t "($(basename $0))" $$ ExpressVPN Table 100 added entry: $ROUTE
done

ip route add default table 100 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 100
ip route flush cache

# By default all traffic bypasses the VPN
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1

logger -t "($(basename $0))" $$ Selective customisation for: "$"Synology_NAS $Synology_NAS
# By default Synology uses the VPN, and FORCES the use of the VPN tunnel except for port 9091, 5000 and 5001
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range $Synology_NAS -j MARK --set-mark 0
iptables -I FORWARD -i br0 -s $Synology_NAS -o eth0 -j DROP
iptables -I FORWARD -i br0 -s $Synology_NAS -o eth0 -p tcp -m multiport --port 9091,5000,5001 -j ACCEPT

# Ports 22 (SSH), 9091 (Torrent RPC/WebUI) and 32400 (Plex) will bypass the VPN
iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --port 22,9091,5000,5001 -j MARK --set-mark 1

logger -t "($(basename $0))" $$ ExpressVPN Selective Customization completed.

</code>
 
Ok i did it ! It finally works. I changes the 2 lines "iptables - I FORWARD -o eth0" with "iptables -I FORWARD ! -o tun11" and it's perfect, i don't really understand why...

Here's the final script that works :


logger -t "($(basename $0))" $$ ExpressVPN Selective Customization Starting... " $0${*:+ $*}."

Synology_NAS="192.168.0.2"


for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
echo 0 > $i
done

ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING

tun_if="tun11"

ip route show table main | grep -Ev ^default | grep -Ev $tun_if \
| while read ROUTE ; do
ip route add table 100 $ROUTE
logger -t "($(basename $0))" $$ ExpressVPN Table 100 added entry: $ROUTE
done

ip route add default table 100 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 100
ip route flush cache


# By default all traffic bypasses the VPN
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1

logger -t "($(basename $0))" $$ Selective customisation for: "$"Synology_NAS $Synology_NAS
# By default Synology uses the VPN, and FORCES the use of the VPN tunnel except for port 9091, 5000 and 5001
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range $Synology_NAS -j MARK --set-mark 0
iptables -I FORWARD ! -o tun11 -s $Synology_NAS -j DROP
iptables -I FORWARD ! -o tun11 -s $Synology_NAS -p tcp -m multiport --port 5000,5001 -j ACCEPT

# Ports 22 (SSH), 9091 (Torrent RPC/WebUI) and 32400 (Plex) will bypass the VPN
iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --port 22,5000,5001 -j MARK --set-mark 1

logger -t "($(basename $0))" $$ ExpressVPN Selective Customization completed.
 
You must log in or register to reply here.

Similar threads

A
Policy-based port routing to bypass NordVPN client
Replies
10
Views
2K
Don->
D
GShlomi
Sharing my DualWan with port forwarding and DDNS experience
Replies
0
Views
413
GShlomi
GShlomi
deefour
Forcing device-specific port-range through VPN
Replies
9
Views
964
ZebMcKayhan
Z
grogi
Issue 386.7_2: iptables rules created by VPN Director get lost
Replies
8
Views
2K
eibgrad
eibgrad
kevinkey619
Route only specific ports and hosts via VPN. All other traffic via WAN. (Asuswrt-Merlin)
Replies
0
Views
1K
kevinkey619
kevinkey619
Similar threads
Thread starter Title Forum Replies Date
C DSL-AC68U - Configuration panels on GUI have disappeared Asuswrt-Merlin 1
David Cavalli RT-AX88U Pro installation from RT-AC68U config files Asuswrt-Merlin 12
M AC68U - RTL2832U and Entware Asuswrt-Merlin 5
bl4ckjupiter AC68u Kernel Update Asuswrt-Merlin 13
P WPS functionality RT-AC68U Asuswrt-Merlin 20
D RT-AC68U 13.2 update fails almost immediately... Asuswrt-Merlin 3
brocellous RT-AC68U 802.11 DSCP QoS issue? Asuswrt-Merlin 3
H changed AC68U to AX86U Pro, same guest network setting but all devices gone? Asuswrt-Merlin 11
S Help Required AC68U (TM-AC1900) troubleshooting after power outage Asuswrt-Merlin 3
A Help Required Upgrading AC68U from Stock FW to Merlin Please? Asuswrt-Merlin 15

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Staff online

Members online

Total: 821 (members: 41, guests: 780)
Top