What's new

Selective Routing with Asuswrt-Merlin

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

I've changed the vpn_route_up script and made it so it only has lines pertinent to table 10 and table 14, however when I run ip route show table 14 I get nothing, so I'm not sure where it happens but table 14 is not getting populated whereas table 10 is.

You have a typo

Code:
ip route add default via tun_ips dev tun12 table 14

should be

Code:
ip route add default via $tun_ips dev tun12 table 14
 
Ok

This seems to be working, at least when I check devices within tun11 and tun12 ip range they are reporting to be from the server area I'm connected to, however I'm curious why in the OpenVpn Status page on the gui client 2 basically says its not sending or receiving any data. TUN/TAP read and write TCP/UDP read and write are all reporting 0 for tun12 whereas tun11 reports much much higher numbers, connectivity is available so its not for some reason reporting to the OpenVPN status Client 2 ???
 
This seems to be working, at least when I check devices within tun11 and tun12 ip range they are reporting to be from the server area I'm connected to, however I'm curious why in the OpenVpn Status page on the gui client 2 basically says its not sending or receiving any data. TUN/TAP read and write TCP/UDP read and write are all reporting 0 for tun12 whereas tun11 reports much much higher numbers, connectivity is available so its not for some reason reporting to the OpenVPN status Client 2 ???

Use of the IPTables commands from my earlier post should allow you to see if there are packets being tracked for tun11 and tun12.

You could try reversing the two VPN client configurations, or simply stop tun11 to see if clients routed via tun12 still work whilst again checking the TUN GUI figures against the IPTables statistics.

If physically your VPN clients are indeed being correctly routed then maybe you can also check with your VPN provider to see if they have internal traffic statistics?

I just started both VPN clients on my router and attached a screenshot:




Regards,
 

Attachments

  • 2014-10-04_08-40-03.jpg
    2014-10-04_08-40-03.jpg
    55.7 KB · Views: 582
Last edited:
Tagging OK, but no outgoing traffic

Hello,

I have an nzbget client running in a dedicated machine in my LAN, which is configured to use one of the Usenet news servers over nntps (snews, that is, port 563). Without selectively routing traffic from this machine thru an IPVanish VPN, everything works like a charm.

Now, as many of you, I'd like to configure my router (AC66U running latest Merlin firmware) to redirect snews traffic originating from my machine to my IPVanish VPN that is up and running, and let all other traffic going thru my regular WAN interface. To this end, I have used the same approach as post #163. Extract from script:

Code:
#!/bin/sh

ip route flush table 10
ip route del default table 10
ip rule del fwmark 10 table 10
ip route flush cache
iptables -t mangle -F PREROUTING

tun_if="tun11"
tun_ip=$(ifconfig $tun_if | grep 'inet addr:'| cut -d: -f2 | awk '{ print $1}')

ip route add default via $tun_ip dev $tun_if table 10
ip rule add fwmark 10 table 10

echo 0 > /proc/sys/net/ipv4/conf/$tun_if/rp_filter

iptables -t mangle -A PREROUTING -i br0 -p tcp --dport nntp -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -i br0 -p tcp --dport snews -j MARK --set-mark 10

Dump of my VPN custom configuration is shown in attachment #1:
2014-10-05 15_07_53-ASUS Wireless Router RT-AC66U - OpenVPN Client Settings.png

When I start my nzbclient, I can see on my ASUS that traffic going to port 563 is correctly tagged:
2014-10-05 15_15_55-192.168.1.1 - PuTTY.jpg

However, no data collected from nzbget:
2014-10-05 15_17_14-NZBGet.png

And lots of dropped packets.
Now, if I delete the routing table 10 (ip route del table 10), nzbget works again.

I am a bit lost... What am I missing here? Is there another rule I should configure in my firewall to accept traffic back from the VPN, or something similar?
Thanks for your tips!

Fred
 
Last edited:
oddly enough

oddly enough, today it started reporting the statistics normally for both tun11 and tun12, not sure what happened as I didn't change anything in the settings.
 
I made a new thread the other day thinking this was different, but I afterwards that it would be more appropriate to post my questions here. I will post my solution in my other thread when it's complete so it's not abandoned.

I am running an Asus RT-N66U with Merlin 376.47. I have the OpenVPN client set for my PIA account and everything works fine. I use Asus's dyndns for the WAN address.

I want all internet traffic going through the VPN. This appears to be working at this point. I want a few ports to go through the WAN and be forwarded for remote administration. My problem is that the open ports do not appear to be forwarding.

I have the following lines in the custom configuration for the OpenVPN. The last 3 were added to support the selective routing while the ones above that were for the PIA setup.
Code:
persist-key
persist-tun
tls-client
comp-lzo
verb 1
route-nopull
script-security 2
route-up /jffs/scripts/vpn_route_up.sh

My vpn_route_up.sh file is as shown here.
Code:
#!/bin/sh

touch /tmp/000vpn_route_up.ran
logger -t "($(basename $0))" $$ "Starting vpn_route_up.sh"

ip route flush table 10
ip rule del table 10
ip rule del fwmark 10 table 10
ip route flush table 12
ip rule del table 12
ip rule del fwmark 12 table 12
ip route flush cache
iptables -t mangle -F PREROUTING

tun_if="tun11"
tun_ip=$(ifconfig $tun_if | grep 'inet addr:'| cut -d: -f2 | awk '{ print $1}')

logger -t "($(basename $0))" $$ "CMD: ip route add default via $tun_ip dev $tun_if table 10"
logger -t "($(basename $0))" $$ "CMD: ip route add default via $(nvram get wan_gateway) dev eth0 table 12"

ip route add default via $tun_ip dev $tun_if table 10
ip rule add fwmark 10 table 10
ip route add default via $(nvram get wan0_gateway) dev eth0 table 12
ip rule add fwmark 12 table 12

echo 0 > /proc/sys/net/ipv4/conf/$tun_if/rp_filter

iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.2-192.168.1.254 -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -i br0 -p tcp --dport 22 -j MARK --set-mark 12
iptables -t mangle -A PREROUTING -i br0 -p tcp --dport 3389 -j MARK --set-mark 12
iptables -t mangle -A PREROUTING -i br0 -p tcp --dport 8080 -j MARK --set-mark 12
iptables -t mangle -A PREROUTING -i br0 -p tcp --dport 8081 -j MARK --set-mark 12
iptables -t mangle -A PREROUTING -i br0 -p tcp --dport 8082 -j MARK --set-mark 12
iptables -t mangle -A PREROUTING -i br0 -p tcp --dport 8083 -j MARK --set-mark 12
iptables -t mangle -A PREROUTING -i br0 -p tcp --dport 8084 -j MARK --set-mark 12
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 3389 -j DNAT --to 192.168.1.2:3389
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 8081 -j DNAT --to 192.168.1.2:8081
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 8082 -j DNAT --to 192.168.1.2:8082
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 8083 -j DNAT --to 192.168.1.2:8083
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 8084 -j DNAT --to 192.168.1.2:8084
iptables -A FORWARD -p tcp -d 192.168.1.2 --dport 3389 -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.1.2 --dport 8081 -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.1.2 --dport 8082 -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.1.2 --dport 8083 -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.1.2 --dport 8084 -j ACCEPT

exit

Originally, I didn't have anything after the last line ending in mark 12. The main routing was working, but I was still unable to access the needed ports remotely. I added these two lines and I think the port started forwarding properly.

Code:
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 8081 -j DNAT --to 192.168.1.2:8081
iptables -A FORWARD -p tcp -d 192.168.1.2 --dport 8081 -j ACCEPT

I added the lines for the other ports but no of the ports are now accessible remotely except 8080 which obviously isn't forwarded. Running an online port scanner shows the ports are closed.

Any suggestions to fix this script? Also, can something be added to cut off internet access to 192.168.1.2 if the vpn goes down?
 
Last edited:
I made a new thread the other day thinking this was different, but I afterwards that it would be more appropriate to post my questions here. I will post my solution in my other thread when it's complete so it's not abandoned.

...

Any suggestions to fix this script? Also, can something be added to cut off internet access to 192.168.1.2 if the vpn goes down?

I finally figured this out. I don't understand enough to explain anything to other noobs like myself, but I'll share my code in case it helps. I had to change the dport to sport for my port forwarding to work correctly. For those like me (at least yesterday) that don't already know, this is changing from destination port to the source port. The ports that are forwarded to the router (unsure if needed but it solved someone else's problem and was easy to add just in case), I left as dport because they were already working. Here is my new vpn_route_up.sh file.

Code:
#!/bin/sh

touch /tmp/000vpn_route_up.ran
logger -t "($(basename $0))" $$ "Starting vpn_route_up.sh"
echo "($(basename $0))" $$ "Starting vpn_route_up.sh"

ip route flush table 10
ip rule del table 10
ip rule del fwmark 10 table 10
ip route flush table 12
ip rule del table 12
ip rule del fwmark 12 table 12
ip route flush cache
iptables -t mangle -F PREROUTING

echo "($(basename $0))" $$ "RTNETLINK errors are from deleting tables that don't exist yet and can be ignored."

tun_if="tun11"
tun_ip=$(ifconfig $tun_if | grep 'inet addr:'| cut -d: -f2 | awk '{ print $1}')

logger -t "($(basename $0))" $$ "CMD: ip route add default via $tun_ip dev $tun_if table 10"
logger -t "($(basename $0))" $$ "CMD: ip route add default via $(nvram get wan_gateway) dev eth0 table 12"

ip route add default via $tun_ip dev $tun_if table 10
ip rule add fwmark 10 table 10
ip route add default via $(nvram get wan0_gateway) dev eth0 table 12
ip rule add fwmark 12 table 12

echo 0 > /proc/sys/net/ipv4/conf/$tun_if/rp_filter

iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.2-192.168.1.254 -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -i br0 -p tcp --dport 22 -j MARK --set-mark 12
iptables -t mangle -A PREROUTING -i br0 -p tcp --sport 3389 -j MARK --set-mark 12
iptables -t mangle -A PREROUTING -i br0 -p tcp --dport 8080 -j MARK --set-mark 12
iptables -t mangle -A PREROUTING -i br0 -p tcp --sport 8081 -j MARK --set-mark 12
iptables -t mangle -A PREROUTING -i br0 -p tcp --sport 8082 -j MARK --set-mark 12
iptables -t mangle -A PREROUTING -i br0 -p tcp --sport 8083 -j MARK --set-mark 12
iptables -t mangle -A PREROUTING -i br0 -p tcp --sport 8084 -j MARK --set-mark 12
iptables -t mangle -A PREROUTING -i br0 -p tcp --dport 8443 -j MARK --set-mark 12

exit

I still need to stop internet access to a specific server if the vpn drops. The suggestions I've tried have resulted in the server not having access even when the VPN is up. Any suggestions where to put this?

I would also like to know if it's possible to get an email when OpenVPN drops? I can follow the wiki posts that describe how to script the email, but I don't know what event to start the script with.
 
Dual wan and VPN bonding

Hello everyone,

I have been successfully using the selective routing script for months thanks to the awesomeness of is thread.

In my search for troubles, I have enabled dual WAN on my AC56U and set rules using the GUI to split my private IPs between primary WAN and Secondary WAN, 192.168.1.1/25 and 192.168.1.128/25 respectively.

The VPN is established and I believe is connecting through the main WAN (wan0)

The selective routing script runs to route range 192.168.1.80-192.168.1.120 through the VPN tunnel.

At the end, this configuration seems to work very well.

However, if the main WAN (wan0) goes down the VPN is dropped and re-initiated, only this time the VPN is connected through the secondary WAN (wan1), which is not desired. In fact this route will be in conflict with the dual wan routing rules, and yet the route still works but with a big drop in bandwith though.

Is there a way to prevent this behavior?
Can the tun_if be bonded to wan0? :confused:

I would appreciate any guidance and related comments.

Thank you all in advanced.
 
I finally figured this out. I don't understand enough to explain anything to other noobs like myself, but I'll share my code in case it helps. I had to change the dport to sport for my port forwarding to work correctly. For those like me (at least yesterday) that don't already know, this is changing from destination port to the source port. The ports that are forwarded to the router (unsure if needed but it solved someone else's problem and was easy to add just in case), I left as dport because they were already working. Here is my new vpn_route_up.sh file.

Code:
#!/bin/sh

touch /tmp/000vpn_route_up.ran
logger -t "($(basename $0))" $$ "Starting vpn_route_up.sh"
echo "($(basename $0))" $$ "Starting vpn_route_up.sh"

ip route flush table 10
ip rule del table 10
ip rule del fwmark 10 table 10
ip route flush table 12
ip rule del table 12
ip rule del fwmark 12 table 12
ip route flush cache
iptables -t mangle -F PREROUTING

echo "($(basename $0))" $$ "RTNETLINK errors are from deleting tables that don't exist yet and can be ignored."

tun_if="tun11"
tun_ip=$(ifconfig $tun_if | grep 'inet addr:'| cut -d: -f2 | awk '{ print $1}')

logger -t "($(basename $0))" $$ "CMD: ip route add default via $tun_ip dev $tun_if table 10"
logger -t "($(basename $0))" $$ "CMD: ip route add default via $(nvram get wan_gateway) dev eth0 table 12"

ip route add default via $tun_ip dev $tun_if table 10
ip rule add fwmark 10 table 10
ip route add default via $(nvram get wan0_gateway) dev eth0 table 12
ip rule add fwmark 12 table 12

echo 0 > /proc/sys/net/ipv4/conf/$tun_if/rp_filter

iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.2-192.168.1.254 -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -i br0 -p tcp --dport 22 -j MARK --set-mark 12
iptables -t mangle -A PREROUTING -i br0 -p tcp --sport 3389 -j MARK --set-mark 12
iptables -t mangle -A PREROUTING -i br0 -p tcp --dport 8080 -j MARK --set-mark 12
iptables -t mangle -A PREROUTING -i br0 -p tcp --sport 8081 -j MARK --set-mark 12
iptables -t mangle -A PREROUTING -i br0 -p tcp --sport 8082 -j MARK --set-mark 12
iptables -t mangle -A PREROUTING -i br0 -p tcp --sport 8083 -j MARK --set-mark 12
iptables -t mangle -A PREROUTING -i br0 -p tcp --sport 8084 -j MARK --set-mark 12
iptables -t mangle -A PREROUTING -i br0 -p tcp --dport 8443 -j MARK --set-mark 12

exit

I still need to stop internet access to a specific server if the vpn drops. The suggestions I've tried have resulted in the server not having access even when the VPN is up. Any suggestions where to put this?

I would also like to know if it's possible to get an email when OpenVPN drops? I can follow the wiki posts that describe how to script the email, but I don't know what event to start the script with.
HI I would like to thank you for posting your script, I can now acess my router services Including my vpn server from WAN thanks to you!
Once again many thanks.
 
I was wondering if anyone in this thread could help me with a script to solve my problem. From reading through the thread what I want is very similar but just in regards to dual wan and not vpn.

I have dual wan enabled (but not OpenVPN).
My primary PC uses the primary wan, all other computers on the network use the secondary wan. This is configured on a per IP basis using the routing section under Dual Wan in Merlin's latest firmware.

I would like to forward specific port ranges from my primary computer to use the secondary wan instead so I can have steam downloads / windows update etc running without affecting performance of the primary wan.

Thanks!

EDIT: Here's what I have so far... I'm very much a novice at this. I wanted to try forwarding port 80 and testing an http download in chrome as a test before i tackled more advanced things like steam... but I'm not having any luck yet. Where am I going wrong? Big thanks to the previous posters for the useful scripts!

Code:
#!/bin/sh

#Run script when wan connected?
touch /tmp/000wanstarted

#Unsure what this does...
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
echo 0 > $i
done

#Flush our temp route table
ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING

#Add route to second gateway
ip route add default table 100 via $(nvram get wan1_gateway)
ip rule add fwmark 1 table 100
ip route flush cache

#Default all traffic ignores route
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1

#This port range gets routed
iptables -t mangle -A PREROUTING -i br0 -p tcp --dport 80 -j MARK --set-mark 0
#iptables -t mangle -A PREROUTING -i br0 -p tcp --dport 443 -j MARK --set-mark 0
#iptables -t mangle -A PREROUTING -i br0 -p tcp --dport 8080 -j MARK --set-mark 0
#iptables -t mangle -A PREROUTING -i br0 -p tcp --dport 8443 -j MARK --set-mark 0
#iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --sport 38000,39999 -j MARK --set-mark 0

exit 0

EDIT: Actually the following seems to be working... am I on the right track?
Code:
#!/bin/sh

ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING

ip rule add fwmark 1 table 100 via $(nvram get wan1_gateway)
ip route flush cache

iptables -t mangle -A PREROUTING -p tcp -i br0 -m multiport --sports 80,20,21,443,8080,8443 -d 192.168.1.2 -j MARK --set-mark 1
 
Last edited:
Hi Guys,

I have a small problem that maybe one of the more in tune posters could help me with if you would be so kind.

I have had selected routing up and running for some time now but it recently seems to have stopped for some reason. That's if I'm reading the log correctly

How can I post my code and logs so they're scrollable?

Thanks hosh
 
Here is the original script. This adding 1 table script is more reliable than adding 2 tables script that was recently introduced. It also doesn't require route-nopull.

Note that some ppl are having problems with firewall marks because they are in hex (1 = 0x01, 10 = 0x0A) and not decimal.

Code:
#!/bin/sh
#
# This code goes in /jffs/scripts/openvpn-event in Merlin.
#
# Original code at http://www.linksysinfo.org/index.php?threads/route-only-specific-ports-through-vpn-openvpn.37240/#post-205781
#
# First it is necessary to disable Reverse Path Filtering on all
# current and future network interfaces:
#
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
  echo 0 > $i
done
 
#
# Delete and table 100 and flush any existing rules if they exist.
#
ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING
 
#
# Copy all non-default and non-VPN related routes from the main table into table 100.
# Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1"
#
# NOTE: Here I assume the OpenVPN tunnel is named "tun11".
#
#
ip route show table main | grep -Ev ^default | grep -Ev tun11 \
  | while read ROUTE ; do
      ip route add table 100 $ROUTE
done
ip route add default table 100 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 100
ip route flush cache
 
 
#
# Define the routing policies for the traffic. The rules will be applied in the order that they
# are listed. In the end, packets with MARK set to "0" will go through the VPN. If MARK is set
# to "1" it will bypass the VPN.
#
# EXAMPLES:
#
#  All LAN traffic will bypass the VPN (Useful to put this rule first, so all traffic bypasses the VPN and you can configure exceptions afterwards)
#    iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1

#  Ports 80 and 443 will bypass the VPN
iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dports 80,443 -j MARK --set-mark 1

#  All traffic from a particular computer on the LAN will use the VPN
#    iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.2 -j MARK --set-mark 0

#  All traffic to a specific Internet IP address will use the VPN
#    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 216.146.38.70 -j MARK --set-mark 0

#  All UDP and ICMP traffic will bypass the VPN
#    iptables -t mangle -A PREROUTING -i br0 -p udp -j MARK --set-mark 1
#    iptables -t mangle -A PREROUTING -i br0 -p icmp -j MARK --set-mark 1
 
 
# By default all traffic bypasses the VPN
#    iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1


I'm more interested in routing with both vpn clients working. Has anyone successfully routed with both tun11 and tun12 up?
Edit: got vpn clients working on their own wireless ssid's. http://www.smallnetbuilder.com/forums/showpost.php?p=150098&postcount=22
 
Last edited:
Well after many hours of gining around I have selective routing setup and running on a rt-68u. I only have one issue now.

When I check or refresh Statistics in the running client tab I get this error, (event_wait : Interrupted system call (code=4)) before the stats are listed. I might add the VPN stays up, doesn't drop any connections and reports the correct stats.

My openvpn script is

#!/bin/sh


sleep 2

touch /tmp/000openvpn-event,ran


logger -t "($(basename $0))" $$ "Startin openvpn-event.sh"
echo "($(basename $0))" $$ "Starting openvpn-event.sh"


#US VPN

#
# Delete and table 10 and flush any existing rules if they exist.
#
ip route flush table 10
ip rule del table 10
ip rule del fwmark 10 table 10
ip route flush table 12
ip rule del table 12
ip rule del fwmark 12 table 12
ip route flush cache
iptables -t mangle -F PREROUTING

echo "($(basename $0))" $$ "RTNETLINK errors are from deleting tables that don't exist yet and can be ignored."



#
# Copy all non-default and non-VPN related routes from the main table into table 100.
# Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1"
#
# NOTE: Here I assume the OpenVPN tunnel is named "tun11".
#
#
tun_if="tun11"
tun_ip=$(ifconfig $tun_if | grep 'inet addr:'| cut -d: -f2 | awk '{ print $1}')

logger -t "($(basename $0))" $$ "CMD: ip route add default via $tun_ip dev $tun_if table 10"
logger -t "($(basename $0))" $$ "CMD: ip route add default via $(nvram get wan_gateway) dev eth0 table 12"

ip route add default via $tun_ip dev $tun_if table 10
ip rule add fwmark 10 table 10
ip route add default via $(nvram get wan0_gateway) dev eth0 table 12
ip rule add fwmark 12 table 12

echo 0 > /proc/sys/net/ipv4/conf/$tun_if/rp_filter



#
# Define the routing policies for the traffic. The rules will be applied in the order that they
# are listed. In the end, packets with MARK set to "0" will pass through the VPN. If MARK is set
# to "1" it will bypass the VPN.
#




# All LAN traffic will bypass the VPN (Useful to put this rule first, so all traffic bypasses the VPN and you can # configure exceptions afterwards)

iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1


# All traffic from Qnap will use VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range xxx.xxx.x.xxx -j MARK --set-mark 10


# All traffic from Mede8er will use the VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range xxx.xxx.x.xxx -j MARK --set-mark 10



exit 0


My custom config is

persist-key
persist-tun
tls-client
comp-lzo
verb 1
route-nopull
script-security 2
route-up /jffs/scripts/openvpn-event.sh


Any help or advice would be greatly appreciated

Sorry about the length of the post. I can't figure out how you guys do the scrolling boxes:confused:
 
Last edited:
How can I post my code and logs so they're scrollable?

Sorry about the length of the post. I can't figure out how you guys do the scrolling boxes:confused:

For the scrolling boxes, use the post reply button and not quick reply. You will see a line to change the text to bold, italic, etc. The last button on this row is a hashtag. Click the hashtag and paste your code between the ["CODE"] and ["/CODE"] boxes. Note that the quotation marks are not used. I put them in this example to keep the code box from being created.
 
I need help to selective route just one device to not use my vpn connection.

It's a raspi with a openvpn server running on it. I gave up trying to run both server and client together on the router. I got the RasPI server running great. I can connect to it from outside if my router vpn client is off. As soon as the routers vpn client connects (PIA) it blocks all incoming connections outside. Someone posted earlier of of trying to reach his plex server from the outside, but was having issues. I want to do the similar.

My local network is @ 192.168.44.0/24, the raspi device I want to not use the vpn connection is @ 192.168.44.200.

I think if I re-read this awesome topic 20 more times I might get half of it because I am amateur. Anybody know what script I should use, I think there is more then a couple on this thread.
 
Hello !

I've read this topic a lot of time and it makes me understand a lot of things about what I want to do and how to do it.

I'm a total amateur in networking, so I'm just self-learning it as I'm using it.

Anyway here is my setup and what I want to achieve (and what I already achived) :

1 Fritzbox (router+modem) from my ISP connected from ethernet port 1 to WAN port Asus RT-N66U (router) installed with ASUSWRT-Merlin (RT-N66U_3.0.0.4_376.48_1)

Asus Router Wan port is configured in the Fritzbox network (192.168.0.0/24)
DHCP activated on 192.168.1.1/24) I actually don't care if the first network can't communicate with the second one.. The job of the fritzbox is just to give Internet to the router.

Ok so, I'm French and live in Germany with an English speaker Girlfriend - I know you don't care, it's just a nice introduction to what come next :)

-I want to watch French TV through a French VPN (setup in Asus gui as OPENVPN using interface tun11)

-With my girlfriend we watch Netflix/Hulu through an American VPN (setup in Asus gui as OPENVPN using interface tun12)

As in front of the TV it's not something easy/nice to go on a computer open a SSH session or whatever and change the VPN mode, I was interested in selective routing with 2 VPN running and the possibility of using 1 wifi SSID for VPN1 and a second wifi SSID for VPN2.

What I actually managed to get is :

Setup the 2 VPN, all network bypass the VPN by default and the devices in a specific IP range go on the VPN2 (those are DHCP reservation)

Playing in a SSH console allow me to easily place a Mark on interface BR0 or my IP range to switch the full traffic to ISP, VPN1 or VPN2.

Here is the actual code working :

Code:
#!/bin/sh

# This script goes in /jffs/scripts/vpn-route-up.sh

# Add the following to the OpenVPN configs
# route-nopull (Don't accept routes from server)
# route-up /jffs/scripts/vpn-route-up.sh

#Flush of all existing rules and marks
ip route flush table 10
ip route del default table 10
ip rule del fwmark 10 table 10
ip route flush table 12
ip route del default table 12
ip rule del fwmark 12 table 12
ip route flush table 14
ip route del default table 14
ip rule del fwmark 14 table 14

ip route flush cache
iptables -t mangle -F PREROUTING

tun_if="tun11"
tun_ifs="tun12"
tun_ip=$(ifconfig $tun_if | grep 'inet addr:'| cut -d: -f2 | awk '{ print $1}')
tun_ips=$(ifconfig $tun_if | grep 'inet addr:'| cut -d: -f2 | awk '{ print $1}')

ip route add default via $(nvram get wan_gateway) dev eth0 table 10
ip rule add fwmark 10 table 10
ip route add default via $tun_ip dev $tun_if table 12
ip rule add fwmark 12 table 12
ip route add default via $tun_ips dev $tun_ifs table 14
ip rule add fwmark 14 table 14

echo 0 > /proc/sys/net/ipv4/conf/$tun_if/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/$tun_ifs/rp_filter

#Set all traffic to bypass VPN
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 10

#Set specific IP range traffic to go through USA VPN tun12
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.150-192.168.1.199 -j MARK --set-mark 14

exit

In my environment all my Ethernet network is in the ISP traffic. My IPAD and Chromecast are fixed IP with the DHCP reservation.

What I tried to achive was to setup a total of 3 DHCP scopes, the normal one and 1 for wl0.1 interface and one for 5Ghz wifi (eth02 I guess?)

But I'm quite sure it's impossible to do so. I tried first with wl0.1 - Put it out of br0, setup an IP and add the DHCP for it in dnsmasq.conf (even dnsmasq.conf.add with a reboot of course)

Is there a way to do what I would like ?

Is there any way to put the WIFI interface out of the grouped interface? and then get a dhcp scope for each ones so I can easily use the selective routes ?

I don't mind at all the my WIFI SSID 1, 2 and regular lan network can't communicate between each other.

Thank you by advance, and if something is not clear or if I forgot to give you an important information, just ask me :)
 
Re-reading this thread a few times, I got what I needed, well mostly. I still have one issue, its not a deal breaker though.
Here is my script I used to access a openvpn server running on my home network while the router is routing everything except that raspi/port 1194 through the a vpn (pia). I am double NAT'd so I have port forwarding setup on both routers.

On the web GUI of router:

Redirect Internet traffic-NO
Custom Config box (added)-
route-nopull
script-security 2
route-up /jffs/scripts/vpn_route_up.sh

vpn_route_up.sh
Code:
#!/bin/sh
ip route flush table 10
ip route del default table 10
ip rule del fwmark 10 table 10
ip route flush table 12
ip route del default table 12
ip rule del fwmark 12 table 12
ip route flush cache
iptables -t mangle -F PREROUTING

tun_if="tun11"
tun_ip=$(ifconfig $tun_if | grep 'inet addr:'| cut -d: -f2 | awk '{ print $1}')

ip route add default via $tun_ip dev $tun_if table 10
ip rule add fwmark 10 table 10
ip route add default via $(nvram get wan0_gateway) dev eth0 table 12
ip rule add fwmark 12 table 12

echo 0 > /proc/sys/net/ipv4/conf/$tun_if/rp_filter

iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.44.99-192.168.44.199 -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -i br0 -s 192.168.44.200 -p udp --dport 1194 -j MARK --set-mark 12
exit
Don't forget to: chmod a+rx /jffs/scripts/vpn_route_up.sh

The raspi (my home server, etc... is @ 192.168.44.200. So far I can now access it from outside using the ip address of the isp modem (first NAT). yeah!
Only one issue I have now is I can not access the isp/modem config page @ 192.168.101.1 anymore. I have to turn off the router's vpn client to get access again. Haven't tested this all out thoroughly, but it seems to be working.
To test the pi (ssh) I used:
Code:
curl -s checkip.dyndns.org|sed -e 's/.*Current IP Address://' -e 's/<.*$//'

I am very grateful to the others on this thread for posting their code! If you see a glaring error, let me know because I mostly copy and pasted bits together.
 
Last edited:
Use of a destination flag (-d)

Only one issue I have now is I can not access the isp/modem config page @ 192.168.101.1 anymore. I have to turn off the router's vpn client to get access again.

Try:

iptables -t mangle -A PREROUTING -i br0 -d 192.168.101.1/24 -j MARK --set-mark 12

In theory, this rule should route all request to that network through the WAN instead of the VPN. Let me know howit goes!
 
lol
I need skills like you guys!
Thanks Alfsu, I get the webui of the isp/modem now from inside lan.
 

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top