Selective Routing with Asuswrt-Merlin


Thanks RMerlin for the excellent wiki page
Try this script VPN_Select.sh, and you will need to add the directives

route-nopull
script-security 2
route-up /jffs/scripts/VPN_Select.sh


to the Custom VPN dialog box

#!/bin/sh

MY_VPNTAB=101 # Now read from /jffs/configs/VPNSelect
TAG_MARK=1 # Now read from /jffs/configs/VPNSelect

# Use the OpenVPN environment variables
if [ "X$dev" = "X" ]; then
logger -s -t "($(basename $0))" $$ "*** ERROR not called by VPN Client route-up?...ABORTing!"
exit 1
fi

# Create new table to route VPN traffic when tagged with MARK. (Credit to SmallNetBuilder member DJR747)
# or to be associated with a WiFi Guest SSID.
ip route flush table $MY_VPNTAB
ip rule del fwmark $TAG_MARK
ip rule del table $MY_VPNTAB

ip route flush cache
iptables -t mangle -F PREROUTING

# Disable Reverse Path Filtering on current VPN network interface:
echo 0 > /proc/sys/net/ipv4/conf/$dev/rp_filter

ip route add default via $ifconfig_local dev $dev table $MY_VPNTAB
ip rule add fwmark $TAG_MARK table $MY_VPNTAB

# Everything via VPN except .227
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.2-192.168.1.226 -j MARK --set-mark $TAG_MARK
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.228-192.168.1.254 -j MARK --set-mark $TAG_MARK

Thanks for the help,
but running this script makes everything including the VoIP bypass the VPN.

The VPN is running though.



At the very least, it looks like I am putting the scripts in the right place

System log: http://1drv.ms/1Ai4Lqz

if I remove
route-nopull
script-security 2
route-up /jffs/scripts/VPN_Select.sh


everything goes thru the VPN.

Could this be the cause of the problem?
Feb 17 10:48:04 openvpn[598]: WARNING: Failed running command (--route-up): could not execute external program
 

The log shows that the script did not execute

WARNING: Failed running command (--route-up): could not execute external program

so by default everything goes via the WAN even if the VPN is UP, which for most people is what they want, as they only want to selectively route certain devices via the VPN; but in your case you want the opposite to be true!

Did you use Notepad under Windows to create the file on the router? If you did then this won't work; you will need to use, say, Notepad++ and ensure that the EOL character is set to Unix format, or use WinSCP to open an SCP connection to the router and then cut'n'paste the code into the WinSCP editor window.

Also ensure that the script has 'execute' attributes, and that the 1st line of the script is definitely

#!/bin/sh
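The three conditions named above (shebang, Unix line endings, execute bit) can be checked before OpenVPN ever tries to run the script. This is an added example written for this thread, not code from the thread or from Asuswrt-Merlin; the path in the usage comment is the one used earlier in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Verifies the things that make
# OpenVPN report "could not execute external program" for a route-up
# script: a wrong first line, Windows CRLF line endings, no execute bit.
# Usage: check_router_script /jffs/scripts/VPN_Select.sh

check_router_script() {
    f=$1
    problems=0
    if [ ! -f "$f" ]; then
        echo "$f: file not found"
        return 1
    fi
    # CR bytes mean the file was saved with Windows line endings; the kernel
    # would then look for an interpreter literally named "/bin/sh<CR>".
    cr_count=$(( $(tr -cd '\r' < "$f" | wc -c) + 0 ))
    if [ "$cr_count" -gt 0 ]; then
        echo "$f: $cr_count CR byte(s) found, convert to Unix line endings (Notepad++: EOL = Unix)"
        problems=$((problems + 1))
    fi
    # The first line must be exactly the shebang (compared with any CR removed,
    # so that a CRLF file reports only the line-ending problem above).
    first_line=$(head -n 1 "$f" | tr -d '\r')
    if [ "$first_line" != "#!/bin/sh" ]; then
        echo "$f: first line is '$first_line', expected '#!/bin/sh'"
        problems=$((problems + 1))
    fi
    if [ ! -x "$f" ]; then
        echo "$f: execute bit not set (chmod +x $f)"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# Removes CR bytes in place; writing through "cat >" keeps the file's mode bits.
strip_cr() {
    tr -d '\r' < "$1" > "$1.tmp" && cat "$1.tmp" > "$1" && rm -f "$1.tmp"
}

if [ $# -gt 0 ]; then
    check_router_script "$1" && echo "$1: ok"
fi
```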
 

Thanks, I just downloaded the script you posted, and forgot to remove the extra lines. This works now.

I saw this in another thread, but I can't find it now. If I want to connect to a site without the VPN, can I do that with the current script, or will it get complicated?
 

Simply add the appropriate 'un-tagging' lines for the source/destination I/P address or ports etc.

NOTE: You have elected to send ALL traffic except .227 via the VPN, so must explicitly create an entry to remove the tag for stuff you want to send via the WAN before the last two rules force all but one device via the VPN.

e.g.

# Site xxx.xxx.xxx.xxx via the WAN
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range xxx.xxx.xxx.xxx -j MARK --set-mark 0
# Everything else via VPN except .227
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.2-192.168.1.226 -j MARK --set-mark $TAG_MARK
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.228-192.168.1.254 -j MARK --set-mark $TAG_MARK

P.S. The order of the rules is important so you should define the most explicit rules first if using '-A' or last if using '-I'

Also, remember, iptables work on static I/P addresses when specified, so if you specify say

iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range www.facebook.com -j MARK --set-mark 0

then the rule will not catch every alias I/P address used by Facebook.

Regards,
 
To the best of my knowledge, in order to get the DDNS to work you have 3 options:
1 - add route-nopull, or
2 - add a rule in the script to bypass the DDNS port used for updating:
# Ports 80 and 443 will bypass the VPN
iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 1
# Although if Port 80 is excluded from the VPN then it will always show the local GEO ISP location!

# credit to Martineau for the above. or
3 - ask the VPN client provider to open the port on their side


I added the rule to open ports 80 and 443 to allow my DDNS to work but I still can't get it to work.

Is there a way to test that the script is actually working and that the open ports are in fact opened?

Thanks.
Chris
 
I know that someone had reported that when using 378.50, a previously working selective routing setup no longer works. I suggested that the VPN Client not be started automatically, and that the VPN Client then be started manually to see if there is a timing issue,

i.e. specify, after an appropriate delay, the manual start of the VPN Client in wan-start.

Only differences in the VPN configuration panel: I have 'Accept DNS=DISABLED', which shouldn't affect the ability to perform the selective routing, and I use HMA rather than PIA.

Also I'm not sure how you verify if a device is actually using the VPN?...I use the ip2location webpage.

Not sure if this helps :(


Regards,

Just wanna say that your script is actually working fine, and that it was I who failed to save the file correctly, Martineau. :eek:

All good now! :D

Thank you very much for this, it really is much appreciated. You're a star :)

I do notice these errors in the log now though, although I'm not bothered as it's working how I want lol. Any ideas?

Feb 26 18:03:40 openvpn[724]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Feb 26 18:03:45 openvpn[724]: Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
Feb 26 18:03:45 openvpn[724]: Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Feb 26 18:03:45 openvpn[724]: Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Feb 26 18:03:45 openvpn[724]: Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
 
Hi, I'm new to this forum and also new to OpenVPN scripts.
I have an RT-AC68U router that is originally Tmo branded with Tmo firmware on it. I managed to flash it to the newest Merlin firmware and run VPN through it. I want to have VPN for all my devices that are running through my router.

However, I'd like to keep some of the ports used by Apple for FaceTime and Hulu off the VPN (as Hulu's starting to block VPN users). Below is the script that I used (credit to several users on SNB here and somewhere else, I forgot)

Code:
#!/bin/sh

sleep 2

touch /tmp/000wanstarted

# This code goes in the WAN UP section of the Tomato GUI.
# This code based on the contributions from this thread:
#  http://www.linksysinfo.org/index.php?threads/route-only-specific-ports-through-vpn-openvpn.37240/
#
# And from material in these articles:
#  http://linux-ip.net/html/adv-multi-internet.html
#  http://fedorasolved.org/Members/kanarip/iptables-howto
#
# This script configures "selective" VPN routing. Normally Tomato will route ALL traffic out
# the OpenVPN tunnel. These changes to iptables allow some outbound traffic to use the VPN, and some
# traffic to bypass the VPN and use the regular Internet instead.
#


#  To list the current rules on the router, issue the command:
#      iptables -t mangle -L PREROUTING
#
#  Flush/reset all the rules to default by issuing the command:
#      iptables -t mangle -F PREROUTING
#
#
# First it is necessary to disable Reverse Path Filtering on all
# current and future network interfaces:
#



for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
  echo 0 > $i
done
#
# Delete tables 10 & 12 and flush any existing rules if they exist.
#

ip route flush table 10
ip route del default table 10
ip rule del fwmark 10 table 10
ip route flush table 12
ip route del default table 12
ip rule del fwmark 12 table 12
ip route flush cache
iptables -t mangle -F PREROUTING

tun_if="tun11"
tun_ip=$(ifconfig $tun_if | grep 'inet addr:'| cut -d: -f2 | awk '{ print $1}')

ip route add default via $tun_ip dev $tun_if table 10
ip rule add fwmark 10 table 10
ip route add default via $(nvram get wan_gateway) dev eth0 table 12
ip rule add fwmark 12 table 12

echo 0 > /proc/sys/net/ipv4/conf/$tun_if/rp_filter

#
# Define the routing policies for the traffic. The rules are evaluated in the order that they
# are listed; MARK is a non-terminating target, so every matching rule is applied and the last
# match decides the final mark. In this script packets marked "10" use table 10 (the VPN) and
# packets marked "12" use table 12 (the WAN). The examples below are kept from the original
# Tomato script, where MARK "0" meant "use the VPN" and "1" meant "bypass the VPN".
#
# EXAMPLES:
#
#  All LAN traffic will bypass the VPN (Useful to put this rule first, so all traffic bypasses the VPN and you can configure exceptions afterwards)
#    iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
#  Ports 80 and 443 will bypass the VPN
#    iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 1
#  All traffic from a particular computer on the LAN will use the VPN
#    iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.2 -j MARK --set-mark 0
#  All traffic to a specific Internet IP address will use the VPN
#    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 216.146.38.70 -j MARK --set-mark 0
#  All UDP and ICMP traffic will bypass the VPN
#    iptables -t mangle -A PREROUTING -i br0 -p udp -j MARK --set-mark 1
#    iptables -t mangle -A PREROUTING -i br0 -p icmp -j MARK --set-mark 1
# By default all traffic goes through the VPN
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 10

# Spotify explicitly bypasses the VPN (mark 12 -> table 12 -> WAN)
# Uncomment to make a single LAN device (the AppleTV) bypass the VPN entirely

#iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.10 -j MARK --set-mark 12

iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 72.247.8.235 -j MARK --set-mark 12
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 72.247.8.194 -j MARK --set-mark 12
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 23.212.109.42 -j MARK --set-mark 12
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 23.212.109.56 -j MARK --set-mark 12
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 208.91.157.66 -j MARK --set-mark 12
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 173.222.211.42 -j MARK --set-mark 12
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 173.222.211.66 -j MARK --set-mark 12
iptables -t mangle -A PREROUTING -i br0 -p tcp --dport 3478:3497 -j MARK --set-mark 12
iptables -t mangle -A PREROUTING -i br0 -p udp --dport 443 -j MARK --set-mark 12
iptables -t mangle -A PREROUTING -i br0 -p tcp --dport 5223 -j MARK --set-mark 12
iptables -t mangle -A PREROUTING -i br0 -p udp --dport 16384:16387 -j MARK --set-mark 12
iptables -t mangle -A PREROUTING -i br0 -p udp --dport 16393:16402 -j MARK --set-mark 12

exit

The IP 192.168.1.10 is the AppleTV, which I have to set to exclusively bypass the VPN in order to access Hulu and ABC on it. But it's somewhat inconvenient as I can only watch Hulu on the AppleTV with this setup. Is there a way to bypass the VPN for Hulu on every other device on my router?
 
Did you guys experience the "mangle" table being periodically flushed?
On my side I delay my script by 90 seconds in order to avoid being flushed out.
Nevertheless the "mangle" table will still be gone in 1 or 2 days and I have not figured out any solution. Atm I run the script manually whenever the "mangle" table is empty. Do you guys have a better idea?
 
hello


I am using the route-nopull option which works great.


I have an IP set for all traffic to go over the VPN:

iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.0.2 -j MARK --set-mark 10



However, I want certain ports from only this IP to not go over the VPN. I have been trying with little success, e.g.:


iptables -t mangle -I PREROUTING -i br0 -m iprange --src-range 192.168.0.2 -p tcp -m multiport --dport 0:2000 -j MARK --set-mark 12


Maybe something like:


iptables -t mangle -I PREROUTING -i br0 -m iprange --src-range 192.168.0.2 -p tcp -m multiport ! --dport 0:2000 -j MARK --set-mark 10



Am I on the right path, guessing the order of -I, -A is critical? Calling Martineau....
 

Yes the rule order is critical, so have you checked the hit count for the rule?

e.g. I created a couple of dummy rules, and when tested they generated
hits; if you observe pkts hits then check the fwmark value you apply.


iptables -t mangle -nv -L

admin@RT-AC56U:/tmp/home/root# iptables -t mangle -nv -L
Chain PREROUTING (policy ACCEPT 517 packets, 85728 bytes)
pkts bytes target prot opt in out source destination
83 5669 MARK all -- !eth0 * 0.0.0.0/0 xxx.xxx.xxx.xxx MARK set 0xb400
35 8224 tcp -- br0 * 10.88.8.113 0.0.0.0/0 multiport dports 22,80,6000:6100
4 208 tcp -- br0 * 10.88.8.113 0.0.0.0/0 multiport dports 7000:7001
 
Who wrote this article? fwmarks isn't working on MIPS routers, something wrong with kernel I suppose. You may check that fwmarks is used for ARM devices only.
Code:
-A PREROUTING -m set --set youtube dst,src -j MARK --set-mark 0x9
-A PREROUTING -m set --set youtube dst,src -j LOG --log-prefix "MARK check "
gives no traces of "MARK=0x9" in the syslog. H/W NAT was turned off.

I discovered it earlier, when I tried ipset-dns.
 

Not sure if I completely understand your statement - are you saying that MIPS routers have never been able to use FWMARKS for selective routing, or simply highlighting the fact that it is now broken in the latest release 37x.xx of the MIPS firmware?

I understand that in 378.50, ASUS will now flush the '-t mangle PREROUTING' entries (Trend Micro DPI?), and when using DUAL WAN, table 100 is now reserved (which may only affect a limited number of users who use the original script).
 
There is no DPI engine on MIPS builds.
Not sure if I completely understand your statement - are you saying that MIPS routers have never been able to use FWMARKS for selective routing, or simply highlighting the fact that it is now broken in the latest release 37x.xx of the MIPS firmware?
Tried on RT-N66U, f\w 378.50.
 
Ok so I've been banging my head against this all day. Figured I would ask for some help.

I would like to pass all traffic to the VPN, except one local IP that I need to go straight out.
Router: RT-AC68U
FW: Merlin 376.49_5


I have set my vpn extra options with

route-nopull
script-security 2
route-up /jffs/scripts/vpn_passthrough.sh

and my vpn_passthrough.sh file is as follows.

Code:
#!/bin/sh

MY_VPNTAB=101 # Now read from /jffs/configs/VPNSelect
TAG_MARK=1 # Now read from /jffs/configs/VPNSelect

# Use the OpenVPN environment variables
if [ "X$dev" = "X" ]; then
logger -s -t "($(basename $0))" $$ "*** ERROR not called by VPN Client route-up?...ABORTing!"
exit 1
fi

# Create new table to route VPN traffic when tagged with MARK. (Credit to SmallNetBuilder member DJR747)
# or to be associated with a WiFi Guest SSID.
ip route flush table $MY_VPNTAB
ip rule del fwmark $TAG_MARK
ip rule del table $MY_VPNTAB

ip route flush cache
iptables -t mangle -F PREROUTING

# Disable Reverse Path Filtering on current VPN network interface:
echo 0 > /proc/sys/net/ipv4/conf/$dev/rp_filter

ip route add default via $ifconfig_local dev $dev table $MY_VPNTAB
ip rule add fwmark $TAG_MARK table $MY_VPNTAB


iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 10.10.1.100 -j MARK 0


iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 10.10.1.2-10.10.1.99 -j MARK --set-mark $TAG_MARK
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 10.10.1.101-10.10.1.254 -j MARK --set-mark $TAG_MARK

exit

As it stands now everything is sent through the VPN; the machine at 10.10.1.100 is also still routed through the VPN.

Any help would be great, thanks.
 
fwmark works okay here on 378.51 beta1.

Martineau thanks, that is coming in handy.

Looks like all rules in mangle are processed and later matches override previous matches, so I add the rule for the whole IP before the port-specific rule.
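Added example (not code from the thread or from Asuswrt-Merlin) illustrating the observation above and the rule-ordering discussion in the earlier "un-tagging" reply: MARK is a non-terminating target, so every matching PREROUTING rule runs and the last match sets the final fwmark. The sh model below uses constructed rules, with the documentation address 203.0.113.10 standing in for the xxx.xxx.xxx.xxx site, and shows that a WAN exception appended before the catch-all ranges is overridden by them, while the same exception appended last takes effect.

```shell
#!/bin/sh
# Added example, not from the thread: a small model of how the mangle
# PREROUTING chain assigns a fwmark. MARK is non-terminating, so every rule
# that matches a packet runs and the LAST matching rule decides the mark.
# Rules use a constructed, simplified format, one per line:
#   SRC DST MARK    where SRC/DST are "any", a single IPv4 address or "lo-hi"

ip2int() {
    # dotted quad -> integer, so that ranges can be compared numerically
    echo "$1" | awk -F. '{ printf "%.0f\n", ($1 * 16777216) + ($2 * 65536) + ($3 * 256) + $4 }'
}

in_range() {
    # in_range ADDR SPEC ; SPEC is "any", a single address or "lo-hi"
    [ "$2" = "any" ] && return 0
    case "$2" in
        *-*) lo=${2%-*}; hi=${2#*-} ;;
        *)   lo=$2; hi=$2 ;;
    esac
    a=$(ip2int "$1"); l=$(ip2int "$lo"); h=$(ip2int "$hi")
    [ "$a" -ge "$l" ] && [ "$a" -le "$h" ]
}

# effective_mark SRC DST RULES -> prints the mark the packet leaves the chain
# with: 0 = main table (WAN), anything else = the fwmark "ip rule" sends to
# the VPN table.
effective_mark() {
    pkt_src=$1; pkt_dst=$2; final=0
    saved_ifs=$IFS
    IFS='
'
    for rule in $3; do
        IFS=$saved_ifs
        set -- $rule                     # $1=SRC $2=DST $3=MARK of this rule
        if in_range "$pkt_src" "$1" && in_range "$pkt_dst" "$2"; then
            final=$3                     # a later match overrides an earlier one
        fi
    done
    IFS=$saved_ifs
    echo "$final"
}

# The ordering suggested in the thread: the WAN exception for one site first
# (mark 0), then the two catch-all ranges that tag everything except .227 for
# the VPN (mark 1). 203.0.113.10 is a constructed stand-in for the site.
EXCEPTION_FIRST='any 203.0.113.10 0
192.168.1.2-192.168.1.226 any 1
192.168.1.228-192.168.1.254 any 1'

# The same rules with the exception appended last, so it is the final match.
EXCEPTION_LAST='192.168.1.2-192.168.1.226 any 1
192.168.1.228-192.168.1.254 any 1
any 203.0.113.10 0'

# Demonstration when run directly
effective_mark 192.168.1.50 203.0.113.10 "$EXCEPTION_FIRST"  # 1: catch-all wins, site still via VPN
effective_mark 192.168.1.50 203.0.113.10 "$EXCEPTION_LAST"   # 0: exception is last match, site via WAN
effective_mark 192.168.1.227 198.51.100.7 "$EXCEPTION_LAST"  # 0: .227 matches no VPN rule
```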
 

By default using this version of the selective routing script nothing goes via the VPN unless explicitly defined.

So if you were to remove ALL three of the tagging rules this should be the case; if it isn't then you will need to look at the log to see if there are any errors.

However

iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 10.10.1.100 -j MARK 0

shouldn't this be in the same format as the two rules below?

i.e.

iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 10.10.1.100 -j MARK --set-mark 0

although it should be tagged to the WAN by default anyway.

I suggest you dump the tables/rules using

ip rule

iptables -t mangle -L -nv --line

ip route show table 101
 

In keeping with stating the obvious, there is no DPI engine on the ARM RT-AC56U using build 378.50B1 but I can still force the '-t mangle PREROUTING' entries to be 'accidentally' flushed when I use the GUI , which then breaks the selective routing.
 
Anything that restarts the firewall rules (especially within nat_settings() in the rc/firewall.c code) will flush the mangle chain. You need to use the nat-start script to handle these.

The DPI engine issue is on top of that, the engine will flush out that chain on its own whenever it restarts itself.
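Added example (not RMerlin's or the firmware's code) of the nat-start approach just described: the functions test saved command output, and the "live" branch re-runs the route-up script when the mangle rules or the VPN table have been flushed. It assumes VPN client 1 is tun11, the script is /jffs/scripts/VPN_Select.sh with table 101 and fwmark 1 as in the scripts earlier in this thread, and the ip rule / ip route output wording noted in the comments.

```shell
#!/bin/sh
# Added example, not Asuswrt-Merlin code. Meant to be called from
# /jffs/scripts/nat-start, which runs whenever the firewall rules are rebuilt:
# checks that the selective-routing state is still present and, if not,
# re-runs the route-up script with the variables OpenVPN would have set.
# Assumptions: VPN client 1 is tun11, table 101, and the script path below.

ROUTE_UP=/jffs/scripts/VPN_Select.sh
TUN_IF=tun11
VPN_TABLE=101

# missing_rules "RANGE RANGE ..." "DUMP": DUMP is the text printed by
# "iptables -t mangle -S PREROUTING". Prints every source range that has no
# MARK rule left in the chain; returns 1 if any is missing.
missing_rules() {
    rc=0
    for range in $1; do
        if ! printf '%s\n' "$2" | grep -q -- "--src-range $range .*-j MARK"; then
            echo "$range"
            rc=1
        fi
    done
    return $rc
}

# table_ok "IP_RULE_OUTPUT" "TABLE_ROUTES": succeeds when "ip rule" still has
# the fwmark -> table entry and "ip route show table N" still has the default
# route via the tunnel (assumes iproute2's usual "fwmark 0x1 lookup 101" and
# "default via A.B.C.D dev tun11" wording).
table_ok() {
    printf '%s\n' "$1" | grep -q "fwmark .*lookup $VPN_TABLE" &&
    printf '%s\n' "$2" | grep -q "^default via .* dev $TUN_IF"
}

# reapply: the route-up script aborts unless $dev is set, so export what
# OpenVPN would have provided, taken from the live tunnel interface.
reapply() {
    dev=$TUN_IF
    ifconfig_local=$(ifconfig "$TUN_IF" 2>/dev/null | grep 'inet addr:' | cut -d: -f2 | awk '{ print $1 }')
    if [ -z "$ifconfig_local" ]; then
        logger -t nat-start "$TUN_IF has no address; VPN client not up, nothing to re-apply"
        return 1
    fi
    export dev ifconfig_local
    logger -t nat-start "selective routing state was flushed, re-running $ROUTE_UP"
    sh "$ROUTE_UP"
}

# Only touch the live router when invoked as "nat-start live"; the functions
# above are pure so they can be exercised on saved output.
if [ "${1:-}" = "live" ]; then
    RANGES="192.168.1.2-192.168.1.226 192.168.1.228-192.168.1.254"  # ranges the route-up script tags
    if ! missing_rules "$RANGES" "$(iptables -t mangle -S PREROUTING)" >/dev/null ||
       ! table_ok "$(ip rule)" "$(ip route show table "$VPN_TABLE")"; then
        reapply
    fi
fi
```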
 
