Selective Routing with Asuswrt-Merlin


Thanks for your reply. Sorry for my noobness, is DNSFilter a program or a terminal command? Google wasn't much help.

Never mind, it's a Firmware function. I'll go RTFM now. Thanks, Merlin!
Merlin, is this set up correctly for rerouting all DNS requests to my specified servers? My Chromecast and Android TV still seem to be going through 8.8.8.8, as I'm getting blacked out of local MLB games. My Roku is not being blacked out, but it uses the main DNS setting properly while the other two devices are hard-coded to 8.8.8.8. Thanks.
 


No. You entered a custom DNS, but you didn't define any client below to use it.
 
Is there a way to restrict or change subnet of the guest network? I would like to route all guest network traffic thru the VPN.
 


There is a sample script on the wiki (https://github.com/RMerl/asuswrt-merlin/wiki) under the Networking How-to Guide samples.

My personal method involves modifying the DNSmasq configuration via /jffs/configs/dnsmasq.conf.add, although in my experience I have noticed that if DNSmasq has already seen the guest device MAC and assigned an IP address to the guest device, it doesn't always seem to allow the new subnet to be assigned. However, it may be my method of implementation or due to my test guest devices.

Code:
e.g.

# 2.4GHz Guest #3 via VPN uses DHCP pool 10.88.243.2 - 10.88.243.20
interface=wl0.3
dhcp-range=wl0.3,10.88.243.2,10.88.243.20,255.255.255.0,21600s
dhcp-option=wl0.3,3,10.88.243.1

# 5Ghz Guest #3 via VPN uses DHCP pool 10.88.53.2 - 10.88.53.20
interface=wl1.3
dhcp-range=wl1.3,10.88.53.2,10.88.53.20,255.255.255.0,21600s
dhcp-option=wl1.3,3,10.88.53.1


After DNSmasq has been restarted, /etc/dnsmasq.conf is then read by a separate (verbose!) SSID_VPN.sh script which configures the SSID VPN routing etc.

If you are using RMerlin firmware 378.53 with selective Policy Rules Routing enabled, it will auto-define the appropriate RPDB tables 111/112. Then, to isolate/force both Guest 2.4GHz and 5GHz SSID #3 clients to use VPN Client 1, issue:

Code:
SSID_VPN.sh    tun11    wl0.3   wl1.3

The above can be specified in the custom 'VPN client configuration' options or called from wan-start etc.

Code:
#!/bin/sh
# Usage: SSID_VPN.sh <tun interface> <guest interface> [<guest interface> ...]
#   e.g. SSID_VPN.sh tun11 wl0.3 wl1.3

TUN_IF=$1
shift
GUEST_IFS="$@"                                  # Every remaining argument is a Guest SSID interface
VPN_ID=${TUN_IF#tun1}                           # tun11 -> 1, tun12 -> 2
MY_VPNTAB="11"$VPN_ID                           # RPDB table the firmware creates for this VPN client (111/112)
LANIP=$(nvram get lan_ipaddr)                   # Router LAN address; used to keep the guests away from the LAN


# Validate the Guest SSID(s) to be forced to use this VPN
if [ "$GUEST_IFS" != "" ];then
   for GUEST_IF in $GUEST_IFS
   do
      GUEST_IF_IP=`grep -i "dhcp-option=$GUEST_IF,3" /etc/dnsmasq.conf  | awk 'BEGIN { FS = "," } {print $3}'`        # Extract IP from 'dhcp-option=$GUEST_IF,3,10.88.241.1'
      GUEST_SUBNET_PREFIX=`echo $GUEST_IF_IP | awk 'BEGIN { FS = "." } {print $1"."$2"."$3}'`                        # Extract first three octets of IP
      logger -s -t "($(basename $0))" $$ "Lookup '$GUEST_IF' in DNSMASQ returned:>$GUEST_IF_IP< and Prefix >$GUEST_SUBNET_PREFIX<"

      if [ -z "$GUEST_IF_IP" ]; then               # Without a gateway entry in dnsmasq.conf every command below would be malformed
         logger -s -t "($(basename $0))" $$ "No 'dhcp-option=$GUEST_IF,3,...' entry in /etc/dnsmasq.conf - skipping $GUEST_IF"
         continue
      fi

      SSID=$(nvram get $GUEST_IF"_ssid")

      logger -s -t "($(basename $0))" $$ "SSID $SSID being blocked to ONLY use OpenVPN Client....."
      logger -s -t "($(basename $0))" $$ "     CMD: ip rule add dev $GUEST_IF table $MY_VPNTAB"
      ip rule add dev $GUEST_IF table $MY_VPNTAB                       # Everything arriving on the guest interface is looked up in the VPN table
      logger -s -t "($(basename $0))" $$ "SSID $SSID Blocked to ONLY use OpenVPN Client....."
      #
      # Guest wireless assignment: the router becomes the guest subnet's gateway on the raw wl interface
      logger -s -t "($(basename $0))" $$ "     CMD: ifconfig $GUEST_IF $GUEST_IF_IP netmask 255.255.255.0"
      ifconfig $GUEST_IF $GUEST_IF_IP netmask 255.255.255.0
      # Guest wireless bridge: DROP in the ebtables broute table means "route, don't bridge",
      # so guest IPv4/ARP frames leave br0 and are handled by the router's IP stack instead
      logger -s -t "($(basename $0))" $$ "     CMD: ebtables -t broute -I BROUTING -p ipv4 -i $GUEST_IF -j DROP"
      ebtables -t broute -I BROUTING -p ipv4 -i $GUEST_IF -j DROP
      logger -s -t "($(basename $0))" $$ "     CMD: ebtables -t broute -I BROUTING -p arp -i $GUEST_IF -j DROP"
      ebtables -t broute -I BROUTING -p arp -i $GUEST_IF -j DROP

      # Guest wireless firewall. VPN kill switch is in built: the only FORWARD ACCEPT added is towards $TUN_IF.
      # Ensure isolation from LAN..
      iptables -I FORWARD -i $GUEST_IF -d $LANIP/24 -j DROP
      iptables -I INPUT -i $GUEST_IF -d $LANIP/24 -j DROP                # Prevent access to Router

      # Selectively allow certain ports DNS?
      # Each -I inserts at the top of the chain, so the ACCEPT rules below end up in front of this DROP
      iptables -I INPUT -i $GUEST_IF -j DROP
      logger -s -t "($(basename $0))" $$ "     CMD: iptables -I INPUT -i $GUEST_IF -p udp --dport 53 -j ACCEPT"
      iptables -I INPUT -i $GUEST_IF -p udp --dport 53 -j ACCEPT
      logger -s -t "($(basename $0))" $$ "     CMD: iptables -I INPUT -i $GUEST_IF -p tcp --dport 53 -j ACCEPT"
      iptables -I INPUT -i $GUEST_IF -p tcp --dport 53 -j ACCEPT
      logger -s -t "($(basename $0))" $$ "     CMD: iptables -I INPUT -i $GUEST_IF -p udp --dport 67:68 -j ACCEPT"
      iptables -I INPUT -i $GUEST_IF -p udp --dport 67:68 -j ACCEPT
      logger -s -t "($(basename $0))" $$ "     CMD: iptables -I INPUT -i $GUEST_IF -m state --state NEW -j ACCEPT"
      iptables -I INPUT -i $GUEST_IF -m state --state NEW -j ACCEPT     # Sits in front of the port rules above, so any NEW connection to the router is accepted
      logger -s -t "($(basename $0))" $$ "     CMD: iptables -I FORWARD -i $GUEST_IF -o $TUN_IF -j ACCEPT"
      iptables -I FORWARD -i $GUEST_IF -o $TUN_IF -j ACCEPT
      logger -s -t "($(basename $0))" $$ "     CMD: iptables -t nat -I POSTROUTING -s $GUEST_SUBNET_PREFIX.0/24 -o $TUN_IF -j MASQUERADE"
      iptables -t nat -I POSTROUTING -s $GUEST_SUBNET_PREFIX.0/24 -o $TUN_IF -j MASQUERADE


      # Optional: Block all ports on VPN except: dns(53),http(80),https(443)
      #iptables -I FORWARD -i $GUEST_IF -s $GUEST_SUBNET_PREFIX.0/24 -o $TUN_IF -p tcp -m multiport ! --ports 53,80,443 -j DROP
      #iptables -I FORWARD -i $GUEST_IF -s $GUEST_SUBNET_PREFIX.0/24 -o $TUN_IF -p udp -m multiport ! --ports 53,443 -j DROP


      # Limit download speed
      #tc qdisc add dev $GUEST_IF root handle 1: htb default 10
      #tc class add dev $GUEST_IF parent 1: classid 1:1 htb rate 100mbit ceil 100mbit
      #tc class add dev $GUEST_IF parent 1:1 classid 1:10 htb rate 10mbit ceil 10mbit
      #tc filter add dev $GUEST_IF protocol ip parent 1:0 prio 1 u32 match ip dst 0.0.0.0 flowid 1:10

      logger -s -t "($(basename $0))" $$ "SSID $SSID is configured to use OpenVPN Client."
   done
fi

EDIT: I mangled the calling args to the script:oops:
EDIT2: This script can no longer be considered reliable/stable. No idea why it fails.
 
Code:
e.g.

# 2.4GHz Guest #3 via VPN uses DHCP pool 10.88.243.2 - 10.88.243.20
interface=wl0.3
dhcp-range=wl0.3,10.88.243.2,10.88.243.20,255.255.255.0,21600s
dhcp-option=wl0.3,3,10.88.243.1

Tried this, changed to wl0.1 just to try to separate the guest network; when I connect to the guest I'm still getting an IP from the 192.168.1.x range.
 

As my disclaimer states, if DNSmasq has already seen the MAC of the device and assigned a standard LAN address from the DHCP pool (or explicitly reserved) then it sometimes reluctantly doesn't assign the expected VPN subnet.

Usually if you use the 'forget Network' option on the laptop/phone etc., and then reboot the device, it should then work.
 
I am trying to route my PC through the VPN tunnel and the rest of the devices through the ISP. I selected the client as my PC address and the destination as empty (0.0.0.0), as I want all PC traffic to go through the tunnel. But my PC address is not going through the tunnel. Can anyone point out what I am doing wrong here? Please see the screenshot attached.
 


Issue the two commands and check the output

ip rule

ip route show table 111
 
admin@RT-AC87U-1C70:/jffs/scripts# ip rule
0: from all lookup local
32765: from 192.168.1.2 lookup 111
32766: from all lookup main
32767: from all lookup default
admin@RT-AC87U-1C70:/jffs/scripts# ip route show table 111
default via 172.20.16.1 dev tun11

Is this ok ?
 

Yes and you should see these messages in the log

Code:
user.warn openvpn-routing: Configuring policy rules for tun11
user.warn openvpn-routing: Removing route for 0.0.0.0/1 to tun11
user.warn openvpn-routing: Removing route for 128.0.0.0/1 to tun11
user.warn openvpn-routing: Added 192.168.1.2 through 0.0.0.0 to routing policy
user.warn openvpn-routing: Completed routing policy configuration

Not sure how to display the statistics for the RPDB rule 32765, but I can't see any reason why the traffic from 192.168.1.2 shouldn't be routed.

How are you determining the fact that traffic isn't going via the VPN?

Usually I use http://www.iplocation.net/ on the routed device (if it is Web browser capable) to check the location.
 

My PC is working now (I must have done something silly :)). But also, all other devices cannot connect to the internet. Are there any other entries needed in the policy table? My understanding is that if the device is not defined in the policy table it will route through my ISP (not the tunnel). Please correct me if I am wrong.
 


It looks like a DNS issue.
Looks like this issue is causing the problem (http://www.snbforums.com/threads/asuswrt-merlin-378-53-is-now-available.24172/page-12#post-181952).

Please see the attached image
 

As my disclaimer states, if DNSmasq has already seen the MAC of the device and assigned a standard LAN address from the DHCP pool (or explicitly reserved) then it sometimes reluctantly doesn't assign the expected VPN subnet.

Usually if you use the 'forget Network' option on the laptop/phone etc., and then reboot the device, it should then work.

Tried that with 2 different phones, got a new IP, but it was still from the main subnet. I will try flashing the version you are using, clear NVRAM and start fresh to see if I can get that to work.
 
My PC is working now (I must have done something silly :)). But also, all other devices cannot connect to the internet. Are there any other entries needed in the policy table? My understanding is that if the device is not defined in the policy table it will route through my ISP (not the tunnel). Please correct me if I am wrong.

If there are no routes to the VPN in any of the other routing tables then, unless the VPN server is forcing a strange directive, I'm not sure what would prevent all non-specified devices thru the VPN.

Issue

ip route

and there should be no entries for 0.0.0.0/1 or 128.0.0.0/1 to the VPN tunnel.
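As an added example (not from this thread or the Asuswrt-Merlin firmware), here are the two checks suggested in this reply and in the earlier "ip rule / ip route show table 111" reply, coded as a small POSIX sh script that runs against constructed sample output; the client 192.168.1.2, tun11 and table 111 are the thread's values, while the sample route lines and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the thread's or the firmware's code. The sample outputs are
# constructed (modelled on what was posted) so the checks run offline.

# Constructed `ip rule` output: one client policy-routed to table 111.
SAMPLE_RULES='0:      from all lookup local
32765:  from 192.168.1.2 lookup 111
32766:  from all lookup main
32767:  from all lookup default'

# Constructed main table after a clean start: the VPN subnet is present but no
# 0.0.0.0/1 or 128.0.0.0/1 route points at the tunnel.
SAMPLE_MAIN_OK='192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1
172.20.16.0/22 dev tun11 proto kernel scope link src 172.20.16.164
default via 85.91.2.237 dev ppp0'

# Constructed main table where the server-pushed redirect-gateway routes were
# not removed: the two /1 routes beat the default route for every client.
SAMPLE_MAIN_BAD='192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1
0.0.0.0/1 via 172.20.16.1 dev tun11
128.0.0.0/1 via 172.20.16.1 dev tun11
default via 85.91.2.237 dev ppp0'

# client_table CLIENT_IP RULES: print the table the first "from CLIENT_IP" rule
# sends traffic to, or nothing if the client has no policy rule at all.
client_table() {
    printf '%s\n' "$2" | awk -v ip="$1" \
        '$2 == "from" && $3 == ip && $4 == "lookup" { print $5; exit }'
}

# half_default_routes TUN_IF ROUTES: count 0.0.0.0/1 and 128.0.0.0/1 routes
# leaving via TUN_IF (the routes openvpn-routing logs as "Removing route").
half_default_routes() {
    printf '%s\n' "$2" | awk -v dev="$1" '
        ($1 == "0.0.0.0/1" || $1 == "128.0.0.0/1") {
            for (i = 1; i <= NF; i++) if ($i == "dev" && $(i+1) == dev) n++
        }
        END { print n + 0 }'
}

# check_policy_routing CLIENT_IP TUN_IF RULES ROUTES: returns 0 only when the
# client has a policy rule and the main table has no half-default VPN routes.
check_policy_routing() {
    tbl=$(client_table "$1" "$3")
    leaks=$(half_default_routes "$2" "$4")
    status=0
    if [ -n "$tbl" ]; then echo "OK: $1 -> lookup table $tbl"
    else echo "FAIL: no ip rule for $1 (client missing from the policy table)"; status=1; fi
    if [ "$leaks" -eq 0 ]; then echo "OK: main table has no /1 routes via $2"
    else echo "FAIL: $leaks half-default route(s) via $2; every client would use the VPN"; status=1; fi
    return $status
}
```

On the router itself the same check runs against live state with `check_policy_routing 192.168.1.2 tun11 "$(ip rule)" "$(ip route)"`.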
 

Can you spot anything wrong here?

admin@RT-AC87U-1C70:/tmp/home/root# ip route
216.151.180.6 via 85.91.2.237 dev ppp0
85.91.2.237 dev ppp0 proto kernel scope link src 87.198.10.237
208.76.111.154 via 85.91.2.237 dev ppp0
169.254.39.0/24 dev br0 proto kernel scope link src 169.254.39.57
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1
172.20.16.0/22 dev tun11 proto kernel scope link src 172.20.16.164
127.0.0.0/8 dev lo scope link
default via 85.91.2.237 dev ppp0
admin@RT-AC87U-1C70:/tmp/home/root# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
216.151.180.6   85.91.2.237     255.255.255.255 UGH   0      0        0 ppp0
85.91.2.237     0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
208.76.111.154  85.91.2.237     255.255.255.255 UGH   0      0        0 ppp0
169.254.39.0    0.0.0.0         255.255.255.0   U     0      0        0 br0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
172.20.16.0     0.0.0.0         255.255.252.0   U     0      0        0 tun11
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         85.91.2.237     0.0.0.0         UG    0      0        0 ppp0
admin@RT-AC87U-1C70:/tmp/home/root#
 
Tried that with 2 different phones, got a new IP, but it was still from the main subnet. I will try flashing the version you are using, clear NVRAM and start fresh to see if I can get that to work.

I haven't used the script in anger for quite a while - I find that a SMART DNS subscription meets my needs for viewing US content etc.

I have just tried the script and it only seems to acquire the new subnet after restarting DNSmasq etc. - however pinging the router seems to initially work then times out and then nothing.

I'm not sure what is causing it to be unstable, so I suggest you ignore this script in its current state.

Apologies for wasting your time.
 
Can you spot anything wrong here?

admin@RT-AC87U-1C70:/tmp/home/root# ip route
216.151.180.6 via 85.91.2.237 dev ppp0
85.91.2.237 dev ppp0 proto kernel scope link src 87.198.10.237
208.76.111.154 via 85.91.2.237 dev ppp0
169.254.39.0/24 dev br0 proto kernel scope link src 169.254.39.57
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1
172.20.16.0/22 dev tun11 proto kernel scope link src 172.20.16.164
127.0.0.0/8 dev lo scope link
default via 85.91.2.237 dev ppp0
admin@RT-AC87U-1C70:/tmp/home/root# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
216.151.180.6   85.91.2.237     255.255.255.255 UGH   0      0        0 ppp0
85.91.2.237     0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
208.76.111.154  85.91.2.237     255.255.255.255 UGH   0      0        0 ppp0
169.254.39.0    0.0.0.0         255.255.255.0   U     0      0        0 br0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
172.20.16.0     0.0.0.0         255.255.252.0   U     0      0        0 tun11
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         85.91.2.237     0.0.0.0         UG    0      0        0 ppp0
admin@RT-AC87U-1C70:/tmp/home/root#

Unusual to see 169.254.*.*; not sure of the impact.
All I can suggest is that you perform a router reboot ensuring that the VPN does not auto-start, issue the ip and ip route commands to check their values, then start the VPN and Policy Rules and reissue the commands to see if the 169.254.*.* references return or if the problem is fixed, in much the same way your original issue magically resolved itself.

Sadly many issues (certainly in my case) are in the PEBKAC category. :eek:
 


Immediately after reboot
85.91.2.115 dev ppp0 proto kernel scope link src 87.198.6.136
169.254.39.0/24 dev br0 proto kernel scope link src 169.254.39.57
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1
127.0.0.0/8 dev lo scope link
default via 85.91.2.115 dev ppp0
 
I haven't used the script in anger for quite a while - I find that a SMART DNS subscription meets my needs for viewing US content etc.

I have just tried the script and it only seems to acquire the new subnet after restarting DNSmasq etc. - however pinging the router seems to initially work then times out and then nothing.

I'm not sure what is causing it to be unstable, so I suggest you ignore this script in its current state.

Apologies for wasting your time.

No worries, my backup plan was just using an old E2000 with DD-WRT that is collecting dust as the guest network provider + pushing opendns to its clients.
 
