Thanks for your reply.
Never mind, it's a Firmware function. I'll go RTFM now. Thanks, Merlin!
Selective Routing with Asuswrt-Merlin
- Thread starter janosek
- Start date
Never mind, it's a Firmware function. I'll go RTFM now. Thanks, Merlin!
Merlin, is this set up correctly for rerouting all DNS requests to my specified servers? My Chromecast and Android TV still seem to be going through 8.8.8.8 as I'm getting blacked out of local mlb games. My roku is not being blacked out, but it uses the main DNS setting properly while the other two devices are hard-coded to 8.8.8.8. Thanks.
Attachments
No. You entered a custom DNS, but you didn't define any client below to use it.
Martineau
Part of the Furniture
There is a sample script on the wiki https://github.com/RMerl/asuswrt-merlin/wiki Networking How to Guide samples
My personal method involves modifying the DNSmasq /jffs/configs/dnsmasq.conf.add although in my experience I have noticed that if DNSmasq has already seen the guest device MAC and assigned an I/P address to the guest device, it doesn't always seem to allow the new subnet to be assigned, however it may be my method of implementation or due to my test guest devices.
Code:
e.g.
# 2.4GHz Guest #3 via VPN uses DHCP pool 10.88.243.2 - 10.88.243.20
interface=wl0.3
dhcp-range=wl0.3,10.88.243.2,10.88.243.20,255.255.255.0,21600s
dhcp-option=wl0.3,3,10.88.243.1
# 5Ghz Guest #3 via VPN uses DHCP pool 10.88.53.2 - 10.88.53.20
interface=wl1.3
dhcp-range=wl1.3,10.88.53.2,10.88.53.20,255.255.255.0,21600s
dhcp-option=wl1.3,3,10.88.53.1After DNSmasq has been restarted, /etc/dnsmasq.conf is then read by a separate (verbose!) SSID_VPN.sh script which configures the SSID VPN routing etc.
If you are using RMerlin firmware 378.53 with selective Policy Rules Routing enabled he will auto-define appropriate RPDB tables 111/112, then to isolate/force both Guest 2.4GHz and 5Ghz SSID #3 clients to use the VPN Client1:
issue
Code:
SSID_VPN.sh tun11 wl0.3 wl1.3The above can be specified in the custom 'VPN client configuration' options or called from wan-start etc.
Code:
#!/bin/sh
TUN_IF=$1
GUEST_IFS=$2
VPN_ID=`echo -n $TUN_IF | tail -c -1`
MY_VPNTAB ="11"$VPN_ID
# Validate the Guest SSID(s) to be forced to use this VPN
if [ "$GUEST_IFS" != "" ];then
for GUEST_IF in $GUEST_IFS
do
GUEST_IF_IP=`grep -i "dhcp-option=$GUEST_IF,3" /etc/dnsmasq.conf | awk 'BEGIN { FS = "," } {print $3}'` # Extract I/P from 'dhcp-option=$GUEST_IF,3,10.88.241.1'
GUEST_SUBNET_PREFIX=`echo $GUEST_IF_IP | awk 'BEGIN { FS = "." } {print $1"."$2"."$3}'` # Extract first three octets of I/P
logger -s -t "($(basename $0))" $$ "Lookup '$GUEST_IF' in DNSMASQ returned:>$GUEST_IF_IP< and Prefix >$GUEST_SUBNET_PREFIX<"
SSID=$(nvram get $GUEST_IF"_ssid")
logger -s -t "($(basename $0))" $$ "SSID $SSID being blocked to ONLY use OpenVPN Client....."
logger -s -t "($(basename $0))" $$ " CMD: ip rule add dev $GUEST_IF table $MY_VPNTAB"
ip rule add dev $GUEST_IF table $MY_VPNTAB
logger -s -t "($(basename $0))" $$ "SSID $SSID Blocked to ONLY use OpenVPN Client....."
#
# Guest wireless assignment
logger -s -t "($(basename $0))" $$ " CMD: ifconfig $GUEST_IF $GUEST_IF_IP netmask 255.255.255.0"
ifconfig $GUEST_IF $GUEST_IF_IP netmask 255.255.255.0
# Guest wireless bridge
logger -s -t "($(basename $0))" $$ " CMD: ebtables -t broute -I BROUTING -p ipv4 -i $GUEST_IF -j DROP"
ebtables -t broute -I BROUTING -p ipv4 -i $GUEST_IF -j DROP
logger -s -t "($(basename $0))" $$ " CMD: ebtables -t broute -I BROUTING -p arp -i $GUEST_IF -j DROP"
ebtables -t broute -I BROUTING -p arp -i $GUEST_IF -j DROP
# Guest wireless firewall. VPN kill switch is in built.
# Ensure isolation from LAN..
iptables -I FORWARD -i $GUEST_IF -d $LANIP/24 -j DROP
iptables -I INPUT -i $GUEST_IF -d $LANIP/24 -j DROP # Prevent access to Router
# Selectively allow certain ports DNS?
iptables -I INPUT -i $GUEST_IF -j DROP
logger -s -t "($(basename $0))" $$ " CMD: iptables -I INPUT -i $GUEST_IF -p udp --dport 53 -j ACCEPT"
iptables -I INPUT -i $GUEST_IF -p udp --dport 53 -j ACCEPT
logger -s -t "($(basename $0))" $$ " CMD: iptables -I INPUT -i $GUEST_IF -p tcp --dport 53 -j ACCEPT"
iptables -I INPUT -i $GUEST_IF -p tcp --dport 53 -j ACCEPT
logger -s -t "($(basename $0))" $$ " CMD: iptables -I INPUT -i $GUEST_IF -p udp --dport 67:68 -j ACCEPT"
iptables -I INPUT -i $GUEST_IF -p udp --dport 67:68 -j ACCEPT
logger -s -t "($(basename $0))" $$ " CMD: iptables -I INPUT -i $GUEST_IF -m state --state NEW -j ACCEPT"
iptables -I INPUT -i $GUEST_IF -m state --state NEW -j ACCEPT
logger -s -t "($(basename $0))" $$ " CMD: iptables -I FORWARD -i $GUEST_IF -o $TUN_IF -j ACCEPT"
iptables -I FORWARD -i $GUEST_IF -o $TUN_IF -j ACCEPT
logger -s -t "($(basename $0))" $$ " CMD: iptables -t nat -I POSTROUTING -s $GUEST_SUBNET_PREFIX.0/24 -o $TUN_IF -j MASQUERADE"
iptables -t nat -I POSTROUTING -s $GUEST_SUBNET_PREFIX.0/24 -o $TUN_IF -j MASQUERADE
# Optional: Block all ports on VPN except: dns(53),http(80),https(443)
#iptables -I FORWARD -i $GUEST_IF -s $GUEST_SUBNET_PREFIX.0/24 -o $TUN_IF -p tcp -m multiport ! --port 53,80,443 -j DROP
#iptables -I FORWARD -i $GUEST_IF -s $GUEST_SUBNET_PREFIX.0/24 -o $TUN_IF -p udp -m multiport ! --port 53,443 -j DROP
# Limit download speed
#tc qdisc add dev $GUEST_IF root handle 1: htb default 10
#tc class add dev $GUEST_IF parent 1: classid 1:1 htb rate 100mbit ceil 100mbit
#tc class add dev $GUEST_IF parent 1:1 classid 1:10 htb rate 10mbit ceil 10mbit
#tc filter add dev $GUEST_IF protocol ip parent 1:0 prio 1 u32 match ip dst 0.0.0.0 flowid 1:10
logger -s -t "($(basename $0))" $$ "SSID $SSID is configured to use OpenVPN Client."
done
fiEDIT: I mangled the calling args to the script
EDIT2: This script can no longer be considered reliable/stable. No idea why it fails.
Last edited:
Tried this, changed to wl0.1 just to try to separate guest network, when i connect to the guest im still getting IP from the 192.168.1.x range.
Martineau
Part of the Furniture
As my disclaimer states, if DNSmasq has already seen the MAC of the device and assigned a standard LAN address from the DHCP pool (or explicitly reserved) then it sometimes reluctantly doesn't assign the expected VPN subnet.
Usually if you use the 'forget Network' option on the laptop/phone etc., and then reboot the device, it should then work.
I am trying to route my pc through the vpn tunnel and rest of the devices through the isp. I selected the client as my PC addresss and destination as empty(0.0.0.0) as i want all pc traffic to go thru the tunnel . But my pc address is not going thru the tunnel. Can any one point me what i am doing wrong here. Please see the screen shot attached
Attachments
Martineau
Part of the Furniture
admin@RT-AC87U-1C70:/jffs/scripts# ip rule
0: from all lookup local
32765: from 192.168.1.2 lookup 111
32766: from all lookup main
32767: from all lookup default
admin@RT-AC87U-1C70:/jffs/scripts# ip route show table 111
default via 172.20.16.1 dev tun11
Is this ok ?
0: from all lookup local
32765: from 192.168.1.2 lookup 111
32766: from all lookup main
32767: from all lookup default
admin@RT-AC87U-1C70:/jffs/scripts# ip route show table 111
default via 172.20.16.1 dev tun11
Is this ok ?
Martineau
Part of the Furniture
Yes and you should see these messages in the log
Code:
user.warn openvpn-routing: Configuring policy rules for tun11
user.warn openvpn-routing: Removing route for 0.0.0.0/1 to tun11
user.warn openvpn-routing: Removing route for 128.0.0.0/1 to tun11
user.warn openvpn-routing: Added 192.168.1.2 through 0.0.0.0 to routing policy
user.warn openvpn-routing: Completed routing policy configurationNot sure how to display the statistics for the RPDB rule 32765, but I can't see any reason why the traffic from 192.168.1.2 shouldn't be routed.
How are you determining the fact that traffic isn't going via the VPN?
Usually I use http://www.iplocation.net/ on the routed device (if it is Web browser capable) to check the location.
my pc is working now ( i must have done something silly
ButAlso all other devices cannot connect to internet.Is there any other entries needed in the policy table. My understanding is if the device is not defined in the policy table it will route through my isp(not tunnel) Please correct me if i am wrong
my pc is working now ( i must have done something silly
Also all other devices cannot connect to internet.Is there any other entries needed in the policy table. My understanding is if the device is not defined in the policy table it will route through my isp(not tunnel) Please correct me if i am wrong
it looks like a dns issue
Looks like this issue is causing the problem (http://www.snbforums.com/threads/asuswrt-merlin-378-53-is-now-available.24172/page-12#post-181952)
Please see the attached image
Attachments
Last edited:
Tried that with 2 different phones, got a new ip, but it was still from the main subnet. I will try flashing the version you are using, clear nvram and start fresh see if i can that to work.
Martineau
Part of the Furniture
my pc is working now ( i must have done something silly
Also all other devices cannot connect to internet.Is there any other entries needed in the policy table. My understanding is if the device is not defined in the policy table it will route through my isp(not tunnel) Please correct me if i am wrong
If there are no routes to the VPN in any of the other routing tables then unless the VPN server is forcing a strange directive then I'm not sure what would prevent all non-specified devices thru the VPN.
Issue
ip route
and there should be no entries for 0.0.0.0/1 or 128.0.0.0/1 to the VPN tunnel.
can you spot any thing wrong here
admin@RT-AC87U-1C70:/tmp/home/root# ip route
216.151.180.6 via 85.91.2.237 dev ppp0
85.91.2.237 dev ppp0 proto kernel scope link src 87.198.10.237
208.76.111.154 via 85.91.2.237 dev ppp0
169.254.39.0/24 dev br0 proto kernel scope link src 169.254.39.57
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1
172.20.16.0/22 dev tun11 proto kernel scope link src 172.20.16.164n you spot
127.0.0.0/8 dev lo scope link
default via 85.91.2.237 dev ppp0
admin@RT-AC87U-1C70:/tmp/home/root# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
216.151.180.6 85.91.2.237 255.255.255.255 UGH 0 0 0 ppp0
85.91.2.237 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
208.76.111.154 85.91.2.237 255.255.255.255 UGH 0 0 0 ppp0
169.254.39.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
172.20.16.0 0.0.0.0 255.255.252.0 U 0 0 0 tun11
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 85.91.2.237 0.0.0.0 UG 0 0 0 ppp0
admin@RT-AC87U-1C70:/tmp/home/root#
Martineau
Part of the Furniture
I haven't used the script in anger for quite a while - I find that a SMART DNS subscription meets my needs for viewing US content etc.
I have just tried the script and it only seems to acquire the new subnet after restarting DNSmasq etc. - however pinging the router seems to initially work then times out and then nothing.
I'm not sure what is causing it to be unstable, so I suggest you ignore this script in its current state.
Apologies for wasting your time.
Martineau
Part of the Furniture
Unusual to see 169.254.*.* not sure of the impact.
All I can suggest is that you perform a router reboot ensuring that the VPN does not auto-start, issue the ip and ip route commands to check their values, then start the VPN and Policy Rules and reissue the commands to see if the 169.254.*.* references return or if the problem is fixed, in much the same way your original issue magically resolved itself.
Sadly many issues (certainly in my case) are in the PEBKAC category.
Unusual to see 169.254.*.* not sure of the impact.
All I can suggest is that you perform a router reboot ensuring that the VPN does not auto-start, issue the ip and ip route commands to check their values, then start the VPN and Policy Rules and reissue the commands to see if the 169.254.*.* references return or if the problem is fixed, in much the same way your original issue magically resolved itself.
Sadly many issues (certainly in my case) are in the PEBKAC category.
Immediately after reboot
85.91.2.115 dev ppp0 proto kernel scope link src 87.198.6.136
169.254.39.0/24 dev br0 proto kernel scope link src 169.254.39.57
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1
127.0.0.0/8 dev lo scope link
default via 85.91.2.115 dev ppp0
No worries, my backup plan was just using an old E2000 with DD-WRT that is collecting dust as the guest network provider + pushing opendns to its clients.
Similar threads
Similar threads
Similar threads
-
-
-
Routing my VPN Server through VPN Client 1 Having issues with Facetime
- Started by ComputerSteve
- Replies: 50
-
-
VPN Stays connected but Stops Routing after DoH Change- Started by CaptnDanLKW
- Replies: 2
-
[Solved]Configure Policy based routing for transparent proxy
- Started by tamasbalogh
- Replies: 6
-
OpenVPN / site to site with special security/routing constraints
- Started by MarkusI
- Replies: 7
-
Bug Report: nvram chilli_enable=1 when guest network is removed causes no routing to occur
- Started by Acru
- Replies: 2
-
[Help] Routing VPN server through VPN client (external VPN Provider)
- Started by GuardYaGrill
- Replies: 14
-