Selective Routing with Asuswrt-Merlin

[Mikeyy]

Then you are overdoing it and got lost on all modification.

1. Delete all scripts.
2. Use VPN Client 1
3. In router GUI for VPN Client 1 set policy rules to use VPN on certain LAN IP's, rest is WAN.
4. Create new "openvpn-event" script from post #6 and change last lines with your IP's and ports. This is for WAN access to VPN only devices.
5. Port forward those ports in router GUI.
6. Add rules from post #2 to same openvpn-event script, on script end, and change IP's / ports to match needed ports. You need 4 rules for every port if you want to use both UDP and TCP. If you want to use more then 1 port on one IP, you can't use those rules, you need to change them and use muli IP rule in 1 line. This is for access trough VPN exit server. DON'T PORT FORWARD THOSE PORTS ON ROUTER GUI. Also, your VPN provider MUST provide port forwarding for those same ports to your machine or it won't work at all.
7. Chmod "openvpn-event" script to be executable.
8. If you are working with windows machine, be sure file isn't saved with non-unix letters.
9. Restart router.
10. Wait for everything to start, cca 2 min, and if you set everything right, it should work.

 

[canufrank]

@Mikeyy, in that thread you keep posting links to, you variously say that you don't really understand what the script does and proceed to talk about how it intermittently stops working. I don't know why you're even endorsing it.

You seem not to have read my last post and just iterated your first. As I said, post #2 does not address port redirection and I don't know why it's failing when I incorporate it. I have a specific issue that @janosek and @Bogey seem also to have encountered and it remains unsolved. Thanks for your efforts though.

 

[Martineau]

@Mikeyy, in that thread you keep posting links to, you variously say that you don't really understand what the script does and proceed to talk about how it intermittently stops working. I don't know why you're even endorsing it.

You seem not to have read my last post and just iterated your first. As I said, post #2 does not address port redirection and I don't know why it's failing when I incorporate it. I have a specific issue that @janosek and @Bogey seem also to have encountered and it remains unsolved. Thanks for your efforts though.

Most of the original Selective Routing scripts may still work by 'accident', as both ASUS and RMerlin have altered the way the underlying iptables and Kernel process the routing of traffic, but thanks to RMerlin, RPDB Selective routing for devices/subnets can now be easily achieved via the GUI. This definitely certainly works for a single VPN Client, but I don't believe it still works for multiple concurrent VPN clients as still experienced by @Bogey ?

Disclaimer: I don't run PLEX nor TORRENTBT but you could try this.....

So since RMerlin creates the necessary Selective Routing RPDB tables, why not simply use his rather than create your own? .....although @Mikeyy is clearly also correct as the legacy script techniques do still work, but you have to be aware that ASUS apparently now reserves tables 100,200 when DUAL WAN is in use?

e.g. Perhaps even my (obsolete) custom script that I posted back in Feb last year may still work!

http://pastebin.com/kW4RxK78

So since RMerlin's Routing Policy GUI does not support Selective port routing, you should be able to create a custom script to exploit his table(s). (Call it something like 'VPN_PortSelect.sh' so you have control of when it is called, either via the VPN Client route-up directive or from say nat-start etc.)

#!/bin/sh

TAG_MARK=8
ip rule  del  fwmark  $TAG_MARK  2>  /dev/null > /dev/null
ip rule  add  fwmark  $TAG_MARK  table  111  prio 11
ip route  flush  cache

and then add the appropriate iptable rule(s) to tag your ports that explicitly need to go via the VPN - everything else should go via the WAN by DEFAULT.

e.g.

iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range xxx.xxx.xxx.xxx -p tcp --dport n001:n005 -j MARK --set-mark $TAG_MARK

However, if you have explicitly in the Policy Rules GUI forced everything for xxx.xxx.xxx.xxx via the VPN Client, but want to selectively route xxx.xxx.xxx.xxx ports via the WAN, in which case the script should look like this

#!/bin/sh

TAG_MARK=8
ip rule  del  fwmark  $TAG_MARK  2>  /dev/null > /dev/null
ip rule  add  fwmark  $TAG_MARK  table  main  prio 1100
ip route  flush  cache

Use of the following commands should allow you to investigate if the Selective Routing rules are being processed as you expect in the correct order:

ip  route

ip  rule

ip  route  show  table  111

iptables  -t  mangle  -L  -nv  --line

P.S. I too undoubtedly don't understand any of this!

 

[john9527]

Just a quick caution.....you should stay away from using marks that would bit XOR modify marks of 1-6, 101-106 decimal (these are reserved for QoS) and B400 (used for NAT Loopback).

 

[netguru]

Hi guys,

i started with 380.57 and all incl. selective routing and port forwarding works fine, WITHOUT using the "complicate" script.
To do potforwarding to access clients behind the VPN-Client:

- connect via ssh and go to /jffs/scripts/.
- save a script named "nat-start" with your ports(s), xxxx and IPs:
--------------------
#!/bin/sh
sleep 4
iptables -t nat -I PREROUTING -i tunXX -p tcp --dport xxxx -j DNAT --to destination 192.168.1.XXX

chmod a+rx /jffs/scripts/nat-start
---------------------
Give the script the rights via "chmod 777 nat-start"

"System Log / Portforwarding" now shows the selective routing: "CHAIN" - VServer

 

[canufrank]

Just a quick caution.....you should stay away from using marks that would bit XOR modify marks of 1-6, 101-106 decimal (these are reserved for QoS) and B400 (used for NAT Loopback).

So, 16 or >= 128?

 

[Goobi]

Is it possible to forward/direct specific traffic from an OpenVPN server to an OpenVPN client?
I'm running both a server and client on my AC68U router (378.53) and traffic to specific IPs (e.g. 216.146.38.70 This is a 'what is my ip' site) goes through the VPN client when accessing the site on the LAN. However when connected through the VPN server, the connection is dropped due to a firewall rule: Disabling this command in firewall-start allows traffic on the VPN server to access the site but the IP is of my ISP, not the VPN client. This means that traffic from the VPN server is not being redirected to the VPN client. Is there an iptables rule to do this?

I looked throughout the thread but do not see where this was answered. Any ideas out there how to achieve this? I tried selective routing specifying the OpenVPN client IP address then routing that to the OpenVPN client tunnel on the router but the traffic is not being routed. I still see the IP address of my OpenVPN server when connected to it. Any suggestions would be much appreciated. Thanks in advance.

 

[enrysan0]

Hi,

My configuration is:
Lan: 192.168.0.0
VPN out (client): 10.x.0.0
VPN in (server): 10.8.0.0
Traffic by default using WAN (no VPN)

I have a web server (IP 192.168.0.100 port:8080) on a machine marked to use the VPN out. I can access this web server from the Lan without problem.

The problem is that if I connect with a client to VPN in I can't access the web server on 192.168.0.100:8080 (server marked to use VPN out).

Hovewer If I connect to VPN in I can access without problem all the other machines (like 192.168.0.150 samba service) not marked to go out with VPN out.

I didn't know if i explained well the problem, so i did a scheme:

These are my configuration:

I'm using selective routing with the old script modded by me:

ip route flush table 10                                                                                           
ip rule del  table 10                                                                                             
ip rule del fwmark 10 table 10                                                                                    
ip route flush table 12                                                                                           
ip rule del table 12                                                                                              
ip rule del fwmark 12 table 12                                                                                    
ip route flush cache                                                                                              
iptables -t mangle -F PREROUTING                                                                                  
                                                                                                                  
tun_if="tun11"                                                                                                    
tun_ip=$(ifconfig $tun_if | grep 'inet addr:'| cut -d: -f2 | awk '{ print $1}')                                   
eth_if="eth0"                                                                                                     
eth_ip=$(ifconfig $eth_if | grep 'inet addr:'| cut -d: -f2 | awk '{ print $1}')                                   
                                                                                                                  
logger -t "($(basename $0))" $$ "CMD: ip route add default via $tun_ip dev $tun_if table 10"                      
logger -t "($(basename $0))" $$ "CMD: ip route add default via $(nvram get wan_gateway) dev eth0 table 12"        
                                                                                                                  
ip route add default via $tun_ip dev $tun_if table 10                                                             
ip rule add fwmark 10 table 10                                                                                    
ip route add default via $(nvram get wan_gateway) dev eth0 table 12                                               
ip rule add fwmark 12 table 12                                                                                    
                                                                                                                  
echo 0 > /proc/sys/net/ipv4/conf/$tun_if/rp_filter                                                                
                                                                                                                  
# VPN --> table10                                                                                                 
# WAN --> table12                                                                                                 
#                                                                                                                 
# By default All Traffic direct to WAN                                                                            
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 12                                                    
#                                                                                                                 
# All traffic from a particular computer on the LAN will use the VPN                                              
#
VPNIPList=“192.168.0.100"                                                                                                                                                                                                                                                                                                           
VPNMaCList=“AA:AA:AA:AA:AA BB:BB:BB:BB:BB"
#                                                                                                   
PRList="D I"                                                                                                      
#                                                                                                                 
#RULES                                                                                                           
#1.tell IP from VPNIPList to use the VPN (table10)
#2.block IP from VPNIPList to use WAN                     
for PR in $PRList                                                                                                 
do                                                                                                                
        for VPNIP in $VPNIPList                                                                          
        do                                                                                               
                iptables -t mangle -$PR PREROUTING -i br0 -m iprange --src-range $VPNIP -j MARK --set-mark 10 
                iptables -$PR FORWARD -i br0 -s $VPNIP -o eth0 -j DROP                                          
        done                                                                                                    
done                                     
#3.tell MAC from MACList to use only DNS from VPN (to avoid DNS leakage)                                                                    
for PR in $PRList                                                                                                 
do                                                                                                                
        for VPNMaC in $VPNMaCList                                                                                 
        do                                                                                                        
                iptables -t nat -$PR DNSFILTER -m mac --mac-source $VPNMaC -j DNAT --to-destination z.z.z.z      
        done                                                                                                      
done

VPN Server configuration:


what I'm doing wrong? any tips to solve the issue? Thanks

EDIT:
it was a problem of routing, so I solved adding this line:

ip route add 10.8.0.0/24 dev tun21 table 10

 

[teho]

I manged to setup OpenVPN policy rules to work for the selected devices through static IP.
I have a problem where other devices that I want connected straight to the ISP, end up tapping on the IP set for VPN.

I end up setting a fixed IP for each devices mac address in DHCP to connect VPN or to ISP.

It works...but it's too troublesome to manually manage each device that the household members have.

I did come across an alternate method: https://github.com/RMerl/asuswrt-me...or-VPN-and-SSID-for-Regular-ISP-using-OpenVPN
but it's a little complicated for me.

Is there a better workaround where IPs that are reserved for VPN will be bypassed when a device connects and receive a random IP from the DHCP range?

 

[nfshp253]

Hi, sorry for being a noob at this but does the script on the first page still work? If so, all I need to do is to change the IP addresses for the devices I want to pass through the VPN, right? I've put the script into the jffs/scripts and rebooted the router but now everything runs through the VPN and the exception I put in the openvpn-event file doesn't seem to work. Can someone give me some advice?

 

[Hakon_H]

Hello.
I have a ac68u running firmware 380.57 and OpenVPN + PIA just fine.
My problem is when VPN is running it kills the NAT loopback. I can no longer access my ddns adress from LAN, but there is no problem when not on home network.
Is there a work around for this problem?

 

[L&LD]

Hello.
I have a ac68u running firmware 380.57 and OpenVPN + PIA just fine.
My problem is when VPN is running it kills the NAT loopback. I can no longer access my ddns adress from LAN, but there is no problem when not on home network.
Is there a work around for this problem?

Did you try the different loopback options (and rebooted the router) to test?

 

[Mikeyy]

Hello.
I have a ac68u running firmware 380.57 and OpenVPN + PIA just fine.
My problem is when VPN is running it kills the NAT loopback. I can no longer access my ddns adress from LAN, but there is no problem when not on home network.
Is there a work around for this problem?

http://www.snbforums.com/threads/port-forward-while-using-vpn-client.28014/page-2#post-219168
http://www.snbforums.com/threads/port-forward-while-using-vpn-client.28014/page-2#post-219502

 

[Hakon_H]

Did you try the different loopback options (and rebooted the router) to test?

Hi.
I have tried both asus and merlin loopback with no luck.

 

[Hakon_H]

http://www.snbforums.com/threads/port-forward-while-using-vpn-client.28014/page-2#post-219168
http://www.snbforums.com/threads/port-forward-while-using-vpn-client.28014/page-2#post-219502

Hi just tried disabling "iptables -t mangle -F PREROUTING" in my script. Now traffic from specified pc is no longer using vpn!

Have you done anything else?

 

[Mikeyy]

No. I have VPN defined in GUI with LAN IP's which go over VPN, rest use WAN. All defined in router GUI.
Then I use this script for port forwarding WANtoVPN:

#!/bin/sh
sleep 10
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
echo 0 > $i
done

# Delete table 100 and flush any existing rules if they exist.

ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
#iptables -t mangle -F PREROUTING
# This line breaks connection from LAN to VPN LAN address via ddns.

# Copy all non-default and non-VPN related routes from the main table into table 100.
# Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1"
#
# NOTE: Here I assume the OpenVPN tunnel is named "tun11".

ip route show table main | grep -Ev ^default | grep -Ev tun11 \
| while read ROUTE ; do
ip route add table 100 $ROUTE
done
ip route add default table 100 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 100
ip route flush cache

# Define the routing policies for the traffic. The rules will be applied in the order that they
# are listed. In the end, packets with MARK set to "0" will pass through the VPN. If MARK is set
# to "1" it will bypass the VPN.

iptables -t mangle -A PREROUTING -i br0 -p tcp --sport 1234 --match iprange --src-range 192.168.1.200 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -p tcp --match multiport --sports 1234:5678 --match iprange --src-range 192.168.1.201 -j MARK --set-mark 1

 

[ASAT]

you should stay away from using marks that would bit XOR modify marks of 1-6, 101-106 decimal (these are reserved for QoS) and B400 (used for NAT Loopback).

Bitwise OR'ing all the QOS and NAT Loopback marks together yields 46191. Does this mean I should avoid using this bit pattern in my custom marks?

0000000000000001 = 1
0000000000000010 = 2
0000000000000011 = 3
0000000000000100 = 4
0000000000000101 = 5
0000000000000110 = 6
0000000001100101 = 101
0000000001100110 = 102
0000000001100111 = 103
0000000001101000 = 104
0000000001101001 = 105
0000000001101010 = 106
1011010000000000 = 46080
----------------
1011010001101111 = 46191

 

[RMerlin]

Bitwise OR'ing all the QOS and NAT Loopback marks together yields 46191. Does this mean I should avoid using this bit pattern in my custom marks?

0000000000000001 = 1
0000000000000010 = 2
0000000000000011 = 3
0000000000000100 = 4
0000000000000101 = 5
0000000000000110 = 6
0000000001100101 = 101
0000000001100110 = 102
0000000001100111 = 103
0000000001101000 = 104
0000000001101001 = 105
0000000001101010 = 106
1011010000000000 = 46080
----------------
1011010001101111 = 46191

I admit I picked a silly bitmask for the NAT loopback. I wanted to remain as creative as phuzi0n's d001 (which is "loop" when flipped in a mirror), but didn't consider the fact that this might make things harder to handle as Asus (or users) start using bitmasks. (I used b400 as in "before"). I might change that to a single (or a pair of) bits in the future. Possibly 0x8000 or 0x0800.

(EDIT: another reason for using such a weird mark value was it made it easy for me to track down all my loopback code by searching for this specific value )

 

[ASAT]

I might change that to a single (or a pair of) bits in the future. Possibly 0x8000 or 0x0800.

Here's what that looks like.

0000000001111111 = 0x007F = 127    ASUS QoS and bandwidth limiter
0000000010000000 = 0x0080 = 128    OK
0000000100000000 = 0x0100 = 256    OK
0000001000000000 = 0x0200 = 512    OK
0000010000000000 = 0x0400 = 1024   OK
0000100000000000 = 0x0800 = 2048   Merlin NAT Loopback
0001000000000000 = 0x1000 = 4096   OK
0010000000000000 = 0x2000 = 8192   OK
0100000000000000 = 0x4000 = 16384  OK
1000000000000000 = 0x8000 = 32768  Merlin NAT Loopback

CORRECTED

 

[john9527]

Here's what that looks like.

0000000001101111 = 0x006F = 111    ASUS QoS
0000000000010000 = 0x0010 = 16     OK ???
0000000010000000 = 0x0080 = 128    OK
0000000100000000 = 0x0100 = 256    OK
0000001000000000 = 0x0200 = 512    OK
0000010000000000 = 0x0400 = 1024   OK
0000100000000000 = 0x0800 = 2048   Merlin NAT Loopback
0001000000000000 = 0x1000 = 4096   OK
0010000000000000 = 0x2000 = 8192   OK
0100000000000000 = 0x4000 = 16384  OK
1000000000000000 = 0x8000 = 32768  Merlin NAT Loopback

Scratch the 0x0010.....If I remember correctly, they used 10-16 for the bandwidth limiter QoS.

looks like 0x8000 is the way to go for a new loopback value.