VPN Client routing for WAN not working

[xed]

I'm running 384.13 on an RT-AC1900P. At the moment I have one master rule for sending all LAN traffic "192.168.2.0/24" through the VPN and then I specify each LAN IP addresses that I want to to go directly to the WAN and skip the VPN. Here's what's weird.

If I specify a LAN IP to go straight to WAN then after I apply it works but only for about 20 seconds. On the machine I'm sending to the WAN I can have a browser open to a "where is my ip location" webpage and repeatedly hit refresh and watch when it kicks over from telling me my VPN provider's exit point to my real machine location. Then after about 20 seconds it's dead with no access. Its behaving like the router would be expected to behave if "Block routed clients if tunnel goes down"=Yes and there was no WAN rule and the VPN tunnel went down.

At first I thought it might be something to do with "Policy Rules" vs "Policy Rules (Stricte)" So I backed up a step and took all my VPN Client routing rules out except for just my one main LAN routing "192.168.2.0/24" to VPN and set "Block routed clients if tunnel goes down"=Yes. If VPN Client is on and connected then fine if not connected then all blocked. Ok so far, that's exactly as expected. Then I flipped "Block routed clients if tunnel goes down"=No. If VPN Client is on and connected then fine if not connected then that same 20 second thing happens again where all traffic is correctly routed to the WAN (because "Block routed clients if tunnel goes down"=No) but after about 20 seconds all traffic is suddenly blocked.

It's acting like it checks to see what traffic should be routed to the WAN (either all of it if "Block routed clients if tunnel goes down"=No or just some of it if I have my individual rules in) and it does it correctly (the change from VPN to WAN really does happen) but then 20 seconds later it slams the door.

Any help would be greatly appreciated; thank you.

 

[Xentrk]

You may want to try the common configuration where you want your entire LAN to go through the VPN, but not the router itself:

LAN_IPs    192.168.1.0/24    0.0.0.0    VPN
Router     192.168.1.1       0.0.0.0    WAN

You can use the command ip rule from an SSH session to see the RPDB rules. The lower priority numbers get the highest priority:

0:      from all lookup local
10104:  from 192.168.1.150 lookup ovpnc1
10105:  from 192.168.1.151 lookup ovpnc1
10106:  from 192.168.1.153 lookup ovpnc1
10107:  from 192.168.1.154 lookup ovpnc1
10301:  from 192.168.1.165 lookup ovpnc2
10302:  from 192.168.1.149 lookup ovpnc2
10303:  from 192.168.1.152 lookup ovpnc2
32766:  from all lookup main
32767:  from all lookup default

Devices defined to use the WAN won't appear in the list.

 

[xed]

I tried adding in a second rule for...

Router     192.168.2.1       0.0.0.0    WAN

... which was in addition to my ...

LAN_IPs    192.168.2.0/24    0.0.0.0    VPN

... but the same thing still happens. If I "Block routed clients if tunnel goes down"=No it still blocks when client isn't connected (and then of course also blocks for anything I have a rule for for local to go to WAN and bypass VPN if connected.

 

[xed]

I gave up and did a factory reset and then reinput my settings and everything went back to working as expected. Presumably something was quirky due to a prior firmware update and it took a factory reset to clear out whatever was making it act so strangely.