
VPN Director Source/Destination Port-Based Split-Tunneling Rules Not Possible?

garycnew

Senior Member
All:

I'm in the process of migrating from Asuswrt-Merlin 384 => 388 and noticed VPN Director as an option for VPN Source/Destination Address-Based Split-Tunneling.

In Asuswrt-Merlin 384, I configured my Source/Destination Port-Based VPN Split-Tunneling Rules in the nat-start script as follows:

Code:
   iptables -t mangle -I PREROUTING -i br0 -p udp -m multiport --sport 11111,22222,33333,44444,55555 -j MARK --set-mark 0x2000/0x2000
   iptables -t mangle -I PREROUTING -i br0 -p tcp -m multiport --sport 11111,22222,33333,44444,55555 -j MARK --set-mark 0x2000/0x2000
   iptables -t mangle -I PREROUTING -i br0 -p udp -m multiport --sport 10000:10999 -j MARK --set-mark 0x2000/0x2000
   iptables -t mangle -I PREROUTING -i br0 -p tcp -m multiport --sport 10000:10999 -j MARK --set-mark 0x2000/0x2000

I just want to confirm that VPN Director is only Source/Destination Address aware (NOT Source/Destination Port aware) and that I should continue using the nat-start script for my Source/Destination Port-Based Split-Tunneling Rules?

Thanks, again.


Gary
 
I just want to confirm that VPN Director is only Source/Destination Address aware (NOT Source/Destination Port aware)
No, Merlin uses ip rule, which does not have the sport/dport option compiled in (intentional?).
Usage of fwmarks has not been possible in the fw because ai-protect already uses all the bits. But it's used in various add-ons, like x3mrouting, Wireguard manager, etc.
 
No, Merlin uses ip rule which does not have sport/dport option compiled in (intentional?).
Sorry, I need to retract this statement. Looks like this has changed in the 388 fw:
Code:
admin@RT-AX86U_Pro:/tmp/home/root# ip rule add from 192.168.28.2 dport 1888 lookup 123
admin@RT-AX86U_Pro:/tmp/home/root# ip rule
0:      from all lookup local
89:     from 192.168.28.2 dport 1888 lookup 123
90:     from all to 192.168.100.128/25 lookup main
90:     from all to 192.168.100.2 lookup main
10010:  from all to 192.168.0.0/16 lookup main
11210:  from 192.168.100.0/24 lookup wgc1
11211:  from 192.168.128.1 lookup wgc1
11212:  from 192.168.128.100 lookup wgc1
11213:  from 192.168.128.120 lookup wgc1
11214:  from 192.168.128.110 lookup wgc1
32766:  from all lookup main
32767:  from all lookup default
admin@RT-AX86U_Pro:/tmp/home/root#

Can't believe I didn't find this before. Looks like you have a better option; it is not exposed in VPN Director, but I would recommend updating your script to use this instead.
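To make the suggestion above concrete, here is an added example (not from either poster, and not part of Asuswrt-Merlin or VPN Director) that takes the same source-port list and range from the original post's four iptables lines and emits the equivalent `ip rule` commands with `sport`/`dport` selectors, the form the `ip rule` output above shows the 388 firmware accepting. Everything it fills in is an assumption to adjust: the LAN subnet 192.168.1.0/24, the routing table name `ovpnc1`, and the rule priority 5000. Pick a priority that sorts before whichever existing rules you need the port rules to override (a rule added without a priority lands just above the current lowest one, which is how the test rule above got 89). The script only prints by default; run it with `apply` as its first argument to execute the rules.

```sh
#!/bin/sh
# Added example: translate iptables multiport --sport/--dport lists into
# ip rule sport/dport selectors. All of the values below are assumptions.
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed br0 subnet
VPN_TABLE="${VPN_TABLE:-ovpnc1}"       # assumed routing table for the VPN client
RULE_PRIO="${RULE_PRIO:-5000}"         # assumed priority; must sort before rules it overrides

# Convert one iptables-style port spec (comma list, ranges written a:b)
# into ip rule form (ranges written a-b), one entry per line.
split_ports() {
    printf '%s\n' "$1" | tr ',' '\n' | tr ':' '-'
}

# Print one "ip rule add" command per port entry for a direction
# ("sport" or "dport"), a protocol (tcp or udp) and an iptables-style
# port spec. Nothing is executed here.
gen_port_rules() {
    dir="$1"; proto="$2"; ports="$3"
    split_ports "$ports" | while IFS= read -r p; do
        [ -n "$p" ] || continue
        printf 'ip rule add from %s ipproto %s %s %s lookup %s priority %s\n' \
            "$LAN_NET" "$proto" "$dir" "$p" "$VPN_TABLE" "$RULE_PRIO"
    done
}

# Same source ports as the original post's iptables rules.
PORT_LIST="11111,22222,33333,44444,55555"
PORT_RANGE="10000:10999"

# Emit the full rule set: both protocols, the list and the range.
emit_all() {
    for proto in tcp udp; do
        gen_port_rules sport "$proto" "$PORT_LIST"
        gen_port_rules sport "$proto" "$PORT_RANGE"
    done
}

if [ "$1" = "apply" ]; then
    # Execute each generated command, then drop the cached route decisions.
    emit_all | while IFS= read -r cmd; do $cmd; done
    ip route flush cache 2>/dev/null
else
    emit_all
fi
```

Because the rules are generated rather than hard-coded, you can check the output with `ip rule` afterwards and remove them again with the matching `ip rule del` lines (same selectors, same priority) from a nat-start teardown path. Unlike the fwmark approach, no packet marking is involved, so the rules do not compete with the mark bits the firmware and add-ons already use.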
 