Technically yes...although can use the far easier VPN GUI option to set 'Accept DNS configuration=EXCLUSIVE' (depending on your requirements) to add entries to the DNSVPN? chain instead of using the fwmark technique.
Correct me if I am wrong, but if I set the option 'Accept DNS configuration=EXCLUSIVE', I will be using the DNS servers sent by my VPN service.
But with my configuration, where I am only tunneling outgoing traffic to port 8000, this will result in all the DNS queries to be unencrypted and clearly detected by my ISP.
However with the fwmark technique the DNS queries will be sent within the VPN tunnel, encrypted and untraceable by anyone.
I'm wondering how you can policy-route traffic generated by the router itself e.g. when running transmission on the router itself on the default port TCP 51413
I propose that the following technique addresses the custom edge case requirements of the OP.
Code:
# All LAN/WiFi device http/https requests will use the VPN, but device xxx.xxx.xxx.xxx will be excluded and use the WAN
# RPDB rules: fwmark 0x7000 -> main table 254 (WAN) at prio 9990; fwmark 0x?000 -> table 11? (VPN client ?) at prio 999?
ip rule del fwmark 0x7000
ip rule add fwmark 0x7000 table 254 prio 9990
ip rule del fwmark 0x?000
ip rule add fwmark 0x?000 table 11? prio 999?
ip route flush cache
# Mark port 80/443 traffic from every LAN client (except the router's own LAN address) for the VPN
iptables -t mangle -D PREROUTING -i br0 ! -s $(nvram get lan_ipaddr) -p tcp -m multiport --dport 80,443 -j MARK --set-mark 0x?000/0x?000
iptables -t mangle -A PREROUTING -i br0 ! -s $(nvram get lan_ipaddr) -p tcp -m multiport --dport 80,443 -j MARK --set-mark 0x?000/0x?000
# Re-mark the excluded device's port 80/443 traffic for the WAN (multiport requires a port list; 0x7000/0x7000 overwrites the 0x?000 bits set above)
iptables -t mangle -D PREROUTING -i br0 -s xxx.xxx.xxx.xxx -p tcp -m multiport --dport 80,443 -j MARK --set-mark 0x7000/0x7000
iptables -t mangle -A PREROUTING -i br0 -s xxx.xxx.xxx.xxx -p tcp -m multiport --dport 80,443 -j MARK --set-mark 0x7000/0x7000
and FWMARK 0x7000 will use the WAN and FWMARK 0x?000 will use the VPN instance identified by '?'
I did consider inserting RPDB FWMARK rules within the individual VPN Client ranges as allocated by RMerlin's vpnrouting.sh script i.e. PRIO 1000-2000 (or lower 3000?) rather than using PRIO 9990-9005 which would then still allow use of the GUI Policy Rules for subnet/device selective routing as alluded to by @Xentrk but for my purposes I decided to make the Selective Port Routing have a higher priority than the Selective Routing Policy Rules.
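As an added worked example (not code from the post above or from the Asuswrt-Merlin firmware), the following script turns the '?' convention of the technique into a generator: VPN client N becomes fwmark 0x<N>000, table 11N and prio 999N, with 0x7000 at prio 9990 as the WAN mark. It assumes br0 is the LAN bridge and 192.168.1.1 is the router's LAN address unless told otherwise, and it goes one step beyond the post by also generating the reply-direction rule (match on --sport) for a device that is policy-routed through a VPN client but must stay reachable on a service port from the WAN. By default it only prints the commands so they can be reviewed; APPLY=1 runs them, which needs root on the router.

```shell
#!/bin/sh
# Added example, not from the forum post or Asuswrt-Merlin. Generates the RPDB and
# mangle rules for selective port routing. Instance N (1-5) -> fwmark 0x<N>000,
# table 11N, prio 999N; 0x7000 at prio 9990 is the WAN (main table) mark.
# Assumes br0 is the LAN bridge and that the GUI policy rules sit at a lower
# priority (higher number), so these fwmark rules are consulted first.

WAN_MARK=0x7000
WAN_TABLE=254   # main routing table
WAN_PRIO=9990

vpn_mark()  { printf '0x%s000' "$1"; }   # 1 -> 0x1000 ... 5 -> 0x5000
vpn_table() { printf '11%s' "$1"; }      # 1 -> 111 (ovpnc1) ... 5 -> 115 (ovpnc5)
vpn_prio()  { printf '999%s' "$1"; }     # 1 -> 9991 ... 5 -> 9995

# Reject anything but 1-5 so a typo cannot mark traffic into a table that does not exist.
check_instance() {
    case "$1" in
        1|2|3|4|5) return 0 ;;
        *) echo "vpn instance must be 1-5, got '$1'" >&2; return 1 ;;
    esac
}

# RPDB rule for the WAN mark. No mask on the ip rule, so it is an exact match on 0x7000.
gen_wan_rule() {
    cat <<EOF
ip rule del fwmark $WAN_MARK 2>/dev/null || true
ip rule add fwmark $WAN_MARK table $WAN_TABLE prio $WAN_PRIO
EOF
}

# gen_rules N DPORTS EXCLUDE_IP [LAN_IP]
# LAN clients' TCP connections to DPORTS go through VPN client N, except EXCLUDE_IP,
# which keeps using the WAN.
gen_rules() {
    n=$1; dports=$2; excl=$3; lan=${4:-192.168.1.1}
    check_instance "$n" || return 1
    mark=$(vpn_mark "$n"); table=$(vpn_table "$n"); prio=$(vpn_prio "$n")
    gen_wan_rule
    cat <<EOF
ip rule del fwmark $mark 2>/dev/null || true
ip rule add fwmark $mark table $table prio $prio
ip route flush cache
iptables -t mangle -D PREROUTING -i br0 ! -s $lan -p tcp -m multiport --dport $dports -j MARK --set-mark $mark/$mark 2>/dev/null || true
iptables -t mangle -A PREROUTING -i br0 ! -s $lan -p tcp -m multiport --dport $dports -j MARK --set-mark $mark/$mark
iptables -t mangle -D PREROUTING -i br0 -s $excl -p tcp -m multiport --dport $dports -j MARK --set-mark $WAN_MARK/$WAN_MARK 2>/dev/null || true
iptables -t mangle -A PREROUTING -i br0 -s $excl -p tcp -m multiport --dport $dports -j MARK --set-mark $WAN_MARK/$WAN_MARK
EOF
}
# Order note: a packet from EXCLUDE_IP matches both mangle rules. The first sets
# 0x<N>000/0x<N>000, the second then sets 0x7000/0x7000, which rewrites all three
# bits (e.g. 0x1000 -> 0x7000), so only the exact-match WAN rule at prio 9990 fires.

# gen_reply_rules DEV_IP SPORTS
# For a device policy-routed through a VPN client that must stay reachable from the
# WAN: mark its replies (source port = the service port) so they leave via the WAN.
gen_reply_rules() {
    dev=$1; sports=$2
    gen_wan_rule
    cat <<EOF
iptables -t mangle -D PREROUTING -i br0 -s $dev -p tcp -m multiport --sport $sports -j MARK --set-mark $WAN_MARK/$WAN_MARK 2>/dev/null || true
iptables -t mangle -A PREROUTING -i br0 -s $dev -p tcp -m multiport --sport $sports -j MARK --set-mark $WAN_MARK/$WAN_MARK
EOF
}

# Usage:  sh selective_port_routing.sh 1 80,443 192.168.1.50          (print only)
#         APPLY=1 sh selective_port_routing.sh 1 80,443 192.168.1.50  (run as root on the router)
if [ $# -ge 3 ]; then
    if [ "${APPLY:-0}" = 1 ]; then gen_rules "$@" | sh -e; else gen_rules "$@"; fi
fi
```

The delete commands are tolerated with `|| true` so the script can be re-run (for example from a firewall-start hook) without aborting on the first run, when there is nothing to delete yet; the add commands are left strict so a typo in a port list or address fails loudly instead of silently leaving traffic on the wrong path.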
Feeling a bit stupid here, but what pre-reqs should be in place to achieve this? And do I need all those rules (with a different port of course) for my use case? Which is fairly simple: my NAS is the only device that sits behind the VPN client, but as a result I can't reach its GUI over the WAN, so I'd like to make that work again with forwarding just 1 port.
Code:
iptables -t mangle -D PREROUTING -i br0 ! -s 192.168.1.1 -p tcp -m multiport --dport 8051 -j MARK --set-mark 0x1000/0x1000
iptables: No chain/target/match by that name.
The error message is because you are attempting to delete a rule that doesn't exist?
I suggest you follow Example 2 in the OpenVPN Selective Port routing Wiki article Selective Port Routing to get access to your NAS inbound from the WAN.
Just a bit confused here 'cause you mentioned:
iptables -t mangle -A PREROUTING -i br0 ! -s $(nvram get lan_ipaddr) -p tcp -m multiport --dport 80,443 -j MARK --set-mark 0x?000/0x?000
iptables -t mangle -A PREROUTING -i br0 -s xxx.xxx.xxx.xxx -p tcp -m multiport --dport 80,443 -j MARK --set-mark 0x7000/0x7000
And the example contains just:
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.88 -p tcp -m multiport --sport 3389 -j MARK --set-mark 0x8000/0x8000
Am I missing something?
(According to your instructions I changed 0x8000 to 0x1000 since I use VPN Client 1.)