
Another selective VPN routing thread

Discussion in 'Tomato Firmware' started by stiebs, Mar 5, 2013.

  1. stiebs

    stiebs Serious Server Member

    Before I get started, I've read a number of threads across multiple forums, including another thread on these forums, and I've got basic source based routing working nicely. But not quite nice enough.

    I posted this same question on the tomatousb forums, but these seem to be more active, so I'll cross post here too.

    (well, I was going to cross-post here, but in creating the thread, it kept telling me I was trying to get sneaky looking URLs into my post. I couldn't see any!)

    Essentially, what I'm trying to do is:
    Create a second VLAN on a different subnet, which redirects all internet traffic through the VPN but can still access the main VLAN
    Create a virtual WLAN which connects to the above VLAN
    Plug my main switch into the first physical router port (ie, main VLAN)
    Plug a secondary "VPN" switch into the second physical router port (ie, VPN VLAN)
    For wired devices, I can select whether or not they are on the VPN by plugging into a different router. For wireless devices, I can select whether or not they are on the VPN by connecting to a different SSID.

    The post with more detail on what I've done is on the tomatousb forums. I would provide a link, but I'm seriously having issues posting here! Everything I do is telling me I'm sneaking in a URL.
     
  2. stiebs

    stiebs Serious Server Member

    The detail of what I have tried, and what works and what doesn't work is on the tomatousb forums, titled "another-vpn-help-thread"
     
  3. stiebs

    stiebs Serious Server Member

    I would really love to provide an easier link, or some real commands, but this forum software just won't let me put in anything that remotely resembles anything that could possibly ever be interpreted as a link. I can't even put in any ip route / ip rule / iptables commands because it thinks I'm sneaking in IP addresses as links.
     
  4. stiebs

    stiebs Serious Server Member

    I'm trying to post here, but it keeps telling me that I'm trying to post a sneaky URL. I'm trying to post IP rules and routes, but I think the forum software must be picking up the IP addresses as "sneaky" urls, and I can't post!
     
  5. Toxic

    Toxic Administrator Staff Member

    Stiebs

    That is because of our Anti Spam Policy. Our site is under attack 24/7 with approximately 200-400 spambot registrations a day. These fail due to the new anti-spambot measures we have in place now. We are also moderating all new user posts until they prove to me, the moderators and the community that they are worthy of full access as a normal user.

    I have relaxed the setting for Sneaky URLs at present, but I must emphasise spam defence is a priority and I will not allow the forums to be overtaken if I can help it.

    Linksysinfo and our Hosts will do anything to prevent spam if we can.
     
  6. stiebs

    stiebs Serious Server Member

    Thanks Toxic, understood. I tried to play around a bit to mask the URL looking things, but just couldn't manage it. I noticed that many other posts have content similar to what I was trying to post, but my guess was that URL posting is allowed once a moderator approves me, or some such. Anyway, here goes with my original again in the next post....
     
  7. stiebs

    stiebs Serious Server Member

    I'm half way through successfully achieving what I want to do, but I'm missing just a couple of pieces.
    The main goal, which does not seem to be uncommon, is to direct traffic from some devices through a VPN, but the majority of traffic directly to the internet.

    The first effort was with a WRT54GL and the K24 VPN build of shibby, however the "ip rule" command failed. The second effort is now with a RT-N66U running K26-AIO 64k, and the following three commands were all that were needed to get my laptop running through my VPN, and all other traffic hitting the 'net directly:
    Code:
    ip rule add from 192.168.1.25 table 200
    ip route add default via x.x.x.x dev tun11 table 200
    ip route flush cache
    
    (Note: replace x.x.x.x with proper VPN destination)
    This solution works nicely for static IPs. But then I wanted a more elegant solution. The ultimate goal is this:
    1. Create a second VLAN on 192.168.2.0/24, which redirects all internet traffic through the VPN but can still access 192.168.1.0/2
    2. Create a virtual WLAN which connects to the above VLAN
    3. Plug my main switch into the first physical router port (ie, main VLAN)
    4. Plug a secondary "VPN" switch into the second physical router port (ie, VPN VLAN)
    What I've done so far:
    1. Set up the VPN, and unchecked "Redirect Internet traffic"
    2. Created a bridge br1 for 192.168.2.0/24
    3. Added a VLAN 3 on Port 4 Bridged on br1 (VLAN 1 is Ports 1,2,3 on br0, and VLAN 2 is WAN Port bridged on WAN)
    4. Created virtual wireless wl0.1 (2.4Ghz) and wl1.1 (5Ghz) both bridged to br1
    At this point, all devices connected to wl0.0 and wl0.1, as well as all devices plugged into the main switch work as per normal.

    Laptop connected to wl1.1 (on 192.168.2.0/24) can ping 192.168.1.1 and 192.168.2.1, but not anything else on 192.168.1

    Now run these two commands (note that I have *not* run the "ip rules" commands above at this stage):
    Code:
    iptables -I INPUT -i br1 -j ACCEPT
    iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j ACCEPT
    
    Now, my laptop on 192.168.2 can access all devices on 192.168.1.0/24, as well as the internet.
    If I turn off wireless and plug it into Port 4, it gets a 192.168.2 address, and can access 192.168.1.0/24.
    All good so far.
    So the missing link for me is how to connect these two bits together.
    After adding the ip rule again:
    Code:
    ip rule add from 192.168.2.0/24 table 200
    
    I lose the routing back to 192.168.1.0/24
    So I continue on with:
    Code:
    ip route add 192.168.1.0/24 dev br0 table 200
    ip route add 192.168.2.0/24 dev br1 table 200
    
    This gets back full connectivity from 192.168.2.0/24 to both 192.168.1.0/24 and the internet, but not via the VPN.
    So I continue on with this:
    Code:
    ip route add default dev tun11 table 200
    
    (Also tried a few variations on above, with and without specifying "via x.x.x.x")
    And I keep connectivity between the VLANs, but no connection to the outside world at all.
    I also tried a few commands along these lines, but all internet traffic went out directly, not via the VPN:
    Code:
    iptables -I FORWARD -i br1 -o br0 -d 192.168.0.0/16 -m state --state NEW -j ACCEPT
    iptables -I FORWARD -i br1 -o tun11 -d ! 192.168.0.0/16 -m state --state NEW -j ACCEPT
    
    Thanks to anyone who a) spends the time reading my verbose post, and b) can offer suggestions or a solution!
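The pieces from the post above (the source rule, the table 200 routes for both LANs, the tunnel default, and the br1 firewall rules) collected into one re-runnable script, as an added example that is not the poster's code or anything from Tomato itself. It assumes the names used in the thread (br0 for the main LAN, br1 for the VPN VLAN, tun11 for the OpenVPN client, policy table 200); the MASQUERADE on tun11 and the "unreachable" fallback route are additions that are flagged as assumptions in the comments, and DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not code from the thread: one re-runnable setup script for the
# "VPN VLAN" design discussed above. Assumed names follow the posts (br0 = main
# LAN, br1 = VPN VLAN, tun11 = OpenVPN client, policy table 200); the MASQUERADE
# on tun11 and the unreachable fallback route are additions explained below.
# DRY_RUN=1 prints every command instead of executing it.
set -e

MAIN_LAN="${MAIN_LAN:-192.168.1.0/24}"   # subnet behind br0 (from the thread)
VPN_LAN="${VPN_LAN:-192.168.2.0/24}"     # subnet behind br1 (from the thread)
MAIN_BR="${MAIN_BR:-br0}"
VPN_BR="${VPN_BR:-br1}"
TUN_IF="${TUN_IF:-tun11}"
TABLE="${TABLE:-200}"
VPN_GW="${VPN_GW:-}"     # the thread's "x.x.x.x"; leave empty for a device-only route
KILL_SWITCH="${KILL_SWITCH:-1}"

# Execute a command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Delete-then-insert so re-running the script never stacks duplicate rules
# (works on old iptables builds that lack the -C check option).
ipt_once() {
    tbl=$1; shift
    run iptables -t "$tbl" -D "$@" 2>/dev/null || true
    run iptables -t "$tbl" -I "$@"
}

vpn_vlan_setup() {
    # 1. Source-based rule: traffic from the VPN VLAN consults table 200 first.
    run ip rule del from "$VPN_LAN" table "$TABLE" 2>/dev/null || true
    run ip rule add from "$VPN_LAN" table "$TABLE"

    # 2. Table 200 must carry the local subnets itself, otherwise the VLAN loses
    #    the main LAN (the symptom reported after adding the rule alone).
    run ip route flush table "$TABLE"
    run ip route add "$MAIN_LAN" dev "$MAIN_BR" table "$TABLE"
    run ip route add "$VPN_LAN" dev "$VPN_BR" table "$TABLE"

    # 3. Everything else from that VLAN leaves through the tunnel.
    if [ -n "$VPN_GW" ]; then
        run ip route add default via "$VPN_GW" dev "$TUN_IF" table "$TABLE"
    else
        run ip route add default dev "$TUN_IF" table "$TABLE"
    fi
    # Assumption: if tun11 drops, its default route disappears and lookups would
    # fall through to the main table, i.e. straight out the WAN. A higher-metric
    # unreachable route keeps the VLAN offline instead (needs an ip binary that
    # accepts the "unreachable" route type).
    if [ "$KILL_SWITCH" = 1 ]; then
        run ip route add unreachable default metric 10000 table "$TABLE"
    fi
    run ip route flush cache

    # 4. Firewall: the VLAN may talk to the router and the main LAN, and is
    #    forwarded into the tunnel. Assumption: with "Redirect Internet traffic"
    #    unchecked, Tomato adds no NAT on tun11, so replies need the MASQUERADE
    #    below to find their way back.
    ipt_once filter INPUT -i "$VPN_BR" -j ACCEPT
    ipt_once filter FORWARD -i "$VPN_BR" -o "$MAIN_BR" -m state --state NEW -j ACCEPT
    ipt_once filter FORWARD -i "$VPN_BR" -o "$TUN_IF" -m state --state NEW -j ACCEPT
    ipt_once nat POSTROUTING -s "$VPN_LAN" -o "$TUN_IF" -j MASQUERADE
}

# Show the rule list and table 200 after applying, to confirm the result.
vpn_vlan_show() {
    run ip rule show
    run ip route show table "$TABLE"
}

case "${1:-}" in
    apply) vpn_vlan_setup; vpn_vlan_show ;;
esac
```

Run `DRY_RUN=1 sh vpnvlan.sh apply` first to read the exact commands it would issue, then `sh vpnvlan.sh apply` from the router shell (or from the firewall script, so it survives a reboot). Because every rule is deleted before it is inserted, running it twice leaves one copy of each rule rather than a growing stack.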
     
