
how to have/set up a Dual Gateway?

Discussion in 'Tomato Firmware' started by Dr.Romantic, Dec 19, 2013.

  1. Dr.Romantic

    Dr.Romantic Serious Server Member

    Hello there

    I'm not sure if the title is the right term for what I'm looking for. I hope this is right.
    I'm not experienced, so I need your kind help.

    I have an Asus RT-N16 flashed with Shibby's 114.
    I'm in Germany and always have my router connected to a British VPN service.
    When I'm logged on to the VPN network from the router I can't access my open ports from the outside world (settings on port forwarding). It doesn't matter if I tried my VPN IP or my local internet IP; they just don't work (I guess maybe since all the devices now are somehow isolated and appearing to be in the UK).
    Though when I try to access the port from a local device (for example using German_ip_when_VPN_is_connected:xxxx) it is accessible, but if I tried it from the internet (used my brother's computer in another country) I wouldn't be able to access it.

    when I disconnect from the VPN network it would go back to normal operation.

    The thing is that I have one or two devices which I want to be on the local German IP network (I want to use them for VoIP communication) and for their data not to go through the VPN network.

    Is there a way to have a dual gateway and be able to assign devices to ignore the VPN internet connection, connect normally, and be available to be accessed from the forwarded ports?

    Thanks for your help. Please tell me if you need more info from my setup which I didn't mention.
     
  2. darkknight93

    darkknight93 Networkin' Nut Member

    This is a normal behaviour called NAT loopback - your router "sees" packets from inside arriving with the IP of your WAN and redirects them itself to the internal LAN - this feature in fact is in continuous discussion because not all services support such redirection. For http/https traffic, everything is fine IMHO.


    I think the issue that port forwarding is broken as soon as the VPN is established is a design issue.

    Can you just post your firewall rules as soon as you are connected to the VPN and afterwards with "no VPN connection"?
    You can do that in Tools -> Scripts: >>iptables -L<< and click run.
    Paste the results here.
     
  3. Dr.Romantic

    Dr.Romantic Serious Server Member

    Thanks for your reply.

    I get this after connecting to the VPN:

    Code:
    Chain INPUT (policy DROP)
    target     prot opt source               destination        
    ACCEPT     all  --  anywhere             anywhere           
    DROP       all  --  anywhere             anywhere            state INVALID
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
    shlimit    tcp  --  anywhere             anywhere            tcp dpt:ssh state NEW
    ACCEPT     all  --  anywhere             anywhere           
    ACCEPT     all  --  anywhere             anywhere           
    ACCEPT     udp  --  anywhere             anywhere            udp spt:bootps dpt:bootpc
    Chain FORWARD (policy DROP)
    target     prot opt source               destination        
    ACCEPT     all  --  anywhere             anywhere           
               all  --  anywhere             anywhere            account: network/netmask: 192.168.1.0/255.255.255.0 name: lan
    ACCEPT     all  --  anywhere             anywhere           
    DROP       all  --  anywhere             anywhere            state INVALID
    TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
    wanin      all  --  anywhere             anywhere           
    wanout     all  --  anywhere             anywhere           
    ACCEPT     all  --  anywhere             anywhere           
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination        
    Chain shlimit (1 references)
    target     prot opt source               destination        
               all  --  anywhere             anywhere            recent: SET name: shlimit side: source
    DROP       all  --  anywhere             anywhere            recent: UPDATE seconds: 60 hit_count: 4 name: shlimit side: source
    Chain wanin (1 references)
    target     prot opt source               destination        
    ACCEPT     tcp  --  anywhere             raspbx              tcp dpt:sip
    ACCEPT     udp  --  anywhere             raspbx              udp dpt:sip
    ACCEPT     udp  --  anywhere             raspbx              udp dpt:iax
    ACCEPT     tcp  --  anywhere             foscam              tcp dpt:www
    ACCEPT     udp  --  anywhere             raspbx              udp dpts:10000:10100
    Chain wanout (1 references)
    target     prot opt source               destination



    and after disconnecting from the VPN I get the following

    Code:
    Chain INPUT (policy DROP)
    target     prot opt source               destination         
    DROP       all  --  anywhere             anywhere            state INVALID 
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
    shlimit    tcp  --  anywhere             anywhere            tcp dpt:ssh state NEW 
    ACCEPT     all  --  anywhere             anywhere            
    ACCEPT     all  --  anywhere             anywhere            
    ACCEPT     udp  --  anywhere             anywhere            udp spt:bootps dpt:bootpc 
    Chain FORWARD (policy DROP)
    target     prot opt source               destination         
               all  --  anywhere             anywhere            account: network/netmask: 192.168.1.0/255.255.255.0 name: lan 
    ACCEPT     all  --  anywhere             anywhere            
    DROP       all  --  anywhere             anywhere            state INVALID 
    TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU 
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
    wanin      all  --  anywhere             anywhere            
    wanout     all  --  anywhere             anywhere            
    ACCEPT     all  --  anywhere             anywhere            
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination         
    Chain shlimit (1 references)
    target     prot opt source               destination         
               all  --  anywhere             anywhere            recent: SET name: shlimit side: source 
    DROP       all  --  anywhere             anywhere            recent: UPDATE seconds: 60 hit_count: 4 name: shlimit side: source 
    Chain wanin (1 references)
    target     prot opt source               destination         
    ACCEPT     tcp  --  anywhere             raspbx              tcp dpt:sip 
    ACCEPT     udp  --  anywhere             raspbx              udp dpt:sip 
    ACCEPT     udp  --  anywhere             raspbx              udp dpt:iax 
    ACCEPT     tcp  --  anywhere             foscam              tcp dpt:www 
    ACCEPT     udp  --  anywhere             raspbx              udp dpts:10000:10100 
    Chain wanout (1 references)
    target     prot opt source               destination       


    Basically the change is the first line:
    ACCEPT all -- anywhere anywhere
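The difference Dr.Romantic spotted by eye can be checked mechanically. The following is an added example (not code from the thread or from Tomato): a small parser for `iptables -L` output that diffs the two captures chain by chain and lists every unconditional `ACCEPT all anywhere anywhere` rule. The two listings embedded below are the INPUT and FORWARD chains from the posts above with the column padding collapsed; note that `-L` without `-v -n` hides the in/out interface match, so a blanket ACCEPT that looks like "accept everything" may in fact be scoped to one interface, and `iptables -L -v -n` is the way to tell.

```python
"""Parse `iptables -L` listings and diff them chain by chain.

Added example, not code from the thread or from Tomato. The listings are
the INPUT/FORWARD chains posted in the thread, padding collapsed.
"""
import re

# Constructed from the "after connecting to vpn" listing in the thread.
VPN_UP = """\
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
shlimit tcp -- anywhere anywhere tcp dpt:ssh state NEW
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
  all -- anywhere anywhere account: network/netmask: 192.168.1.0/255.255.255.0 name: lan
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere state INVALID
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
wanin all -- anywhere anywhere
wanout all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
"""

# Constructed from the "after disconnecting from VPN" listing.
VPN_DOWN = """\
Chain INPUT (policy DROP)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
shlimit tcp -- anywhere anywhere tcp dpt:ssh state NEW
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
Chain FORWARD (policy DROP)
target prot opt source destination
  all -- anywhere anywhere account: network/netmask: 192.168.1.0/255.255.255.0 name: lan
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere state INVALID
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
wanin all -- anywhere anywhere
wanout all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \((.*)\)$")
# The target column may be empty (the `account` match has none), hence \S*.
RULE_RE = re.compile(r"^(\S*)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")
BLANKET_ACCEPT = ("ACCEPT", "all", "anywhere", "anywhere", "")


def parse_chains(listing):
    """Return {chain: {"policy": str|None, "rules": [(target, prot, src, dst, extra)]}}."""
    chains, current = {}, None
    for line in listing.splitlines():
        if not line.strip():
            continue
        m = CHAIN_RE.match(line)
        if m:
            current, info = m.group(1), m.group(2)
            policy = info.split()[1] if info.startswith("policy ") else None
            chains[current] = {"policy": policy, "rules": []}
            continue
        if line.startswith("target") or current is None:
            continue  # column header, or text before the first chain
        m = RULE_RE.match(line)
        if m:
            target, prot, _opt, src, dst, extra = m.groups()
            chains[current]["rules"].append((target, prot, src, dst, extra.strip()))
    return chains


def diff_chains(before, after):
    """Per-chain multiset difference: rules only in `after` (added) or only in `before` (removed)."""
    report = {}
    for chain in list(before) + [c for c in after if c not in before]:
        remaining = list(before.get(chain, {"rules": []})["rules"])
        added = []
        for rule in after.get(chain, {"rules": []})["rules"]:
            if rule in remaining:
                remaining.remove(rule)
            else:
                added.append(rule)
        if added or remaining:
            report[chain] = {"added": added, "removed": remaining}
    return report


def blanket_accepts(chains):
    """(chain, position) of every unconditional ACCEPT; verify each with `iptables -L -v -n`."""
    return [(chain, i) for chain, data in chains.items()
            for i, rule in enumerate(data["rules"]) if rule == BLANKET_ACCEPT]


if __name__ == "__main__":
    up, down = parse_chains(VPN_UP), parse_chains(VPN_DOWN)
    for chain, delta in diff_chains(down, up).items():
        print(chain, "added:", delta["added"], "removed:", delta["removed"])
    print("blanket ACCEPTs with VPN up:", blanket_accepts(up))
```

Running it reports one added unconditional ACCEPT at the top of INPUT and one at the top of FORWARD when the VPN is up, and nothing removed, which is exactly the change described above; the same parser works on any `iptables -L` capture taken from Tools -> Scripts.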
     
  4. mstombs

    mstombs Network Guru Member

    What about the route table 'route -n' ?
     
  5. Dr.Romantic

    Dr.Romantic Serious Server Member

    before and after?

    this is when VPN is connected
    Code:
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    95.154.xxx.xx   4x.xx8.xxx.1    255.255.255.255 UGH   0      0        0 vlan2
    4x.xx8.xxx.1    0.0.0.0         255.255.255.255 UH    0      0        0 vlan2
    10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun11
    192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
    4x.xx8.xxx.0    0.0.0.0         255.255.248.0   U     0      0        0 vlan2
    127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
    0.0.0.0         10.8.0.1        128.0.0.0       UG    0      0        0 tun11
    128.0.0.0       10.8.0.1        128.0.0.0       UG    0      0        0 tun11
    0.0.0.0         4x.xx8.xxx.1    0.0.0.0         UG    0      0        0 vlan2 
     
    Last edited: Dec 19, 2013
  6. Dr.Romantic

    Dr.Romantic Serious Server Member

    this is after disconnecting:

    Code:
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    4x.xx8.xxx.1    0.0.0.0         255.255.255.255 UH    0      0        0 vlan2
    192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
    4x.xx8.xxx.0    0.0.0.0         255.255.248.0   U     0      0        0 vlan2
    127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
    0.0.0.0         4x.xx8.xxx.1    0.0.0.0         UG    0      0        0 vlan2
    I have adblock.sh running
     
    Last edited: Dec 19, 2013
  7. mstombs

    mstombs Network Guru Member

    You should remove your real IPs there, but it would be good to tell us which are your local real IP and gateway and which the other end of the VPN! As I expected there are significant differences here, making default routing go through the tunnel.

    I am partly responsible for the first route table host entry in the second example - needed for my half bridge modem mode, where the ISP gateway is not in the network defined by the IP and netmask.

    Adblock primarily works on DNS poisoning; it can have associated iptables rules to pixelserv etc., but I don't see any here.
     
  8. Dr.Romantic

    Dr.Romantic Serious Server Member

    Not sure if I get you, but I think you meant to say that I should hide my actual IP from my previous post to protect it from the public. If that is what you meant, I'll do that now.

    by the way my actual German IP is not showing in the previous post (the last 3 digits are actually not as (1) what is appearing there is 4x.xx8.xxx.1)

    UK vpn IP =95.154.xxx.xx = that was the actual IP

    I would like to add that my cable modem is operating in bridge mode and the asus router with Shibby is connected to the modem and internet directly
     
    Last edited: Dec 19, 2013
  9. Dr.Romantic

    Dr.Romantic Serious Server Member

    Any more help or suggestions, guys? Have I missed something, or did I unnoticeably leave a request to give more details unanswered?

    vlan2 is the internet, either connected directly or through a VPN
    br0 is the router's internal IP network (LAN DHCP zone)
    lo: I think this is for the adblock
    tun11: this is the VPN network pushed by the service provider
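Why mstombs says the tunnel has become the default route, and what a "dual gateway" for the VoIP box would look like, can both be shown with a route lookup against the tables posted above. The following is an added example, not code from the thread or from Tomato. It replays longest-prefix matching over the two `route -n` tables (the two /1 routes via tun11 beat the /0 default via vlan2 because 1 is longer than 0, while the /32 host route to the VPN server keeps the tunnel itself on vlan2), and then models a source-address rule of the kind `ip rule` provides, which is my assumption about the mechanism, not something the thread verified. The masked ISP addresses (4x.xx8.xxx.x) and the VPN server address are replaced with documentation-range placeholders, and the VoIP host 192.168.1.50, the `wan_only` table and the rule order are constructed.

```python
"""Route lookups against the `route -n` tables posted in this thread.

Added example, not code from the thread or from Tomato. ISP and VPN
server addresses are placeholders (the thread masks the real ones); the
VoIP host, the extra table and the rules are constructed.
"""
import ipaddress

ISP_GW = "198.51.96.1"       # placeholder for the masked 4x.xx8.xxx.1
VPN_SERVER = "203.0.113.10"  # placeholder for the masked 95.154.xxx.xx

# (destination, genmask, gateway, iface) in `route -n` order, VPN connected.
VPN_UP = [
    (VPN_SERVER, "255.255.255.255", ISP_GW, "vlan2"),   # host route keeps the tunnel on vlan2
    (ISP_GW, "255.255.255.255", "0.0.0.0", "vlan2"),
    ("10.8.0.0", "255.255.255.0", "0.0.0.0", "tun11"),
    ("192.168.1.0", "255.255.255.0", "0.0.0.0", "br0"),
    ("198.51.96.0", "255.255.248.0", "0.0.0.0", "vlan2"),
    ("127.0.0.0", "255.0.0.0", "0.0.0.0", "lo"),
    ("0.0.0.0", "128.0.0.0", "10.8.0.1", "tun11"),      # two /1 routes pushed by the VPN:
    ("128.0.0.0", "128.0.0.0", "10.8.0.1", "tun11"),    # together they cover everything
    ("0.0.0.0", "0.0.0.0", ISP_GW, "vlan2"),            # original default, now never chosen
]

# Same router after disconnecting.
VPN_DOWN = [
    (ISP_GW, "255.255.255.255", "0.0.0.0", "vlan2"),
    ("192.168.1.0", "255.255.255.0", "0.0.0.0", "br0"),
    ("198.51.96.0", "255.255.248.0", "0.0.0.0", "vlan2"),
    ("127.0.0.0", "255.0.0.0", "0.0.0.0", "lo"),
    ("0.0.0.0", "0.0.0.0", ISP_GW, "vlan2"),
]

# Constructed second table that only knows the ISP side (no tun11 routes at all).
WAN_ONLY = [
    ("192.168.1.0", "255.255.255.0", "0.0.0.0", "br0"),
    ("198.51.96.0", "255.255.248.0", "0.0.0.0", "vlan2"),
    ("0.0.0.0", "0.0.0.0", ISP_GW, "vlan2"),
]

# Constructed rule order: (source selector, table); None matches any source.
RULES = [("192.168.1.50/32", "wan_only"), (None, "main")]
TABLES = {"main": VPN_UP, "wan_only": WAN_ONLY}


def lookup(table, dst):
    """Longest-prefix match over one table (every metric is 0 in the posted tables).
    Returns (gateway, iface) or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for dest, mask, gw, iface in table:
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return None if best is None else (best[1], best[2])


def policy_lookup(rules, tables, src, dst):
    """Model of policy routing: the first rule whose selector matches the source
    picks the table; a table with no matching route falls through to the next rule."""
    src = ipaddress.ip_address(src)
    for selector, name in rules:
        if selector is None or src in ipaddress.ip_network(selector):
            hop = lookup(tables[name], dst)
            if hop is not None:
                return name, hop
    return None


if __name__ == "__main__":
    for dst in ("8.8.8.8", "140.82.112.3", VPN_SERVER, "192.168.1.20"):
        print(dst, "VPN up ->", lookup(VPN_UP, dst), "| VPN down ->", lookup(VPN_DOWN, dst))
    for host in ("192.168.1.50", "192.168.1.20"):
        print(host, "to 8.8.8.8 ->", policy_lookup(RULES, TABLES, host, "8.8.8.8"))
```

The lookup shows that with the VPN up every public destination resolves to 10.8.0.1 on tun11 except the VPN server itself, which is what makes the forwarded ports unreachable from outside: a SYN arrives on vlan2, but the LAN host's reply is routed by the main table back out through the tunnel. Keying the extra table on the VoIP host's source address (the iproute2 equivalent would be `ip rule add from 192.168.1.50 table 100` plus a default route via the ISP gateway in table 100, an assumption on my part rather than a tested Tomato recipe) steers both its outbound calls and its replies to inbound connections via vlan2, which is the property the forwarded SIP/IAX ports need. Whether Shibby's OpenVPN client leaves such rules intact across reconnects is not something the thread establishes and would need checking on the router.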
     
