
Iptables not routing guest network through VPN

Discussion in 'Tomato Firmware' started by blackjackel, Apr 25, 2014.

  1. blackjackel

    blackjackel LI Guru Member

    I'm trying to have a guest network that is completely routed through VPN, yet when I change the iptables to do so, the guest network loses all access to the internet.

    I am using shibby v117, Asus RT-AC66U and the guest network is br2. In this example, both br1 and br2 should go through the VPN, according to these lines:

    iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br2 -j MARK --set-mark 0

    But what happens is that br0 will go through the VPN while br2 has no access to the internet.

    Here is my full iptables script section:


    # This code goes in the WAN UP section of the Tomato GUI.
    # This code based on the contributions from this thread:
    # http://www.linksysinfo.org/index.php?threads/route-only-specific-ports-through-vpn-openvpn.37240/
    #
    # And from material in these articles:
    # http://linux-ip.net/html/adv-multi-internet.html
    # http://fedorasolved.org/Members/kanarip/iptables-howto
    #
    # This script configures "selective" VPN routing. Normally Tomato will route ALL traffic out
    # the OpenVPN tunnel. These changes to iptables allow some outbound traffic to use the VPN, and some
    # traffic to bypass the VPN and use the regular Internet instead.
    #
    # To list the current rules on the router, issue the command:
    # iptables -t mangle -L PREROUTING
    #
    # Flush/reset all the rules to default by issuing the command:
    # iptables -t mangle -F PREROUTING
    #
    #
    # First it is necessary to disable Reverse Path Filtering on all
    # current and future network interfaces:
    #
    for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
        echo 0 > $i
    done
    #
    # Delete table 100 and flush any existing rules if they exist.
    #
    ip route flush table 100
    ip route del default table 100
    ip rule del fwmark 1 table 100
    ip route flush cache
    iptables -t mangle -F PREROUTING
    #
    # Copy all non-default and non-VPN related routes from the main table into table 100.
    # Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1"
    #
    # NOTE: Here I assume the OpenVPN tunnel is named "tun11".
    #
    #
    ip route show table main | grep -Ev ^default | grep -Ev tun11 \
    | while read ROUTE ; do
        ip route add table 100 $ROUTE
    done
    ip route add default table 100 via $(nvram get wan_gateway)
    ip rule add fwmark 1 table 100
    ip route flush cache
    #
    # Define the routing policies for the traffic. The rules will be applied in the order that they
    # are listed. In the end, packets with MARK set to "0" will pass through the VPN. If MARK is set
    # to "1" it will bypass the VPN.
    #
    # EXAMPLES:
    #
    # All LAN traffic will bypass the VPN (Useful to put this rule first, so all traffic bypasses the VPN and you can configure exceptions afterwards)
    # iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
    # Ports 80 and 443 will bypass the VPN
    # iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 1
    # All traffic from a particular computer on the LAN will use the VPN
    # iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.2 -j MARK --set-mark 0
    # All traffic to a specific Internet IP address will use the VPN
    # iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 216.146.38.70 -j MARK --set-mark 0
    # All UDP and ICMP traffic will bypass the VPN
    # iptables -t mangle -A PREROUTING -i br0 -p udp -j MARK --set-mark 1
    # iptables -t mangle -A PREROUTING -i br0 -p icmp -j MARK --set-mark 1
    # By default all traffic on home lan goes through the VPN
    iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 0
    # By default all traffic on guest lan goes through vpn
    iptables -t mangle -A PREROUTING -i br2 -j MARK --set-mark 0
    #shit for router to work
    iptables -A INPUT -p udp --sport 67 --dport 68 -j ACCEPT



    # Spotify explicitly uses the VPN
    #iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 78.31.8.1-78.31.15.254 -j MARK --set-mark 0
    #iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 193.182.8.1-193.182.15.254 -j MARK --set-mark 0
     
  2. blackjackel

    blackjackel LI Guru Member

    I had someone (who knows what they're doing) look at this problem and he found the solution: the following line needs to be added to iptables to allow NAT for the br2 VLAN:

    iptables -t nat -I POSTROUTING -o tun11 --src 192.168.3.0/24 -j MASQUERADE


    After adding this line, br2 goes through the VLAN just fine.
     
  3. EOC_Jason

    EOC_Jason Networkin' Nut Member

    Yes, if you don't explicitly state the route / iroute in the OpenVPN configs then you will need to set up the postrouting / masquerade.

    The only side effect is that traffic coming out of the tunnel will all look like the source is the tunnel IP instead of the actual device.
     
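The fix from post 2 and the explanation in post 3, carried into one complete WAN-up script. This is an added example, not the original poster's script and not Tomato's own code. It assumes the thread's names (tunnel tun11, home bridge br0, guest bridge br2 on 192.168.3.0/24) and reads the WAN gateway from nvram as the thread does; the nvram key wan_iface used for the WAN interface name, and the guest-to-WAN DROP rule in block_guest_wan_leak, are assumptions added here, the latter as the guard that keeps guest traffic off the plain WAN when the tunnel is down.

```shell
#!/bin/sh
# Added example (not the thread's own script): selective VPN routing for a
# Tomato guest bridge, with the POSTROUTING MASQUERADE rule from the fix.
# Assumed, constructed names: tunnel tun11, home bridge br0, guest bridge br2
# on 192.168.3.0/24, WAN gateway and WAN interface read from nvram.
# Override any of them through the environment. Run as "sh guest-vpn.sh" to
# print the commands, or "sh guest-vpn.sh apply" on the router to execute them.

VPN_IF="${VPN_IF:-tun11}"
HOME_IF="${HOME_IF:-br0}"
GUEST_IF="${GUEST_IF:-br2}"
GUEST_NET="${GUEST_NET:-192.168.3.0/24}"
WAN_TABLE=100   # routing table whose default route is the plain WAN gateway
BYPASS_MARK=1   # fwmark 1 -> table 100 -> WAN, bypassing the VPN
VPN_MARK=0      # fwmark 0 -> main table -> default route via the tunnel

# run: execute a command, or only print it when DRY_RUN is non-empty.
run() {
    if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi
}

# wan_gateway: WAN_GW from the environment, else nvram, else a visible
# placeholder so that dry-run output off the router stays readable.
wan_gateway() {
    if [ -n "$WAN_GW" ]; then echo "$WAN_GW"; return; fi
    nvram get wan_gateway 2>/dev/null || echo "<wan_gateway>"
}

# Policy routing only works with reverse-path filtering off (thread, step 1).
set_rp_filter() {
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        if [ -n "$DRY_RUN" ]; then echo "echo 0 > $f"; else echo 0 > "$f"; fi
    done
}

# Rebuild table 100: LAN routes copied from main, default via WAN, fwmark rule.
setup_policy_routing() {
    run ip rule del fwmark "$BYPASS_MARK" table "$WAN_TABLE" 2>/dev/null
    run ip route flush table "$WAN_TABLE"
    if command -v ip >/dev/null 2>&1; then
        ip route show table main 2>/dev/null | grep -Ev '^default' | grep -Ev "$VPN_IF" |
        while read -r route; do
            run ip route add table "$WAN_TABLE" $route   # unquoted: several words
        done
    fi
    run ip route add default table "$WAN_TABLE" via "$(wan_gateway)"
    run ip rule add fwmark "$BYPASS_MARK" table "$WAN_TABLE"
    run ip route flush cache
}

# MARK is non-terminating, so the last matching rule wins: put the per-bridge
# defaults first and exceptions after them.
setup_marks() {
    run iptables -t mangle -F PREROUTING
    run iptables -t mangle -A PREROUTING -i "$HOME_IF" -j MARK --set-mark "$VPN_MARK"
    run iptables -t mangle -A PREROUTING -i "$GUEST_IF" -j MARK --set-mark "$VPN_MARK"
    # Exception from the thread's examples: home-LAN web traffic bypasses the VPN.
    run iptables -t mangle -A PREROUTING -i "$HOME_IF" -p tcp -m multiport \
        --dport 80,443 -j MARK --set-mark "$BYPASS_MARK"
}

# The fix from post 2. Without route/iroute for the guest subnet on the VPN
# side, the far end can only answer the tunnel address, so guest packets
# leaving via tun11 are source-NATed to it (post 3's side effect: every guest
# device then appears as that one address).
setup_nat() {
    run iptables -t nat -D POSTROUTING -o "$VPN_IF" --src "$GUEST_NET" -j MASQUERADE 2>/dev/null
    run iptables -t nat -I POSTROUTING -o "$VPN_IF" --src "$GUEST_NET" -j MASQUERADE
}

# Assumption beyond the thread: if the tunnel drops, the main table falls back
# to the WAN default route and guest traffic would leave unencrypted. Dropping
# guest -> WAN forwarding keeps "completely routed through VPN" true.
block_guest_wan_leak() {
    wan_if="${WAN_IF:-$(nvram get wan_iface 2>/dev/null || echo "<wan_iface>")}"
    run iptables -D FORWARD -i "$GUEST_IF" -o "$wan_if" -j DROP 2>/dev/null
    run iptables -I FORWARD -i "$GUEST_IF" -o "$wan_if" -j DROP
}

setup_guest_vpn() {
    set_rp_filter
    setup_policy_routing
    setup_marks
    setup_nat
    block_guest_wan_leak
}

case "${1:-}" in
    apply) setup_guest_vpn ;;
    *)     DRY_RUN=1; setup_guest_vpn ;;
esac
```

After applying, `ip rule show`, `ip route show table 100` and `iptables -t nat -L POSTROUTING -n -v` show the three pieces that have to agree: the fwmark rule, the WAN default in table 100, and a MASQUERADE counter on tun11 that increases as guest clients browse. The -D before each -I makes re-running the script on WAN-up idempotent instead of stacking duplicate rules.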
  4. Mohanish Mahajan

    Mohanish Mahajan Network Newbie Member

    Hi All,

    I guess someone from this thread will be able to help me out.
    I am new to Tomato firmware.
    Mostly I have worked with Cisco IOS.
    I recently got a Linksys3200 running Tomato version 1.28 MIPSR2.
    I recently was able to successfully advertise the second SSID on subnet 192.168.2.0 using a virtual interface wl0.1 (Bridge group1 br1). The problem is I have my primary VLAN set up on subnet 192.168.1.0 over wl0 and a separate SSID over which internet is working fine. But when I advertised the second SSID the internet is not working on it. Please, can someone help urgently!! And yes, I am also running OpenVpn client on the device.
     
