
Route only specific ports through VPN (openvpn)

Discussion in 'Tomato Firmware' started by ethaniel, Apr 1, 2012.

  1. ethaniel

    ethaniel Serious Server Member

    Hi,

    Tomato and OpenVPN are working perfectly, all traffic is encrypted.

    Now, is there any way to get only connections to ports 80 and 443 to go through OpenVPN, while all others - p2p and stuff go unencrypted?

    I tried playing with iptables, but unfortunately, none of the examples I found on the internet worked.
    Did anyone manage to get this working?
     
  2. ethaniel

    ethaniel Serious Server Member

    Thanks to (http://strongvpn.com/forum/viewtopic.php?id=1290) I got this solved:

    First of all, you need putty (http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html) and need to connect to the router's SSH port. It is 10.0.0.1:22 in my case. Username is root, password is your admin password. If you don't know how to use SSH, just skip most of this text almost till the end; this problem can be solved simply through the web interface.

    Technical details (you can skip this part)

    If you use OpenVPN or PPTP, Tomato automatically routes ALL connections to go through VPN. So we add some specific rules on top of that to get our ideas to work.

    First of all we have to disable some router security (otherwise our "super-specific" routing will not work):


    (don't forget to check the /proc/sys/net/ipv4/conf folder for other subfolders and repeat this process for them too).

    If I want a specific port to NOT go through VPN:


    If I want only SOME ports through VPN, while keeping all others unencrypted (don't forget that by default everything goes through VPN, so we basically just exclude all ports except 80,443):


    If you also want to route UDP and ICMP without VPN:


    You can replace [Your ISP's Gateway] with $(nvram get wan_gateway) if you are on Tomato. This will fill it in automatically.

    To cancel our changes:


    TO PERMANENTLY APPLY THOSE SETTINGS:

    If you want those changes to be applied automatically, every time you reboot your router, add the following lines to Administration>Scripts>WAN Up in the web interface of your router. I provide you with 2 solutions, but I suggest you stick with #1:

    Solution 1. Browse (http & https) through VPN, all other (games/radio/torrents) without VPN:
    Solution 2 (not recommended, but listed to give you a general idea). Browse (http & https) without VPN, all other (games/radio/torrents) through VPN:

     
  3. wilsonhlacerda

    wilsonhlacerda Networkin' Nut Member

  4. blackjackel

    blackjackel LI Guru Member


    Thanks so much for your help, but for some reason this does not work for me. I did have to modify the first part as I did have an eth2 folder, but basically whenever I would insert your script all ports would no longer run through the VPN... what am I doing wrong? If you help me successfully I'm willing to buy you a beer through paypal ($10)
     
  5. blackjackel

    blackjackel LI Guru Member

    basically I want my web browsing to be unaffected by the VPN....

    So when I go to whatismyip.com, it should give me my router gateway's IP... if everything is set up correctly...
     
  6. blackjackel

    blackjackel LI Guru Member

    I think I've solved it, there was never a problem to begin with, the method I was using to check my IP from another port was flawed!
     
  7. ethaniel

    ethaniel Serious Server Member

    You have to replace:
    with
    Which basically means "mark all connections to ports 80,443 with mark 1". The rules listed in the big post above route all connections with mark 1 over regular (unencrypted) connection.
     
  8. wilsonhlacerda

    wilsonhlacerda Networkin' Nut Member

    Nice solution!
     
  9. Grdnkln

    Grdnkln Serious Server Member

    Hi everybody,

    I just wanted to weigh in on this thread since it was EXTREMELY helpful to me. I was trying to set up a Tomato router which connected to a VPN provider via OpenVPN, and selectively allowed only CERTAIN connections to use the VPN, while others continued to use the Internet as normal. The point here was that the VPN is slow, and I wanted to have ONLY Spotify go through the VPN while the rest of the network uses the regular Internet.

    So I needed to set up my policies so that:
    - All traffic by default goes out the WAN (bypasses the VPN)
    - Traffic destined to a certain range of IPs goes through the VPN

    I used the code above with a few modifications to the last few lines so that it marked ALL packets as "1". Then, the next rule selectively picked certain packets which were destined for one of Spotify's IP addresses and re-marked those ones as "0".

    I ran into several issues with the code here:

    1) The part where you disable the router security (Reverse Path Filtering) by doing "echo 0 > /proc/sys/net/ipv4/conf/????/rp_filter" is hard-coded to a few specific interfaces. If you have any other network interfaces besides the ones listed above you'll run into problems. If the interfaces change in the future you'll run into problems. It's very rigid. It would be much more helpful if the code could intelligently go into each sub-directory and fix the settings.

    2) It's important to realize that these rules are applied sequentially, in order. After the packet gets to the last rule in the chain THEN it is evaluated where to route it. In particular, it may be confusing that the code above INSERTs the routes into the chain using -I, which means the end result is the rules are in the reverse order that they were written in the code. If you are setting up several cascading rules this could lead to confusion. It is useful to telnet into the router and examine how the chain actually looks by running:

    iptables -t mangle -L PREROUTING

    3) As the script above has been written, it has a bug where it could potentially break "NAT loopback" functionality. E.g. if you had a webserver on your local network that you forwarded port 80 to, and you try to access the WAN IP address from within your LAN like "http://99.123.51.23", it will sit there and spin and fail to connect. This is because the NAT port forwarding rules are being bypassed by this "Table 100" being used in the code. Table "100" doesn't contain any of the routes already specified in the "main" table, which is where all the normal NAT stuff happens.

    Here's a modified version of the code that I wrote with more documentation, some examples etc. in the comments, and a fix for the above issues. In the code below it will allow ALL traffic to bypass the VPN and go directly out the WAN except for SPECIFICALLY code which has Spotify's servers as the destination IP.

    Also, reading these two articles IN THEIR ENTIRETY was extremely helpful to figure out what exactly is going on:
    http://linux-ip.net/html/adv-multi-internet.html
    http://fedorasolved.org/Members/kanarip/iptables-howto


    Code:
    # This code goes in the WAN UP section of the Tomato GUI.
    # This code based on the contributions from this thread:
    #  http://www.linksysinfo.org/index.php?threads/route-only-specific-ports-through-vpn-openvpn.37240/
    #
    # And from material in these articles:
    #  http://linux-ip.net/html/adv-multi-internet.html
    #  http://fedorasolved.org/Members/kanarip/iptables-howto
    #
    # This script configures "selective" VPN routing. Normally Tomato will route ALL traffic out
    # the OpenVPN tunnel. These changes to iptables allow some outbound traffic to use the VPN, and some
    # traffic to bypass the VPN and use the regular Internet instead.
    #
    #  To list the current rules on the router, issue the command:
    #      iptables -t mangle -L PREROUTING
    #
    #  Flush/reset all the rules to default by issuing the command:
    #      iptables -t mangle -F PREROUTING
    #
     
    #
    # First it is necessary to disable Reverse Path Filtering on all
    # current and future network interfaces:
    #
    for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
      echo 0 > $i
    done
     
    #
    # Delete table 100 and flush any existing rules, if they exist.
    #
    ip route flush table 100
    ip route del default table 100
    ip rule del fwmark 1 table 100
    ip route flush cache
    iptables -t mangle -F PREROUTING
     
    #
    # Copy all non-default and non-VPN related routes from the main table into table 100.
    # Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1"
    #
    # NOTE: Here I assume the OpenVPN tunnel is named "tun11".
    #
    #
    ip route show table main | grep -Ev ^default | grep -Ev tun11 \
      | while read ROUTE ; do
          ip route add table 100 $ROUTE
    done
    ip route add default table 100 via $(nvram get wan_gateway)
    ip rule add fwmark 1 table 100
    ip route flush cache
     
     
    #
    # Define the routing policies for the traffic. The rules will be applied in the order that they
    # are listed. In the end, packets with MARK set to "0" will pass through the VPN. If MARK is set
    # to "1" it will bypass the VPN.
    #
    # EXAMPLES:
    #
    #  All LAN traffic will bypass the VPN (Useful to put this rule first, so all traffic bypasses the VPN and you can configure exceptions afterwards)
    #    iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
    #  Ports 80 and 443 will bypass the VPN
    #    iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 1
    #  All traffic from a particular computer on the LAN will use the VPN
    #    iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.2 -j MARK --set-mark 0
    #  All traffic to a specific Internet IP address will use the VPN
    #    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 216.146.38.70 -j MARK --set-mark 0
    #  All UDP and ICMP traffic will bypass the VPN
    #    iptables -t mangle -A PREROUTING -i br0 -p udp -j MARK --set-mark 1
    #    iptables -t mangle -A PREROUTING -i br0 -p icmp -j MARK --set-mark 1
     
     
    # By default all traffic bypasses the VPN
    iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
     
    # Spotify explicitly uses the VPN
    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 78.31.8.1-78.31.15.254 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 193.182.8.1-193.182.15.254 -j MARK --set-mark 0
     
  10. tjfriese

    tjfriese Addicted to LI Member

    Grdnkln:

    The above looks like exactly what I am looking for. However, it doesn't work. I have modified the spotify section at the bottom and am unable to get it to display correctly for the site that I want to (Netflix, using the IP range: 69.53.224.0-69.53.255.255).

    Is this because of the name of the OpenVPN tunnel? Is there anything else that could be wrong?

    Thanks,

    Tim
     
  11. tjfriese

    tjfriese Addicted to LI Member

    Has anyone else tried the above from Grdnkln?

    I have a couple of more questions concerning it. How do I find out the name of my OpenVPN tunnel? Why is the script laid out the way it is? If the script is processed in a top down manner why would instructions at the bottom of the script (to send traffic over the VPN) work properly if by default all traffic is routed outside of the VPN first? Wouldn't it make sense to have traffic forwarded through the VPN first (traffic sent to a specific site/IP address) and then the default of all other traffic?
     
  12. ovel2clock

    ovel2clock Serious Server Member

    Thanks Grdnkln! Your script works perfectly. I just want to do something perhaps a bit more customized.

    What I'm trying to do is forward all traffic from one particular computer on the network (192.168.1.3) to use the VPN for everything except port 32400 (plex media server). I adjusted your example above to:
    Code:
    # By default all traffic bypasses the VPN
    iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
     
    # Route all 192.168.1.3 traffic over VPN except Plex media server (port 32400)
    iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport ! --dport 32400 -m iprange --src-range 192.168.1.3 -j MARK --set-mark 0
    
    This seems to work since appending port 80 to the dport exclusion list shows 192.168.1.3 with a different IP address than say 192.168.1.4 (testing using ipchicken.com).

    My question is, what's the rule I need to forward 32400 traffic to 192.168.1.3 but keeping the VPN traffic rule above? I tried adding this :
    Code:
    iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 32400 -j DNAT --to 192.168.1.3:32400
    iptables -A FORWARD -p tcp -i eth1 -o eth0 -d 192.168.1.3 --dport 32400 -j ACCEPT
    
    I'm assuming one rule is messing up the other. Any assistance you can provide would be greatly appreciated!
     
  13. richardvoyageur

    richardvoyageur Serious Server Member

    Post #9 worked beautifully for me, thanks so much. I now have my TV going through the VPN exclusively and everything else is not. Thanks again!
     
  14. Grdnkln

    Grdnkln Serious Server Member

    Hey Tim, Netflix uses a huge wide range of IPs in many countries. They use Amazon (AWS) for hosting. Because of that it is almost impossible to selectively route VPN traffic for netflix using only destination IP ranges. I never got it working satisfactorily. I ended up setting the rule up so a single local PC on the LAN has ALL traffic routed over VPN. Then Netflix worked properly.

    Ovel2clock - I'm really not sure about the port forwarding rules you posted. For me, the built-in port forwarding section of the Tomato GUI works in harmony with my script so no special scripting was needed. Just go to Port Forwarding->Basic and enter whatever you need.
     
  15. Grdnkln

    Grdnkln Serious Server Member

    tjfriese, you find out the name of the tunnel by logging into the Tomato router via Telnet / Putty, and examining the results of "ifconfig".

    Regarding your second question - remember the script isn't actually processing any packets. It's just defining the iptables that will eventually process packets. ALL rules defined in the PREROUTING table are applied in sequence to each packet, and the end result is the packet gets routed differently depending on whether the "mark" ended up being set to 1 or not.

    You can set up the rules however you like, of course. If you want all traffic routed over VPN EXCEPT for specific exclusions, just modify the script and remove that first "catch-all" rule.
     
  16. quidagis

    quidagis Networkin' Nut Member

    @tjfriese

    You can add these lines of code right after

    # NOTE: Here I assume the OpenVPN tunnel is named "tun11".
    #
    #

    iface_lst=`route | awk '{print $8}'`
    # Walk the interface column of the routing table and stop at the first
    # OpenVPN tunnel (tun11 or tun12). This must be "break", not "exit":
    # exiting here would end the whole WAN Up script before any of the
    # route or mark rules below have been added.
    for tun_if in $iface_lst; do
    if [ "$tun_if" = "tun11" ]; then
    break
    elif [ "$tun_if" = "tun12" ]; then
    break
    fi
    done

    And edit this line
    ip route show table main | grep -Ev ^default | grep -Ev tun11 \

    to make it look like this:
    ip route show table main | grep -Ev ^default | grep -Ev $tun_if \
     
  17. kk5000

    kk5000 Serious Server Member

    Well that's not the case. I had this running perfectly on DD-WRT for nearly a year. Unfortunately I just got sick of DD-WRT dying for no reason and resetting all the rules away and needing to be restored and OpenVPN being broken in all new versions for the past year so I decided to move to Tomato-Shibby and I'm glad I did. Looks better, works better and most importantly, is not eating the entire NVRAM on the router (or anywhere close to it with just a standard install).

    HOWEVER, I have gotten caught up in a snag :) I am using your excellent script for selective VPN routing and it's working like a charm, but after I added all the ranges I wanted to reroute I get a "WAN up script is too long" error. I'm guessing there has to be a way to either increase the 4096k limit or put these rules somewhere else? Any help would be gladly appreciated. In the meantime, here's what you wanna reroute for Netflix, Hulu, Pandora, Disney, CBS, NBC, ABC and a host of other sites that block all non-US IPs from viewing most videos :

    Code:
    for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
      echo 0 > $i
    done
    ip route flush table 100
    ip route del default table 100
    ip rule del fwmark 1 table 100
    ip route flush cache
    iptables -t mangle -F PREROUTING
    ip route show table main | grep -Ev ^default | grep -Ev tun11 \
      | while read ROUTE ; do
          ip route add table 100 $ROUTE
    done
    ip route add default table 100 via $(nvram get wan_gateway)
    ip rule add fwmark 1 table 100
    ip route flush cache
    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 98.207.0.1-98.207.255.254 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 208.85.40.0-208.85.47.255 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 23.20.0.0-23.23.255.255 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 50.16.0.0-50.19.255.255 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 50.112.0.0-50.112.255.255 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 54.224.0.0-54.225.255.255 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 54.240.0.0-54.240.63.255 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 67.202.0.0-67.202.63.255 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 72.44.32.0-72.44.63.255 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 75.101.128.0-75.101.255.255 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 107.20.0.0-107.23.255.255 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 174.129.0.0-174.129.255.255 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 184.72.0.0-184.73.255.255 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 184.169.128.0-184.169.255.255 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 204.236.128.0-204.236.255.255 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 46.51.128.0-46.51.191.255 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 46.51.192.0-46.51.207.255 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 46.137.0.0-46.137.127.255 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 46.137.128.0-46.137.191.255 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 79.125.0.0-79.125.63.255 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 176.34.0.0-176.34.255.255 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 176.34.128.0-176.34.135.255 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 108.175.32.0-108.175.47.255 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 208.75.76.0-208.75.79.255 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 64.212.0.0-64.215.255.255 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 199.92.0.0-199.95.255.255 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 206.32.0.0-206.32.0.255 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 209.244.0.0-209.247.255.255 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 68.142.64.0-68.142.127.255 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 69.28.128.0-69.28.191.255 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 69.164.0.0-69.164.63.255 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 208.111.128.0-208.111.191.255 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 128.242.0.0-128.242.255.255 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 204.0.0.0-204.3.255.255 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 204.141.0.0-204.141.255.255 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 204.200.0.0-204.203.255.255 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 208.44.0.0-208.44.7.255 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 23.32.0.0-23.67.255.255 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 23.32.0.0-23.67.255.255 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 64.220.0.0-64.221.255.255 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 77.109.170.0-77.109.170.255 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 80.239.221.0-80.239.221.255 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 92.122.0.0-92.122.7.255 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 195.27.0.0-195.27.0.255 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 199.127.192.0-199.127.195.255 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 208.91.156.0-208.91.159.255 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 217.156.128.0-217.156.255.255 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 192.221.0.0-192.221.255.255 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 204.160.0.0-204.163.255.255 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 205.128.0.0-205.131.255.255 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 207.120.0.0-207.123.255.255 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 209.84.0.0-209.84.255.255 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 192.147.170.0-192.147.170.255 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 198.105.192.0-198.105.199.255 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 68.71.208.0-68.71.223.255 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 129.228.0.0-129.228.127.255 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 166.77.0.0-166.77.255.255 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 206.220.40.0-206.220.43.255 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 69.31.132.0-69.31.133.255 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 72.246.0.0-72.247.255.255 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 198.99.118.0-198.99.122.255 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 66.77.124.0-66.77.124.255 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 199.181.129.0-199.181.135.255 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 207.223.0.0-207.223.15.255 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 199.182.100.0-199.182.103.255 -j MARK --set-mark 0
    
     
  18. koitsu

    koitsu Network Guru Member

    The limit is 4096 bytes, not 4096k (4096k implies 4096KBytes). Two pieces of advice that will cut down the size substantially:

    1. Make a shell function called ipt and make it call iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range ... -j MARK --set-mark 0, then call ipt x.x.x.x-y.y.y.y (or better yet, see #2). Example:

    Code:
    ipt() {
      iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range "$1" -j MARK --set-mark 0
    }
     
    ipt 98.207.0.1-98.207.255.254
    ipt 208.85.40.0-208.85.47.255
    ...
    
    2. Cease use of this silly iprange module. Use CIDR notation instead -- you'll save bytes, and it's what actual (real) network technicians use. There are tools online that can help you convert a "range of IPs" into CIDR. Here's some example use:

    Code:
    iptables -t mangle -A PREROUTING -i br0 -d 23.20.0.0/14 -j MARK --set-mark 0
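A worked version of koitsu's two suggestions, added here as an example and not code from the thread: a small POSIX sh converter that turns an iprange-style "start-end" range into the minimal set of CIDR blocks, plus a helper that prints the equivalent -d mark rule for each block. The function names (ip2int, int2ip, range2cidr, cidr_rules) are my own; the sample ranges are taken from kk5000's list above.

```shell
#!/bin/sh
# Added example (not from the thread): turn an "a.b.c.d-e.f.g.h" range, as used
# with "-m iprange --dst-range" in the scripts above, into the minimal set of
# CIDR blocks that cover it exactly, then print one "-d x.x.x.x/nn" mark rule
# per block. Uses only $(( )) arithmetic, so it also runs on busybox ash.

# ip2int: dotted quad -> 32-bit integer
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int2ip: 32-bit integer -> dotted quad
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# range2cidr START END: print the CIDR blocks covering START..END (inclusive),
# one per line, lowest address first. Greedy: from the current address take the
# largest block that is aligned to its own size and does not run past END.
# A range that is not block-aligned (e.g. 98.207.0.1-98.207.255.254) therefore
# expands to many small blocks; a clean one (23.20.0.0-23.23.255.255) to one.
range2cidr() {
    local start end size next prefix
    start=$(ip2int "$1")
    end=$(ip2int "$2")
    while [ "$start" -le "$end" ]; do
        size=1
        prefix=32
        while [ "$prefix" -gt 0 ]; do
            next=$(( size * 2 ))
            # stop growing when the block would be misaligned or overrun END
            if [ $(( start % next )) -ne 0 ] || [ $(( start + next - 1 )) -gt "$end" ]; then
                break
            fi
            size=$next
            prefix=$(( prefix - 1 ))
        done
        echo "$(int2ip "$start")/$prefix"
        start=$(( start + size ))
    done
}

# cidr_rules START END: print (not run) the mangle rule for each block, in the
# form koitsu suggests; pipe the output into sh on the router to apply it.
cidr_rules() {
    range2cidr "$1" "$2" | while read -r block; do
        echo "iptables -t mangle -A PREROUTING -i br0 -d $block -j MARK --set-mark 0"
    done
}

# Sample input (constructed from ranges in kk5000's list above):
cidr_rules 23.20.0.0 23.23.255.255      # one /14
cidr_rules 23.32.0.0 23.67.255.255      # a /11 plus a /14
```

Ranges whose endpoints are not on block boundaries (the "x.x.0.1-x.x.255.254" style) produce dozens of rules, so snap them to ".0" and ".255" first if the whole block is meant.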
    
     
  19. kk5000

    kk5000 Serious Server Member

    Well I don't tangle with IPtables much so I didn't know how easy/difficult it was to use CIDR/netmask instead of these ranges :)

    I was already using that with DD-WRT. Here's the list if someone else needs it :

    route 98.207.0.0 255.255.0.0 vpn_gateway
    route 208.85.40.0 255.255.248.0 vpn_gateway
    route 23.20.0.0 255.252.0.0 vpn_gateway
    route 50.16.0.0 255.252.0.0 vpn_gateway
    route 50.112.0.0 255.255.0.0 vpn_gateway
    route 54.224.0.0 255.240.0.0 vpn_gateway
    route 54.240.0.0 255.240.0.0 vpn_gateway
    route 67.202.0.0 255.255.192.0 vpn_gateway
    route 72.44.32.0 255.255.224.0 vpn_gateway
    route 75.101.128.0 255.255.128.0 vpn_gateway
    route 107.20.0.0 255.252.0.0 vpn_gateway
    route 174.129.0.0 255.255.0.0 vpn_gateway
    route 184.72.0.0 255.254.0.0 vpn_gateway
    route 184.169.128.0 255.255.128.0 vpn_gateway
    route 204.236.128.0 255.255.128.0 vpn_gateway
    route 46.51.128.0 255.255.192.0 vpn_gateway
    route 46.51.192.0 255.255.240.0 vpn_gateway
    route 46.137.0.0 255.255.128.0 vpn_gateway
    route 46.137.128.0 255.255.192.0 vpn_gateway
    route 79.125.0.0 255.255.128.0 vpn_gateway
    route 176.34.64.0 255.255.192.0 vpn_gateway
    route 176.34.128.0 255.255.128.0 vpn_gateway
    route 108.175.32.0 255.255.240.0 vpn_gateway
    route 208.75.76.0 255.255.252.0 vpn_gateway
    route 64.212.0.0 255.252.0.0 vpn_gateway
    route 199.92.0.0 255.252.0.0 vpn_gateway
    route 206.32.0.0 255.252.0.0 vpn_gateway
    route 209.244.0.0 255.252.0.0 vpn_gateway
    route 68.142.64.0 255.255.192.0 vpn_gateway
    route 69.28.128.0 255.255.192.0 vpn_gateway
    route 69.164.0.0 255.255.192.0 vpn_gateway
    route 208.111.128.0 255.255.192.0 vpn_gateway
    route 128.242.0.0 255.255.0.0 vpn_gateway
    route 204.0.0.0 255.252.0.0 vpn_gateway
    route 204.141.0.0 255.255.0.0 vpn_gateway
    route 204.200.0.0 255.252.0.0 vpn_gateway
    route 208.44.0.0 255.252.0.0 vpn_gateway
    route 23.32.0.0 255.224.0.0 vpn_gateway
    route 23.64.0.0 255.252.0.0 vpn_gateway
    route 64.221.0.0 255.255.128.0 vpn_gateway
    route 64.221.128.0 255.255.192.0 vpn_gateway
    route 64.221.192.0 255.255.224.0 vpn_gateway
    route 77.109.170.0 255.255.255.0 vpn_gateway
    route 80.239.221.0 255.255.255.0 vpn_gateway
    route 92.122.0.0 255.254.0.0 vpn_gateway
    route 195.27.0.0 255.255.0.0 vpn_gateway
    route 199.127.192.0 255.255.252.0 vpn_gateway
    route 208.91.156.0 255.255.252.0 vpn_gateway
    route 217.156.128.0 255.255.128.0 vpn_gateway
    route 192.221.0.0 255.255.0.0 vpn_gateway
    route 204.160.0.0 255.252.0.0 vpn_gateway
    route 205.128.0.0 255.252.0.0 vpn_gateway
    route 207.120.0.0 255.252.0.0 vpn_gateway
    route 209.84.0.0 255.255.0.0 vpn_gateway
    route 68.71.208.0 255.255.240.0 vpn_gateway
    route 129.228.0.0 255.255.128.0 vpn_gateway
    route 166.77.0.0 255.255.0.0 vpn_gateway
    route 206.220.40.0 255.255.252.0 vpn_gateway
    route 69.31.132.0 255.255.254.0 vpn_gateway
    route 72.246.0.0 255.254.0.0 vpn_gateway
    route 198.99.118.0 255.255.254.0 vpn_gateway
    route 198.99.120.0 255.255.254.0 vpn_gateway
    route 198.99.122.0 255.255.255.0 vpn_gateway
    route 66.77.124.0 255.255.255.0 vpn_gateway
    route 199.181.129.0 255.255.255.0 vpn_gateway
    route 199.181.130.0 255.255.254.0 vpn_gateway
    route 199.181.132.0 255.255.252.0 vpn_gateway
    route 207.223.0.0 255.255.240.0 vpn_gateway
     
  20. koitsu

    koitsu Network Guru Member

    Understood (re: not tangling with iptables much). Not too hard to find out though: iptables --help clearly shows CIDR notation for --destination, a.k.a. -d.

    And if you're interested in the help syntax for the iprange module, use iptables -m iprange --help and look closely at the output at the bottom (yeah, this is how you get help/usage syntax for a specific netfilter/iptables module).
     
  21. quidagis

    quidagis Networkin' Nut Member

    @kk5000

    Code:
    IP_ADDRESS       MASK             CIDR_NOTATION
    98.207.0.0       255.255.0.0      98.207.0.0/16
    208.85.40.0      255.255.248.0    208.85.40.0/21
    23.20.0.0        255.252.0.0      23.20.0.0/14
    50.16.0.0        255.252.0.0      50.16.0.0/14
    50.112.0.0       255.255.0.0      50.112.0.0/16
    54.224.0.0       255.240.0.0      54.224.0.0/12
    54.240.0.0       255.240.0.0      54.240.0.0/12
    67.202.0.0       255.255.192.0    67.202.0.0/18
    72.44.32.0       255.255.224.0    72.44.32.0/19
    75.101.128.0     255.255.128.0    75.101.128.0/17
    107.20.0.0       255.252.0.0      107.20.0.0/14
    174.129.0.0      255.255.0.0      174.129.0.0/16
    184.72.0.0       255.254.0.0      184.72.0.0/15
    184.169.128.0    255.255.128.0    184.169.128.0/17
    204.236.128.0    255.255.128.0    204.236.128.0/17
    46.51.128.0      255.255.192.0    46.51.128.0/18
    46.51.192.0      255.255.240.0    46.51.192.0/20
    46.137.0.0       255.255.128.0    46.137.0.0/17
    46.137.128.0     255.255.192.0    46.137.128.0/18
    79.125.0.0       255.255.128.0    79.125.0.0/17
    176.34.64.0      255.255.192.0    176.34.64.0/18
    176.34.128.0     255.255.128.0    176.34.128.0/17
    108.175.32.0     255.255.240.0    108.175.32.0/20
    208.75.76.0      255.255.252.0    208.75.76.0/22
    64.212.0.0       255.252.0.0      64.212.0.0/14
    199.92.0.0       255.252.0.0      199.92.0.0/14
    206.32.0.0       255.252.0.0      206.32.0.0/14
    209.244.0.0      255.252.0.0      209.244.0.0/14
    68.142.64.0      255.255.192.0    68.142.64.0/18
    69.28.128.0      255.255.192.0    69.28.128.0/18
    69.164.0.0       255.255.192.0    69.164.0.0/18
    208.111.128.0    255.255.192.0    208.111.128.0/18
    128.242.0.0      255.255.0.0      128.242.0.0/16
    204.0.0.0        255.252.0.0      204.0.0.0/14
    204.141.0.0      255.255.0.0      204.141.0.0/16
    204.200.0.0      255.252.0.0      204.200.0.0/14
    208.44.0.0       255.252.0.0      208.44.0.0/14
    23.32.0.0        255.224.0.0      23.32.0.0/11
    23.64.0.0        255.252.0.0      23.64.0.0/14
    64.221.0.0       255.255.128.0    64.221.0.0/17
    64.221.128.0     255.255.192.0    64.221.128.0/18
    64.221.192.0     255.255.224.0    64.221.192.0/19
    77.109.170.0     255.255.255.0    77.109.170.0/24
    80.239.221.0     255.255.255.0    80.239.221.0/24
    92.122.0.0       255.254.0.0      92.122.0.0/15
    195.27.0.0       255.255.0.0      195.27.0.0/16
    199.127.192.0    255.255.252.0    199.127.192.0/22
    208.91.156.0     255.255.252.0    208.91.156.0/22
    217.156.128.0    255.255.128.0    217.156.128.0/17
    192.221.0.0      255.255.0.0      192.221.0.0/16
    204.160.0.0      255.252.0.0      204.160.0.0/14
    205.128.0.0      255.252.0.0      205.128.0.0/14
    207.120.0.0      255.252.0.0      207.120.0.0/14
    209.84.0.0       255.255.0.0      209.84.0.0/16
    68.71.208.0      255.255.240.0    68.71.208.0/20
    129.228.0.0      255.255.128.0    129.228.0.0/17
    166.77.0.0       255.255.0.0      166.77.0.0/16
    206.220.40.0     255.255.252.0    206.220.40.0/22
    69.31.132.0      255.255.254.0    69.31.132.0/23
    72.246.0.0       255.254.0.0      72.246.0.0/15
    198.99.118.0     255.255.254.0    198.99.118.0/23
    198.99.120.0     255.255.254.0    198.99.120.0/23
    198.99.122.0     255.255.255.0    198.99.122.0/24
    66.77.124.0      255.255.255.0    66.77.124.0/24
    199.181.129.0    255.255.255.0    199.181.129.0/24
    199.181.130.0    255.255.254.0    199.181.130.0/23
    199.181.132.0    255.255.252.0    199.181.132.0/22
    207.223.0.0      255.255.240.0    207.223.0.0/20
     
  22. kk5000

    kk5000 Serious Server Member

    Thanks guys. The support really has been spectacular on this forum. When compared to the nothing or one shitty remark telling you to read the non-existent or horribly arranged documentation on DD-WRT, WOW. Kudos to the Tomato community!
     
  23. kk5000

    kk5000 Serious Server Member

    Still too long :


    Code:
    for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
    echo 0 > $i
    done
    ip route flush table 100
    ip route del default table 100
    ip rule del fwmark 1 table 100
    ip route flush cache
    iptables -t mangle -F PREROUTING
    ip route show table main | grep -Ev ^default | grep -Ev tun11 \
    | while read ROUTE ; do
    ip route add table 100 $ROUTE
    done
    ip route add default table 100 via $(nvram get wan_gateway)
    ip rule add fwmark 1 table 100
    ip route flush cache
     
    iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
    iptables -t mangle -A PREROUTING -i br0 -d 98.207.0.0/16 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -d 208.85.40.0/21 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -d 23.20.0.0/14 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -d 50.16.0.0/14 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -d 50.112.0.0/16 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -d 54.224.0.0/12 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -d 54.240.0.0/12 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -d 67.202.0.0/18 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -d 72.44.32.0/19 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -d 75.101.128.0/17 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -d 107.20.0.0/14 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -d 174.129.0.0/16 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -d 184.72.0.0/15 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -d 184.169.128.0/17 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -d 204.236.128.0/17 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -d 46.51.128.0/18 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -d 46.51.192.0/20 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -d 46.137.0.0/17 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -d 46.137.128.0/18 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -d 79.125.0.0/17 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -d 176.34.64.0/18 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -d 176.34.128.0/17 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -d 108.175.32.0/20 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -d 208.75.76.0/22 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -d 64.212.0.0/14 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -d 199.92.0.0/14 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -d 206.32.0.0/14 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -d 209.244.0.0/14 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -d 68.142.64.0/18 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -d 69.28.128.0/18 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -d 69.164.0.0/18 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -d 208.111.128.0/18 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -d 128.242.0.0/16 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -d 204.0.0.0/14 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -d 204.141.0.0/16 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -d 204.200.0.0/14 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -d 208.44.0.0/14 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -d 23.32.0.0/11 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -d 23.64.0.0/14 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -d 64.221.0.0/17 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -d 64.221.128.0/18 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -d 64.221.192.0/19 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -d 77.109.170.0/24 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -d 80.239.221.0/24 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -d 92.122.0.0/15 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -d 195.27.0.0/16 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -d 199.127.192.0/22 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -d 208.91.156.0/22 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -d 217.156.128.0/17 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -d 192.221.0.0/16 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -d 204.160.0.0/14 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -d 205.128.0.0/14 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -d 207.120.0.0/14 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -d 209.84.0.0/16 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -d 68.71.208.0/20 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -d 129.228.0.0/17 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -d 166.77.0.0/16 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -d 206.220.40.0/22 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -d 69.31.132.0/23 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -d 72.246.0.0/15 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -d 198.99.118.0/23 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -d 198.99.120.0/23 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -d 198.99.122.0/24 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -d 66.77.124.0/24 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -d 199.181.129.0/24 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -d 199.181.130.0/23 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -d 199.181.132.0/22 -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -d 207.223.0.0/20 -j MARK --set-mark 0
    
    What we need is a combo of the 2 suggested techniques :
    Code:
    for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
      echo 0 > $i
    done
    ip route flush table 100
    ip route del default table 100
    ip rule del fwmark 1 table 100
    ip route flush cache
    iptables -t mangle -F PREROUTING
    ip route show table main | grep -Ev ^default | grep -Ev tun11 \
      | while read ROUTE ; do
          ip route add table 100 $ROUTE
    done
    ip route add default table 100 via $(nvram get wan_gateway)
    ip rule add fwmark 1 table 100
    ip route flush cache
    iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
    ipt() {
      iptables -t mangle -A PREROUTING -i br0 -d "$1" -j MARK --set-mark 0
    }
    ipt 98.207.0.0/16
    ipt 208.85.40.0/21
    ipt 23.20.0.0/14
    ipt 50.16.0.0/14
    ipt 50.112.0.0/16
    ipt 54.224.0.0/12
    ipt 54.240.0.0/12
    ipt 67.202.0.0/18
    ipt 72.44.32.0/19
    ipt 75.101.128.0/17
    ipt 107.20.0.0/14
    ipt 174.129.0.0/16
    ipt 184.72.0.0/15
    ipt 184.169.128.0/17
    ipt 204.236.128.0/17
    ipt 46.51.128.0/18
    ipt 46.51.192.0/20
    ipt 46.137.0.0/17
    ipt 46.137.128.0/18
    ipt 79.125.0.0/17
    ipt 176.34.64.0/18
    ipt 176.34.128.0/17
    ipt 108.175.32.0/20
    ipt 208.75.76.0/22
    ipt 64.212.0.0/14
    ipt 199.92.0.0/14
    ipt 206.32.0.0/14
    ipt 209.244.0.0/14
    ipt 68.142.64.0/18
    ipt 69.28.128.0/18
    ipt 69.164.0.0/18
    ipt 208.111.128.0/18
    ipt 128.242.0.0/16
    ipt 204.0.0.0/14
    ipt 204.141.0.0/16
    ipt 204.200.0.0/14
    ipt 208.44.0.0/14
    ipt 23.32.0.0/11
    ipt 23.64.0.0/14
    ipt 64.221.0.0/17
    ipt 64.221.128.0/18
    ipt 64.221.192.0/19
    ipt 77.109.170.0/24
    ipt 80.239.221.0/24
    ipt 92.122.0.0/15
    ipt 195.27.0.0/16
    ipt 199.127.192.0/22
    ipt 208.91.156.0/22
    ipt 217.156.128.0/17
    ipt 192.221.0.0/16
    ipt 204.160.0.0/14
    ipt 205.128.0.0/14
    ipt 207.120.0.0/14
    ipt 209.84.0.0/16
    ipt 68.71.208.0/20
    ipt 129.228.0.0/17
    ipt 166.77.0.0/16
    ipt 206.220.40.0/22
    ipt 69.31.132.0/23
    ipt 72.246.0.0/15
    ipt 198.99.118.0/23
    ipt 198.99.120.0/23
    ipt 198.99.122.0/24
    ipt 66.77.124.0/24
    ipt 199.181.129.0/24
    ipt 199.181.130.0/23
    ipt 199.181.132.0/22
    ipt 207.223.0.0/20
    
    Done deal ;)
     
  24. quidagis

    quidagis Networkin' Nut Member

    @kk5000

    How about this?

    Code:
    ## CUSTOMIZE YOUR SCRIPT VARIABLES
    #
    #ip_addrs_lst=""
    
    web_range_lst="98.207.0.0/16 208.85.40.0/21 23.20.0.0/14 50.16.0.0/14 50.112.0.0/16 54.224.0.0/12 54.240.0.0/12 67.202.0.0/18 72.44.32.0/19 75.101.128.0/17 107.20.0.0/14 174.129.0.0/16 184.72.0.0/15 184.169.128.0/17 204.236.128.0/17 46.51.128.0/18 46.51.192.0/20 46.137.0.0/17 46.137.128.0/18 79.125.0.0/17 176.34.64.0/18 176.34.128.0/17 108.175.32.0/20 208.75.76.0/22 64.212.0.0/14 199.92.0.0/14 206.32.0.0/14 209.244.0.0/14 68.142.64.0/18 69.28.128.0/18 69.164.0.0/18 208.111.128.0/18 128.242.0.0/16 204.0.0.0/14 204.141.0.0/16 204.200.0.0/14 208.44.0.0/14 23.32.0.0/11 23.64.0.0/14 64.221.0.0/17 64.221.128.0/18 64.221.192.0/19 77.109.170.0/24 80.239.221.0/24 92.122.0.0/15 195.27.0.0/16 199.127.192.0/22 208.91.156.0/22 217.156.128.0/17 192.221.0.0/16 204.160.0.0/14 205.128.0.0/14 207.120.0.0/14 209.84.0.0/16 68.71.208.0/20 129.228.0.0/17 166.77.0.0/16 206.220.40.0/22 69.31.132.0/23 72.246.0.0/15 198.99.118.0/23 198.99.120.0/23 198.99.122.0/24 66.77.124.0/24 199.181.129.0/24 199.181.130.0/23 199.181.132.0/22"
    
    ########################################
    # NO NEED TO CHANGE BELOW THIS LINE    #
    ########################################
    
    for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
      echo 0 > $i
    done
     
    ip route flush table 100
    ip route del default table 100
    ip rule del fwmark 1 table 100
    ip route flush cache
    iptables -t mangle -F PREROUTING
    
    # Find the VPN/PPP interface present in the routing table (POSIX test uses a single "=")
    iface_lst=`route | awk ' {print $8}'`
    for tun_if in $iface_lst; do
      if [ "$tun_if" = "tun11" ] || [ "$tun_if" = "tun12" ] || [ "$tun_if" = "ppp0" ]; then
        break
      fi
    done
    
    ip route show table main | grep -Ev ^default | grep -Ev $tun_if \
      | while read ROUTE ; do
          ip route add table 100 $ROUTE
    done
    ip route add default table 100 via $(nvram get wan_gateway)
    ip rule add fwmark 1 table 100
    ip route flush cache
     
    # Default behavior: MARK = 1 all traffic bypasses VPN, MARK = 0 all traffic goes VPN
    iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
    
    for ip_addrs in $ip_addrs_lst ; do
      iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range $ip_addrs -j MARK --set-mark 0
    done
    
    for web_dst_range in $web_range_lst ; do
      iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range $web_dst_range -j MARK --set-mark 0
    done
    
     
  25. kk5000

    kk5000 Serious Server Member

    OK so hopefuls can now take the second and final code from my last post and this will reroute Netflix, CBS, NBC, ABC, Hulu, Pandora & Disney for you. Netflix, CBS, NBC, ABC are 100% confirmed. The others are iffy because I don't believe we have all the ranges. But at some point, these companies will acquire new networks and that will again necessitate us updating this list. If some technique can be developed that would allow us to use domain names (especially with wildcards) instead of IPs that would fix this forever. That solution will likely require out of the box thinking using 2 or more things. Obviously, something like just iptables would not work.

    Someone once suggested the following :

    I started using privoxy as a transparent proxy on my dd-wrt box. And I use another HTTP proxy on the OpenVPN endpoint side. For me this is no problem because the remote endpoint is a VPS completely managed by myself.

    This allows me to filter HTTP requests by very fine grained rules on my local side that aren't based on current IP addresses.

    Especially when you start doing youtube through such a proxy, this becomes very important because it's the only manageable way to avoid doing all google traffic through an overseas VPN.

    Here's my current local privoxy configuration on my dd-wrt box. It's a useractions file.
    Code:
    { \
    +forward-override{forward vpn.interface.of.my.remote.host:8080} \
    }

    ## hulu
    .hulu.com/gc
    .hulu.com/select
    .hulu.com/v3/session


    ## CBS
    .theplatform.com

    ## Youtube
    .youtube.*/watch.*
    .youtube.*/videoplayback.*

    ## Wieistmeineip
    .wieistmeineip.de


    This completely works without the iptables stuff targeting remote content providers. Instead, I pass all my HTTP traffic through my local privoxy instance that runs on my dd-wrt:
    Code:
    iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -s 192.168.0.128/255.255.255.224 -j DNAT --to 192.168.0.1:8118

    But for this, you need to control the VPN which is cumbersome. A more elegant solution is required that does not require that....
     
  26. kk5000

    kk5000 Serious Server Member

    Even better ;)
     
  27. quidagis

    quidagis Networkin' Nut Member

    @kk5000

    Sadly, that doesn't work for any of those CIDR ranges, the notation is not iptables compatible... SORRY!

    iptables v1.3.8: iprange match: Bad IP address `98.207.0.0/16'

    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.3.8: iprange match: Bad IP address `208.85.40.0/21'

    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.3.8: iprange match: Bad IP address `23.20.0.0/14'

    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.3.8: iprange match: Bad IP address `50.16.0.0/14'
     
  28. kk5000

    kk5000 Serious Server Member


    I'm just using the following and it is working like a charm. Why screw with what's working? :) :

    Code:
    for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
      echo 0 > $i
    done
    ip route flush table 100
    ip route del default table 100
    ip rule del fwmark 1 table 100
    ip route flush cache
    iptables -t mangle -F PREROUTING
    ip route show table main | grep -Ev ^default | grep -Ev tun11 \
      | while read ROUTE ; do
          ip route add table 100 $ROUTE
    done
    ip route add default table 100 via $(nvram get wan_gateway)
    ip rule add fwmark 1 table 100
    ip route flush cache
    iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
    ipt() {
      iptables -t mangle -A PREROUTING -i br0 -d "$1" -j MARK --set-mark 0
    }
    ipt 98.207.0.0/16
    ipt 208.85.40.0/21
    ipt 23.20.0.0/14
    ipt 50.16.0.0/14
    ipt 50.112.0.0/16
    ipt 54.224.0.0/12
    ipt 54.240.0.0/12
    ipt 67.202.0.0/18
    ipt 72.44.32.0/19
    ipt 75.101.128.0/17
    ipt 107.20.0.0/14
    ipt 174.129.0.0/16
    ipt 184.72.0.0/15
    ipt 184.169.128.0/17
    ipt 204.236.128.0/17
    ipt 46.51.128.0/18
    ipt 46.51.192.0/20
    ipt 46.137.0.0/17
    ipt 46.137.128.0/18
    ipt 79.125.0.0/17
    ipt 176.34.64.0/18
    ipt 176.34.128.0/17
    ipt 108.175.32.0/20
    ipt 208.75.76.0/22
    ipt 64.212.0.0/14
    ipt 199.92.0.0/14
    ipt 206.32.0.0/14
    ipt 209.244.0.0/14
    ipt 68.142.64.0/18
    ipt 69.28.128.0/18
    ipt 69.164.0.0/18
    ipt 208.111.128.0/18
    ipt 128.242.0.0/16
    ipt 204.0.0.0/14
    ipt 204.141.0.0/16
    ipt 204.200.0.0/14
    ipt 208.44.0.0/14
    ipt 23.32.0.0/11
    ipt 23.64.0.0/14
    ipt 64.221.0.0/17
    ipt 64.221.128.0/18
    ipt 64.221.192.0/19
    ipt 77.109.170.0/24
    ipt 80.239.221.0/24
    ipt 92.122.0.0/15
    ipt 195.27.0.0/16
    ipt 199.127.192.0/22
    ipt 208.91.156.0/22
    ipt 217.156.128.0/17
    ipt 192.221.0.0/16
    ipt 204.160.0.0/14
    ipt 205.128.0.0/14
    ipt 207.120.0.0/14
    ipt 209.84.0.0/16
    ipt 68.71.208.0/20
    ipt 129.228.0.0/17
    ipt 166.77.0.0/16
    ipt 206.220.40.0/22
    ipt 69.31.132.0/23
    ipt 72.246.0.0/15
    ipt 198.99.118.0/23
    ipt 198.99.120.0/23
    ipt 198.99.122.0/24
    ipt 66.77.124.0/24
    ipt 199.181.129.0/24
    ipt 199.181.130.0/23
    ipt 199.181.132.0/22
    ipt 207.223.0.0/20
     
    koitsu likes this.
  29. kk5000

    kk5000 Serious Server Member

    BTW if you're talking specifically about those 4 ranges I have no clue why 98.207.0.0/16 wouldn't work. It simply means 98.207.0.0 - 98.207.255.255
     
  30. koitsu

    koitsu Network Guru Member

    Somehow you (quidagis) completely misread what I said.

    You don't pass CIDR syntax on to the ipranges module (which is what you're doing). You instead stop using the ipranges module and just pass the CIDR syntax on to -d directly as the destination address. The ipranges module just generates "a range of IPs" for you using a crappy syntax for people who, for whatever reason, cannot mentally comprehend netmasks.

    The error in question, and your (quidagis) script, clearly shows you passing CIDR arguments to the ipranges module.
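    Two small POSIX sh helpers for checking the two forms discussed in this exchange, added here as an example and not from any post in the thread: cidr_to_range converts a CIDR block into the first-last form that "-m iprange" expects (what kk5000 spelled out by hand for 98.207.0.0/16), and in_cidr tells you whether a given destination would be caught by a "-d CIDR" rule before you add it to the mangle table.

```shell
#!/bin/sh
# Added example (not from the thread): helpers for reasoning about the CIDR
# blocks used in the -d rules above versus the first-last form that
# "-m iprange --dst-range" expects. POSIX sh arithmetic only, no external tools.

# Dotted quad -> 32-bit integer.
ip2int() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# 32-bit integer -> dotted quad.
int2ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Network mask for a prefix length (0..32) as a 32-bit integer.
prefix_mask() {
  echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# cidr_to_range 98.207.0.0/16  ->  98.207.0.0-98.207.255.255
# Host bits of the given address are cleared first, so 98.207.5.1/16 yields
# the same range as 98.207.0.0/16, just as the kernel's -d match treats it.
cidr_to_range() {
  case "$1" in
    */*) net=${1%/*}; bits=${1#*/} ;;
    *)   net=$1;      bits=32 ;;
  esac
  [ "$bits" -ge 0 ] 2>/dev/null && [ "$bits" -le 32 ] || return 1
  mask=$(prefix_mask "$bits")
  first=$(( $(ip2int "$net") & mask ))
  last=$(( first | (~mask & 0xFFFFFFFF) ))
  echo "$(int2ip "$first")-$(int2ip "$last")"
}

# in_cidr ADDR CIDR: exit 0 when ADDR falls inside CIDR, i.e. when a
# "-d CIDR" rule would match a packet sent to ADDR; exit 1 otherwise.
in_cidr() {
  case "$2" in */*) ;; *) set -- "$1" "$2/32" ;; esac
  mask=$(prefix_mask "${2#*/}")
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "${2%/*}") & mask )) ]
}
```

Running cidr_to_range over the list in the combo script gives you the exact --dst-range arguments iprange would have accepted, and in_cidr is a quick way to confirm a destination that surprised you really is (or is not) covered by one of the -d rules.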
     
  31. quidagis

    quidagis Networkin' Nut Member

    Yes, Koitsu, you're right. I've already fixed my script using kk5000's syntax inside a couple loops.

    Good day.
     
  32. coen99

    coen99 Serious Server Member

    Hello, I'm following this interesting subforum and I use the script at post #2. Works like a charm..
    However I use the version in which everything goes through the VPN and only eg. port 563 newsgroups are excluded.

    But I'm having a problem with RDP to reach this PC from work where we do NOT have openVPN. So I would like to reach my home PC which is behind the VPN with my WORK PC which is directly connected to the internet. So far I added port 3389 in the script to the list of ports that are excluded from being tunnelled. Furthermore I already had this port forwarded in my router, so when I turn off openVPN it works.

    As my knowledge is very limited as it comes to scripts or VPN I'm wondering if anyone could help?
     
  33. coen99

    coen99 Serious Server Member

    I'm trying to figure it out but I'm not there yet. I run this firewall script on the router but it's not working yet.

    Code:
    iptables -t nat -I PREROUTING 1 -i tun+ -p tcp --dport 3389 -j DNAT --to-destination 192.168.2.xx
    iptables -I FORWARD 1 -i tun+ -p tcp -d 192.168.2.xx --dport  3389 -j ACCEPT 
    Where 192.168.2.xx is the PC I try to reach (TAKE OVER) with RDP.
    Also strange: I can NOT reach my router from a external IP. So I would think it has to do with the router's firewall?

    Any ideas?
     
  34. iskender

    iskender Reformed Router Member

    Just a small question; Should the "Redirect Internet traffic" box be checked for these to work ?
     
  35. JB0909

    JB0909 Reformed Router Member

    Edit:
    @coen99 I was having a problem accomplishing what I think is the same thing. After going through the connection log I realized that my remote machine's request was reaching the machine using the vpn, but the response was not returned to the remote machine; it was sent over the vpn. After realizing this, the iptables command in the wanup script just needed a slight adjustment (i.e. dport to sport):

    iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.x.x -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --sport 80,443 -m iprange --src-range 192.168.x.x -j MARK --set-mark 1

    Then you can just use the port forwarding page in the gui to route the specified ports to 192.168.x.x

    Hope this helps!
     
  36. blackwind

    blackwind Serious Server Member

    I set this up myself before coming across this thread, but haven't had any luck circumventing my ISP's BitTorrent throttling. I've confirmed my setup is working by hitting www.whatismyip.net after entering:
    Code:
    iptables -t mangle -I PREROUTING -p tcp --dport 80 -j MARK --set-mark 100
    I'm finding, though, that my BitTorrent rules are making zero difference:
    Code:
    iptables -t mangle -I PREROUTING -m layer7 --l7proto bittorrent -j MARK --set-mark 100
    iptables -t mangle -I PREROUTING -p tcp --sport 6881 -j MARK --set-mark 100
    iptables -t mangle -I PREROUTING -p udp --sport 6881 -j MARK --set-mark 100
    Any thoughts on how to improve them?
     
  37. TronixA

    TronixA Reformed Router Member

    Hi,
    I came across this information and I tried the script from post #9 and it caused my router connection to bounce up and down when I used EasyTomato which is based on the Toastman build. One oddity is that I did do an "echo $(nvram get wan_gateway)" and it simply came back with 0.0.0.0 using Shibby. I'm in the process of putting EasyTomato back on my router since their QOS rules are easier to understand. Also when I looked at the tables, this is what I saw:
    Code:
    root@tomato:/tmp/home/root# iptables -t mangle -L PREROUTING
    Chain PREROUTING (policy ACCEPT)
    target    prot opt source              destination
    MARK      all  --  anywhere            anywhere            MARK set 0x1
    MARK      all  --  anywhere            anywhere            destination IP range 78.31.8.1-78.31.15.254 MARK set 0x0
    MARK      all  --  anywhere            anywhere            destination IP range 193.182.8.1-193.182.15.254 MARK set 0x0
    
    Oh and Shibby did give me a solid connection but ALL traffic went through the VPN. I could never really check using EasyTomato since the router didn't like the script in the WANup section at all. I had to SSH in and type in nvram erase and then do a reboot command because the web interface wasn't even coming back up.

    Any ideas?

    Thanks in advance!
     
  38. Kevman

    Kevman Reformed Router Member

  39. Kevman

    Kevman Reformed Router Member

    I'm a newbie with iptables, but have set up a couple of rules which seem to block IP leaks (it works if I manually stop the VPN client). I put the following rules into Tomato->Administration->Scripts->Firewall and rebooted.

    iptables -I wanout -s 192.168.2.129 -j ACCEPT
    iptables -A wanout -j DROP

    My understanding is that only desktop PC's IP is being allowed through the vlan1 interface? I believe vlan1 is the physical ethernet port connected to the WAN and the VPN works because it uses tun11 interface, do I have this right?

    I'm sure there's a better or more appropriate way to do this, if anyone cares to chime in.
     
  40. MikeHawk

    MikeHawk Reformed Router Member

    I'm not sure about Tomato or how recent the packages are. I was just googling and came across this post and thought I would share some info.

    The latest version of dnsmasq has the ability to use ipset from the netfilter project. ipset just stores large lists of IP addresses and updates/reads them very efficiently. Dnsmasq can act like a DNS server but with a ton of options.

    Note: I haven't tried this yet.


    /etc/dnsmasq.conf

    ipset=/netflix.com/hulu.com/vpnset

    This will update the vpn ipset with the IPs returned for netflix.com and hulu.com.

    You might also have to send dns queries to a public dns server like google (8.8.8.8) over the vpn.
    I'm not sure if they rewrite the dns based on source, in which dnsmasq can send certain domains to specific dns servers.

    Then all you need to do (I think):

    iptables -t mangle -A PREROUTING -i br0 -m set --match-set vpnset -j MARK --set-mark 0
     
  41. koitsu

    koitsu Network Guru Member

    This requires the set netfilter/iptables module (as indicated by -m set), which neither TomatoUSB nor Linux 2.6.22 natively has.

    References:

    http://ipset.netfilter.org/
    http://ipset.netfilter.org/iptables-extensions.man.html (search for "This module matches IP sets")

    And of course:

    Code:
    root@gw:/tmp/home/root# iptables -t mangle -m set -h
    iptables v1.3.8: Couldn't load match `set':File not found
     
    Try `iptables -h' or 'iptables --help' for more information.
    root@gw:/tmp/home/root# ipset
    -sh: ipset: not found
    
     
  42. jerrm

    jerrm Network Guru Member

    Shibby added it in his 109 release.

    Not sure about anyone else, but I don't think so.
     
  43. koitsu

    koitsu Network Guru Member

    Wasn't aware of this -- thank you for educating me!
     
  44. Funkoid

    Funkoid Serious Server Member

    Spent a few hours playing with the script in post #9 using Tomato Firmware 1.28.0000 MIPSR2-112 K26 Max, it's exactly what I need but can I get it to work! Nope! I think my issue is that Route Modem IP is set to 0.0.0.0 / disabled so when I echo $(nvram get wan_gateway) I get 0.0.0.0. Thing is I'm unsure as to what to set Route Modem IP to, as far as I'm aware my ISP's modem doesn't have a static IP nor am I able to manage it? Is there any way around this for my use case?
     
  45. MassiveCollision

    MassiveCollision Reformed Router Member

    Hello guys,

    I'm trying to make my NAS behind my Tomato router reachable. The Tomato is the second router in the network, has its own subnet and is connected from the LAN on the first router to the WAN on the Tomato. OpenVPN is working fine. Everything is working fine except that I can't reach my NAS (172.16.1.2) externally. I can however reach it internally, on both my networks. I've been trying many different iptable rules, to no avail. It usually hangs for a bit and then stops.

    Everything on the first router is fine, no problems.
    The Tomato is on 'Router' mode.
    There's a static routing table entry on my first router for the second routers network, which enables communication between devices on both networks.
    The TCP ports I would like to use on the NAS have been forwarded on both routers. From the first to the second router and from there to the NAS IP.
    The Tomato router has a WAN IP 192.168.178.2.

    This is my WAN up script. Here I am trying to exclude all traffic on port 5001 which is the port the web GUI for my NAS is on. I hoped this would make this port accessible from the outside. My Firewall script is as default.
    Code:
    sleep 30
    for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
      echo 0 > $i
    done
    ip route flush table 100
    ip route del default table 100
    ip rule del fwmark 1 table 100
    ip route flush cache
    iptables -t mangle -F PREROUTING
    ip route show table main | grep -Ev ^default | grep -Ev tun11 \
      | while read ROUTE ; do
          ip route add table 100 $ROUTE
    done
    ip route add default table 100 via $(nvram get wan_gateway)
    ip rule add fwmark 1 table 100
    ip route flush cache
    iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
    iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport ! --dport 5001 -m iprange --src-range 172.16.1.2 -j MARK --set-mark 0
    The connection log on the router says this when trying to connect to port 5001 from the outside:
    Code:
    Aug 29 23:14:24 unknown user.warn kernel: DROP IN=vlan2 OUT= MACSRC=c0:25:06:7a:55:36 MACDST=60:a4:4c:65:fd:e9 MACPROTO=0800 SRC=<redacted VPN IP> DST=192.168.178.2 LEN=64 TOS=0x00 PREC=0x00 TTL=54 ID=23004 DF PROTO=TCP SPT=61122 DPT=5001 SEQ=2689429389 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (02040558010303040101080A3CB714E10000000004020000)
    I'm sure one of you heroes must have done this before!
     
    Last edited: Aug 29, 2013
  46. Funkoid

    Funkoid Serious Server Member

    Probably should have noted in my last post that I'm connecting to the ISP via PPPoE so I'm not getting a wan gateway value until after the connection is actually opened by which point nvram isn't aware of it?

    Instead of grabbing the $(nvram get wan_gateway) value is there any way of specifying the negotiated wan gateway IP by a variable? The value is displayed in Gateway under the status menu so it must be pulling it and storing it somewhere even if it's in memory? I've seen people setting them manually to nvram but the problem I have is the ISP frequently change the gateway addresses.
     
    Last edited: Aug 29, 2013
  47. MassiveCollision

    MassiveCollision Reformed Router Member

    Don't know if this works in your case but try something like:
    Code:
    WANIP=`ifconfig vlan2 | awk '/inet addr/ {split ($2,A,":"); print A[2]}'`
    Then you can use $WANIP var where you need it. But not sure what $(nvram get wan_gateway) gets, maybe it's the same thing.
     
    Funkoid likes this.
  48. Funkoid

    Funkoid Serious Server Member

    Getting somewhere there - it's the gateway of the PPPoE connection (ppp0) that I'd be grabbing, just trying to get the P-t-P gateway IP with the awk now.
     
  49. Funkoid

    Funkoid Serious Server Member

    In fact is it the PPPoE IP I'm after or the PPPoE gateway?
     
  50. Funkoid

    Funkoid Serious Server Member

    That looks to have helped, I've done the following.....

    Code:
    #start_modification here
    ppoe_gateway=`ifconfig ppp0 | awk '/P-t-P/ {split ($3,A,":"); print A[2]}'`
    #end modification here
    
    #old - ip route add default table 100 via $(nvram get wan_gateway)
    #new
    ip route add default table 100 via $ppoe_gateway
    ip rule add fwmark 1 table 100
    ip route flush cache
      
    It's working... I'm much closer, the only thing I need to do now is kill connectivity from certain hosts if the VPN goes down.

    At the minute regardless of the rules I've put into the script I end up with traffic still being routed over the wan connection if/when the VPN disconnects.
     
  51. dvbguy

    dvbguy Reformed Router Member

    I have an internal camera, that I have set up with port 12345 to forward to 192.168.5.2. When I am not running openvpn and connect to it from outside the wan, the forward works well and I can connect.

    When I connect openvpn on my tomato router I am unable to access this anymore. I have tried with the below in the startup wan script

    ip route add default table 100 via $(nvram get wan_gateway)
    ip rule add fwmark 1 table 100
    ip route flush cache
    iptables -t mangle -I PREROUTING -p tcp --dport 54321 -j MARK --set-mark 1

    But it still does not work. Can anyone help me what could be wrong?
     
  52. chrobiche

    chrobiche Reformed Router Member

    Hello everybody,

    I used the script in post #9 and everything is working like a charm. BUT I can no longer access my Tomato GUI remotely (I have a fixed IP). What should I do?

    Regards,
     
  53. JB0909

    JB0909 Reformed Router Member

    In Firewall Script:
    # Traffic through VPN allowed
    iptables -I FORWARD 1 -s x.x.x.x -o tun11 -j ACCEPT
    # Rule below not needed if no ports use WAN; y and z is any ports on x.x.x.x that still use WAN
    iptables -I FORWARD 2 -s x.x.x.x -p tcp -m multiport --sport y,z -j ACCEPT
    # By default all traffic not allowed; x.x.x.x is IP of device on VPN
    iptables -I FORWARD 3 -s x.x.x.x -j DROP
     
    Last edited: Oct 31, 2013
  54. jdunst

    jdunst Reformed Router Member

    I'd like to thank #9 above (Grdnkln) for his input. I wanted specific MAC addresses outside the Shibby Tomato VPN and his solution made it easy. Make everything in Table 1 = 0 (goes to VPN) and exclude specific IP addresses after assigning Static DHCP. Easy and it works! :)
     
  55. zavar

    zavar Networkin' Nut Member

    Grdnkln's script looks pretty much like what I was looking for; thanks to Grdnkln and all the other contributors for this! For any devices that I want to be using the VPN, my intent was to assign IPs via Static DHCP. A couple of questions, as I'm not very iptables literate:

    # All traffic from a particular computer on the LAN will use the VPN
    # iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.2 -j MARK --set-mark 0

    My understanding is that this is for a single LAN computer. If I want this to be a range of LAN IPs, say 192.168.1.10 through 192.168.1.20, how do I change this?

    The other thing I'm thinking is I have a PC that I'd only like to route torrent traffic through the VPN, with all other traffic going through the normal WAN. My VPN provider does provide a proxy that can be used for this. If I set up my torrent client with the proxy details, and add the proxy address to the Specific Internet IP Address portion of the script for addresses that are to use the VPN, would that work?

    The other concern I have is will my RT-N16 be able to adequately handle this? My current ISP connection is 35M Down/2M Up.
     
    Last edited: Nov 1, 2013
  56. koitsu

    koitsu Network Guru Member

    iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.10-192.168.1.20 -j MARK --set-mark 0

    I've bolded the part that matters/changes.
     
  57. zavar

    zavar Networkin' Nut Member

    Thanks koitsu, much appreciated!
     
  58. theboyk

    theboyk Serious Server Member

    Quick question, if someone could answer this for me. The script (not the one in this thread) that I currently use for selective VPN based on IP address has one flaw—whether or not I'm bypassing the VPN, all traffic going through the router uses the VPN's DNS. Using this script, does the same happen, or will devices within the VPN IP range use the VPN's DNS server and the rest of the traffic (i.e., the naked/non-VPN traffic) use the router's standard DNS servers?

    Thanks!
    Kristin.
     
  59. zavar

    zavar Networkin' Nut Member

  60. theboyk

    theboyk Serious Server Member

    Thanks for the link—that totally worked!!! Thank you!!!
     
  61. JB0909

    JB0909 Reformed Router Member

    I was under the impression this is how the script functions. Just out of curiosity can someone else confirm this?
     
  62. ir0nfist

    ir0nfist Reformed Router Member

    How's it going. I've tried a couple of the scripts on here and cannot get them to work. Regardless of how I change the scripts with the provided info here, all traffic is being routed through the VPN. With no modification to the scripts, same thing. All traffic goes through the VPN. Anyone have any idea why this might be or what I could try to fix this issue? I'm running a WRT54GL with Tomato Firmware v1.28.7635 Toastman-IPT-ND ND VPN. Thanks for your time.
     
  63. TronixA

    TronixA Reformed Router Member

    I'm actually having the same issue. At first I thought the scripts were working but when I went to check to see if port 80 traffic was excluded (it should have been since it was not specifically set) a page came up to show that I was going through the VPN instead of my ISP which told me that all the ports were using the VPN.
     
  64. jimmie

    jimmie Reformed Router Member

    I've used the script provided by Grdnkln, modified to work with ppp0 because I'm using a PPTP VPN. It works correctly except it causes my PPTP server to fail. Before running the script I verified that I could make a VPN connection inbound while the outbound PPTP VPN was enabled, but after running the script I can't make an inbound VPN connection. Does anyone have any pointers?
     
  65. _wb_

    _wb_ Networkin' Nut Member


    Have you been able to access it from outside?
     
  66. Mikeyy

    Mikeyy Reformed Router Member

    First of all, thank you for the great instructions on how to split VPN traffic on Tomato (especially ethaniel, Grdnkln, Funkoid, MassiveCollision and ovel2clock)!
    This is what I came up with reading this thread:

    Code:
    # SHELL COMMANDS FOR MAINTENANCE.
    # DO NOT UNCOMMENT, THESE ARE INTENDED TO BE USED IN A SHELL COMMAND LINE
    #
    #  List Contents by line number
    # iptables -L PREROUTING -t mangle -n --line-numbers
    #
    #  Delete rules from mangle by line number
    # iptables -D PREROUTING type-line-number-here -t mangle
    #
    #  To list the current rules on the router, issue the command:
    #      iptables -t mangle -L PREROUTING
    #
    #  Flush/reset all the rules to default by issuing the command:
    #      iptables -t mangle -F PREROUTING
    #
    # First it is necessary to disable Reverse Path Filtering on all
    # current and future network interfaces:
    #
    for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
      echo 0 > $i
    done
    #
    # Delete table 100 and flush any existing rules if they exist.
    #
    ip route flush table 100
    ip route del default table 100
    ip rule del fwmark 1 table 100
    ip route flush cache
    iptables -t mangle -F PREROUTING
    
    #
    # Let's find out the tunnel interface
    #
    iface_lst=`route | awk ' {print $8}'`
    for tun_if in $iface_lst; do
      if [ $tun_if == "tun11" ] || [ $tun_if == "tun12" ] || [ $tun_if == "ppp0" ]; then
        break
      fi
    done
    
    #start_modification here
    ppoe_gateway=`ifconfig ppp0 | awk '/P-t-P/ {split ($3,A,":"); print A[2]}'`
    #end modification here
    
    #
    # Copy all non-default and non-VPN related routes from the main table into table 100.
    # Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1"
    #
    ip route show table main | grep -Ev ^default | grep -Ev $tun_if \
      | while read ROUTE ; do
          ip route add table 100 $ROUTE
    done
    
    ip route add default table 100 via $ppoe_gateway
    ip rule add fwmark 1 table 100
    ip route flush cache
    # EXAMPLES:
    #
    #  All LAN traffic will bypass the VPN (Useful to put this rule first,
    #  so all traffic bypasses the VPN and you can configure exceptions afterwards)
    #    iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
    #
    #  Ports 80 and 443 will bypass the VPN
    #    iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 1
    #
    #  All traffic from a particular computer on the LAN will use the VPN
    #    iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.2 -j MARK --set-mark 0
    #
    #  All traffic to a specific Internet IP address will use the VPN
    #    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 216.146.38.70 -j MARK --set-mark 0
    #
    #  All UDP and ICMP traffic will bypass the VPN
    #    iptables -t mangle -A PREROUTING -i br0 -p udp -j MARK --set-mark 1
    #    iptables -t mangle -A PREROUTING -i br0 -p icmp -j MARK --set-mark 1
    # Default behavior: MARK = 1 all traffic bypasses VPN, MARK = 0 all traffic goes VPN
    iptables -t mangle -A PREROUTING -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 59.124.41.250 -j MARK --set-mark 1
    All traffic is routed via VPN and only traffic to IP 59.124.41.250 is routed outside of VPN.
    Problem is, that IP is just part of Synology DDNS and there is more than one IP address, which are unknown to me, so I thought that it would be good to allow ALL traffic from the NAS internal IP (192.168.1.5) on ports 80,443 to be routed outside of VPN.

    For that I used code from comment #12, ovel2clock, I just replaced last line with this one.
    Code:
    iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport ! --dport 80 -m iprange --src-range 192.168.1.5 -j MARK --set-mark 0
    But this didn't work and I'm not sure why. Where did I go wrong?

    EDIT: After some poking around, I managed to fix this with the following. It's almost the same as ovel2clock's. :)
    Code:
    iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 80 -m iprange --src-range 192.168.1.5 -j MARK --set-mark 1
     
    Last edited: Dec 15, 2013
  67. fearz

    fearz Serious Server Member

    Hi,

    Can anyone please help me? Using Shibby 115 on an RT-N66U.

    Using post #9 .. everything working as it should, but now I can't access my router from outside the network / internet...
     
  68. fearz

    fearz Serious Server Member

    I have another problem is that...after sometime (random) all traffic would get routed through VPN...here is what I have in my WANUP:

     
  69. kthaddock

    kthaddock Network Guru Member

    If I were you I would first remove ALL unused lines with "#" first. This is huge and may fill your nvram.
    Or put it in USB memory /mnt and call it from script=>firewall
     
  70. fearz

    fearz Serious Server Member

    Ok, I'll do that, what about being unable to access the router from the internet?
     
  71. kthaddock

    kthaddock Network Guru Member

    It depends on what settings you have here:
    - Push LAN to clients
    - Direct clients to redirect Internet traffic
    - Respond to DNS
    - Advertise DNS to clients
     
  72. fearz

    fearz Serious Server Member

    Where can I check those settings? In my OpenVPN client page I have "Create NAT on tunnel" checked and "Redirect Internet Traffic" checked.
     
  73. fearz

    fearz Serious Server Member

    Also, I did remove the "#" lines, and whenever I try to access the router from the internet, ALL traffic gets routed to VPN as if no rules were applied, as I described above... very weird.
     
  74. kthaddock

    kthaddock Network Guru Member

    Aha, you use Client. Did you reboot the router after removing the "#" rows?
    I'm not sure you need "Redirect Internet Traffic" checked if you use your script.
    That is the point of the script.
     
  75. fearz

    fearz Serious Server Member

    Well, for some reason if I uncheck "Redirect Internet Traffic" on the OpenVPN client page... VPN won't work.

    Any other suggestions to check why I can't access the router page from the internet and why all traffic suddenly goes to VPN after some time?
     
  76. fearz

    fearz Serious Server Member

    I think the sudden change is triggered when trying several times to access my https://routerip from the internet... after that, if I check my IP on all devices on my network, it shows the VPN IP.
     
  77. fearz

    fearz Serious Server Member

    Anyone please?
     
  78. fearz

    fearz Serious Server Member

    Bump!
     
  79. Anubis14

    Anubis14 Addicted to LI Member

    Hello,

    I'm running this script in my WAN UP. My VPN provider is PIA; the only way to get this script to run is to add "route-nopull" in OpenVPN Client Configuration/Custom Configuration and uncheck "Create NAT on tunnel". I want to route all traffic from these ports (26662,26643,26664,26669,26612) and these IP addresses (192.168.2.101,192.168.2.114,192.168.2.102) through the VPN. When I check from the computers that are supposed to run through the VPN I get my actual external IP shown. What am I doing wrong? Help?

     
  80. jolaube

    jolaube Reformed Router Member

    Registered purely to compliment Grdnkln on the script you put together. It works frigging flawlessly. I love you.
     
  81. ir0nfist

    ir0nfist Reformed Router Member

    If you figure this out let me know. I can't get it working either. It's either everything or nothing. Also using PIA and looking to run selective ports/IPs through it.
     
  82. Anubis14

    Anubis14 Addicted to LI Member

    A little help gentlemen?
     
  83. fearz

    fearz Serious Server Member

    Seems like all dead here...any alternative solutions?
     
  84. JB0909

    JB0909 Reformed Router Member

    In the "Admin Access" tab under "Administration" make sure "Remote Access" under the "Web Admin" heading is not 'disabled'.

    Also, traffic directly from the router (like SSH and the admin page) uses the "OUTPUT" chain, not "PREROUTING", so the rule should look something like this:
    iptables -t mangle -A OUTPUT -p tcp -m multiport --sport XYZ -j MARK --set-mark 1
    #where XYZ is the port being used by the web admin
    If any services on the router are restarted (for example when you change any settings) sometimes the iptables rules will be reset. The next time you notice all traffic heading through the VPN, SSH into the router and run "iptables -nvL FORWARD" and see if the rules you set up in the WANUP section are still in place. If not, this is the issue.
    _____________
    I use post #9 (make sure you copy directly from post to tomato config page) with only the rules modified and OpenVPN setup using: https://www.privateinternetaccess.c...-setup-for-newer-branches-including-tomatousb without issue on a N66U running Shibby v114 ac-branch so it must be something to do with your setup. I would flash nvram and start from scratch if you're still having problems.
     
    Last edited: Jan 22, 2014
  85. Shamus

    Shamus Reformed Router Member

    This is a wonderful thread... thank you to @Grdnkln and @Funkoid. By combining the two (I'm on xDSL) I was able to get almost everything working.

    The one thing that isn't working for me is my OpenVPN server that I was running on my Tomato router. Prior to enabling the script, I was able to OpenVPN into my router to see my home network. Once the script was added, OpenVPN timed out on my remote devices to connect home.

    Has anyone been able to get both an OpenVPN client (for this script) AND server (on non-VPN) running simultaneously?
     
  86. Shamus

    Shamus Reformed Router Member

    I had a brief "DOH" moment when I realized that both my client and server were listening on the same port. I changed the server's port to 1193, and now see that the server sees the connection attempts. However, it doesn't seem able to send the responses back to the potential client. Can anyone help from an iproute/iptables perspective?
     
  87. JB0909

    JB0909 Reformed Router Member

    Did you try doing something like this?
    iptables -t mangle -A OUTPUT -p tcp -m multiport --sport 1193 -j MARK --set-mark 1

    If the traffic is coming directly from the router, you need to use the OUTPUT chain.
     
  88. oliverphaser

    oliverphaser Reformed Router Member

    Dear All!

    I want to use the VPN only for RDP. I have 1 OpenVPN server somewhere, 1 router at home with an OpenVPN client and 1 router in the office also with an OpenVPN client. At home my computer is connected to the router as 6.0.0.6. If I use the firewall script below I can connect to the office computer's RDP through the VPN and surf the web without the VPN, but I cannot reach my computer at home from the office by RDP connection.

    My Firewall script is below:

    iptables -t mangle -I PREROUTING -i br0 -p tcp -m multiport --dport ! 3389 -j MARK --set-mark 1
    iptables -t mangle -I PREROUTING -i br0 -p udp -j MARK --set-mark 1
    iptables -t mangle -I PREROUTING -i br0 -p icmp -j MARK --set-mark 1

    iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
    iptables -t nat -I PREROUTING -i tun0 -p tcp --dport 3389 -j DNAT --to-destination 6.0.0.6
    iptables -I FORWARD -p tcp -d 6.0.0.6 --dport 3389 -j ACCEPT


    Can anyone advise something?

    Thanks in advance!
     
  89. TonyD

    TonyD Network Newbie Member

    Hey, I know your question is old, but after spending a couple days failing to find a solution, I figured one out for myself. So I wanted to post this so others may find it.

    Here are the iptables settings I have for my Plex machine (in this case a FreeBSD jail) to put the whole thing behind a VPN, with the exception of a port forward (on the router) and access to the plex.tv server (for web communication to register the server I think).

    iptables -t mangle -A PREROUTING -i br0 -s <ip_of_local_plex_server> -j MARK --set-mark 0
    iptables -t mangle -A PREROUTING -i br0 -s <ip_of_local_plex_server> -p tcp --sport 32400 -j MARK --set-mark 1
    iptables -t mangle -A PREROUTING -i br0 -s <ip_of_local_plex_server> -d plex.tv -j MARK --set-mark 1

    The first line enables VPN for the machine. The second line allows it to receive communications over port 32400 as forwarded from the router, bypassing VPN, either through UPnP or manual port forward config. And the third line allows the machine to register/communicate with plex.tv, again bypassing the VPN. Once this was done, I was able to go to my plex server Settings | Connect and click "Retry" to re-establish the connection. I was then able to successfully see the server was registered on their site, and connect to it remotely for all my media viewing pleasure. :)

    The nice thing about this config versus others I've seen is you don't have to manage a set of Plex IP addresses. plex.tv will resolve when the rule is read. So if plex.tv decides to change their IP address, you just need to re-run the script.

    I wasn't impressed though at the plex media server. It seems to give up too easily in trying to establish a connection. I found that whenever I rebooted my router (or got a new IP address), I needed to manually click the "Retry" button again. Luckily, my network is very stable, so that rarely happens.

    Oh, and this was done on DD-WRT + OpenVPN + PIA VPN.
     
  90. john9527

    john9527 Network Guru Member

    Definitely a novice at iptables, and worn out trying :confused:

    Anybody offer up some rules that will route FTP client requests around the VPN using the script template in this thread? (my VPN blocks ports 20,21) Thanks!
     
    Last edited: Apr 5, 2014
  91. john9527

    john9527 Network Guru Member

    Just a comment about your last rule on plex.tv: it actually resolves to multiple addresses, so there is a good chance it may change between the time the script runs and Plex tries to connect. Also, Plex revalidates your external IP via plex.tv some time every 24 hours, so the multiple addresses come into play then as well.
     
  92. Charles Phillips

    Charles Phillips Reformed Router Member


    Works great for me to whitelist port forwards on Tomato Shibby BigVPN using OpenVPN. This thread is by far the best and most straightforward advice I could find. Makes me want to load it up with keywords for others: exclude port from openvpn, allow http server port forward with VPN enabled, enable ssh on WAN with VPN, split tunnel vpn traffic based on port :)

    This script is pretty bulletproof, I would love to see this as a "bypass VPN" checkbox next to the port forward list in Tomato... What does the web UI run on? ASP?
     
  93. genghis_tron

    genghis_tron Network Newbie Member


    I am trying to do the exact same thing, but the script is not allowing me to connect to myplex. not sure what's up...
     
    Last edited: Apr 23, 2014
  94. papadeeh

    papadeeh Network Newbie Member

    Hello,

    I would like to thank everybody who helped in the above discussions very much. It really made my router more useful. It's an Asus RT-N16 with Tomato Shibby 1.28.

    One problem persists for me though. I've made a tunnel connection with OpenVPN and used the script to re-route most of the ports directly to the WAN (including ports 80 and 443). As mentioned above, DNS in this case still gets resolved through the tunnel. Because I use OpenDNS, the tunnel's outside IP address gets used for DNS request filtering. Therefore a lot of internet sites are blocked. The solution mentioned above (DNS redirecting per client) does not work for me because I really want to use the dnscrypt proxy.

    Has anyone had this same issue and maybe the solution?
    Thanks
     
    Last edited: May 3, 2014
  95. Bird333

    Bird333 Network Guru Member

    Reading through this thread I noticed that multiple PREROUTING rules are being used. I thought iptables worked by the first rule that matches gets selected. It seems that 'iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1' should match all traffic on the LAN and not go to the other rules. Does the PREROUTING chain not work that way? If not, how does it work?
     
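    On the ordering question in post #95: in the mangle table MARK is a non-terminating target, so a packet keeps traversing PREROUTING after a rule matches, and the last matching MARK rule decides the fwmark the routing rule (ip rule add fwmark 1 table 100) sees. That is why the scripts in this thread can open with a catch-all "set-mark 1" and put the exceptions after it. The script below is an added example, not code from this thread, from Tomato or from any poster: a small POSIX shell evaluator over a constructed rule list (four rules in the same shape as the thread's examples, with made-up addresses) that reports the mark a packet ends up with under the real last-match semantics next to the first-match behaviour the question assumed. It does not touch iptables and can be run anywhere with /bin/sh.

```shell
#!/bin/sh
# Added example: evaluate a constructed mangle PREROUTING rule list the way
# netfilter does (MARK does not stop traversal; the last match wins).
# Rule fields (constructed format for this example, not iptables syntax):
#   <proto|any> <comma-separated dports|any> <src|any> <mark>
RULES='
any any any 1
tcp 80,443 any 1
any any 192.168.1.2 0
udp any any 1
'

# Does a comma-separated port list (or "any") contain the given port?
port_matches() {
    [ "$1" = any ] && return 0
    case ",$1," in
        *",$2,"*) return 0 ;;
    esac
    return 1
}

# rule_matches <rproto> <rports> <rsrc> <proto> <dport> <src>
rule_matches() {
    { [ "$1" = any ] || [ "$1" = "$4" ]; } &&
    port_matches "$2" "$5" &&
    { [ "$3" = any ] || [ "$3" = "$6" ]; }
}

# Real semantics: every matching rule sets the mark, so the last match wins.
# A packet no rule touches stays at mark 0, i.e. it follows the VPN default route.
effective_mark() {
    proto=$1 dport=$2 src=$3
    mark=0
    oldifs=$IFS
    IFS='
'
    for rule in $RULES; do
        IFS=$oldifs
        set -- $rule
        rule_matches "$1" "$2" "$3" "$proto" "$dport" "$src" && mark=$4
    done
    IFS=$oldifs
    echo "$mark"
}

# What the question assumed: the first matching rule decides and nothing later runs.
first_match_mark() {
    proto=$1 dport=$2 src=$3
    mark=0
    oldifs=$IFS
    IFS='
'
    for rule in $RULES; do
        IFS=$oldifs
        set -- $rule
        if rule_matches "$1" "$2" "$3" "$proto" "$dport" "$src"; then
            mark=$4
            break
        fi
    done
    IFS=$oldifs
    echo "$mark"
}

# Constructed sample packets: "<proto> <dport> <src>"
for pkt in "tcp 443 192.168.1.2" "udp 53 192.168.1.2" "tcp 22 192.168.1.7"; do
    set -- $pkt
    echo "$1/$2 from $3: last-match mark=$(effective_mark "$1" "$2" "$3")" \
         "first-match mark=$(first_match_mark "$1" "$2" "$3")"
done
```

    With the catch-all rule first, first-match evaluation would give every packet mark 1 and the host exception for 192.168.1.2 would never apply; under the real last-match semantics that host's TCP traffic ends with mark 0 (VPN) while its UDP is pulled back to mark 1 by the later UDP rule, which is also why the order of the exception rules in the posted scripts matters.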
  96. Bird333

    Bird333 Network Guru Member

  97. fearz

    fearz Serious Server Member

    Hey,

    Been using this now:

    # This code goes in the WAN UP section of the Tomato GUI.
    #
    # This script configures "selective" VPN routing. Normally Tomato will route ALL traffic out
    # the OpenVPN tunnel. These changes to iptables allow some outbound traffic to use the VPN, and some
    # traffic to bypass the VPN and use the regular Internet instead.
    #
    # To list the current rules on the router, issue the command:
    # iptables -t mangle -L PREROUTING
    #
    # Flush/reset all the rules to default by issuing the command:
    # iptables -t mangle -F PREROUTING
    #

    #
    # First it is necessary to disable Reverse Path Filtering on all
    # current and future network interfaces:
    #
    for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
      echo 0 > $i
    done

    #
    # Delete table 100 and flush any existing rules if they exist.
    #
    ip route flush table 100
    ip route del default table 100
    ip rule del fwmark 1 table 100
    ip route flush cache
    iptables -t mangle -F PREROUTING

    #
    # Copy all non-default and non-VPN related routes from the main table into table 100.
    # Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1"
    #
    # NOTE: Here I assume the OpenVPN tunnel is named "tun11".
    #
    ip route show table main | grep -Ev ^default | grep -Ev tun11 \
      | while read ROUTE ; do
          ip route add table 100 $ROUTE
    done
    ip route add default table 100 via $(nvram get wan_gateway)
    ip rule add fwmark 1 table 100
    ip route flush cache

    #
    # Define the routing policies for the traffic. The rules will be applied in the order that they
    # are listed. In the end, packets with MARK set to "0" will pass through the VPN. If MARK is set
    # to "1" it will bypass the VPN.
    #
    # EXAMPLES:
    #
    # All LAN traffic will bypass the VPN (Useful to put this rule first, so all traffic bypasses the VPN and you can configure exceptions afterwards)
    # iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
    # Ports 80 and 443 will bypass the VPN
    # iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 1
    # All traffic from a particular computer on the LAN will use the VPN
    # iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.2 -j MARK --set-mark 0
    # All traffic to a specific Internet IP address will use the VPN
    # iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 216.146.38.70 -j MARK --set-mark 0
    # All UDP and ICMP traffic will bypass the VPN
    # iptables -t mangle -A PREROUTING -i br0 -p udp -j MARK --set-mark 1
    # iptables -t mangle -A PREROUTING -i br0 -p icmp -j MARK --set-mark 1

    # By default all traffic bypasses the VPN
    iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1

    # Set COMPUTER1 to use the VPN
    iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.10 -j MARK --set-mark 0

    # Set COMPUTER2 to use the VPN
    iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.11 -j MARK --set-mark 0

    # Set TABLET1 to use the VPN
    iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.12 -j MARK --set-mark 0

    # Set NEWSGROUPS to bypass the VPN
    iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 119,563 -j MARK --set-mark 1

    # Spotify explicitly uses the VPN
    # iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 78.31.8.1-78.31.15.254 -j MARK --set-mark 0
    # iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 193.182.8.1-193.182.15.254 -j MARK --set-mark 0



    The only problem is that when the VPN is on, I can't access the router from outside the network. Can anyone kindly help?
     
  98. theredmoose

    theredmoose Network Newbie Member



    @john9527 - Are you sure plex.tv resolves to multiple IP addresses? I think plex.tv resolves to one address; however, Plex uses other AWS servers to keep the connection active. I have been trying to set up Plex to not route over the VPN and it works intermittently. A few ideas/questions...

    1) Could we identify the AWS Plex server IP addresses, or do they change?

    2) Would there be anything in the packets that we could create an iptables rule on to identify that the packet is from a specific application?
     
  99. theredmoose

    theredmoose Network Newbie Member


    1) @TonyD Is your connection with plex stable?

    2) On your second line you state "The second line allows it to receive communications over port 32400 as forwarded from the router, bypassing VPN, either through UPnP or manual port forward config."

    iptables -t mangle -A PREROUTING -i br0 -s <ip_of_local_plex_server> -p tcp --sport 32400 -j MARK --set-mark 1

    I think this rule is used on outbound traffic rather than inbound traffic. The source port named above would be the Plex server's, so this rule would route traffic over the non-VPN connection if the source was the Plex server on port 32400.
     
  100. john9527

    john9527 Network Guru Member

    From the Plex forums, I'm pretty sure there are multiple addresses..... I took what people did implementing the bypass on the host via routes and came up with the following rules to address the plex.tv addresses, which seem to work for me. Note I changed the rules from mark 1 to mark 2. I'm running on an ASUS RT-AC68R with Merlin FW, and it looks like this FW uses mark 1 for some other purpose.


    iptables -t mangle -A PREROUTING -i br0 -d 184.72.0.0/16 -j MARK --set-mark 2
    iptables -t mangle -A PREROUTING -i br0 -d 50.18.0.0/16 -j MARK --set-mark 2
    iptables -t mangle -A PREROUTING -i br0 -d 184.169.0.0/16 -j MARK --set-mark 2
    iptables -t mangle -A PREROUTING -i br0 -d 54.241.0.0/16 -j MARK --set-mark 2
     