
Tomato - More specific VPN routings (port based)

Discussion in 'Tomato Firmware' started by DeathWolf, Jul 29, 2009.

  1. DeathWolf

    DeathWolf Network Guru Member


    Continuing this convo in public:
    I am getting:
    iptables v1.3.7: multiple -j flags not allowed
     
  2. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    First off, I accidentally left off a "-" the "-gw" should be "--gw". Also, you will need to run "modprobe ipt_ROUTE" before running the iptables commands.
     
  3. DeathWolf

    DeathWolf Network Guru Member

    Didn't seem to work.
    The rule added, but the routing isn't working.
    Code:
    iptables -t mangle -I PREROUTING -p tcp --dport 80 -d 72.233.89.0/24 -j ROUTE --gw `nvram get wan_gateway`
    since I only wanted to test it on whatismyip.com to see if it worked.
    In any case it does not seem to work, sadly... (the rule did add well)
     
  4. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    So it was still showing the VPN server's IP address (could you clarify what you were expecting and what you saw)?

    Could you provide the output of the following?
    Code:
    iptables -t mangle -vL
     
  5. DeathWolf

    DeathWolf Network Guru Member

    Code:
    # iptables -t mangle -vL
    Chain PREROUTING (policy ACCEPT 34M packets, 28G bytes)
     pkts bytes target     prot opt in     out     source               destination
       99 29760 ROUTE      tcp  --  any    any     anywhere             72.233.89.0/24      tcp dpt:www ROUTE gw:192.168.1.1
    
    Chain INPUT (policy ACCEPT 11M packets, 11G bytes)
     pkts bytes target     prot opt in     out     source               destination
    
    Chain FORWARD (policy ACCEPT 24M packets, 17G bytes)
     pkts bytes target     prot opt in     out     source               destination
    
    Chain OUTPUT (policy ACCEPT 8730K packets, 3412M bytes)
     pkts bytes target     prot opt in     out     source               destination
    
    Chain POSTROUTING (policy ACCEPT 32M packets, 20G bytes)
     pkts bytes target     prot opt in     out     source               destination
    
    And what I saw was that the connection could not be established anymore.
     
  6. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Is your router behind another router? Could you provide the output of
    Code:
    route -n
    while connected to the tunnel?
     
  7. DeathWolf

    DeathWolf Network Guru Member

    yes it is.

    Code:
    # route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    10.8.0.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun11
    10.9.0.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun12
    91.121.88.169   192.168.1.1     255.255.255.255 UGH   0      0        0 vlan1
    10.8.0.1        10.8.0.5        255.255.255.255 UGH   0      0        0 tun11
    10.9.0.1        10.9.0.5        255.255.255.255 UGH   0      0        0 tun12
    172.16.2.0      0.0.0.0         255.255.255.0   U     0      0        0 br0
    192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 vlan1
    127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
    0.0.0.0         10.8.0.5        128.0.0.0       UG    0      0        0 tun11
    128.0.0.0       10.8.0.5        128.0.0.0       UG    0      0        0 tun11
    0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 vlan1
    
    10.8.0.x is the vpn1(91.121.88.169)
    10.9.0.x is the vpn2
     
  8. DeathWolf

    DeathWolf Network Guru Member

    By the way, it would be nice to be able to say to use both VPNs for internet, but setting a higher priority for one (so that one can add manual routes for the second).
     
  9. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    The rule I provided should have sent the connection directly over the WAN, bypassing both VPNs.

    I'll do some testing later to see if I can get it working on my router before posting any other suggestions.
     
  10. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Higher priority == select "Redirect Internet traffic"
    Lower priority == don't select "Redirect Internet traffic"
    :wink:

    redirect-gateway is for setting the default gateway. There can only reliably be one default. You can still add manual routes for the second VPN even without the box selected.
     
  11. DeathWolf

    DeathWolf Network Guru Member

    I thought so (about bypassing WAN), but I am guessing there might be some NAT issues or something.

    Note that
    Code:
    route add -net 72.233.89.0 netmask 255.255.255.0 gw 192.168.1.1
    works (and uses the correct routing).

    But that's using route.
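    The two posts above (the route -n table in post 7 and the working "route add -net 72.233.89.0 ..." in post 11) fit together once you do the kernel's longest-prefix match by hand. The script below is an added example written for this page, not code from the thread or from Tomato: it parses the exact route -n output DeathWolf posted (embedded as a constant), resolves a destination the way the kernel does (longest prefix wins, lower metric breaks ties), and then shows what changes once the /24 route from post 11 is added. It also includes a small check listing which of a set of destinations would leave over the WAN interface instead of the tunnel, which is the question to ask before trusting any "only this traffic bypasses the VPN" setup. Only the Python 3 standard library is used; the destination addresses fed to the check are constructed sample values.

```python
import ipaddress

# Kernel routing table exactly as posted in the thread (`route -n` on Tomato
# with two OpenVPN clients up). The two 128.0.0.0 (/1) routes are what
# OpenVPN's redirect-gateway installs: together they cover all of IPv4 and,
# being /1, they beat the /0 default via vlan1 without replacing it.
ROUTE_N_OUTPUT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun11
10.9.0.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun12
91.121.88.169   192.168.1.1     255.255.255.255 UGH   0      0        0 vlan1
10.8.0.1        10.8.0.5        255.255.255.255 UGH   0      0        0 tun11
10.9.0.1        10.9.0.5        255.255.255.255 UGH   0      0        0 tun12
172.16.2.0      0.0.0.0         255.255.255.0   U     0      0        0 br0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 vlan1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         10.8.0.5        128.0.0.0       UG    0      0        0 tun11
128.0.0.0       10.8.0.5        128.0.0.0       UG    0      0        0 tun11
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 vlan1
"""


def parse_route_n(text):
    """Turn `route -n` output into a list of route dicts (net, gw, iface, metric)."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        # Skip the banner line and the column header; data rows have 8 fields.
        if len(fields) < 8 or fields[0] == "Destination":
            continue
        dest, gw, mask, flags, metric, _ref, _use, iface = fields[:8]
        # ipaddress accepts a dotted-quad netmask in the (address, mask) tuple form.
        net = ipaddress.IPv4Network((dest, mask), strict=False)
        routes.append({"net": net, "gw": gw, "iface": iface,
                       "metric": int(metric), "flags": flags})
    return routes


def add_route(routes, dest, mask, gw, iface):
    """Model `route add -net DEST netmask MASK gw GW` (returns a new table)."""
    new = {"net": ipaddress.IPv4Network((dest, mask), strict=False),
           "gw": gw, "iface": iface, "metric": 0, "flags": "UG"}
    return routes + [new]


def lookup(routes, dst):
    """Return (iface, gateway) the kernel would pick for dst, or None if unroutable."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if addr in r["net"]]
    if not candidates:
        return None
    # Longest prefix wins; among equal prefixes the lower metric wins.
    best = max(candidates, key=lambda r: (r["net"].prefixlen, -r["metric"]))
    return best["iface"], best["gw"]


def wan_bypasses(routes, dsts, wan_iface="vlan1"):
    """List the destinations that would leave via the WAN instead of a tunnel."""
    return [d for d in dsts if (lookup(routes, d) or ("", ""))[0] == wan_iface]


if __name__ == "__main__":
    table = parse_route_n(ROUTE_N_OUTPUT)
    print("before:", lookup(table, "72.233.89.10"))   # tun11 via 10.8.0.5
    table = add_route(table, "72.233.89.0", "255.255.255.0", "192.168.1.1", "vlan1")
    print("after: ", lookup(table, "72.233.89.10"))   # vlan1 via 192.168.1.1
    # Constructed sample destinations: only the /24 target should bypass the VPN.
    print("WAN bypasses:", wan_bypasses(table, ["72.233.89.10", "8.8.8.8", "200.1.1.1"]))
```

    Running it shows why the plain route worked: a /24 is more specific than the two /1 tunnel routes, so 72.233.89.0/24 goes out vlan1 while everything else still resolves to tun11. It also shows the limit of that approach: a routing-table entry is per destination prefix, not per port, which is what the mangle/ROUTE rule in post 3 was trying to add. Note too that the `iptables -t mangle -vL` counters in post 5 show 99 packets hitting the ROUTE rule, so the match itself was fine; it was the ROUTE target's gateway rewrite that did not take effect on this kernel.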
     
  12. DeathWolf

    DeathWolf Network Guru Member

    Good, that's what I've been doing :)
    I just wanted to route specific ports through the VPN or directly, though...
     
  13. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I'm sorry to say I haven't been able to get the -j ROUTE --gw rules to work as they're supposed to. Searching the internet for "linux port based routing" has turned up some results, but I don't know if they're compatible with Tomato.
     
  14. DeathWolf

    DeathWolf Network Guru Member

    Apparently the features needed for this are in the 2.6 kernel branch... So I'm currently experimenting with x-wrt (OpenWrt with a better interface)... kind of a pain to configure after Tomato, but I'm slowly managing.
     