Separating Specific Traffic or Port to not go through VPN

Discussion in 'Tomato Firmware' started by Ravium, Jul 22, 2011.

  1. Ravium

    Ravium Networkin' Nut Member

    Hey guys, I just set up a VPN tunnel. VPN Is functional w/ default settings.

    I would love to be able to have the VPN on at all times on for torrenting, web browsing and everything else, but be able to exempt gaming traffic/ports so that I don't get lag. We have several computers that we want on the VPN so it doesn't make sense to turn it off and turn it on constantly because it is disruptive.

    Does anyone have any idea how I could do this, or some ideas on research that I might do so I can try to figure it out?

    Much Appreciated
  2. Ravium

    Ravium Networkin' Nut Member

    TomatoVPN v1.27 on a Linksys WRT54GL V1.1.

    Any ideas from anyone else how to word this request so that I get better search results? Trying to learn about it but there isn't a really easy to find "discussion" on how to implement something like this.

    Preliminary results seem to show that there are ways to assign the physical ports to VPN or No VPN, but separating specific traffic to avoid the VPN doesn't seem to be a very hot topic.
  3. Ravium

    Ravium Networkin' Nut Member

    Bump any suggestions anyone?
  4. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Easier than bypassing for certain ports would be to bypass for certain destination IP addresses. Is that feasible?

    If so, just add
    route <name/ip/subnet> <netmask> net_gateway
    to your custom config (where <name/ip/subnet> and and <netmask> are substituted appropriately).

    For instance to bypass the VPN for and for the subnet:
    route net_gateway
    route net_gateway
  5. Ravium

    Ravium Networkin' Nut Member

    Thanks for the help SgtPepper. I am going to try that today and see how it works. I'm not sure if the IP solution will work satisfactorily since there are several different servers for gaming. It should work for things like netflix though. Is there some place with documentation where I could read about this?

    Also when you say "custom config" I assume you are meaning the firewall area under scripts in admin options?

    When I tried to do that option there my VPN was failing to connect. Will try to diagnose a bit later.
  6. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    By custom config, I meant the "Custom Configuration" section on the VPN configuration tabs.
  7. Ravium

    Ravium Networkin' Nut Member

    Got it to work. I put those lines in front of the custom VPN config from the VPN company. Pretty stoked that at least on the surface this looks like a viable solution. Going to test it out further tomorrow, Thanks for the help.

    I don't really understand the subnet mask but using has worked out so far for a few of my addy's while was the only one that would work on others. Is there any way to tell ?

    Also is there any way to label the ip's I am putting in there? The list is getting a bit long and I would like to know what everything is when I come back to it later or need to reproduce it.

    Thanks again
  8. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    The subnet mask says how much of the IP address to compare. means to compare the entire IP address (must be an exact match) while means to only check the first three octets (it will route any IP that matches the first three numbers). Does that make sense?

    Any line that starts with a # is considered a comment, so you could do:
    # Some server
    route net_gateway
    # Other site
    route net_gateway
    I don't know off the top of my head if in-line comments are allowed. You could try and see if they work, though:
    route net_gateway # Some server
    route net_gateway # Other site
  9. Ravium

    Ravium Networkin' Nut Member

    Yup makes sense. The non line comments should be fine, going to try both though.

    Thanks for the wiki article, had already read some of that but it was way more info than I wanted. Got through some of it, but I'm a biology guy, I don't want to take another red pill ;)
  10. Ravium

    Ravium Networkin' Nut Member

    Well after a few days of testing it looks like the IP address specific approach will not work entirely.

    For static websites its fine. Really appreciate the help there now several of the regional websites I don't care about privacy on work properly.

    However for the gaming servers it doesn't appear to be a usable situation. They are not in a single block and they are unknown until you connect to them. It is unknown how many of them there are, but I have played several times and each time wireshark picks up a new one. I could continue adding them to the list but sources suggest there are over 100 possibilities so that somewhat defeats the purpose of a firewall rule like this.

    Does anyone have any other suggestions for port based routing of traffic through the VPN?
  11. wilsonhlacerda

    wilsonhlacerda Addicted to LI Member

  12. Ravium

    Ravium Networkin' Nut Member

    Thanks for the research. Unfortunately the topic there is about IP routing, not port routing. The solution I have for IP's is pretty simple and works well, the issue is that the IP I connect to each game is different and unknown before it starts and the list is extensive, well over 100 ip's. The servers themselves do not respond to pings =/

    Been looking @ several options. Still no hits yet =/
  13. wilsonhlacerda

    wilsonhlacerda Addicted to LI Member

  14. Ravium

    Ravium Networkin' Nut Member

    Sorry should have mentioned. I am using OpenVPN and the option for using my router only instead of their software is OpenVPN only =/, so didn't look @ the pptp link.

    Going to see if I can use similar steps for openVPN or if that research leads me somewhere fruitful
  15. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I think you could probably use DNS names in the route line, and that would add routes for all IP addresses that that DNS lookup returns.

    However, that may still not be sufficient for you. If that's the case you might look into the ROUTE target for iptables. You should be able to modify the gateway for packets fitting pretty much any criteria.
  16. Ravium

    Ravium Networkin' Nut Member

    Tried the DNS name thing in wireshark but the IP's are unresolvable. I tried several methods of capturing the IP's of the servers, but to no avail.

    Not really sure what you said on the second part. What i got out of it was that there is some ability to filter packets, but how I would pick a particular part of the packet to latch onto I don't know.

    The issue is this is a learning process for me so I am learning things very incrementally. Not exactly able to tie it all together yet, but at least with wireshark I can start to record the IP's of the servers as I join them, eventually the list will be complete I suppose.

    Another issue is I am completely unsure of what I am looking for in the ROUTE command =P Currently a bit frustrated, but oh well learning process
  17. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Try adding the following to your firewall script (Administration->Scripts->Firewall):
    modprobe ipt_ROUTE
    iptables -t mangle -I PREROUTING --dport <your port> -j ROUTE --gw `wan_gateway`
  18. Ravium

    Ravium Networkin' Nut Member

    Going to try, here is whats in my firewall area already (instructions from my VPN)

    iptables -I FORWARD -i br0 -o tap0 -j ACCEPT
    iptables -I FORWARD -i tap0 -o br0 -j ACCEPT
    iptables -I INPUT -i tap0 -j REJECT
    iptables -t nat -A POSTROUTING -o tap0 -j MASQUERADE
  19. Ravium

    Ravium Networkin' Nut Member

    Emailed the company and just asked for the IP's, they yielded them. Over 100, but hey, time to see how it works out =P
  20. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Out of curiosity, did you try the iptables approach?
  21. Ravium

    Ravium Networkin' Nut Member

    I'm actually trying to work with it now. The IP's thing is just stupid, I know that this is the proper way to do it. That particular string didn't work, I tried several iterations of it.

    I am reading this ( ) so I can hopefully try to understand what the line means in more depth, then hopefully try to modify it so it works. I looked up several IPTABLES examples for port forwarding and that line is generally in acceptance with what other people did.

    This is what I have going right now, it doesnt work, but I am slowly working through the line to hopefully iron it out.

    iptables -t mangle -I PREROUTING --dport 11235:11335 -j ROUTE --gw `wan_gateway`
    I am wondering what the

    modprobe ipt_ROUTE
    does. I know modprobe is used to add modules to the kernal, but my other firewall rules (see above) that were added by the VPN company do not reference that. So is it necessary?

    I am doing this all via the GUI, is it better to do it via telnet?
  22. wilsonhlacerda

    wilsonhlacerda Addicted to LI Member

  23. Mission

    Mission Networkin' Nut Member

    Sorry for hijacking thread.
  24. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Oh, shoot. It's not working because I had a typo :oops:
    `wan_gateway` should be `nvram get wan_gateway`

    It's easier to test it using telnet/ssh, as you can see any error messages when adding the rule (if the syntax is invalid, for example) and you can try different things quickly and test them. (btw, change the -I to a -D to remove the rule before trying a new one via telnet/ssh).

    The modprobe may be necessary since, in some builds, the ROUTE target's module isn't loaded by default. I don't know whether or not its needed in the build you're using, but it doesn't hurt either way.

    By the way, selecting "Automatic" for the "Firewall" VPN setting and selecting the "Create NAT on tunnel" checkbox in the VPN config will accomplish the same thing as the other firewall rules.
  25. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    @Mission: It doesn't sound like you're trying to do the same thing at all. Please don't hijack this thread, but create a new one instead if you want assistance. Also, no need to reply here saying you're creating a new thread or apologizing or anything like that.
    P.S. This isn't meant as a "flame". It's easy to get different topics confused when you don't really fully understand them. It's just that for getting Ravium's issue solved, your discussion will only serve as noise.
  26. Ravium

    Ravium Networkin' Nut Member

    Well, I kept wondering what was going on with this thread. Come to find out there is a page two! Epic user error.

    Anyway. The IPTABLES command does not work properly, however it does seem to be a step in the right direction. And I appear to be learning a bit. I did an IPTABLES dump and it seems that the rule is being put in, and it does appear to be routing the game packets. I can tell because when I try to ping servers, the packet count next to the rule goes up.

    When I go into game it looks like all game packets are being routed, just not to the right destination.

    I tried to replace nvram get wan_gateway with wanip_addr as well as trying --gw net_gateway instead to try to route it differently, but that option did not work either. Going to work on it a little bit tomorrow and see if i can play with some other stuff. Any other suggestions? here is my IPTABLES dump.

    pkts bytes target prot opt in out source destination
    231 7870 ROUTE udp -- * * udp dpts:11235:11335 ROUTE gw:
  27. Ravium

    Ravium Networkin' Nut Member

    Also wanted to add that apparently when i put in 70 some odd values into the VPN custom config the method stops working. Unfortunate. =X
  28. Ravium

    Ravium Networkin' Nut Member

  29. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Unfortunately, the ROUTE iptables target is quite flakey. There's another approach that involves setting up a second routing table and just using iptables to choose which table is used. See here for an example. Though, I can't guarantee that will work, either.
    In the end, this is just linux, and googling for resources may be your best bet ("linux port-based routing").
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice