I have three subnets and am using PBR (through the GUI) so that only those devices on one of the subnets are routed through the VPN (OpenVPN, by the way).
I'm trying to solve this problem:
TCP connection is made from an origin address to my public IP
The router forwards the request to an internal IP
The server responds, but the response is directed down the VPN
To do this, I've created a new routing table which forwards over the WAN:
Code:
ip route add default table 100 via $(nvram get wan_gateway)
I then mark the packets I want to be sent back over the WAN and have them use this new routing table:
Can anybody advise why this isn't quite working? I'm inclined to suggest it's because table 10 is taking precedence so table 100 is never used irrespective of the packet being marked out.
then the response from the Plex Server would be routed back over my ISP rather than the VPN tunnel. But, apparently not. For what it's worth, I've also tried eibgrad's script (https://pastebin.com/tTr3X1JV ) with this rule; but still no luck
has done the trick. I can now access the Plex Server over the internet. However, I want all other traffic from 192.168.1.4 to go over the VPN which is why specifying the source port is desirable.
When I grab the tcpdump from interface br0, I see entries such as those below. If I've interpreted them correctly, then the source port is, indeed, 32400...
14:17:12.939108 IP xxx.xxx.xxx.xxx.threembb.co.uk.54214 > Thundera.32400: Flags [.], ack 2340882, win 3314, options [nop,nop,TS val 87348145 ecr 9858601], length 0
14:17:12.949080 IP xxx.xxx.xxx.xxx.threembb.co.uk.54214 > Thundera.32400: Flags [.], ack 2343574, win 3314, options [nop,nop,TS val 87348148 ecr 9858607], length 0
14:17:12.959083 IP xxx.xxx.xxx.xxx.threembb.co.uk.54214 > Thundera.32400: Flags [.], ack 2347612, win 3314, options [nop,nop,TS val 87348152 ecr 9858607], length 0
14:17:12.979715 IP xxx.xxx.xxx.xxx.threembb.co.uk.54214 > Thundera.32400: Flags [.], ack 2352996, win 3314, options [nop,nop,TS val 87348155 ecr 9858607], length 0
14:17:12.979793 IP xxx.xxx.xxx.xxx.threembb.co.uk.54214 > Thundera.32400: Flags [.], ack 2357034, win 3314, options [nop,nop,TS val 87348158 ecr 9858607], length 0
14:17:12.979855 IP xxx.xxx.xxx.xxx.threembb.co.uk.54214 > Thundera.32400: Flags [.], ack 2362418, win 3314, options [nop,nop,TS val 87348158 ecr 9858608], length 0
14:17:12.979919 IP xxx.xxx.xxx.xxx.threembb.co.uk.54214 > Thundera.32400: Flags [.], ack 2365110, win 3314, options [nop,nop,TS val 87348158 ecr 9858610], length 0
Went with the brutal option and started from scratch. Thanks, Per for your help in tracking down the problems.
Just one more piece of the puzzle: since I have a reasonable-sized firewall script now, where do I install this, and how do I execute it? https://pastebin.com/vXfWLnPe
When I run the following, there's no corresponding entry:
Code:
iptables -L -t mangle
Whereas this yields an entry:
Code:
add_rule_lan -s 192.168.1.4
Any idea what's wrong with the rule with the source port specified?
I think the bug in your first rule is that the --sport directive needs to follow the -p tcp, not -s <ip>
like this:
Code:
add_rule_lan -p tcp --sport 32400 -s 192.168.1.4
That being said... I am trying to do the same thing that you are.
I'm not using the script you mention, I'm writing the iptables rules directly.
I'm interested in how you finally got it working.
When I add a rule that includes the port 32400 it doesn't work [similar to the issue it sounds like you were having, but my rule gets created... it just doesn't work as I'd expect it to]
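The setup being discussed in this thread (a second routing table pointing at the WAN gateway, a fwmark rule selecting it, and a mangle rule marking the Plex server's replies with the match options in the corrected order from the post above) as one complete script. This is an added example, not code from the thread or from eibgrad's script; it assumes the LAN bridge is br0, the VPN policy table is 10 (so the new rule is given a lower priority number than the VPN's), that fwmark 0x64 and table 100 are unused, and it falls back to a constructed placeholder gateway when `nvram` is not available. Each builder function echoes one command so the plan can be reviewed before it is applied.

```shell
#!/bin/sh
# Hypothetical dd-wrt firewall script (added example, not from the thread).
# Goal: replies from the Plex server (192.168.1.4, TCP source port 32400) leave via the
# ISP/WAN gateway instead of the OpenVPN tunnel, while everything else from that host
# keeps following the VPN policy route.
#
# Assumptions (labelled): LAN bridge is br0, the WAN gateway comes from `nvram get wan_gateway`,
# the VPN policy-routing table is 10, and fwmark 0x64 / table 100 are free to use.

LAN_IF="br0"
PLEX_IP="192.168.1.4"
PLEX_PORT="32400"
MARK="0x64"            # decimal 100; must not collide with marks the VPN scripts use
TABLE="100"
RULE_PRIO="100"        # numerically lower than the VPN's ip rule so table 100 is consulted first

wan_gateway() {
    # On the router this is `nvram get wan_gateway`; the constructed fallback keeps the
    # script runnable on a host without nvram.
    if command -v nvram >/dev/null 2>&1; then
        nvram get wan_gateway
    else
        echo "203.0.113.1"   # constructed placeholder (TEST-NET-3), replace on a real router
    fi
}

# Each builder echoes one command so the plan can be reviewed (or tested) before it is applied.
cmd_route_table() {
    echo "ip route replace default via $(wan_gateway) table $TABLE"
}

cmd_ip_rule() {
    # The fwmark lookup must sit at a lower priority number than the VPN's rule for table 10,
    # otherwise the marked packets never reach table 100.
    echo "ip rule add fwmark $MARK lookup $TABLE priority $RULE_PRIO"
}

cmd_mark_rule() {
    # Match order matters: --sport is a TCP match option, so it must come after -p tcp.
    echo "iptables -t mangle -A PREROUTING -i $LAN_IF -p tcp --sport $PLEX_PORT -s $PLEX_IP -j MARK --set-mark $MARK"
}

cmd_verify() {
    # -S prints rules in iptables-save syntax, which shows the match options that -L hides.
    echo "iptables -t mangle -S PREROUTING"
    echo "ip rule show"
    echo "ip route show table $TABLE"
}

plan() {
    cmd_route_table
    cmd_ip_rule
    cmd_mark_rule
}

# Print the plan; execute it only when APPLY=1 is set in the environment.
plan
if [ "${APPLY:-0}" = "1" ]; then
    plan | while IFS= read -r c; do $c; done
    cmd_verify | while IFS= read -r c; do $c; done
fi
```

Run it without `APPLY` to see the three commands it would issue; with `APPLY=1` it executes them and then prints the mangle chain, the rule list and table 100 so you can confirm the mark rule and the fwmark lookup are actually present (`iptables -t mangle -S PREROUTING` is the check to use, since `iptables -L` does not show the `--sport` match).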
Are you asking how to use the script you linked, or are you asking where to install the firewall script you have written?
To use the script you have linked you need to have this script saved on your router file system someplace, and also a "target" script that you want to make smaller.
Then on the cmdline, just type the name of the compress script as your first argument, and the "target" as your second argument. The result is that the target script has had comments and other "non-code" removed.
To install a firewall script you can go to the GUI on your dd-wrt router: Choose the "Administration" tab, and the "Commands" tab under that.
Then paste the firewall script in the box and choose the button at the bottom that says "Save Firewall"
Where the source IP is the (static) IP of the machine on which the Plex Server is running. You were absolutely right, by the way: I needed the --sport option to follow the protocol.
Thanks also for the hint on running the script to compress other script. Makes perfect sense.
Good luck! Give me a shout if you'd like me to try and help.
Interesting.
I needed to allow my plex server ip access to talk to "plex.tv" on both 80 and 443 - then it worked.
I didn't need the above rule - I assume because I have the port forwarding already set in the GUI. I really wish I fully understood why though - I mean I don't have an explicit rule to allow my plex server to talk over 32400 using the ISP gateway...but it does.