Help with routing traffic on vlan with ebtables/iptables

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Broadcom SoC based Hardware
Goto page 1, 2  Next
Author Message
paranoid87
DD-WRT Novice


Joined: 05 Aug 2006
Posts: 46

PostPosted: Sun Jul 17, 2011 4:56    Post subject: Help with routing traffic on vlan with ebtables/iptables Reply with quote
Hello Everyone.

I have a linksys E3000 running build 14929 big.

This router is setup to connect to my main ADSL linksys WAG200G router(192.168.1.1) via WLAN on repeater mode(not bridged).

I have a VAP on this E3000 router - wl0.1 - secure1

I have vlan3, vlan4, vlan5 running on 192.168.3.x, 4.x, 5.x seperately.DHCP servers's are all running OK.I have not put in any additonal iptable rules to allow / isolate traffic etc. just as is.

I have a strong pptp vpn setup in PPTP client,and what i am trying to achieve is to selectively route the traffic over vpn by using ebtables and iptables over the wlan and vlan3 and vlan5 only.I have pasted the below in my firewall script --> commands tab:

Code:
echo "sleep 40" > /tmp/firewall_script.sh

echo "for i in ebtables ebt_mark ebtable_filter ebtable_nat; do insmod \$i; done" >> /tmp/firewall_script.sh
echo "ebtables -t nat -F" >> /tmp/firewall_script.sh
echo "ip rule del from 0/0 fwmark 4 lookup 4" >> /tmp/firewall_script.sh
echo "ip route flush table 4" >> /tmp/firewall_script.sh
echo "iptables -t mangle -F" >> /tmp/firewall_script.sh
echo "ebtables -t nat -A PREROUTING -i wl0.1 -j mark --set-mark 4" >> /tmp/firewall_script.sh
echo "ebtables -t nat -A PREROUTING -i vlan3 -j mark --set-mark 4" >> /tmp/firewall_script.sh
echo "ip route show table main | grep -Ev ^default | while read ROUTE; do ip route add table 4 \$ROUTE; done" >> /tmp/firewall_script.sh
echo "ip route add table 4 default dev ppp0" >> /tmp/firewall_script.sh
echo "ip rule add fwmark 4 table 4" >> /tmp/firewall_script.sh
echo "ip route flush cache" >> /tmp/firewall_script.sh
echo "ebtables -t nat -A PREROUTING -i vlan3 -j mark --set-mark 4" >> /tmp/firewall_script.sh

chmod +x /tmp/firewall_script.sh
sh /tmp/firewall_script.sh &


however the vpn tunnel is routed on wlan but not through any of the vlans3,4 or 5.

Is this because of the fact that the default bridge br0 is not bridging or having these interfaces viz. vlan3, vlan4 or vlan5 ?

Please help,

Thanks in advance,

paranoid
Sponsor
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10143

PostPosted: Mon Jul 18, 2011 18:21    Post subject: Reply with quote
Using ebtables really complicates things... As long as you're not trying to do anything crazy like bridging two interfaces and only routing one of them over the VPN, then you should just use simple source based policy routing instead of marking it with ebtables. ie. just set some source subnets to route over the tunnel.
_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
paranoid87
DD-WRT Novice


Joined: 05 Aug 2006
Posts: 46

PostPosted: Mon Jul 18, 2011 20:09    Post subject: Reply with quote
Thanks phuzi0n, if policy based routing works then thats how it'd be,

i know for ex i can do the below:

add pppo as gw for one internal adress:
********
ip rule add from 192.168.1.111 table 200
ip route add default via 173.195.10.129 dev ppp0 table 200
ip route flush cache
*******

if 1.111 is one of my internal address, and 173 is the ppp0 address.

But how to add a whole subnet? is it like this?

ip rule add from 192.168.2.0 table 200? instead of the ip listed in the above?

~paranoid
paranoid87
DD-WRT Novice


Joined: 05 Aug 2006
Posts: 46

PostPosted: Mon Jul 18, 2011 20:12    Post subject: Reply with quote
on a side note, can policy based routing be used for multiple subnets? viz if i have 3 vlans not bridged running independent dhcp servers on 2.x, 3.x, 4.x etc.
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10143

PostPosted: Thu Jul 21, 2011 19:58    Post subject: Reply with quote
paranoid87 wrote:
But how to add a whole subnet? is it like this?

ip rule add from 192.168.2.0 table 200? instead of the ip listed in the above?

No, an address is not a subnet without a netmask. Add a CIDR style netmask onto it.

ip rule add from 192.168.2.0/24 table 200

paranoid87 wrote:
on a side note, can policy based routing be used for multiple subnets? viz if i have 3 vlans not bridged running independent dhcp servers on 2.x, 3.x, 4.x etc.

Yes or course, you can have multiple rules to make different source addresses use whichever routing table you want them to. To make all your extra VLAN's go over the tunnel just create a rule for each subnet to use the alternate routing table.

_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
paranoid87
DD-WRT Novice


Joined: 05 Aug 2006
Posts: 46

PostPosted: Thu Jul 21, 2011 20:03    Post subject: Reply with quote
Thanks but my pptp remote vpn ip keeps changing almost whenever the vpn tunnel is dropped/ re-connected

how to make it work then?

thanks again phuzion
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10143

PostPosted: Thu Jul 21, 2011 20:26    Post subject: Reply with quote
You don't need to know the IP of the next hop for a route on a point to point link, you can just specify the interface.

ip route add default dev ppp0 table 200


If you need the IP for some other reason then it's probably in an nvram variable and you can find out by grepping for the IP from nvram show.

nvram show | grep [tunnel gateway IP]

_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
paranoid87
DD-WRT Novice


Joined: 05 Aug 2006
Posts: 46

PostPosted: Thu Jul 21, 2011 20:35    Post subject: Reply with quote
no i dont need to know the ip

ppp0 is just fine by me if defining that in the routing table works

thanks!
paranoid87
DD-WRT Novice


Joined: 05 Aug 2006
Posts: 46

PostPosted: Fri Jul 22, 2011 6:43    Post subject: Reply with quote
to test i did this on save firewall:

ip rule add from 192.168.6.0/24 table 200
ip route add default dev ppp0 table 200
ip route flush cache

even then, on vlan 192.168.6.x i was not going through pptp vpn as i could not get a US ip.

anything wrong here?ppp0 was up in ifconfig
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10143

PostPosted: Fri Jul 22, 2011 20:04    Post subject: Reply with quote
Use the command I gave and find what nvram variable has your PPTP gateway, then try adding it to the route command.

ip route add default via `nvram get pptp_gateway_variable_name` dev ppp0 table 200

_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
paranoid87
DD-WRT Novice


Joined: 05 Aug 2006
Posts: 46

PostPosted: Fri Jul 22, 2011 21:28    Post subject: Reply with quote
ifconfig of my ppp0 is:

ppp0 Link encap:Point-to-Point Protocol
inet addr:199.127.24x.xx P-t-P:199.127.24x.x Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1400 Metric:1
RX packets:104 errors:0 dropped:0 overruns:0 frame:0
TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:3534 (3.4 KiB) TX bytes:126 (126.0 B)


which of this is :

nvram show | grep [tunnel gateway IP]

the tunnel gateway IP, secondly - when running the above command i get this:

root@DD-WRT:~# nvram show | grep 199.247.24w.b
size: 21940 bytes (10828 left)
root@DD-WRT:~# nvram show | grep 199.247.24x.xy
size: 21940 bytes (10828 left)

is the tunnel gateway IP the tunnel IP or the PPTP server IP which i am connecting to?

could this be the variable:

pptpd_client_srvip
or

pptpd_client_srvsub=0.0.0.0


when i do the above command with square brackets [] i get a huge config output.
paranoid87
DD-WRT Novice


Joined: 05 Aug 2006
Posts: 46

PostPosted: Fri Jul 22, 2011 21:42    Post subject: Reply with quote
phuzi0n! thanks for your patience,

after much struggling i found that typing this on while telnet to router gives me remote VPN IP:


Code:
ifconfig ppp0 | grep 'inet addr' | grep -v '127.0.0.1' | cut -d:
-f2 | cut -d' ' -f1


now to how to add this as a variable which can be used in the route command?

thanks!
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10143

PostPosted: Fri Jul 22, 2011 22:14    Post subject: Reply with quote
Use command substitution like I showed. Either `command` or $(command) inside of the ip route command.


ip route add default via `ifconfig ppp0|grep 'inet addr'|grep -v '127.0.0.1'|cut -d: -f2|cut -d' ' -f1` dev ppp0 table 200

_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
paranoid87
DD-WRT Novice


Joined: 05 Aug 2006
Posts: 46

PostPosted: Sat Jul 23, 2011 10:12    Post subject: Reply with quote
this is what i was looking for!

ip rule add from 192.168.6.0/24 table 200
ip route add default via `ifconfig ppp0|grep 'inet addr'|grep -v '127.0.0.1'|cut -d: -f2|cut -d' ' -f1` dev ppp0 table 200
ip route flush cache

--except for some reason the route table 200 goes, where do i add this to? command/firewall or startup or custom script?no matter what when i telnet and run

ip route show table 200 - nada zip no results, although ip rule shows that 6.0 lookup 200

any help? i want this to be static in the sense that it should STICK,

thanks phuzi0n!
paranoid87
DD-WRT Novice


Joined: 05 Aug 2006
Posts: 46

PostPosted: Sat Jul 23, 2011 11:50    Post subject: Reply with quote
on another note - i think there might be another way of acheiving this.

issuing a root@DD-WRT:~# ip route

shows my default routing table.

Is it possible to assign the default gateway of one of my routers subnets as the VPN ip?

if yes, how can this be set as a variable instead of a fixed ip?

like $dynvpnip(ifconfig ppp0|grep 'inet addr'|grep -v '127.0.0.1'|cut -d: -f2|cut -d' ' -f1)

Thanks!
Goto page 1, 2  Next Display posts from previous:    Page 1 of 2
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Broadcom SoC based Hardware All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum