openvpn PBR: website behind an internal IP

DD-WRT Forum Index -> Advanced Networking
fuzzyduck
DD-WRT Novice


Joined: 13 Apr 2018
Posts: 14

PostPosted: Sat Apr 28, 2018 12:30    Post subject: openvpn PBR: website behind an internal IP
I got the DD-WRT running NordVPN as a client fine. But I also have one internal IP, 192.168.1.4, that I want to go over my regular WAN IP, because this is my Nextcloud server VM.

What i did:
1. Disabled "Shortcut Forwarding Engine"

2. Added all IPs I want to go over OpenVPN in the PBR manually as xxx.xxx.xxx/32, and obviously didn't add 192.168.1.4

3. Checked all clients' external IP and it works fine.

4. Added port 443 to the regular NAT GUI, but I don't think that's what I should be doing.


I think PBR took over the routing and I need to add firewall rules to give 192.168.1.4 an open port 443 to the WAN.


I'm reading and reading but it appears a bit too hard for me to tackle. Can somebody point me in the right direction? Or write me the rule? Obviously I would like to still be able to reach 192.168.1.4 on the network behind it.



thx!


Last edited by fuzzyduck on Wed May 02, 2018 11:50; edited 3 times in total
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12917
Location: Netherlands

PostPosted: Sat Apr 28, 2018 15:24    Post subject:
You can use a range for PBR with the help of a CIDR calculator: https://www.ipaddressguide.com/cidr

Make sure 192.168.1.4 is routed via the WAN: surf from this client to ipleak.net and you should see the ISP's IP address; from the VPN-routed clients you should see Nord's.

If I understand correctly you are hosting a server on 192.168.1.4. You need a port forward to that server, the port forward opens up the firewall.
Port 433 is sometimes used so I would suggest using something like 8443, set this port on the server and forward it on the Port Forwarding tab of the router.

That is basically all, assuming this router is internet connected; if it is behind another ISP router then that one also has to be set up for port forwarding.

Note: there were builds where port forwarding was not working; look in the build threads.
That is why it is always helpful to state your router and build.

_________________
Routers: Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3, XR300: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read): https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
fuzzyduck
DD-WRT Novice


Joined: 13 Apr 2018
Posts: 14

PostPosted: Sat Apr 28, 2018 18:40    Post subject:
Thx for the reply. So the GUI port forwarding is for IPs NOT in the PBR range.

My firmware: DD-WRT v3.0-r35244 std (03/05/18)


EDIT1: GUI port forwarding of port 443 to the https website at 192.168.1.4 works fine when the VPN client is disabled. It breaks when I enable the VPN client again. Could it be some VPN setting I use (NordVPN)?

remote-cert-tls server
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping-timer-rem
reneg-sec 0

EDIT2: When I check for port 443 at https://www.yougetsignal.com/tools/open-ports/ with the OpenVPN client enabled it says it's open, but the router doesn't seem to forward the packets to 192.168.1.4. When trying the Nextcloud website it loads indefinitely.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12917
Location: Netherlands

PostPosted: Sat Apr 28, 2018 19:23    Post subject:
You cannot port forward to a client which is routed through the VPN. That is why you should keep your server outside the VPN by not including it in the PBR field.
(Some vpn providers facilitate port forwarding. I am using PIA which does)

fuzzyduck
DD-WRT Novice


Joined: 13 Apr 2018
Posts: 14

PostPosted: Sat Apr 28, 2018 20:36    Post subject:
I appreciate you taking the time to help me.

The webserver at port 443 on 192.168.1.4 is NOT in the PBR list. I checked: the webserver's external IP is my regular WAN.

So my findings in summary:

1. OpenVPN client disabled: port forwarding with the NAT GUI works, and the website works fine.

2. OpenVPN client enabled: the website loads forever. An external port check website says the port is open.

The proven open port plus the fact that the website is loading forever does mean something at least, but I don't know what...
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12917
Location: Netherlands

PostPosted: Sun Apr 29, 2018 7:57    Post subject:
You cannot test from inside your network when the VPN is on. You have to test whether the server is accessible from outside, e.g. from a friend's address or using your phone via the cellular network.

You should be able to access the server by using its local address 192.168.1.4 if VPN/PBR is on, but for that you have to add local routes to the alternative routing table. Is this what you want? If so I can give instructions on how to do that.

fuzzyduck
DD-WRT Novice


Joined: 13 Apr 2018
Posts: 14

PostPosted: Sun Apr 29, 2018 11:20    Post subject:
Thx a lot! I never would have thought of this.

I figured I could just go out over the VPN and come back in again over the WAN, but that's not the case.

Yes, from another IP the website works.

If you could point me in the right direction for this advanced routing I would be grateful. So when I type somewebsite.com from behind the router it should route to 192.168.1.4?

EDIT: I added address=/website.com/192.168.1.4 to the Additional DNSMasq Options. It works now, but I'm not sure it's the best/right way.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12917
Location: Netherlands

PostPosted: Sun Apr 29, 2018 15:36    Post subject:
NAT loopback (that is what you use when accessing anything over the WAN from inside your network) does not work because it goes out via the VPN and in via the WAN.

Regarding local routes and PBR see the following explanation: http://svn.dd-wrt.com/ticket/5690

For the script which resolves this see: https://pastebin.com/YwnHLqaa
Copy the raw data, go to Administration/Commands, paste it there and save as Startup.

Reboot when done

Courtesy of master network guru @Eibgrad

I am using it and it works as advertised

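The two egc posts above describe the fix in words: clients that PBR sends through the tunnel look up their routes in an alternative routing table, and that table only knows the VPN default route, so the LAN subnet (and 192.168.1.4 on it) is unreachable from those clients until the local routes are copied into it. The script below is an added example illustrating that idea; it is not the pastebin script egc links, not Eibgrad's code and not part of DD-WRT. It assumes the PBR rules point at table 10 and uses constructed interface names (br0, vlan2, tun1) and a constructed copy of `ip route show` output; check `ip rule show` on your own router for the real table number.

```shell
#!/bin/sh
# Added example (not the pastebin script linked above and not DD-WRT's own code).
# Replicates every non-default route from the main table into the alternative
# routing table consulted by the VPN policy-based-routing rules, so that clients
# sent through the tunnel can still reach LAN hosts such as 192.168.1.4.
# ASSUMPTIONS (placeholders, check `ip rule show` on your router):
#   PBR_TABLE - the table number the PBR rules point at; 10 is a guess.
#   The sample routes below are constructed, not taken from a real router.

PBR_TABLE="${PBR_TABLE:-10}"

# Reads the output of `ip route show` (main table) on stdin and prints one
# `ip route replace ... table $PBR_TABLE` command per non-default route.
# Default routes are skipped on purpose: the alternative table's default
# must stay the VPN tunnel, otherwise PBR would stop doing anything.
# `replace` rather than `add` keeps the script idempotent on re-runs.
local_route_cmds() {
    while IFS= read -r line; do
        case "$line" in
            ""|default*|0.0.0.0/0*) continue ;;
            *) printf 'ip route replace %s table %s\n' "$line" "$PBR_TABLE" ;;
        esac
    done
}

# Constructed sample of what `ip route show` might print on a DD-WRT box with
# the WAN on vlan2, the LAN bridge br0 and an OpenVPN client on tun1.
SAMPLE_ROUTES='default via 203.0.113.1 dev vlan2
10.8.0.0/24 dev tun1 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1
203.0.113.0/24 dev vlan2 proto kernel scope link src 203.0.113.7'

# Number of replace commands generated for the sample (self-check: 3, the
# default route is dropped).
sample_cmd_count() {
    printf '%s\n' "$SAMPLE_ROUTES" | local_route_cmds | grep -c '^ip route replace '
}

# Apply for real (needs root on the router). Run it after the tunnel is up,
# e.g. from a route-up hook, because the tun route only exists once it is.
apply_local_routes() {
    ip route show | local_route_cmds | sh
    ip route flush cache
}

if [ "${APPLY:-0}" = 1 ]; then
    apply_local_routes
else
    # Dry run: show the commands that would be issued for the sample table.
    printf '%s\n' "$SAMPLE_ROUTES" | local_route_cmds
fi
```

Run it without arguments to see the generated commands for the sample; on the router, `APPLY=1 sh script.sh` issues them. Afterwards `ip route show table "$PBR_TABLE"` should list the LAN subnet next to the tunnel's default route, which is the condition under which a VPN-routed client can reach 192.168.1.4 directly. Note that this restores LAN reachability only; it does nothing for NAT loopback via the public WAN address, which is why the dnsmasq address= entry from the previous post is still the right way to make the site name resolve internally.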
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6870
Location: Romerike, Norway

PostPosted: Sun Apr 29, 2018 17:38    Post subject:
fuzzyduck wrote:
I added address=/website.com/192.168.1.4 to the Additional DNSMasq Options. It works now, but I'm not sure it's the best/right way.


This is the best solution.
fuzzyduck
DD-WRT Novice


Joined: 13 Apr 2018
Posts: 14

PostPosted: Sun Apr 29, 2018 19:09    Post subject:
Thx for the help.

Should I keep the Shortcut Forwarding Engine disabled when using PBR?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12917
Location: Netherlands

PostPosted: Sun Apr 29, 2018 20:38    Post subject:
Yes, keep SFE disabled when using Policy Based Routing.
Otherwise your VPN clients will not have http access.

SFE is not speeding up the VPN connection anyway.
It can speed up the WAN connection, but it is only helpful if you have a really slow router or a 300 Mb/s or higher internet connection. If that is the case and your firmware is on Linux kernel 4.4, I have a patched SFE module which works with PBR (courtesy of @Quarkysg).
