How to add an IP range to PBR field under OpenVPN?

Skoda Zek
DD-WRT User


Joined: 07 Apr 2018
Posts: 67
Location: Calgary, AB Canada

PostPosted: Wed Jun 13, 2018 18:16    Post subject: How to add an IP range to PBR field under OpenVPN?
Finally got PBR working.

I want to add my entire DHCP range to the Policy as I only need 3 devices (which I have setup as static outside the DHCP range) to be direct.

192.168.0.100 - 192.168.0.149 is the DHCP range setup by DD-WRT as default and I just want to know what to enter into the PBR field under Services/OpenVPN Client.

The only way I know how to do this is to add each IP individually, 1 per line:
192.168.0.100/32
192.168.0.101/32 etc....

But I was wondering if there was a more efficient way to cover the 100-149 range.

Thanks
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 7414

PostPosted: Wed Jun 13, 2018 18:23
Use any online IP Range to CIDR calculator/converter. Loads of them.

https://www.ipaddressguide.com/cidr
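The conversion that such a calculator performs, written out as an added example (not code from the thread) so the PBR entries can be derived and checked offline. It takes the DHCP pool from the first post and returns the minimal set of CIDR blocks; the `pbr_field` and `matches_stdlib` helpers are this example's own.

```python
# Added example (not from the thread): greedy range-to-CIDR conversion,
# the same result an online IP-range-to-CIDR calculator produces.
import ipaddress


def range_to_cidrs(first: str, last: str) -> list:
    """Split the inclusive range first..last into the fewest CIDR blocks.

    Each block must start at the current address, so its size is capped by
    that address's alignment (its lowest set bit) and by how many addresses
    remain before `last`.
    """
    start = int(ipaddress.IPv4Address(first))
    end = int(ipaddress.IPv4Address(last))
    if start > end:
        raise ValueError("range start must not exceed range end")
    blocks = []
    while start <= end:
        size = start & -start if start else 1 << 32  # alignment of `start`
        while start + size - 1 > end:                # do not overrun `last`
            size //= 2
        prefix = 33 - size.bit_length()              # size == 2**(32-prefix)
        blocks.append(f"{ipaddress.IPv4Address(start)}/{prefix}")
        start += size
    return blocks


def pbr_field(first: str, last: str) -> str:
    """Text to paste into the OpenVPN client's PBR box: one CIDR per line."""
    return "\n".join(range_to_cidrs(first, last))


def matches_stdlib(first: str, last: str) -> bool:
    """Cross-check the hand-rolled split against the standard library."""
    expected = [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))]
    return range_to_cidrs(first, last) == expected


if __name__ == "__main__":
    # The default DD-WRT pool from the first post: 50 addresses, 6 CIDR lines.
    print(pbr_field("192.168.0.100", "192.168.0.149"))
```

The three direct devices at .205-.207 fall outside every block produced here, so they are not matched by the policy.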
Skoda Zek
DD-WRT User


Joined: 07 Apr 2018
Posts: 67
Location: Calgary, AB Canada

PostPosted: Wed Jun 13, 2018 18:40
Thanks so much that did it.

Now one last thing I need to figure out and everything is perfect.

3 devices on my dd-wrt are static and operate direct and bypass the vpn.

They are 192.168.0.205, 192.168.0.206, 192.168.0.207
I need to assign them a custom primary and secondary DNS, and I need to do it from the DD-WRT router.

Anyone know how I can do this?
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 4315
Location: Akershus, Norway

PostPosted: Wed Jun 13, 2018 18:45
It cannot be done with static addresses, but you can change the clients to static dhcp leases.
Skoda Zek
DD-WRT User


Joined: 07 Apr 2018
Posts: 67
Location: Calgary, AB Canada

PostPosted: Wed Jun 13, 2018 18:56
OK, can you explain how to do that and then assign them the custom DNS?

Thanks
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 7414

PostPosted: Wed Jun 13, 2018 19:09
DNSMasq (the router's local DNS server/proxy) doesn't support different DNS servers for different source IPs. Neither can any public DNS server. DNS just doesn't work that way.

Assuming these three devices have static leases defined in the router, you could make DNS exceptions for them via DHCP. But it's necessary to establish the static leases directly in DNSMasq, using the Additional DNSMasq Options field, rather than the GUI.

Code:
dhcp-host=set:altdns,01:a6:69:81:7f:25,192.168.0.205,hostname1,24h
dhcp-host=set:altdns,01:91:c8:ed:87:1e,192.168.0.206,hostname2,24h
dhcp-host=set:altdns,01:ad:e4:76:73:b4,192.168.0.207,hostname3,24h
dhcp-option=tag:altdns,6,8.8.8.8,8.8.4.4


What's happening here is that the tag "altdns" is being used to direct the DHCP server to use the DNS servers defined on the dhcp-option w/ the same tag for those devices.

However, a word of caution. Many times the dd-wrt version of DNSMasq can be woefully out of date, and therefore might not have this feature. Or sometimes the dd-wrt developers simply strip the feature out to save space. So I can't guarantee it will work for your build. But this *is* how you do it assuming your version of DNSMasq has the feature.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 7414

PostPosted: Wed Jun 13, 2018 19:17
P.S. If it doesn't work, worst case scenario, you could just intercept the DNS queries from those particular devices and redirect them to your preferred DNS server using the following firewall script.

Code:
# dns over udp
iptables -t nat -A PREROUTING -i br0 -p udp -s 192.168.0.205 --dport 53 -j DNAT --to 8.8.8.8
iptables -t nat -A PREROUTING -i br0 -p udp -s 192.168.0.206 --dport 53 -j DNAT --to 8.8.8.8
iptables -t nat -A PREROUTING -i br0 -p udp -s 192.168.0.207 --dport 53 -j DNAT --to 8.8.8.8

# dns over tcp
iptables -t nat -A PREROUTING -i br0 -p tcp -s 192.168.0.205 --dport 53 -j DNAT --to 8.8.8.8
iptables -t nat -A PREROUTING -i br0 -p tcp -s 192.168.0.206 --dport 53 -j DNAT --to 8.8.8.8
iptables -t nat -A PREROUTING -i br0 -p tcp -s 192.168.0.207 --dport 53 -j DNAT --to 8.8.8.8


So now it doesn't matter how they get configured for DNS; statically, static leases, DHCP, whatever. It just gets overridden all the time to 8.8.8.8.

Only downside is you can only bind these devices to a single DNS server (no backup). So if that DNS server isn't available for any reason, they have no DNS at all! Not unless and until you change it in the firewall rules.
Skoda Zek
DD-WRT User


Joined: 07 Apr 2018
Posts: 67
Location: Calgary, AB Canada

PostPosted: Wed Jun 13, 2018 19:36
I think the firewall script you suggested is likely the best option.

Just wondering how to determine if I should use your UDP or TCP code?

Thanks so much btw
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 7414

PostPosted: Wed Jun 13, 2018 19:38
Skoda Zek wrote:
I think the firewall script you suggested is likely the best option.

Just wondering how to determine if I should use your UDP or TCP code?

Thanks so much btw


Usually the client will try udp first, then fall back to tcp if that fails. So you really need both to be safe.
Skoda Zek
DD-WRT User


Joined: 07 Apr 2018
Posts: 67
Location: Calgary, AB Canada

PostPosted: Wed Jun 13, 2018 20:00
Perhaps I did it wrong:

# dns over udp
iptables -t nat -A PREROUTING -i br0 -p udp -s 192.168.0.205 --dport 53 -j DNAT --to 85.203.37.1
iptables -t nat -A PREROUTING -i br0 -p udp -s 192.168.0.206 --dport 53 -j DNAT --to 85.203.37.1
iptables -t nat -A PREROUTING -i br0 -p udp -s 192.168.0.207 --dport 53 -j DNAT --to 85.203.37.1

# dns over tcp
iptables -t nat -A PREROUTING -i br0 -p tcp -s 192.168.0.205 --dport 53 -j DNAT --to 85.203.37.1
iptables -t nat -A PREROUTING -i br0 -p tcp -s 192.168.0.206 --dport 53 -j DNAT --to 85.203.37.1
iptables -t nat -A PREROUTING -i br0 -p tcp -s 192.168.0.207 --dport 53 -j DNAT --to 85.203.37.1

Exactly as I put in Administration->Commands and chose "Save Firewall"

Then I did a router reboot from Admin just to be safe, but these 3 IPs are still using the default DNS.
Skoda Zek
DD-WRT User


Joined: 07 Apr 2018
Posts: 67
Location: Calgary, AB Canada

PostPosted: Wed Jun 13, 2018 20:12
Also SSHed into DD-WRT and ran both the UDP and TCP commands (testing the results of each), and in both cases the DNS seems to fail to catch on, so to speak.

Yet when running the command I got no error at the ssh console.
Skoda Zek
DD-WRT User


Joined: 07 Apr 2018
Posts: 67
Location: Calgary, AB Canada

PostPosted: Wed Jun 13, 2018 20:19
eibgrad wrote:
DNSMasq (the router's local DNS server/proxy) doesn't support different DNS servers for different source IPs. Neither can any public DNS server. DNS just doesn't work that way.

Assuming these three devices have static leases defined in the router, you could make DNS exceptions for them via DHCP. But it's necessary to establish the static leases directly in DNSMasq, using the Additional DNSMasq Options field, rather than the GUI.

Code:
dhcp-host=set:altdns,01:a6:69:81:7f:25,192.168.0.205,hostname1,24h
dhcp-host=set:altdns,01:91:c8:ed:87:1e,192.168.0.206,hostname2,24h
dhcp-host=set:altdns,01:ad:e4:76:73:b4,192.168.0.207,hostname3,24h
dhcp-option=tag:altdns,6,8.8.8.8,8.8.4.4


What's happening here is that the tag "altdns" is being used to direct the DHCP server to use the DNS servers defined on the dhcp-option w/ the same tag for those devices.

However, a word of caution. Many times the dd-wrt version of DNSMasq can be woefully out of date, and therefore might not have this feature. Or sometimes the dd-wrt developers simply strip the feature out to save space. So I can't guarantee it will work for your build. But this *is* how you do it assuming your version of DNSMasq has the feature.


I think I'm going to give this method a try instead of iptables.

My DD-WRT build is DD-WRT v3.0-r36104 std (06/10/18) running on the Linksys WRT32X. Not sure if that helps in identifying whether what I have will or will not work for the aforementioned method.

Currently my DHCP server is managed by whatever DD-WRT uses as default. I do have DNSMasq enabled as the OpenVPN guide for my ExpressVPN setup had me enable it and add "interface=tun1" to Additional DNSMasq options.

Do I simply need to add the code you offered (modifying the obvious parts to specify devices/DNS servers) on the lines following the interface=tun1 I already have there, and in theory it should work following a router reboot?
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 7414

PostPosted: Wed Jun 13, 2018 21:14
Skoda Zek wrote:
Perhaps I did it wrong:

# dns over udp
iptables -t nat -A PREROUTING -i br0 -p udp -s 192.168.0.205 --dport 53 -j DNAT --to 85.203.37.1
iptables -t nat -A PREROUTING -i br0 -p udp -s 192.168.0.206 --dport 53 -j DNAT --to 85.203.37.1
iptables -t nat -A PREROUTING -i br0 -p udp -s 192.168.0.207 --dport 53 -j DNAT --to 85.203.37.1

# dns over tcp
iptables -t nat -A PREROUTING -i br0 -p tcp -s 192.168.0.205 --dport 53 -j DNAT --to 85.203.37.1
iptables -t nat -A PREROUTING -i br0 -p tcp -s 192.168.0.206 --dport 53 -j DNAT --to 85.203.37.1
iptables -t nat -A PREROUTING -i br0 -p tcp -s 192.168.0.207 --dport 53 -j DNAT --to 85.203.37.1

Exactly as I put in Administration->Commands and chose "Save Firewall"

Then I did a router reboot from Admin just to be safe, but these 3 IPs are still using the default DNS.


Could be several things.

If your build has the "Forced DNS Redirection" option in the DHCP server section, and it's checked, it might be redirecting those redirects back to the router and its DNS server.

It might help to change the rules from Appends (-A) to Inserts (-I) to give them precedence.

Would help too to dump that portion of the firewall just to confirm the rules are there, they're getting packet hits, and there isn't something interfering, like "Forced DNS Redirection".

Code:
iptables -t nat -vnL PREROUTING
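As an added example (not code from the thread), a small checker for the `iptables -t nat -vnL PREROUTING` dump suggested here, applied to the per-device DNS DNAT rules from the earlier post. It reports which device/protocol rules are absent or have no packet hits, and flags any catch-all port-53 rule that sits ahead of them (the situation a "Forced DNS Redirection" rule would create). The sample dump, its counters and the resolver address 85.203.37.1 are constructed for the example; the column layout is that of real `iptables -vnL` output.

```python
# Added example (not from the thread): audit a saved `iptables -t nat -vnL
# PREROUTING` dump for the per-device DNS DNAT rules. Counters are made up.
SAMPLE_DUMP = """\
Chain PREROUTING (policy ACCEPT 5120 packets, 391K bytes)
 pkts bytes target     prot opt in     out     source               destination
  812 52100 DNAT       udp  --  br0    *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 to:192.168.0.1
    0     0 DNAT       udp  --  br0    *       192.168.0.205        0.0.0.0/0            udp dpt:53 to:85.203.37.1
    0     0 DNAT       udp  --  br0    *       192.168.0.206        0.0.0.0/0            udp dpt:53 to:85.203.37.1
    3   180 DNAT       tcp  --  br0    *       192.168.0.205        0.0.0.0/0            tcp dpt:53 to:85.203.37.1
"""
DEVICES = ("192.168.0.205", "192.168.0.206", "192.168.0.207")
RESOLVER = "85.203.37.1"  # the --to address used in the posted rules


def _count(tok: str) -> int:
    """iptables -v abbreviates large counters (391K, 12M, ...)."""
    scale = {"K": 10**3, "M": 10**6, "G": 10**9}
    return int(tok[:-1]) * scale[tok[-1]] if tok[-1] in scale else int(tok)


def parse_nat_prerouting(dump: str) -> list:
    """One dict per rule, in chain order; the two header lines are skipped."""
    rules = []
    for line in dump.splitlines():
        parts = line.split()
        if len(parts) < 9 or not parts[0][0].isdigit():
            continue
        pkts, _bytes, target, proto, _opt, _in, _out, src, _dst, *extra = parts
        kv = dict(e.split(":", 1) for e in extra if ":" in e)  # dpt:53, to:x.x.x.x
        rules.append({"pkts": _count(pkts), "target": target, "proto": proto,
                      "source": src, "dport": kv.get("dpt"), "to": kv.get("to")})
    return rules


def audit_dns_rules(dump: str, devices=DEVICES, resolver=RESOLVER) -> dict:
    """Which device/proto rules are absent or unused, and which catch-all
    port-53 rule (if any) is evaluated before the first device rule."""
    rules = parse_nat_prerouting(dump)
    report = {"missing": [], "no_hits": [], "shadowed_by": []}
    for dev in devices:
        for proto in ("udp", "tcp"):
            hits = [r for r in rules if r["source"] == dev and r["proto"] == proto
                    and r["dport"] == "53" and r["to"] == resolver]
            if not hits:
                report["missing"].append(f"{dev}/{proto}")
            elif sum(r["pkts"] for r in hits) == 0:
                report["no_hits"].append(f"{dev}/{proto}")
    first_dev = next((i for i, r in enumerate(rules) if r["source"] in devices), len(rules))
    report["shadowed_by"] = [r["to"] or r["target"] for r in rules[:first_dev]
                             if r["dport"] == "53" and r["source"] == "0.0.0.0/0"]
    return report
```

On the router itself the dump would be captured with `iptables -t nat -vnL PREROUTING > /tmp/nat.txt` and fed to `audit_dns_rules(open("/tmp/nat.txt").read())`.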
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 7414

PostPosted: Wed Jun 13, 2018 21:22
Skoda Zek wrote:
I think I'm going to give this method a try instead of iptables.

My DD-WRT build is DD-WRT v3.0-r36104 std (06/10/18) running on the Linksys WRT32X. Not sure if that helps in identifying whether what I have will or will not work for the aforementioned method.


No way for me to know. You just have to try it.

Quote:
Currently my DHCP server is managed by whatever DD-WRT uses as default. I do have DNSMasq enabled as the OpenVPN guide for my ExpressVPN setup had me enable it and add "interface=tun1" to Additional DNSMasq options.


Adding interface=tun1 to DNSMasq is unnecessary. The OpenVPN client is the router, and it already has access to DNSMasq on the LAN side. It doesn't need nor even attempt to access it as from OpenVPN client's network interface (tun1).

Sounds like one of those suggestions from the OpenVPN provider when they don't know what's wrong and start throwing things at the config.

Quote:
Do I simply need to add the code you offered (modifying the obvious parts to specify devices/DNS servers) on the lines following the interface=tun1 I already have there, and in theory it should work following a router reboot?


Yes.
Skoda Zek
DD-WRT User


Joined: 07 Apr 2018
Posts: 67
Location: Calgary, AB Canada

PostPosted: Thu Jun 14, 2018 3:13
Hey eibgrad, tried the DNSMasq and it caused an issue where the DHCP failed to issue IPs to anything connected to the router after I rebooted it.

Even devices with static IPs issued by the router would not work unless I went into Windows TCP/IPv4 settings and specified IP address/gateway etc.

This is EXACTLY what I put in the DNSMasq field after interface=tun1 (decided not to remove that as it didn't seem to be causing any issues... so don't like to mess with stuff):

Quote:
dhcp-host=set:altdns,C8:3A:6B:D7:9C:F3,192.168.0.205,Adam-Roku,24h
dhcp-host=set:altdns,C8:3A:6B:E2:8F:E9,192.168.0.206,Susan-Roku,24h
dhcp-host=set:altdns,08:05:81:01:BE:8D,192.168.0.207,Glenn-Roku,24h
dhcp-option=tag:altdns,6,85.203.73.1,85.203.73.2


I also disabled Forced DNS Redirection

The original code you gave me for the DNSMasq had MAC addresses before each of the IP addresses. I assumed those were to be replaced with the MAC addresses associated with the devices at the following IP. If I was not supposed to change that, please let me know. Something must have caused the DHCP to hang.