Policy Based Routing guides for DDWRT

t81 (DD-WRT User; joined 04 Nov 2015; 59 posts)
Posted: Mon Dec 30, 2019 19:03
Having recently started using PBR, I stumbled upon a security threat that I believe anyone should be aware of. See my signature.

Many thanks to egc for the kind support.

_________________
Netgear R7800 - Firmware: DD-WRT v3.0-r41811 std (12/28/19)
TP-Link AC1750 as Repeater- Firmware: DD-WRT v3.0 r44187 std (08/13/2020)
OpenVPN PBR + Privoxy = IP EXPOSURE: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=322517&start=0
foz111 (DD-WRT Guru; joined 01 Oct 2017; 704 posts; location: Earth)
Posted: Thu Feb 13, 2020 17:18
I upgraded a mate's R7800 to BS build 41813 from a Feb 2019 Kong build and started afresh (NVRAM erased) so he can use PBR.
Basically he lives in the UK and had everything going through his PIA VPN gateway on the R7800 (PIA don't support BBC iPlayer), but his kids want to watch BBC iPlayer from time to time.
The PBR routing is working a treat with local IPs, but he has STB Emu installed on the smart TV for some iffy IPTV as well as the BBC iPlayer app, so I am unable to route the TV's IP through the non-VPN gateway. So I am trying to force it to route any BBC IP via net_gateway as per egc's tutorial (big thanks to egc for your guide, by the way!).
I added "route 212.58.0.0 255.255.0.0 net_gateway #bbc"
into the advanced config and rebooted, but it still seems to see it as the VPN IP, as it will not allow it to play.
Any ideas what I am doing wrong?
Thanks
egc (DD-WRT Guru; joined 18 Mar 2014; 12836 posts; location: Netherlands)
Posted: Fri Feb 14, 2020 11:11
The BBC is actively blocking VPNs, just like Netflix.
It has been a long time since I could watch the BBC with PIA.

Sometimes when PIA has a new server it works for some time, but only if you also send your DNS queries through the VPN, use a private browser window or clear the browser cache, and block WebRTC.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
foz111 (DD-WRT Guru; joined 01 Oct 2017; 704 posts; location: Earth)
Posted: Fri Feb 14, 2020 11:40
egc wrote:
The BBC is actively blocking VPNs, just like Netflix.
It has been a long time since I could watch the BBC with PIA.

Sometimes when PIA has a new server it works for some time, but only if you also send your DNS queries through the VPN, use a private browser window or clear the browser cache, and block WebRTC.


Hi egc

Yes, I am aware BBC does not work with PIA; that is why I was trying to force it through the net_gateway, not the vpn_gateway.
So his TV's IP is set in PBR to route via the VPN, and I was trying to force BBC to route through the non-VPN gateway even though the IP is going through the VPN. It was my understanding that the "force" rule overrides the PBR?
Is this not the case, or am I missing something? Almost like split tunnelling on the TV, so everything goes through the VPN apart from BBC.
Thanks mate
egc (DD-WRT Guru; joined 18 Mar 2014; 12836 posts; location: Netherlands)
Posted: Fri Feb 14, 2020 15:26
You are right, but the BBC uses many IP addresses; you probably need ipset to get them all, or search the internet for the range of IP addresses.
foz111 (DD-WRT Guru; joined 01 Oct 2017; 704 posts; location: Earth)
Posted: Fri Feb 14, 2020 18:32
Unable to get the BBC iPlayer IP range online; I had a search about but it does not seem to be available. I currently haven't got a Linux machine for ipset; is there any Windows program available?
Tried tracert from the CLI, but those IPs don't seem to unblock it.
Forced the DNS through net_gateway just in case it was picking it up from that, but no joy.
I have confirmed that the route commands are working with whatsmyip, so it is simply down to the IPs of BBC iPlayer.
Tried with the domain also, no joy.
shadyjoin (DD-WRT Novice; joined 06 Oct 2019; 11 posts)
Posted: Thu Apr 02, 2020 18:19
egc wrote:
Watchdog script for VPN client
If you are using PBR, the normal watchdog function of DD-WRT is not working; you have to do your checking via the VPN tunnel.
This also applies if you have set up the OVPN client on a WAP.


Hey there. I found this script late last year and I thought I had been running it for the past few months.

Last night I was troubleshooting the (in)stability of my OpenVPN connection, and it turns out I wasn't running the script at all, because my build (r41664) doesn't include a nohup command. So I deleted nohup and started the script, and confirmed that the script process was running, etc.

Then, maybe 12 hours later, my router stopped assigning IP addresses in response to DHCP requests. Then the DHCP server went completely dead while the GUI, etc. continued to operate. After a hard reset, I was able to get things working again.

Is it possible that something (maybe the 'logger' commands) is filling up NVRAM and breaking the DHCP server, or something else?

Apologies if this is a stupid question. I'll concede my ignorance and inexperience.
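The quoted note says the check must go through the tunnel, because with PBR in place a plain ping from the router follows the policy routes rather than the VPN. The script below is an added example written for this thread, not egc's watchdog script and not DD-WRT's built-in watchdog. It binds the probe to the tunnel interface (ping -I), counts consecutive failures, and restarts the OpenVPN client only after MAX_FAIL misses in a row, so one dropped packet does not cause a restart. Everything in it is an assumption to adjust for your router: the tunnel is tun1, the probe target is 1.1.1.1 (any host that answers ICMP over the VPN will do), and DD-WRT's stopservice/startservice commands are used to bounce the client. PING_CMD and RESTART_CMD can be overridden through the environment, which is also how the check is tested offline.

```shell
#!/bin/sh
# Added example for this thread; not egc's script, not DD-WRT's watchdog.
# Assumptions (hypothetical defaults): tunnel tun1, probe 1.1.1.1, and
# "stopservice openvpn; startservice openvpn" restarts the DD-WRT client.

VPN_IF=${VPN_IF:-tun1}
PROBE=${PROBE:-1.1.1.1}
INTERVAL=${INTERVAL:-60}       # seconds between probes
MAX_FAIL=${MAX_FAIL:-3}        # consecutive misses before a restart
LOGTAG=vpn-watchdog
# The probe is bound to the tunnel interface so PBR rules cannot divert it.
PING_CMD=${PING_CMD:-"ping -I $VPN_IF -c 1 -W 5 $PROBE"}
# Evaluated with eval so a multi-command restart sequence can be supplied.
RESTART_CMD=${RESTART_CMD:-"stopservice openvpn; startservice openvpn"}

FAILS=0

# Log via syslog when logger is available, otherwise to stderr.
log() { logger -t "$LOGTAG" "$*" 2>/dev/null || echo "$LOGTAG: $*" >&2; }

# Exit status 0 when the probe answered through the tunnel.
vpn_up() { $PING_CMD >/dev/null 2>&1; }

# One watchdog iteration. Returns 0 when no restart was needed and 1 when
# the failure threshold was reached and RESTART_CMD was run. FAILS holds
# the running count of consecutive failed probes.
watchdog_step() {
    if vpn_up; then
        FAILS=0
        return 0
    fi
    FAILS=$((FAILS + 1))
    log "probe of $PROBE via $VPN_IF failed ($FAILS/$MAX_FAIL)"
    if [ "$FAILS" -ge "$MAX_FAIL" ]; then
        log "restarting OpenVPN client"
        eval "$RESTART_CMD" >/dev/null 2>&1
        FAILS=0
        return 1
    fi
    return 0
}

# Foreground loop; run it in the background from a startup script.
watchdog_loop() {
    while :; do
        watchdog_step || :
        sleep "$INTERVAL"
    done
}

case "${1:-}" in
    run) watchdog_loop ;;
esac
```

On a build without nohup the loop can simply be started from the startup script with a trailing ampersand (e.g. sh /path/to/script run &); nohup only matters when the script is launched from an interactive shell that will later hang up. The script keeps no state in NVRAM, so it cannot fill it; the logger lines go to syslog only.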
egc (DD-WRT Guru; joined 18 Mar 2014; 12836 posts; location: Netherlands)
Posted: Thu Apr 02, 2020 20:13
What router? What build?
shadyjoin (DD-WRT Novice; joined 06 Oct 2019; 11 posts)
Posted: Thu Apr 02, 2020 23:57
egc wrote:
What router? What build?


TP-Link WDR-4300, Build 3.0r41664
egc (DD-WRT Guru; joined 18 Mar 2014; 12836 posts; location: Netherlands)
Posted: Fri Apr 03, 2020 8:33
It is not a very recent build, but it should get the job done.

The logger just writes to syslog, which is a file on the router (/var/log/messages), so I doubt that is the cause.

But what else is causing this I do not know :(

WhiteJ2799 (DD-WRT Novice; joined 21 Dec 2020; 6 posts)
Posted: Wed Dec 23, 2020 8:31
boris03 wrote:
You are the man :-)

So it works. Proof of concept for you, working also on WAP routers, and I leave it like it is!


The only thing that would be great for other dummy users like me is if you could include it in the Web GUI, with two flags for restart and reboot.


I agree. For noobs (like me) it would be great if there were an option "auto reboot at disconnection" in the GUI.
routvol (DD-WRT User; joined 02 Feb 2009; 87 posts)
Posted: Sat Jan 02, 2021 22:38
Great PBR functionality in DD-WRT, and thanks for your guides.

I played around with it a bit; maybe you can give me some advice on whether this can be done and how to do it in the best way.

Basically I want all outgoing traffic to go via the VPN; however, I need specific ports on specific local servers to be allowed in so clients can connect to the server applications, and finally I still want WireGuard to work, to be able to connect to the local network from my smartphone.

Code:
dd-wrt router with openvpn set up as client
synology server 1 application 1 utilizing port 1 protocol tcp https, forward on firewall active via my own script
synology server 2 application 1 utilizing port 2 protocol tcp https, forward on firewall active via my own script
synology server 1 application 3 utilizing port 3 protocol tcp https, forward on firewall active via my own script
wireguard in dd-wrt tab tunnel configured to access all local network ips from outside, firewall settings handled by dd-wrt



I have tried the following so far, utilizing the mentioned script from https://pastebin.com/nC27ETsp.
However, it seems I am missing something: when trying the WAN IP via the DDNS name (https://myserver.no-ip.org:xxx1) it does not work.
The log says "warning: ipset not supported"; however, I believe that since I am not using sets this is OK.



Code:

#server 1
add_rule -s 192.168.x.1
#add_rule -tcp -s 192.168.x.1 -dport xxx1
#add_rule -tcp -s 192.168.x.1 -dport xxx2

#server 2
add_rule -d 192.168.x.2

#wireguard
add_rule -p udp --dport 51820


Thanks for any ideas.

_________________
my dd-wrt configuration:
http://www.dd-wrt.com/phpBB2/viewtopic.php?p=682296
eibgrad (DD-WRT Guru; joined 18 Sep 2010; 9157 posts)
Posted: Sun Jan 03, 2021 3:36
routvol wrote:
(the post above, quoted in full)

Seems to me it would have been better to create your own thread concerning your specific problems since this thread (at least as I read it) is a broadly based description of how to implement PBR w/ dd-wrt.

Anyway, something to note when using my script when it comes to remote access. A common problem whenever a local device is bound to the VPN is that the device now becomes inaccessible over the WAN, since its replies are also routed over the VPN (rather than back over the WAN). My script *automatically* corrects for this problem; there is no need to add rules for these purposes. Any connections established inbound over the WAN (or VPN for that matter) are *marked* such that the replies are always forced back over the same network interface! Again, this happens *automatically*. Even if you never add any rules at all to the script, it will fix this problem.

That's one of many reasons why my script is far more sophisticated and feature-rich than what is offered in the GUI, or even by other third-party PBR scripts.
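The mechanism eibgrad describes (mark each connection on its first packet with the interface it arrived on, then route every later packet of that connection, replies included, by that mark) is what makes a VPN-bound LAN host reachable over the WAN. The script below is an added example written for this thread; it is not eibgrad's script, not egc's guide and not the DD-WRT GUI's PBR. It builds a minimal connmark-based rule set that gives reply symmetry for inbound WAN and VPN connections, sends one LAN host out through the VPN, and forces a destination range (the 212.58.0.0/16 range from foz111's post, standing in for any provider that must bypass the VPN) back to the WAN with a mark instead of an OpenVPN route line, so it also catches traffic that OpenVPN's own routes would not. All interface names, addresses, mark values and table numbers are hypothetical assumptions; it needs iptables 1.4 or later for the masked MARK/CONNMARK options, and DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example for this thread; not eibgrad's, egc's or DD-WRT's own PBR code.
# Every value below is a hypothetical assumption: set them for your router.
# Requires iptables >= 1.4 (masked MARK/CONNMARK) and iproute2's ip.

WAN_IF=${WAN_IF:-eth0}                  # DD-WRT WAN interface
WAN_GW=${WAN_GW:-203.0.113.1}           # WAN default gateway
VPN_IF=${VPN_IF:-tun1}                  # OpenVPN client interface
LAN_NET=${LAN_NET:-192.168.1.0/24}
VPN_HOST=${VPN_HOST:-192.168.1.50}      # LAN host that should use the VPN
FORCE_WAN_NET=${FORCE_WAN_NET:-212.58.0.0/16}  # destinations that must bypass the VPN

MARK_WAN=0x100; MARK_VPN=0x200; MASK=0xf00     # one nibble for PBR, the rest untouched
TBL_WAN=100; TBL_VPN=200

# DRY_RUN=1 prints each command instead of executing it.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

mangle_rules() {
    # Packets of known connections inherit the mark chosen on the first packet.
    run iptables -t mangle -A PREROUTING -m conntrack --ctstate ESTABLISHED,RELATED \
        -j CONNMARK --restore-mark --nfmask "$MASK" --ctmask "$MASK"
    run iptables -t mangle -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED \
        -j CONNMARK --restore-mark --nfmask "$MASK" --ctmask "$MASK"
    # Reply symmetry: a connection that arrives via WAN or VPN is pinned to it,
    # so replies from a VPN-bound LAN host still go back the way they came.
    run iptables -t mangle -A PREROUTING -i "$WAN_IF" -m conntrack --ctstate NEW \
        -j MARK --set-mark "$MARK_WAN/$MASK"
    run iptables -t mangle -A PREROUTING -i "$VPN_IF" -m conntrack --ctstate NEW \
        -j MARK --set-mark "$MARK_VPN/$MASK"
    # Outbound policy for the VPN-bound host: forced-WAN destinations first,
    # then anything still unmarked goes to the VPN.
    run iptables -t mangle -A PREROUTING -s "$VPN_HOST" -d "$FORCE_WAN_NET" \
        -m conntrack --ctstate NEW -j MARK --set-mark "$MARK_WAN/$MASK"
    run iptables -t mangle -A PREROUTING -s "$VPN_HOST" -m conntrack --ctstate NEW \
        -m mark --mark "0x0/$MASK" -j MARK --set-mark "$MARK_VPN/$MASK"
    # Store the decision on the connection for all later packets.
    run iptables -t mangle -A PREROUTING -m conntrack --ctstate NEW \
        -j CONNMARK --save-mark --nfmask "$MASK" --ctmask "$MASK"
}

routing_rules() {
    # LAN destinations always use the main table, so a WAN-marked packet
    # addressed to the LAN host is still delivered locally.
    run ip rule add to "$LAN_NET" lookup main pref 90
    run ip rule add fwmark "$MARK_WAN/$MASK" lookup "$TBL_WAN" pref 100
    run ip rule add fwmark "$MARK_VPN/$MASK" lookup "$TBL_VPN" pref 101
    run ip route replace default via "$WAN_GW" dev "$WAN_IF" table "$TBL_WAN"
    run ip route replace default dev "$VPN_IF" table "$TBL_VPN"
    run ip route flush cache
}

all_rules() { mangle_rules; routing_rules; }

case "${1:-}" in
    apply) all_rules ;;                 # run as root on the router
    show)  DRY_RUN=1; all_rules ;;      # print what would be done
esac
```

Two things the rules do not cover and that a DD-WRT setup still needs: NAT on the tunnel for LAN sources (the client's NAT option or a MASQUERADE rule on tun1), and loose reverse-path filtering on the WAN interface (rp_filter=2) so that inbound connections whose replies are policy-routed are not dropped. Because the mangle and ip rule entries do not survive a reboot, they belong in the firewall script or the OpenVPN client's route-up hook.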