IP Rules duplicate each time VPN goes down/up

Author Message
JackPollack
DD-WRT User


Joined: 22 May 2015
Posts: 60

PostPosted: Mon Jun 20, 2022 22:16    Post subject: IP Rules duplicate each time VPN goes down/up
I'm routing only certain IPs through OpenVPN with the code below. The problem is that every time I save or apply a setting in the web GUI the VPN connection must go down and then back up, so my IP rules get duplicated each time.

ip rule list
Code:
0:   from all lookup local
32742:   from 192.168.0.247 lookup 200
32743:   from 192.168.0.199 lookup 200
32744:   from 192.168.0.190 lookup 200
32745:   from 192.168.0.88 lookup 200
32746:   from 192.168.0.247 lookup 200
32747:   from 192.168.0.199 lookup 200
32748:   from 192.168.0.190 lookup 200
32749:   from 192.168.0.88 lookup 200
32750:   from 192.168.0.247 lookup 200
32751:   from 192.168.0.199 lookup 200
32752:   from 192.168.0.190 lookup 200
32753:   from 192.168.0.88 lookup 200
32754:   from 192.168.0.247 lookup 200
32755:   from 192.168.0.199 lookup 200
32756:   from 192.168.0.190 lookup 200
32757:   from 192.168.0.88 lookup 200




My firewall rule
Code:
# Prevent specified IPs from reaching the internet directly
# So no connection if VPN down (kill switch)
iptables -I FORWARD -s 192.168.0.88 -o vlan2 -j DROP
iptables -I FORWARD -s 192.168.0.190 -o vlan2 -j DROP
iptables -I FORWARD -s 192.168.0.199 -o vlan2 -j DROP
iptables -I FORWARD -s 192.168.0.247 -o vlan2 -j DROP


and I have a script VPN-ONUP which runs when the VPN connects.
This is in my VPN additional config
Code:
# Script to run when the link is established
# This sets up my custom routes and iptable rules
up /jffs/openvpn/vpn-onup


VPN-ONUP
Code:
#!/bin/sh
iptables -I POSTROUTING -t nat -o tun1 -j MASQUERADE
 
# Set the default route for table 200 as over the VPN
ip route add default dev tun1 table 200
 
# Assign all outgoing connections from specified IPs to table 200
# so they go over the VPN
ip rule add from 192.168.0.88 table 200
ip rule add from 192.168.0.190 table 200
ip rule add from 192.168.0.199 table 200
ip rule add from 192.168.0.247 table 200

# Flush the cache
ip route flush cache



How can I clean this up?
dale_gribble39
DD-WRT Guru


Joined: 11 Jun 2022
Posts: 1899

PostPosted: Mon Jun 20, 2022 22:24    Post subject:
Use the functionality(ies) of PBR (and other features, i.e. killswitch) in the webUI? Use "save" and when all done, "reboot"?

OpenVPN guides and documentation

_________________
"The woods are lovely, dark and deep,
But I have promises to keep,
And miles to go before I sleep,
And miles to go before I sleep." - Robert Frost

"I am one of the noticeable ones - notice me" - Dale Frances McKenzie Bozzio

<fact>code knows no gender</fact>

This is me, knowing I've ruffled your feathers, and not giving a ****
Some people are still hard-headed.

--------------------------------------
Mac Pro (Mid 2012) - Two 2.4GHz 6-Core Intel Xeon E5645 processors 64GB 1333MHz DDR3 ECC SDRAM OpenSUSE Leap 15.5
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6408
Location: UK, London, just across the river..

PostPosted: Mon Jun 20, 2022 22:25    Post subject:
as you didn't mention your current build...

use the last firmware...49268...
all PBR can be set up via GUI now...


_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

PostPosted: Mon Jun 20, 2022 22:35    Post subject:
As others have suggested, use the GUI for PBR.

But to answer your question directly (since this type of problem is common to many scripting situations besides this one), you just need to precede the addition of ip rules by flushing the previous rules.

Code:
while ip rule del from 0/0 to 0/0 table 200 2>/dev/null; do :; done

_________________
ddwrt-ovpn-split-basic.sh (UPDATED!) * ddwrt-ovpn-split-advanced.sh (UPDATED!) * ddwrt-ovpn-client-killswitch.sh * ddwrt-ovpn-client-watchdog.sh * ddwrt-ovpn-remote-access.sh * ddwrt-ovpn-client-backup.sh * ddwrt-mount-usb-drives.sh * ddwrt-blacklist-domains.sh * ddwrt-wol-port-forward.sh * ddwrt-dns-monitor.sh (NEW!)
dale_gribble39
DD-WRT Guru


Joined: 11 Jun 2022
Posts: 1899

PostPosted: Mon Jun 20, 2022 23:08    Post subject:
Something like this, I presume:

Code:
#!/bin/sh
# Remove any MASQUERADE rule left from a previous connection before
# inserting it again, so repeated "up" events do not stack duplicates
while iptables -t nat -D POSTROUTING -o tun1 -j MASQUERADE 2>/dev/null; do :; done
iptables -I POSTROUTING -t nat -o tun1 -j MASQUERADE
 
# Set the default route for table 200 as over the VPN
# ("replace" succeeds whether or not the route already exists)
ip route replace default dev tun1 table 200
 
# Assign all outgoing connections from specified IPs to table 200
# so they go over the VPN; first delete every rule still pointing at
# table 200 so the list is not duplicated on each reconnect
while ip rule del from 0/0 to 0/0 table 200 2>/dev/null; do :; done
ip rule add from 192.168.0.88 table 200
ip rule add from 192.168.0.190 table 200
ip rule add from 192.168.0.199 table 200
ip rule add from 192.168.0.247 table 200

# Flush the cache
ip route flush cache

_________________
"The woods are lovely, dark and deep,
But I have promises to keep,
And miles to go before I sleep,
And miles to go before I sleep." - Robert Frost

"I am one of the noticeable ones - notice me" - Dale Frances McKenzie Bozzio

<fact>code knows no gender</fact>

This is me, knowing I've ruffled your feathers, and not giving a ****
Some people are still hard-headed.

--------------------------------------
Mac Pro (Mid 2012) - Two 2.4GHz 6-Core Intel Xeon E5645 processors 64GB 1333MHz DDR3 ECC SDRAM OpenSUSE Leap 15.5
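The flush-then-add pattern eibgrad describes and dale_gribble39's script applies, as an added example that is not code from the thread: a small POSIX sh script that first spots duplicated policy rules in an `ip rule list` dump (so you can confirm the problem before and after the fix) and then rebuilds one table's rules idempotently. The sample dump is constructed to resemble the original poster's output; the `dup_rules` check runs anywhere with awk, while `rebuild_table_rules` assumes a Linux `ip` and root on the router.

```shell
#!/bin/sh
# Added example (not from the thread): spot duplicated policy rules in an
# `ip rule list` dump, and rebuild one table's rules so that re-running the
# script on every VPN "up" event leaves exactly one rule per source address.

# Constructed sample modelled on the poster's output: 192.168.0.247 is listed
# twice for table 200, every other rule once.
SAMPLE_RULES='0:      from all lookup local
32754:  from 192.168.0.247 lookup 200
32755:  from 192.168.0.199 lookup 200
32756:  from 192.168.0.247 lookup 200
32757:  from 192.168.0.88 lookup 200
32766:  from all lookup main
32767:  from all lookup default'

# Read an `ip rule list` dump on stdin and print "selector count" for every
# rule body that occurs more than once. The leading priority number is
# stripped so identical rules at different priorities compare equal.
dup_rules() {
    awk '{
        sub(/^[0-9]+:[ \t]*/, "")   # drop "32754:" and the whitespace after it
        sub(/[ \t]+$/, "")          # drop trailing whitespace
        seen[$0]++
    }
    END { for (r in seen) if (seen[r] > 1) print r, seen[r] }' | sort
}

# Number of duplicated rule bodies; 0 means the rule set is clean.
dup_count() {
    dup_rules | wc -l | tr -d ' '
}

# Idempotent rebuild for one routing table: delete every rule that points at
# TABLE (the loop ends when `ip rule del` finds nothing left), then add one
# rule per source address. Needs root and a Linux `ip`; call it from the
# OpenVPN "up" script instead of a bare list of `ip rule add` lines.
rebuild_table_rules() {
    table=$1
    shift
    while ip rule del from 0/0 to 0/0 table "$table" 2>/dev/null; do :; done
    for src in "$@"; do
        ip rule add from "$src" table "$table"
    done
    ip route flush cache
}

# Usage on the router (as root):
#   sh rules.sh check                                  # report duplicates now
#   sh rules.sh rebuild 200 192.168.0.88 192.168.0.190 # rebuild table 200
case "${1:-}" in
    check)   ip rule list | dup_rules ;;
    rebuild) shift; rebuild_table_rules "$@" ;;
esac
```

Running `check` before applying the fix should list each routed address with its repeat count; after the rebuilt "up" script has run a couple of times it should print nothing, which is the quickest way to confirm the reconnect loop no longer accumulates rules.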
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12836
Location: Netherlands

PostPosted: Tue Jun 21, 2022 5:54    Post subject:
Have a look at the OpenVPN Client setup guide how to use the GUI to use Policy Based Routing, easier and better:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327398

Latest build which is recommended is 49268

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
JackPollack
DD-WRT User


Joined: 22 May 2015
Posts: 60

PostPosted: Tue Jun 21, 2022 12:29    Post subject:
I'm using DDWRT Firmware v3.0-r48607. I played around with a newer firmware a month ago and, although I forget the exact reason, I ended up using a little older version.

Anyway, clearing the 200 table before setting it works perfectly.

Thanks
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12836
Location: Netherlands

PostPosted: Tue Jun 21, 2022 12:39    Post subject:
Suit yourself, but also on build 48607 you can use the GUI.

Why are you not using the GUI?

Just curious if there is something in the GUI which is preventing you from using it.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
JackPollack
DD-WRT User


Joined: 22 May 2015
Posts: 60

PostPosted: Tue Jun 21, 2022 18:33    Post subject:
My old router was running very old firmware. When I upgraded I manually transferred many settings including the old PBR. I didn't know that the new GUI now had PBR.

Guess I will have to play with it, but anyway the old way works now, clearing out the table before re-building it.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12836
Location: Netherlands

PostPosted: Tue Jun 21, 2022 18:44    Post subject:
Ok thanks
_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087