[SOLVED] WRT 3200ACM PBR routing access from WAN with VPN

Forest75
DD-WRT Novice


Joined: 17 Oct 2022
Posts: 5

PostPosted: Mon Oct 17, 2022 20:18    Post subject: [SOLVED] WRT 3200ACM PBR routing access from WAN with VPN
I have the WRT3200ACM router and I'm using OpenVPN.
All traffic goes through the VPN by default (except for the IP addresses selected in the VPN service settings, which go directly via the WAN).

Currently I have a problem with the PBR rule: since the firmware change on the router, the PBR is the overriding rule.

My firewall entries regulating access to ports from outside to inside the network are not working :(

Please help, what should I do?

There are a few ports that I need to access from outside the network.

In my iptables -L:

Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
logdrop icmp -- anywhere anywhere
logdrop igmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere state NEW
ACCEPT all -- anywhere anywhere state NEW
ACCEPT all -- anywhere anywhere
logdrop all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
vpn-pbr all -- anywhere anywhere
logdrop all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
upnp all -- anywhere anywhere
lan2wan all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- 10.10.20.0/24 anywhere tcp dpt:1723
ACCEPT gre -- 10.10.20.0/24 anywhere
ACCEPT tcp -- anywhere VUSOLO tcp dpt:100
ACCEPT tcp -- anywhere VUSOLO tcp dpt:8001
ACCEPT tcp -- anywhere VUSOLO tcp dpt:8002
ACCEPT tcp -- anywhere VUSOLO tcp dpt:telnet
TRIGGER all -- anywhere anywhere TRIGGER type:in match:0 relate:0
trigger_out all -- anywhere anywhere
TRIGGER all -- anywhere anywhere TRIGGER type:in match:0 relate:0
trigger_out all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state NEW
ACCEPT all -- anywhere anywhere state NEW
ACCEPT all -- anywhere anywhere
logdrop all -- anywhere anywhere
ACCEPT tcp -- anywhere VUSOLO tcp dpt:100
ACCEPT tcp -- anywhere VUSOLO tcp dpt:8001
ACCEPT tcp -- anywhere VUSOLO tcp dpt:8002
ACCEPT tcp -- anywhere VUSOLO tcp dpt:telnet
ACCEPT tcp -- anywhere VUSOLO tcp dpt:100
ACCEPT tcp -- anywhere VUSOLO tcp dpt:8001
ACCEPT tcp -- anywhere VUSOLO tcp dpt:8002
ACCEPT tcp -- anywhere VUSOLO tcp dpt:telnet

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain advgrp_1 (0 references)
target prot opt source destination

Chain advgrp_10 (0 references)
target prot opt source destination

Chain advgrp_11 (0 references)
target prot opt source destination

Chain advgrp_12 (0 references)
target prot opt source destination

Chain advgrp_13 (0 references)
target prot opt source destination

Chain advgrp_14 (0 references)
target prot opt source destination

Chain advgrp_15 (0 references)
target prot opt source destination

Chain advgrp_16 (0 references)
target prot opt source destination

Chain advgrp_17 (0 references)
target prot opt source destination

Chain advgrp_18 (0 references)
target prot opt source destination

Chain advgrp_19 (0 references)
target prot opt source destination

Chain advgrp_2 (0 references)
target prot opt source destination

Chain advgrp_20 (0 references)
target prot opt source destination

Chain advgrp_3 (0 references)
target prot opt source destination

Chain advgrp_4 (0 references)
target prot opt source destination

Chain advgrp_5 (0 references)
target prot opt source destination

Chain advgrp_6 (0 references)
target prot opt source destination

Chain advgrp_7 (0 references)
target prot opt source destination

Chain advgrp_8 (0 references)
target prot opt source destination

Chain advgrp_9 (0 references)
target prot opt source destination

Chain grp_1 (0 references)
target prot opt source destination

Chain grp_10 (0 references)
target prot opt source destination

Chain grp_11 (0 references)
target prot opt source destination

Chain grp_12 (0 references)
target prot opt source destination

Chain grp_13 (0 references)
target prot opt source destination

Chain grp_14 (0 references)
target prot opt source destination

Chain grp_15 (0 references)
target prot opt source destination

Chain grp_16 (0 references)
target prot opt source destination

Chain grp_17 (0 references)
target prot opt source destination

Chain grp_18 (0 references)
target prot opt source destination

Chain grp_19 (0 references)
target prot opt source destination

Chain grp_2 (0 references)
target prot opt source destination

Chain grp_20 (0 references)
target prot opt source destination

Chain grp_3 (0 references)
target prot opt source destination

Chain grp_4 (0 references)
target prot opt source destination

Chain grp_5 (0 references)
target prot opt source destination

Chain grp_6 (0 references)
target prot opt source destination

Chain grp_7 (0 references)
target prot opt source destination

Chain grp_8 (0 references)
target prot opt source destination

Chain grp_9 (0 references)
target prot opt source destination

Chain lan2wan (1 references)
target prot opt source destination

Chain logaccept (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain logdrop (5 references)
target prot opt source destination
DROP all -- anywhere anywhere

Chain logreject (0 references)
target prot opt source destination
REJECT tcp -- anywhere anywhere reject-with tcp-reset

Chain trigger_out (2 references)
target prot opt source destination

Chain upnp (1 references)
target prot opt source destination

Chain vpn-pbr (1 references)
target prot opt source destination
ACCEPT all -- 10.10.20.24 anywhere
ACCEPT all -- 10.10.20.65 anywhere
ACCEPT all -- Z930_DOCK anywhere
ACCEPT all -- X240 anywhere
ACCEPT all -- X240_WIFI anywhere


In the earlier version of DD-WRT I had these in my firewall commands (everything was OK); I could get to my open ports 100, 8001, etc.:

echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
iptables -t mangle -F PREROUTING
ip route add default table 200 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 200
ip route flush cache
iptables -t nat -A PREROUTING -p tcp --dport 100 -j DNAT --to 10.10.20.40:100
iptables -A FORWARD -i WAN -d 10.10.20.40 -p tcp --dport 100 -j ACCEPT
iptables -t mangle -A PREROUTING -i br0 -p tcp -s 10.10.20.40 --sport 100 -j MARK --set-mark 1

iptables -t nat -A PREROUTING -p tcp --dport 8001 -j DNAT --to 10.10.20.40:8001
iptables -A FORWARD -i WAN -d 10.10.20.40 -p tcp --dport 8001 -j ACCEPT
iptables -t mangle -A PREROUTING -i br0 -p tcp -s 10.10.20.40 --sport 8001 -j MARK --set-mark 1


Now I have firmware DD-WRT v3.0-r50500 std (10/13/22) and I cannot get to IP 10.10.20.40 on port 100 or 8001 from outside the network.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Tue Oct 18, 2022 7:55    Post subject:
As this can be of interest to us all, I moved your post to the Advanced Networking forum.

It looks like you are making your own port forward, firewall and routing rules, which is fine of course; in that case do not use the built-in PBR.

Alternatively, just use the port forward of the GUI and only the built-in PBR.

The current PBR implementation is quite powerful and also supports sport.

I am running an OpenVPN server and client on one of the routers I administer, and in the client's PBR I have "Route selected sources via the WAN" selected and entered as source: sport 1194
Now sport 1194 is routed via the WAN.

The OpenVPN documentation is a sticky in this forum; you need the client setup guide, which has a paragraph about PBR.

To view firewall rules use:
iptables -vnL --line-numbers

To view routing use:
ip route show
ip route show table all
ip route show table xx

ip rule show

ip rule show also shows the priority; the lowest priority number is executed first.
Usually the ip rules added latest are given the lowest priority number and are thus executed first.

In your case the OpenVPN rules are added later than the firewall rules and take precedence, I assume.
What might mitigate this in your case is just restarting the firewall after the router is up:
restart firewall

But I would aim for a more permanent solution, as described above.

I am traveling, so not much time to respond in the coming days.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
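The priority point made in the reply above (lowest number first, rules added last get the lowest free number) is easy to check by hand but tedious on a long listing. The following is an added example, not code from this thread or from DD-WRT: a few POSIX shell functions that read `ip rule show` output, print the evaluation order, flag rules that have been added more than once, and emit an `ip rule add` only when an identical rule is not already present. `SAMPLE_RULES` is a constructed excerpt modelled on the listing posted later in this thread; the selector spellings (`from all fwmark 0x1`, `from all sport 100`) are assumed to match what `ip rule show` prints on the router.

```shell
#!/bin/sh
# Added example for this thread, not code from the thread or from DD-WRT.
# Reads an `ip rule show` listing, prints the order in which the kernel
# consults routing tables, and flags rules that were added more than once.
# SAMPLE_RULES is a constructed excerpt modelled on the listing in this
# thread; on the router pipe the real `ip rule show` output in instead.

SAMPLE_RULES='0:      from all lookup local
32534:  from all fwmark 0x1 lookup 200
32535:  from all fwmark 0x1 lookup 200
32540:  from 10.10.20.15 lookup 10
32541:  from 10.10.20.23 lookup 10
32553:  from all fwmark 0x1 lookup 200
32766:  from all lookup main
32767:  from all lookup default'

# rule_order: stdin = `ip rule show` output.
# Prints "PRIORITY TABLE SELECTOR", one rule per line, lowest number first.
# That is the order the kernel walks the rules: the first table holding a
# route for the packet wins, so a smaller number beats a larger one, and
# `ip rule add` without an explicit priority takes the next free number
# below the existing rules (which is why later-added rules run first).
rule_order() {
    awk '{
        prio = $1; sub(/:$/, "", prio)
        tbl = $NF
        sel = ""
        for (i = 2; i < NF - 1; i++) sel = sel (sel == "" ? "" : " ") $i
        print prio, tbl, sel
    }' | sort -n
}

# rule_dups: stdin = `ip rule show` output.
# Prints "COUNT TABLE SELECTOR" for each selector/table pair present more
# than once. Duplicates do not change routing, but dozens of identical
# "fwmark 0x1 lookup 200" rules are the fingerprint of a startup script
# that runs `ip rule add` on every firewall restart without checking first.
rule_dups() {
    rule_order | cut -d' ' -f2- | sort | uniq -c | awk '$1 > 1 { $1 = $1; print }'
}

# ip_rule_add_if_missing SELECTOR TABLE: stdin = current `ip rule show`.
# Prints the `ip rule add` command only when no identical rule exists, so a
# firewall script can run it on every restart without piling up copies
# (on the router: ip rule show | ip_rule_add_if_missing "from all sport 100" 10 | sh).
ip_rule_add_if_missing() {
    sel="$1"; tbl="$2"
    if rule_order | cut -d' ' -f2- | grep -Fxq "$tbl $sel"; then
        return 0
    fi
    echo "ip rule add $sel table $tbl"
}

echo '== evaluation order =='
printf '%s\n' "$SAMPLE_RULES" | rule_order
echo '== rules present more than once =='
printf '%s\n' "$SAMPLE_RULES" | rule_dups
echo '== idempotent add =='
printf '%s\n' "$SAMPLE_RULES" | ip_rule_add_if_missing "from all fwmark 0x1" 200   # already present: prints nothing
printf '%s\n' "$SAMPLE_RULES" | ip_rule_add_if_missing "from all sport 100" 10      # absent: prints the command
```

Run on the listing posted below in this thread, `rule_dups` reports the `fwmark 0x1 lookup 200` rule several dozen times; every firewall restart re-ran `ip rule add fwmark 1 table 200`. The `ip_rule_add_if_missing` pattern, or an `ip rule del` before the `ip rule add`, keeps that at one rule.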
Forest75
DD-WRT Novice


Joined: 17 Oct 2022
Posts: 5

PostPosted: Thu Nov 03, 2022 22:43    Post subject:
iptables -vnL --line-numbers

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 29235 1567K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 3 995 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
3 0 0 logdrop icmp -- eth0 * 0.0.0.0/0 0.0.0.0/0
4 0 0 logdrop 2 -- eth0 * 0.0.0.0/0 0.0.0.0/0
5 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 state NEW
6 39 3615 ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0 state NEW
7 0 0 ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0
8 24 2333 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 46 12211 vpn-pbr all -- * eth0 0.0.0.0/0 0.0.0.0/0
2 0 0 logdrop all -- * eth0 0.0.0.0/0 0.0.0.0/0
3 799 361K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
4 70 15460 upnp all -- * * 0.0.0.0/0 0.0.0.0/0
5 70 15460 lan2wan all -- * * 0.0.0.0/0 0.0.0.0/0
6 0 0 ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0
7 0 0 ACCEPT tcp -- * eth0 10.10.20.0/24 0.0.0.0/0 tcp dpt:1723
8 0 0 ACCEPT 47 -- * eth0 10.10.20.0/24 0.0.0.0/0
9 0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.10.20.40 tcp dpt:100
10 0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.10.20.40 tcp dpt:8001
11 0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.10.20.40 tcp dpt:8002
12 0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.10.20.40 tcp dpt:23
13 0 0 TRIGGER all -- eth0 br0 0.0.0.0/0 0.0.0.0/0 TRIGGER type:in match:0 relate:0
14 70 15460 trigger_out all -- br0 * 0.0.0.0/0 0.0.0.0/0
15 0 0 TRIGGER all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 TRIGGER type:in match:0 relate:0
16 0 0 trigger_out all -- eth1 * 0.0.0.0/0 0.0.0.0/0
17 0 0 ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0 state NEW
18 51 14472 ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0 state NEW
19 0 0 ACCEPT all -- br0 eth0 0.0.0.0/0 0.0.0.0/0
20 19 988 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0
21 0 0 ACCEPT tcp -- WAN * 0.0.0.0/0 10.10.20.40 tcp dpt:100
22 0 0 ACCEPT tcp -- WAN * 0.0.0.0/0 10.10.20.40 tcp dpt:8001
23 0 0 ACCEPT tcp -- WAN * 0.0.0.0/0 10.10.20.40 tcp dpt:8002
24 0 0 ACCEPT tcp -- WAN * 0.0.0.0/0 10.10.20.40 tcp dpt:23
25 0 0 ACCEPT tcp -- WAN * 0.0.0.0/0 10.10.20.40 tcp dpt:100
26 0 0 ACCEPT tcp -- WAN * 0.0.0.0/0 10.10.20.40 tcp dpt:8001
27 0 0 ACCEPT tcp -- WAN * 0.0.0.0/0 10.10.20.40 tcp dpt:8002
28 0 0 ACCEPT tcp -- WAN * 0.0.0.0/0 10.10.20.40 tcp dpt:23

Chain OUTPUT (policy ACCEPT 371 packets, 77055 bytes)
num pkts bytes target prot opt in out source destination
1 7648 413M ACCEPT all -- * br0 0.0.0.0/0 0.0.0.0/0

Chain advgrp_1 (0 references)
num pkts bytes target prot opt in out source destination

Chain advgrp_10 (0 references)
num pkts bytes target prot opt in out source destination

Chain advgrp_11 (0 references)
num pkts bytes target prot opt in out source destination

Chain advgrp_12 (0 references)
num pkts bytes target prot opt in out source destination

Chain advgrp_13 (0 references)
num pkts bytes target prot opt in out source destination

Chain advgrp_14 (0 references)
num pkts bytes target prot opt in out source destination

Chain advgrp_15 (0 references)
num pkts bytes target prot opt in out source destination

Chain advgrp_16 (0 references)
num pkts bytes target prot opt in out source destination

Chain advgrp_17 (0 references)
num pkts bytes target prot opt in out source destination

Chain advgrp_18 (0 references)
num pkts bytes target prot opt in out source destination

Chain advgrp_19 (0 references)
num pkts bytes target prot opt in out source destination

Chain advgrp_2 (0 references)
num pkts bytes target prot opt in out source destination

Chain advgrp_20 (0 references)
num pkts bytes target prot opt in out source destination

Chain advgrp_3 (0 references)
num pkts bytes target prot opt in out source destination

Chain advgrp_4 (0 references)
num pkts bytes target prot opt in out source destination

Chain advgrp_5 (0 references)
num pkts bytes target prot opt in out source destination

Chain advgrp_6 (0 references)
num pkts bytes target prot opt in out source destination

Chain advgrp_7 (0 references)
num pkts bytes target prot opt in out source destination

Chain advgrp_8 (0 references)
num pkts bytes target prot opt in out source destination

Chain advgrp_9 (0 references)
num pkts bytes target prot opt in out source destination

Chain grp_1 (0 references)
num pkts bytes target prot opt in out source destination

Chain grp_10 (0 references)
num pkts bytes target prot opt in out source destination

Chain grp_11 (0 references)
num pkts bytes target prot opt in out source destination

Chain grp_12 (0 references)
num pkts bytes target prot opt in out source destination

Chain grp_13 (0 references)
num pkts bytes target prot opt in out source destination

Chain grp_14 (0 references)
num pkts bytes target prot opt in out source destination

Chain grp_15 (0 references)
num pkts bytes target prot opt in out source destination

Chain grp_16 (0 references)
num pkts bytes target prot opt in out source destination

Chain grp_17 (0 references)
num pkts bytes target prot opt in out source destination

Chain grp_18 (0 references)
num pkts bytes target prot opt in out source destination

Chain grp_19 (0 references)
num pkts bytes target prot opt in out source destination

Chain grp_2 (0 references)
num pkts bytes target prot opt in out source destination

Chain grp_20 (0 references)
num pkts bytes target prot opt in out source destination

Chain grp_3 (0 references)
num pkts bytes target prot opt in out source destination

Chain grp_4 (0 references)
num pkts bytes target prot opt in out source destination

Chain grp_5 (0 references)
num pkts bytes target prot opt in out source destination

Chain grp_6 (0 references)
num pkts bytes target prot opt in out source destination

Chain grp_7 (0 references)
num pkts bytes target prot opt in out source destination

Chain grp_8 (0 references)
num pkts bytes target prot opt in out source destination

Chain grp_9 (0 references)
num pkts bytes target prot opt in out source destination

Chain lan2wan (1 references)
num pkts bytes target prot opt in out source destination

Chain logaccept (0 references)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain logdrop (5 references)
num pkts bytes target prot opt in out source destination
1 43 3321 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain logreject (0 references)
num pkts bytes target prot opt in out source destination
1 0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset

Chain trigger_out (2 references)
num pkts bytes target prot opt in out source destination

Chain upnp (1 references)
num pkts bytes target prot opt in out source destination

Chain vpn-pbr (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- * * 10.10.20.24 0.0.0.0/0
2 0 0 ACCEPT all -- * * 10.10.20.65 0.0.0.0/0
3 0 0 ACCEPT all -- * * 10.10.20.11 0.0.0.0/0
4 0 0 ACCEPT all -- * * 10.10.20.5 0.0.0.0/0
5 0 0 ACCEPT all -- * * 10.10.20.16 0.0.0.0/0
6 0 0 ACCEPT all -- * * 10.10.20.26 0.0.0.0/0
7 0 0 ACCEPT all -- * * 10.10.20.22 0.0.0.0/0
8 0 0 ACCEPT all -- * * 10.10.20.33 0.0.0.0/0
9 0 0 ACCEPT all -- * * 10.10.20.43 0.0.0.0/0
10 46 12211 ACCEPT all -- * * 10.10.20.25 0.0.0.0/0
11 0 0 ACCEPT all -- * * 172.16.0.152 0.0.0.0/0
12 0 0 ACCEPT all -- * * 10.10.20.23 0.0.0.0/0
13 0 0 ACCEPT all -- * * 10.10.20.15 0.0.0.0/0


I can't get in from outside the network (WAN) to 10.10.20.40 port 100. Can't connect :(


ip route show

0.0.0.0/1 via 10.12.5.1 dev tun0
default via 17X.XXX.XX.1 dev eth0 (MY WAN)
10.0.0.243 via 10.12.5.1 dev tun0
10.10.20.0/24 dev br0 scope link src 10.10.20.1
10.12.5.0/24 dev tun0 scope link src 10.12.5.16
127.0.0.0/8 dev lo scope link
128.0.0.0/1 via 10.12.5.1 dev tun0
138.199.59.166 via 178.214.139.1 dev eth0
17X.XXX.XX.1/24 dev eth0 scope link src 17X.XXX.XX.1


ip route show table all

default via 17X.XXX.XX.1 dev eth0 table 10
10.0.0.243 via 10.12.5.1 dev tun0 table 10
10.10.20.0/24 dev br0 table 10 scope link src 10.10.20.1
10.12.5.0/24 dev tun0 table 10 scope link src 10.12.5.16
127.0.0.0/8 dev lo table 10 scope link
138.199.59.166 via 178.214.139.1 dev eth0 table 10
17X.XXX.XX.1/24 dev eth0 table 10 scope link src 17X.XXX.XX.1
default via 17X.XXX.XX.1 dev eth0 table 200
0.0.0.0/1 via 10.12.5.1 dev tun0
default via 17X.XXX.XX.1 dev eth0
10.0.0.243 via 10.12.5.1 dev tun0
10.10.20.0/24 dev br0 scope link src 10.10.20.1
10.12.5.0/24 dev tun0 scope link src 10.12.5.16
127.0.0.0/8 dev lo scope link
128.0.0.0/1 via 10.12.5.1 dev tun0
138.199.59.166 via 178.214.139.1 dev eth0
17X.XXX.XX.1/24 dev eth0 scope link src 17X.XXX.XX.1
broadcast 10.10.20.0 dev br0 table local scope link src 10.10.20.1
local 10.10.20.1 dev br0 table local scope host src 10.10.20.1
broadcast 10.10.20.255 dev br0 table local scope link src 10.10.20.1
broadcast 10.12.5.0 dev tun0 table local scope link src 10.12.5.16
local 10.12.5.16 dev tun0 table local scope host src 10.12.5.16
broadcast 10.12.5.255 dev tun0 table local scope link src 10.12.5.16
broadcast 127.0.0.0 dev lo table local scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host src 127.0.0.1
local 127.0.0.1 dev lo table local scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link src 127.0.0.1
broadcast 17X.XXX.XX.1 dev eth0 table local scope link src 17X.XXX.XX.1
local 17X.XXX.XX.1 dev eth0 table local scope host src 17X.XXX.XX.1
broadcast 178.XXX.XXX.255 dev eth0 table local scope link src 17X.XXX.XX.1

ip rule show
0: from all lookup local
32534: from all fwmark 0x1 lookup 200
32535: from all fwmark 0x1 lookup 200
32536: from all fwmark 0x1 lookup 200
32537: from all fwmark 0x1 lookup 200
32538: from all fwmark 0x1 lookup 200
32539: from all fwmark 0x1 lookup 200
32540: from 10.10.20.15 lookup 10
32541: from 10.10.20.23 lookup 10
32542: from 172.16.0.152 lookup 10
32543: from 10.10.20.25 lookup 10
32544: from 10.10.20.43 lookup 10
32545: from 10.10.20.33 lookup 10
32546: from 10.10.20.22 lookup 10
32547: from 10.10.20.26 lookup 10
32548: from 10.10.20.16 lookup 10
32549: from 10.10.20.5 lookup 10
32550: from 10.10.20.11 lookup 10
32551: from 10.10.20.65 lookup 10
32552: from 10.10.20.24 lookup 10
32553: from all fwmark 0x1 lookup 200
32554: from all fwmark 0x1 lookup 200
32568: from all fwmark 0x1 lookup 200
32569: from all fwmark 0x1 lookup 200
32570: from all fwmark 0x1 lookup 200
32571: from all fwmark 0x1 lookup 200
32585: from all fwmark 0x1 lookup 200
32586: from all fwmark 0x1 lookup 200
32600: from all fwmark 0x1 lookup 200
32601: from all fwmark 0x1 lookup 200
32602: from all fwmark 0x1 lookup 200
32603: from all fwmark 0x1 lookup 200
32617: from all fwmark 0x1 lookup 200
32618: from all fwmark 0x1 lookup 200
32632: from all fwmark 0x1 lookup 200
32633: from all fwmark 0x1 lookup 200
32634: from all fwmark 0x1 lookup 200
32635: from all fwmark 0x1 lookup 200
32636: from all fwmark 0x1 lookup 200
32637: from all fwmark 0x1 lookup 200
32638: from all fwmark 0x1 lookup 200
32639: from all fwmark 0x1 lookup 200
32653: from all fwmark 0x1 lookup 200
32654: from all fwmark 0x1 lookup 200
32668: from all fwmark 0x1 lookup 200
32669: from all fwmark 0x1 lookup 200
32670: from all fwmark 0x1 lookup 200
32671: from all fwmark 0x1 lookup 200
32672: from all fwmark 0x1 lookup 200
32673: from all fwmark 0x1 lookup 200
32687: from all fwmark 0x1 lookup 200
32688: from all fwmark 0x1 lookup 200
32702: from all fwmark 0x1 lookup 200
32703: from all fwmark 0x1 lookup 200
32717: from all fwmark 0x1 lookup 200
32718: from all fwmark 0x1 lookup 200
32732: from all fwmark 0x1 lookup 200
32733: from all fwmark 0x1 lookup 200
32734: from all fwmark 0x1 lookup 200
32735: from all fwmark 0x1 lookup 200
32736: from all fwmark 0x1 lookup 200
32737: from all fwmark 0x1 lookup 200
32751: from all fwmark 0x1 lookup 200
32752: from all fwmark 0x1 lookup 200
32766: from all lookup main
32767: from all lookup default



What can I do to get in using my firewall commands?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Fri Nov 04, 2022 7:14    Post subject:
It looks like you are still mixing your own rules with the PBR from the OpenVPN client (and also using a non-default tun0); either use your own rules or use the built-in PBR, I would not use both.

The built-in PBR is quite powerful and also supports sport/dport to single out ports.

So if you want to have some clients going out via the WAN, use "Route selected sources via the WAN" and use CIDR notation to add those clients; if you want to have a port, e.g. of your own server, you can also add that port, e.g.: sport 8001

Of course you are free to use your own rules for firewall/PBR/OpenVPN, but I would first try the easy way :)

Edit:
Also, your port forward rules look out of order; are you making those yourself instead of using the GUI?
Furthermore, you did not state your build number (or I missed it); are you using an outdated build?
The current build is 50786.

Forest75
DD-WRT Novice


Joined: 17 Oct 2022
Posts: 5

PostPosted: Fri Nov 04, 2022 21:57    Post subject:
I use the current version now, 50786 (yesterday 50500), but the PBR rule was in the 46XX version.

Earlier, when I set the firewall:


echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
iptables -t mangle -F PREROUTING
ip route add default table 200 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 200
ip route flush cache
iptables -t nat -A PREROUTING -p tcp --dport 100 -j DNAT --to 10.10.20.40:100
iptables -A FORWARD -i WAN -d 10.10.20.40 -p tcp --dport 100 -j ACCEPT
iptables -t mangle -A PREROUTING -i br0 -p tcp -s 10.10.20.40 --sport 100 -j MARK --set-mark 1


everything was OK, I could get to 10.10.20.40 at port 100 from outside (the port was forwarded in DD-WRT).

Now the problem is the PBR rule: I can't change the priority of this rule, and the PBR rule is higher than my firewall commands.

In Services I chose Source Routing (PBR) "route selected via WAN", and some IP addresses connect via the WAN and it's OK.

But the 10.10.20.40 IP traffic is on the tun, incoming and outgoing, and I still can't get in at port 100.

You tell me that I use both rules, PBR and firewall, but in the earlier version of DD-WRT (about 4400) everything was OK.

What can I do? Must I add other lines in the firewall commands to change the PBR rules?
Maybe change other options in the DD-WRT menu or set a new rule?

When I deleted all entries in the firewall commands, I still couldn't get to 10.10.20.40 at port 100 :(

Maybe I'll go back to an earlier version of DD-WRT :(
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Sat Nov 05, 2022 8:17    Post subject:
In the old days you had to do things manually, e.g. set the kill switch or the inbound firewall using tun0, PBR using ports, etc.

That is no longer necessary, so you probably should get rid of all the firewall rules and settings you make in the OpenVPN Additional Configuration.

PBR supports routing per port: if you want port 100 to use the WAN and you already have "Selected sources via the WAN", you just add as PBR rule:
sport 100

Now sport 100 is also routed via the WAN.

This is all described in the documentation; I suggest you start to read up on it :)

Usually with some logical thinking and looking for the best way to set up PBR, e.g. using selected sources via WAN or VPN, you should be good.

The other rules you have (DNAT and FORWARD) are port forwarding rules; why not use the GUI?

Of course it is equally fine if you make all the rules yourself using iptables/fwmark.
But then only use those and not the PBR from the GUI, so leave Source Routing set to "Route all sources via VPN".


P.S. You probably do not need this, but I want to mention it anyway in case you do:
If a setup is very complicated, with multiple servers and the need to port forward both via the WAN and via the VPN, extra ip rules might be necessary.
As you already have two tables, one using the WAN and the other using the VPN, you only need to add the necessary ip rules, e.g.:
ip rule add sport 8081 table 10

As you want those rules to have priority, and the rules made last have the higher priority, you add the rules to Administration/Commands and Save as Custom (do not forget the shebang).
You call the custom script when the VPN is already up; in the OpenVPN Additional Configuration add:
route-up "/tmp/.rc_custom"

Forest75
DD-WRT Novice


Joined: 17 Oct 2022
Posts: 5

PostPosted: Sun Nov 06, 2022 23:34    Post subject:
egc, you're my master :)

As you wrote, I just added to the PBR rules in the VPN settings (in the window where I set the IPs that route via the WAN) the line -> sport 100, and I can access port 100.

It's working :)

I also deleted all entries in the Administration firewall commands.

Still working :)

Thank you very much for your advice. I spent a lot of time, but I had no idea how to do it :) One simple command, sport 100 :)

I'm very impressed by your knowledge, egc. Greetings, and once more thank you.

I think, when I added the command sport 100, that incoming and outgoing traffic will still be via the VPN for this inside IP?
Does this sport 100 open access from outside on port 100 for all IPs in my network?
Or only for the IP that was forwarded in the DD-WRT menu NAT/QoS / Port Forwarding?

Sample internal IP address 10.10.20.40: its outbound and inbound traffic goes through the VPN, but adding this sport 100 will make the VPN allow entry through port 100?

Of course the default rule of PBR in the VPN settings is "route selected via WAN", and the IP that connects from port 100 is not listed in the VPN settings.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Mon Nov 07, 2022 7:12    Post subject:
Glad it is working.

The problem you are facing is that traffic coming in from the WAN also has to go out via the WAN.

In your case the traffic for port 100 comes in via the WAN and is port forwarded to your LAN client.
But this LAN client will send its traffic coming from port 100 out via the VPN, and the firewall will not allow that.
Because you chose "Route selected sources via the WAN", you can simply add: sport 100, and now all traffic coming from sport 100 will be routed via the WAN.

If you had added the IP address of that LAN client in the PBR window, all traffic would go out via the WAN and it would also work, but in this case that is not what you want: you only want traffic coming from port 100 routed back via the WAN and all other traffic from that client going via the VPN, and so sport 100 does the trick.

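The "make all the rules yourself" alternative egc sketches two posts up (own iptables and fwmark rules, GUI Source Routing left at "Route all sources via VPN") combined with the return-path problem explained in the post above, written out as an added example. This is not code from the thread or from DD-WRT. It goes a step beyond the thread's `sport 100` case: a CONNMARK pair marks every connection first seen on the WAN interface so that its replies go back out via the WAN whatever port was forwarded, while the LAN host's own outbound traffic keeps following the VPN default route. Assumed for the example: eth0 is the WAN interface and br0 the LAN bridge (both visible in the listings above), 198.51.100.1 is a placeholder gateway (on the router use `$(nvram get wan_gateway)`), and mark 1 / table 200 are not used by anything else. With `DRY_RUN=1` (the default) every command is printed instead of executed.

```shell
#!/bin/sh
# Added example for this thread, not code from the thread or from DD-WRT.
# Manual PBR for port forwards while the OpenVPN client owns the default
# route: a WAN-only routing table, a fwmark rule selecting it, CONNMARK
# return marking, and the port forwards themselves.
# Assumptions: eth0 = WAN, br0 = LAN (as in the thread's listings); the
# gateway is a placeholder (router: $(nvram get wan_gateway)); mark 1 and
# table 200 are free. DRY_RUN=1 prints the commands, DRY_RUN=0 applies them.

DRY_RUN="${DRY_RUN:-1}"
WAN_IF=eth0
LAN_IF=br0
WAN_GW="${WAN_GW:-198.51.100.1}"   # placeholder; on the router: $(nvram get wan_gateway)
WAN_TABLE=200                       # table whose only default route is the ISP gateway
MARK=1                              # fwmark / connmark value that selects WAN_TABLE

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Second routing table with nothing but the ISP default route, plus one rule
# sending marked packets to it. The rule is consulted before the main table
# (where OpenVPN's 0.0.0.0/1 and 128.0.0.0/1 routes live), so marked packets
# never see the tunnel route. Delete-then-add keeps a single copy of the
# rule across firewall restarts; the listing in this thread shows what
# happens otherwise. rp_filter is loosened because replies now leave via an
# interface the main table would not have chosen for that destination.
setup_wan_table() {
    run ip route replace default via "$WAN_GW" dev "$WAN_IF" table "$WAN_TABLE"
    run ip rule del fwmark "$MARK" table "$WAN_TABLE" 2>/dev/null || true
    run ip rule add fwmark "$MARK" table "$WAN_TABLE"
    run sysctl -w net.ipv4.conf.all.rp_filter=2
    run sysctl -w "net.ipv4.conf.$WAN_IF.rp_filter=2"
}

# Connection-level marking. The first packet of a connection arriving on the
# WAN marks its conntrack entry; the LAN host's replies, which arrive on br0,
# get that mark copied back onto each packet and are therefore routed via
# WAN_TABLE. Connections the LAN host opens itself are never NEW on eth0, so
# they stay on the VPN. The FORWARD accept is inserted at the top so marked
# replies pass the kill switch ("logdrop ... out eth0", FORWARD rule 2 in
# the listing above).
setup_return_marking() {
    run iptables -t mangle -A PREROUTING -i "$WAN_IF" -m state --state NEW \
        -j CONNMARK --set-mark "$MARK"
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -m connmark --mark "$MARK" \
        -j CONNMARK --restore-mark
    run iptables -I FORWARD -o "$WAN_IF" -m connmark --mark "$MARK" -j ACCEPT
}

# forward_port PROTO PORT HOST: DNAT on the WAN interface plus an explicit
# FORWARD accept. Uses the real interface name ("-i WAN" only matches an
# interface literally named WAN; the listing shows 0 packets on those rules)
# and -I rather than -A, because rules appended from the firewall script end
# up after the chain's final logdrop (rules 21-28 behind rule 20 above) and
# are never reached.
forward_port() {
    proto="$1"; port="$2"; host="$3"
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -p "$proto" --dport "$port" \
        -j DNAT --to-destination "$host:$port"
    run iptables -I FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$host" -p "$proto" \
        --dport "$port" -m state --state NEW -j ACCEPT
}

apply_all() {
    setup_wan_table
    setup_return_marking
    forward_port tcp 100  10.10.20.40
    forward_port tcp 8001 10.10.20.40
    run ip route flush cache
}

apply_all
```

Review the printed commands first, then run it with `DRY_RUN=0` from Administration > Commands > Save Firewall. It answers the question Forest75 asks above in the same way egc does: only connections that arrived via the WAN are routed back out via it; everything the host initiates itself still goes through the tunnel. Because the fwmark rule does not depend on tun0, it does not need the `route-up` hook; that hook is only needed for rules that must outrank the ones the OpenVPN client installs.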
Forest75
DD-WRT Novice


Joined: 17 Oct 2022
Posts: 5

PostPosted: Tue Nov 08, 2022 7:37    Post subject:
This is exactly how it should be :)

The IP to which port 100 relates only allows entry through port 100 from the outside, and all traffic is via the VPN, so I think everything is OK now :)

Thank you