opvn client PBR with port specific exception to wan

slidermike
DD-WRT Guru


Joined: 11 Nov 2013
Posts: 1487
Location: USA

PostPosted: Tue Jan 29, 2019 19:28    Post subject: opvn client PBR with port specific exception to wan
Gents,
I know this particular request has been covered several times as my searching has many results.
However, since this isn't a baked in feature to dd-wrt and seems to require either Eibgrad's script or additional repo downloads to get iptables, I am going to see if this can be made clearer for those of us less Linux savvy.
I am also adding a diagram showing what I would like to achieve.

Router:
R7800 Atheros chipset
Kong build: 38340M (1_20_2019 test build)
Standard IP scope (192.168.1.0/24)
ovpn client (nordvpn)
Using the PBR field for 1 client to use vpn (192.168.1.19)

I am happy to do all the PBR via the FW rules/IPtables etc.. if guided to the proper steps. Since the dd-wrt PBR is limited to source or destination IP only.
I need port based PBR at least for this one client device on the LAN so it is remotely available.

I have a Synology NAS which I want remote access to using port 5010.
I have port forwarding enabled for this on the router and I know that is working.
However, since this single client is also PBR to use the Nord ovpn, remote access is lost.
Request from internet coming in over WAN port 5010
but all 192.168.1.19 traffic PBR out the ovpn interface.
= broken remote management.

I do not currently have (but have and can attach) a usb jffs drive attached.

For some of you this is quite simple to fix. I have looked at Eibgrad's script file floating around and honestly understand very little. Not enough to see what it's doing and how to tweak it to my specific needs.
Also read that with Kong's repo the iptables can be used.
Again, more skills that I do not currently have, and with a busy work I don't have much time to devote to the deeper dive.

I am trying to get this working this way since taking my pfSense box out of the picture. In pfSense its easy to do.
Would have gone with the stock firmware for the R7800 but it does not support nordvpn clients.

Thank you in advance.
Mike

_________________
Router currently owned:
Netgear R7800 - Router
Netgear R7000 - AP mode

R7000 specific Tips/Tricks.
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=264152
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12889
Location: Netherlands

PostPosted: Wed Jan 30, 2019 9:59
Mike, this is something for @Eibgrad, unfortunately he is MIA.

I am not a networking engineer but will share my thoughts for what it is worth.

It can be done manually, but as your VPN is dynamic this does not seem like a good idea.

I suggest using one of @Eibgrad's scripts, as you are dealing with ports you have to use the advanced script.

What it does is create an alternate routing table just like PBR, only it creates table 200 instead of table 10 for PBR.
It adds routes just like PBR is doing.

But traffic is diverted using IP Tables instead of routing.
A new chain "ovpn_split" is added to the PREROUTING chain of the mangle table:
Code:

iptables -t mangle -N ovpn_split
iptables -t mangle -A PREROUTING -j ovpn_split

Traffic you specify is marked with MARK 1:
Code:
iptables -t mangle -A ovpn_split -p tcp -s 192.168.1.19 ! --dport 5010 -j MARK --set-mark 1

The final step is to "bind" the marked traffic to the alternate routing table with:
Code:
ip rule add fwmark 1 table 200


This is a simplification of the process (and only as far as I understand it).

I attached the script.

Important: delete anything from the PBR field but add "route-noexec" in the additional config field of the OVPN client.

Furthermore the following directives from @Eibgrad:

# 2. copy modified script to /jffs (or external storage, e.g., usb)
# 3. make script executable:
# chmod +x /jffs/ddwrt-ovpn-split-advanced-mike.sh
# 4. call this script from the startup script:
# /jffs/ddwrt-ovpn-split-advanced-mike.sh

# 6. disable policy based routing (services->vpn->openvpn client)
# 7. disable nat loopback (security->firewall, "filter wan nat redirection"
# must be checked)
# 8. disable qos (nat/qos->qos)
# 9. enable syslogd (services->services->system log)
# 10. reboot router
# limitations:
# - this script is NOT compatible w/ dd-wrt policy based routing
# - this script is NOT compatible w/ dd-wrt nat loopback
# - this script is NOT compatible w/ dd-wrt qos

# WARNING: do NOT skip steps #6 thru #9 or it won't work!

As this is complicated I will be surprised if it works out of the box but you never know

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
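The three steps egc describes above (alternate table 200, fwmark 1 set in a mangle chain "ovpn_split", "ip rule add fwmark 1 table 200"), written out as one runnable script. This is an added example, not Eibgrad's script and not code from the thread; it assumes the VPN interface is tun1, the LAN bridge is br0, and Mike's addresses (192.168.1.19 with port 5010 excluded, 192.168.1.18 entirely). By default (DRY_RUN=1) it only prints the ip and iptables commands it would run, so the plan can be reviewed on any machine; DRY_RUN=0 applies them on the router. It also adds the CONNMARK restore/save pair a working chain needs: a connection the WAN opened to port 5010 produces reply packets from the NAS with source port 5010 and an arbitrary destination port, so a "! --dport 5010" match on its own would push those replies into the tunnel; restoring the connection mark first and returning keeps them on the WAN.

```shell
#!/bin/sh
# Added example, not Eibgrad's script and not DD-WRT code. Assumptions
# (constructed, adjust for your router): VPN interface tun1, LAN bridge br0,
# NAS 192.168.1.19 reachable from the WAN on port 5010, client 192.168.1.18.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them as root.

VPN_IF=${VPN_IF:-tun1}
TABLE=${TABLE:-200}
CHAIN=ovpn_split
MARK_VPN=1      # packets looked up in table 200
MARK_WAN=2      # everything else, remembered on the connection
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: alternate table with a default route into the tunnel. $1 is the
# text of "ip route show table main" (passed in so the function is testable).
setup_table() {
    run ip route add default dev "$VPN_IF" table "$TABLE"
    # Copy the non-default routes (LAN, guest SSID, ...) so VPN clients still
    # reach local networks; with route-noexec OpenVPN added nothing itself.
    printf '%s\n' "$1" | while IFS= read -r route; do
        case "$route" in
            ""|default*) ;;
            *) run ip route add $route table "$TABLE" ;;
        esac
    done
    run ip rule add fwmark "$MARK_VPN" table "$TABLE"
    run ip route flush cache
}

# Step 2: chain skeleton. Restore a saved connection mark first and stop there
# if one exists, so the reply half of a WAN-initiated connection (e.g. port
# 5010 on the NAS) is never re-evaluated by the source rules below.
setup_chain() {
    run iptables -t mangle -N "$CHAIN"
    run iptables -t mangle -A PREROUTING -j "$CHAIN"
    run iptables -t mangle -A "$CHAIN" -j CONNMARK --restore-mark
    run iptables -t mangle -A "$CHAIN" -m mark ! --mark 0 -j RETURN
    # Traffic arriving from the tunnel belongs to the VPN table as well.
    run iptables -t mangle -A "$CHAIN" -i "$VPN_IF" -j MARK --set-mark "$MARK_VPN"
}

# All traffic from source $1 goes through the VPN.
add_source() {
    run iptables -t mangle -A "$CHAIN" -s "$1" -j MARK --set-mark "$MARK_VPN"
}

# Traffic from source $1 goes through the VPN except destination port $2.
# Ports exist only for tcp and udp, so one rule per protocol (egc's point).
add_source_except_port() {
    for proto in tcp udp; do
        run iptables -t mangle -A "$CHAIN" -p "$proto" -s "$1" ! --dport "$2" \
            -j MARK --set-mark "$MARK_VPN"
    done
}

# Step 3: whatever is still unmarked is WAN traffic; save the decision on the
# connection so every later packet of it, in both directions, inherits it.
finish_chain() {
    run iptables -t mangle -A "$CHAIN" -m mark ! --mark "$MARK_VPN" -j MARK --set-mark "$MARK_WAN"
    run iptables -t mangle -A "$CHAIN" -j CONNMARK --save-mark
}

# Stand-alone run: the plan for the thread's setup.
if [ "$DRY_RUN" = "1" ]; then
    main_routes="192.168.1.0/24 dev br0 scope link"   # constructed sample of table main
else
    main_routes=$(ip route show table main)
fi
setup_table "$main_routes"
setup_chain
add_source_except_port 192.168.1.19 5010
add_source 192.168.1.18
finish_chain
```

Because the tunnel is dynamic (egc's objection to doing this by hand), the table and the chain have to be rebuilt whenever the client reconnects; Eibgrad's script takes care of that, this plan does not. Review the printed commands before setting DRY_RUN=0, and confirm afterwards with `ip rule show`, `ip route show table 200` and `iptables -t mangle -vnL ovpn_split` that the rule and chain exist.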
portsup
DD-WRT User


Joined: 20 Oct 2018
Posts: 210

PostPosted: Thu Jan 31, 2019 3:05
Simple Google search


https://www.linuxquestions.org/questions/linux-networking-3/add-route-based-on-port-not-ip-486823/

I would guess you could use this with PBR. Would need to route the mark to the default table and might need to execute when inside the openvpn routeup script that makes the pbr.
slidermike
DD-WRT Guru


Joined: 11 Nov 2013
Posts: 1487
Location: USA

PostPosted: Thu Jan 31, 2019 14:10
Thanks guys,
I will review the suggestions.
As I indicated earlier, very busy with work.

slidermike
DD-WRT Guru


Joined: 11 Nov 2013
Posts: 1487
Location: USA

PostPosted: Sat Feb 02, 2019 15:55
egc,
thank you for providing the script and tweak.
Questions before implementation.
1)
Does
"add_rule -p tcp -s 192.168.1.19 ! --dport 5010"
under the "Begin Rules" section mean this:
add all 192.168.1.19 traffic except tcp port 5010 to go out the ovpn interface?
2)
I am guessing that the argument "!" means "except", would that be correct?
3)
Can I replace tcp with ip for all packets from that client on port 5010 or would I need a 2nd line for udp?
4)
What do the -s, -p, -i arguments do?
I assume -p means "pass" or "port".
I did a quick google search but didn't find a simple list of those variables.
5)
I want to also force all traffic from .18 over ovpn so the rule would look like this correct?
add_rule -s 192.168.1.18

Thank you in advance egc.
Your time and patience has been much appreciated.

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12889
Location: Netherlands

PostPosted: Sat Feb 02, 2019 16:56
slidermike wrote:
egc,
thank you for providing the script and tweak.
Questions before implementation.
1)
Does a
"add_rule -p tcp -s 192.168.1.19 ! --dport 5010"
under the "Begin Rules" section mean this:
add all 192.168.1.19 traffic except tcp port 5010 to go out the ovpn interface?


That is correct

slidermike wrote:
2)
I am guessing that the argument "!" means "except", would that be correct?


! means not (except)

slidermike wrote:
3)
Can I replace tcp with ip for all packets from that client on port 5010 or would I need a 2nd line for udp?


No you need a second rule with udp: add_rule -p udp -s 192.168.1.19 ! --dport 5010

slidermike wrote:
4)
What do the -s, -p, -i arguments do?
I assume -p means "pass" or "port".
I did a quick google search but didn't find a simple list of those variables.


-s: source ip, -p: port, -i: in-interface

slidermike wrote:
5)
I want to also force all traffic from .18 over ovpn so the rule would look like this correct?
add_rule -s 192.168.1.18


Correct

slidermike wrote:

Your time and patience has been much appreciated.

You are welcome :)

I hope it is gonna work, do not forget to reboot.

slidermike
DD-WRT Guru


Joined: 11 Nov 2013
Posts: 1487
Location: USA

PostPosted: Sat Feb 02, 2019 17:11
One last question if you don't mind.
I was re-reading your OP response and I noticed in the body of your guidance you have
Quote:
But traffic is diverted using IP Tables instead of routing.
A new chain "ovpn_split" is added to the PREROUTING chain of the mangle table:
Code:

iptables -t mangle -N ovpn_split
iptables -t mangle -A PREROUTING -j ovpn_split

Traffic you specify is marked with MARK 1:
Code:
iptables -t mangle -A ovpn_split -p tcp -s 192.168.1.19 ! --dport 5010 -j MARK --set-mark 1

The final step is to "bind" the marked traffic to the alternate routing table with:
Code:
ip rule add fwmark 1 table 200

Do I need to add the rest of the variables to the script?
This is in the script
"add_rule -p tcp -s 192.168.1.19 ! --dport 5010"
and this is in your instructions
"iptables -t mangle -A ovpn_split -p tcp -s 192.168.1.19 ! --dport 5010 -j MARK --set-mark 1"

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12889
Location: Netherlands

PostPosted: Sat Feb 02, 2019 17:14
Oh no, that is only an explanation of what the script does, you only have to add the udp rule and the rule for the other source address (-s 192.168.1.18) :)
slidermike
DD-WRT Guru


Joined: 11 Nov 2013
Posts: 1487
Location: USA

PostPosted: Sun Feb 03, 2019 20:58
To the best of my understanding I installed the script.
Added a couple of lines to it.
Made it executable.
Verified the certain services were configured as instructed and rebooted.
No traffic is going over the vpn tunnel now.
It's all going out the wan.
:(

Checked it 2 more times, rebooted 3 additional times and the same results.

The only other thing I have in place is a DNSMASQ FW script to block ads which I took out completely for testing.

It appears nothing is flowing over the vpn tunnel.
Counters aren't incrementing and the cpu usage isn't spiking, which I see when I use the default PBR and say point the .19 client over the vpn.

Here is what I added to ddwrt-ovpn-split-advanced-mike.sh
# ------------------------------- BEGIN RULES -------------------------------- #
add_rule -p tcp -s 192.168.1.18 ! --dport 5010
add_rule -p tcp -s 192.168.1.19 ! --dport 5010
add_rule -s 192.168.1.18
add_rule -s 192.168.2.0/24

The 2.0/24 is a guest ssid



Added to the additional config section of ovpn.
remote-cert-tls server
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping-timer-rem
reneg-sec 0
route-noexec

Most of that is Nordvpn specific options. The last line is what the script instructions said to add.




root@R7800:/# ls jffs/
ddwrt-ovpn-split-advanced-mike.sh

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12889
Location: Netherlands

PostPosted: Mon Feb 04, 2019 21:55
Sorry I did not respond sooner, I had urgent matters to attend to.

First thing is to check if the script is running.

Unfortunately the script is not in debug mode by default and I forgot to enable it.
In the script near the top is the line:
Code:
#DEBUG= # uncomment/comment to enable/disable debug mode


Remove the first # so that the line will be:
Code:
DEBUG= # uncomment/comment to enable/disable debug mode


Now you can see what the script is doing in syslog (of course syslog must be enabled).

If the script does not run, check that it is set as executable and, if you use a Windows editor, check that there are no <CR> at the end of the lines (if you are not familiar with this I will give detailed instructions).

If the script runs without errors, the next thing is to see if the routing tables are created and the iptables rules are implemented; show the output of:

ip route show
ip route show table 200

ip rule show

iptables -vnL -t mangle

I am rather busy at the moment so my next answer can take a day or two :(

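The file-level conditions egc lists (a shebang, no CR line endings from a Windows editor, the executable bit, DEBUG uncommented) can be checked and fixed mechanically instead of by eye. This is an added example, not code from the thread or from Eibgrad's script; it assumes the path used in the thread, /jffs/ddwrt-ovpn-split-advanced-mike.sh, and accepts another path as its first argument.

```shell
#!/bin/sh
# Added example, not from the thread. Preflight checks for a DD-WRT startup
# script. Assumed default path is the one from the thread.

SCRIPT=${1:-/jffs/ddwrt-ovpn-split-advanced-mike.sh}

# 0 if the first line is a shebang, so the kernel knows which interpreter to run.
has_shebang() {
    head -n 1 "$1" | grep -q '^#!'
}

# 0 if no line ends in CR. A Windows editor writes "\r\n"; the shebang then
# names "/bin/sh\r", which does not exist, and the script never starts.
has_no_cr() {
    [ -f "$1" ] && ! grep -q "$(printf '\r')" "$1"
}

# 0 if the executable bit is set (the x that "ls -l" shows).
is_executable() {
    [ -x "$1" ]
}

# Rewrite the file without CRs: the fix when has_no_cr fails.
strip_cr() {
    tr -d '\r' < "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Turn a leading "#DEBUG=" into "DEBUG=" so the script logs every step to
# syslog, as egc describes; every other line is left as it is.
enable_debug() {
    sed 's/^#DEBUG=/DEBUG=/' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Run every check, print one line per result, return the number of failures.
preflight() {
    f=$1; fails=0
    for check in has_shebang has_no_cr is_executable; do
        if "$check" "$f"; then
            printf 'ok    %s\n' "$check"
        else
            printf 'FAIL  %s\n' "$check"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# Stand-alone use: report on the script; "show" as second argument also
# prints the state the thread asks for (run as root on the router).
if [ -f "$SCRIPT" ]; then
    preflight "$SCRIPT" || echo "fix the FAIL lines above, then run $SCRIPT again"
    if [ "${2:-}" = "show" ]; then
        ip rule show
        ip route show table 200
        iptables -vnL -t mangle
    fi
else
    echo "no such file: $SCRIPT"
fi
```

Run it as `sh preflight.sh /jffs/ddwrt-ovpn-split-advanced-mike.sh` (any file name for the checker itself); `strip_cr` and `enable_debug` are the two repairs, followed by `chmod +x`. If the x bit is set and running the script still ends in "Permission denied", look at the mount options of the filesystem it lives on (`mount`): a filesystem mounted noexec refuses to execute anything regardless of the mode bits.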
slidermike
DD-WRT Guru


Joined: 11 Nov 2013
Posts: 1487
Location: USA

PostPosted: Tue Feb 05, 2019 9:53
Thanks for your help egc.
Don't feel like you have to rush to help me get this sorted out.
Free support comes when it comes.
:)

I will recreate the script and then edit it on the router with nano. I previously did the file edit on my linux machine.

I will report back my findings.

Thanks again!
Mike

slidermike
DD-WRT Guru


Joined: 11 Nov 2013
Posts: 1487
Location: USA

PostPosted: Tue Feb 05, 2019 20:09
So I put the script back onto the router.
Used nano on the router to edit & save the script changes.
Enabled debug.
Then made the script executable.
Verified steps 6-9, saved and rebooted the router.
Still appears everything is going out the wan interface.

Got the log output and command line output requested.
I don't know how to verify the script is executable now or how to see if it ran (or didn't) in the logs.

Attaching things here.

I will be rolling back for now.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12889
Location: Netherlands

PostPosted: Wed Feb 06, 2019 9:07
The script does not appear to run :(
If it runs you should see every step in syslog (if debug is on)

Tomorrow I will get a new router to setup for someone and I will try running the script and see what is going on.

To be continued

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12889
Location: Netherlands

PostPosted: Thu Feb 07, 2019 12:56
I just revised the script, attached a revision.

The data you sent indicate that the script has not run.
It ran fine on my R6400 with the latest Kong build.

But lets take it step by step.

Set up your router and the VPN client.
Check that the VPN client is running and traffic is sent via the VPN.
In the Additional config of the VPN client add:
Code:
route-noexec

Check that traffic is now routed via the WAN

Unzip script and place in /jffs of your USB stick
(probably redundant do not enable JFFS2 support on Administration tab)

run script from the command line:
Code:
/jffs/ddwrt-ovpn-split-advanced-mike.sh

See if any error is thrown.

After about 30-60 seconds check if the script has run with:
Code:
iptables -vnL ovpn_split -t mangle


You should see your rules implemented:
Quote:
root@R6400v2:~# iptables -vnL ovpn_split -t mangle
Chain ovpn_split (1 references)
pkts bytes target prot opt in out source destination
18 1098 CONNMARK 0 -- * * 0.0.0.0/0 0.0.0.0/0 CONNMARK restore
12 626 RETURN 0 -- * * 0.0.0.0/0 0.0.0.0/0 mark match !0x0
0 0 MARK 0 -- tun1 * 0.0.0.0/0 0.0.0.0/0 MARK set 0x1
0 0 MARK 0 -- * * 192.168.1.18 0.0.0.0/0 MARK set 0x1
0 0 MARK tcp -- * * 192.168.1.19 0.0.0.0/0 tcp dpt:!5010 MARK set 0x1
6 472 MARK 0 -- * * 0.0.0.0/0 0.0.0.0/0 mark match !0x1 MARK set 0x2
6 472 CONNMARK 0 -- * * 0.0.0.0/0 0.0.0.0/0 CONNMARK save
root@R6400v2:~#


As I have enabled debugging you can see the execution of the script also in syslog.

I have tested with my setup and it works with a simple IP address, I have not tested it with the port exclusion you are implementing.
I am curious to know if it is going to work for you.

If it works you can add it to Administration/Commands and save as Startup.

For posterity there is actually a flaw in the script, hard to believe knowing @Eibgrad's skills.
But if you disable the use of an external rule file then the internal rules from the script are not executed because the invocation of the add_rules() is too deeply nested.
Disclaimer: my coding days are long gone so I could be totally wrong :)

slidermike
DD-WRT Guru


Joined: 11 Nov 2013
Posts: 1487
Location: USA

PostPosted: Fri Feb 08, 2019 22:30
Thanks man,
I will give it another shot this weekend.
I didn't get a notification you had posted in my email so I didn't check until today.

Appreciate you taking the time to assist.

Is there a command like ls -l in the jffs dir to show if a file is executable?

Here is what it is (with the not working ver)
Quote:
root@R7800:/jffs# ls -l
-rwxrwxr-x 1 root root 15601 Feb 5 12:43 ddwrt-ovpn-split-advanced-mike.sh

Appears to be a permissions issue.
Quote:
root@R7800:/jffs# /jffs/ddwrt-ovpn-split-advanced-mike.sh
-sh: /jffs/ddwrt-ovpn-split-advanced-mike.sh: Permission denied
root@R7800:/jffs# pwd
/jffs
