Policy Based Routing guide for DDWRT

egc
DD-WRT Guru

Joined: 18 Mar 2014
Posts: 3946
Location: Netherlands

PostPosted: Mon Oct 14, 2019 13:24    Post subject: Policy Based Routing guide for DDWRT
Policy Based Routing guide for DDWRT

This guide is intended for use with build 41174 or later.

If you have a previous build, you might need scripting to use all the advanced possibilities, see: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318662

The wiki (https://wiki.dd-wrt.com/wiki/index.php/Policy_Based_Routing) is rather outdated, and with all the new and exciting functions we now have in recent builds, I am trying to put together a guide.

It is a first draft; any help/comments/remarks are welcome.

_________________
Routers:Netgear R7800, Netgear R6400v1, Netgear R6400v2, Linksys EA6900 (XvortexCFE), Linksys E2000 (converted WRT320N), WRT54GS v1.
Install guide Linksys EA6900: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=291230
OpenVPN Policy Based Routing guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN Server Setup:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614


Last edited by egc on Tue Oct 15, 2019 15:02; edited 4 times in total
egc
PostPosted: Mon Oct 14, 2019 13:25
Automatic Kill switch script for DDWRT PBR

Script attached to this post, only visible when you are logged in.


Use at your own risk; always check that the rules are applied and working.

name: ovpn-pbr-kill-switch-xx.sh
version: 0.1 by egc, this is a modified version of the script by @eibgrad http://www.dd-wrt.com/phpBB2/viewtopic.php?t=288852
purpose: block access LAN->WAN for IPs in OpenVPN client policy based routing
script type: firewall
dd-wrt ref: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686

Instructions:
0. Download and unzip
1. Set VPN_ENABLED_ONLY to your preference, "0" or "1"
2. Set FW_STATE to your preference, uncomment line to set state NEW
3. Install this script in the router's firewall script: Administration/Commands, Save as Firewall
4. Reboot router
5. The firewall is not automatically updated after a change in the PBR field, so reboot after changing


VPN_ENABLED_ONLY
* 0 = apply rules 24/7
* 1 = apply rules only if VPN enabled (default)
Code:
VPN_ENABLED_ONLY="1" # (0 = apply rules 24/7, 1 = apply rules only if VPN enabled)


State checking: "state NEW" vs. no state
state NEW (default):
* any pre-existing LAN->WAN connections persist until/unless they time out/close
* remote access (WAN->LAN) is allowed (provided port forwarding is enabled)
* more efficient (only LAN->WAN packets used to establish NEW connections are inspected)
no state:
* any pre-existing LAN->WAN connections are stopped/blocked
* remote access (WAN->LAN) is denied (even if port forwarding is enabled)
* less efficient (every LAN->WAN packet is inspected)

Code:
FW_STATE="-m state --state NEW" # uncomment/comment to disable/enable state checking


Note:
The firewall is not automatically updated after a change in the PBR field, so reboot after changing or do from CLI:
Code:
stopservice firewall && startservice firewall


Troubleshooting
For troubleshooting, look at the following (or show it when asking for help):
Code:
iptables -vnL blocked-ips
iptables -vnL FORWARD



Last edited by egc on Mon Oct 14, 2019 17:10; edited 2 times in total
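A small shell version of the kill-switch logic described in the post above, added here as an example; it is not egc's attached script. It assumes a PBR field with one IP or CIDR per line and the nvram names wan_iface, openvpncl_enable and openvpncl_route; the rule generation is separated from applying so the generated rules can be inspected before anything touches the firewall.

```shell
#!/bin/sh
# Added example, not egc's attached ovpn-pbr-kill-switch script.
# Builds the "blocked-ips" chain the post describes: LAN->WAN packets from
# every IP/CIDR in the PBR list are dropped on the WAN interface, so if the
# tunnel drops those hosts cannot fall back to the plain WAN.
# Assumptions: nvram names wan_iface, openvpncl_enable and openvpncl_route.

VPN_ENABLED_ONLY="1"             # 0 = rules 24/7, 1 = only if VPN enabled
FW_STATE="-m state --state NEW"  # set to "" to inspect every packet
CHAIN="blocked-ips"

# True when the rules should be installed under the current settings.
vpn_wanted() {
    [ "$VPN_ENABLED_ONLY" = "0" ] && return 0
    [ "$(nvram get openvpncl_enable 2>/dev/null)" = "1" ]
}

# Print the iptables commands for one PBR list (dry run, nothing applied).
#   $1 = PBR entries, one IP or CIDR per line, '#' starts a comment
#   $2 = WAN interface     $3 = state option (may be empty)
build_rules() {
    pbr=$1; wan=$2; state=$3
    echo "iptables -N $CHAIN 2>/dev/null"
    echo "iptables -F $CHAIN"
    # exactly one jump from FORWARD, even after repeated firewall restarts
    echo "iptables -C FORWARD -o $wan -j $CHAIN 2>/dev/null || iptables -I FORWARD -o $wan -j $CHAIN"
    for ip in $(printf '%s\n' "$pbr" | sed 's/#.*//'); do
        # keep only dotted-quad / CIDR looking entries, skip anything else
        case $ip in *[!0-9./]*) continue ;; esac
        echo "iptables -A $CHAIN $state -s $ip -o $wan -j DROP"
    done
}

# Number of DROP rules a list produces; compare with iptables -vnL blocked-ips.
count_drops() { build_rules "$@" | grep -c -- '-j DROP'; }

# Apply for real only when run as:  sh kill-switch.sh apply
if [ "${1:-}" = "apply" ]; then
    WAN_IF=$(nvram get wan_iface)
    PBR=$(nvram get openvpncl_route)
    if vpn_wanted; then
        build_rules "$PBR" "$WAN_IF" "$FW_STATE" | sh
    else   # VPN disabled and VPN_ENABLED_ONLY=1: make sure nothing is blocked
        iptables -D FORWARD -o "$WAN_IF" -j "$CHAIN" 2>/dev/null
        iptables -F "$CHAIN" 2>/dev/null
    fi
fi
```

Run without the `apply` argument the script only defines functions, so `build_rules "$(nvram get openvpncl_route)" "$(nvram get wan_iface)" "$FW_STATE"` can be used from the CLI to preview the rules before installing it as the firewall script.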
egc
PostPosted: Mon Oct 14, 2019 15:01
DNS LEAK with Policy Based Routing
There are often questions about a DNS leak when using Policy Based Routing.
To (hopefully) answer some questions and to provide some solutions see the attached file (only visible when you are logged in!).

A very nice utility/script has been produced by @eibgrad; this script scans for and warns you about DNS leaks, highly recommended. See: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=319747


Watchdog script for VPN client
As you are using PBR, the normal watchdog function of DDWRT does not work; you have to do your checking via the VPN tunnel.
For this purpose @Sploit has written a watchdog script, see: https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1093571#1093571

Unfortunately the script kills all OpenVPN instances, and thus also your OpenVPN server if you are using that simultaneously with your OpenVPN client.

I will post a revision of that script in that thread which only kills the OpenVPN client.



Last edited by egc on Tue Oct 15, 2019 13:39; edited 2 times in total
egc
PostPosted: Tue Oct 15, 2019 13:35
for future use