Posted: Sun Feb 21, 2021 19:12 Post subject: [SOLVED]Policy Based Routing (PBR) blocks WAN traffic
Running Cyberghost VPN client on Netgear R7000P. Cannot seem to get PBR to work as I expect it should on a late version of dd-wrt (r45XXX). The IPs in the PBR field (in CIDR notation) pass to the VPN, but non-VPN traffic is blocked from the WAN.
Shortcut Forwarding Engine (SFE) has been disabled.
The following is what the VPN provider suggests as a firewall rule:
Currently running r39960 kongAC, and it works with nothing more than the VPN-specific IPs in the PBR field; all other traffic goes to the WAN (as expected). It would be my preference, however, to run a current version of dd-wrt.
I expect I have missed something simple in the configuration. Suggestions, anyone?
Posted: Sun Feb 21, 2021 20:05 Post subject:
You don't need the firewall rules, as modern dd-wrt releases take care of all that, at least if you enable "Inbound firewall on TUN" and "CVE-2019-14899 Mitigation" on the OpenVPN client setup page. If you still have issues, try removing all Additional Config and see how that goes. Most vpn providers post instructions that are old and are now obsolete, as dd-wrt has greatly improved and has solid defaults. If even that doesn't do it, post your vpn settings here (no more than 768 pixels wide if you use images) and see if one of the guys with more expertise than I have can jump in and advise.
Make sure your vpn is functioning first, but eventually you may want to research kill switches, which will use firewall rules different from what you are showing here. Many threads in the forum on it. Nothing special about mine really, but I do discuss some in the big first post, near the end, in the AirVPN how-to linked in my sig below.
_________________
2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
As @SurprisedItWorks says, you don't need any of those firewall rules. However, it's not obvious how their presence could lead to the problem of non-VPN clients being denied access to the WAN. Makes me wonder if those same clients don't have access to the WAN even if the VPN is disabled, perhaps due to an inappropriate kill switch, one that's blocking *all* access to the WAN rather than being limited to only those enumerated in PBR.
FWIW, I have a rather old (but presumably still functioning) script that does just that.
Posted: Mon Feb 22, 2021 7:04 Post subject: Re: Policy Based Routing (PBR) blocks WAN traffic
boredwild wrote:
Running Cyberghost VPN client on Netgear R7000P. Cannot seem to get PBR to work as I expect it should on a late version of dd-wrt (r45XXX). The IPs in the PBR field (in CIDR notation) pass to the VPN, but non-VPN traffic is blocked from the WAN.
Are you saying the IP's not in the PBR field have no internet or are they still using the VPN?
If the former, I would expect that you are using a kill switch, as @eibgrad already remarked; if the latter, it could be the crappy set-up instructions of Cyberghost.
Posted: Mon Feb 22, 2021 15:54 Post subject: Correction to my observations.
Applied r45767 with no firewall or startup scripts. With blank PBR field, all traffic goes through the VPN (expected). Enter one IP (ex 192.168.1.98/32) in the PBR field, apply settings and reboot router. Still all traffic goes through the VPN.
Firewall on TUN is enabled.
Have tried with SPI Firewall enabled and disabled - seems no difference.
Do I need to clear NVRAM? I have never done this.
Below is the "additional configuration" from Cyberghost VPN that I have always had applied to the configuration.
If I had to guess, I bet the "redirect-gateway def1" directive in Additional Config is the problem.
The router *used* to use the route-noexec directive (under the covers) to prevent the default gateway from changing to the VPN, so that PBR would work. And when that directive is specified, it doesn't matter if either the server or client happens to specify the "redirect-gateway def1" directive, it gets ignored. But more recently, the router no longer uses route-noexec, but a "pull" filter to prevent the server (and only the server) from pushing the "redirect-gateway def1" directive, and therefore if the *client* happens to specify it, now everything gets routed over the VPN! IOW, it breaks PBR.
Posted: Mon Feb 22, 2021 18:30 Post subject: Removing "additional configuration" makes it work!
In my last post I made reference to the "additional configuration" recommended by Cyberghost VPN, but I neglected to post it; egc found it and posted it - thanks.
Remove all that and PBR functions correctly.
FYI, VPN Watchdog startup script is running, SPI Firewall enabled, CVE mitigation enabled, and all is well.
Thanks so much to a generous, dedicated community!
Just to let you know, I switched from KongAC to stock latest firmware on my R7000. I had Cyberghost with all their additional params and the firewall rules.
Things worked, then suddenly stopped working.
I removed all the crap as suggested here, either in firewall commands or in additional parameters, checked the firewall on tun rule, and now it works perfectly.
I also had this message in the logs:
Quote:
WARNING: You have specified redirect-gateway and redirect-private at the same time (or the same option multiple times). This is not well supported and may lead to unexpected results
so I guess eibgrad is correct.
(I already had to remove the ping exit 60 rule before as it disconnected my vpn after 60 seconds...)
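The two failure modes the thread settles on, a client-side "redirect-gateway def1" that the pull-filter does not catch (eibgrad's explanation) and a "ping-exit 60" that tears the tunnel down, can both be caught before the config is applied. The script below is an added example written for this thread, not dd-wrt code or Cyberghost's config: it audits a block of OpenVPN client "Additional Config" text and reports directives that defeat PBR or drop the tunnel. The sample config is constructed for the example (it is not the provider's actual block, which is not reproduced in the thread), and the nvram key name in the usage note is an assumption.

```shell
#!/bin/sh
# Added example, not part of the thread or dd-wrt: audit an OpenVPN client
# "Additional Config" block for directives that break policy-based routing.
#
# Background from the thread: current dd-wrt builds no longer add route-noexec.
# They filter redirect-gateway only when the *server* pushes it, so a
# redirect-gateway line written into the client config is honoured and sends
# every LAN client through the tunnel, not just the PBR list.

# Constructed sample, modelled on the kind of provider block discussed above.
# It is NOT Cyberghost's real config.
SAMPLE_CONFIG='client
remote-cert-tls server
redirect-gateway def1   # overrides the PBR default route on the client side
ping 10
ping-exit 60            # tunnel exits after 60 s without a ping reply
auth-nocache
explicit-exit-notify 2'

# Same block with the two problem lines removed (what the thread ends up with).
SAFE_CONFIG='client
remote-cert-tls server
ping 10
auth-nocache
explicit-exit-notify 2'

# Read config text on stdin, strip comments and surrounding whitespace, and
# print one finding per offending directive. Anything else is silently passed.
audit_additional_config() {
    sed -e 's/[#;].*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' |
    awk '
        # Client-side default-route overrides: the dd-wrt pull-filter only
        # blocks these when the server pushes them, so a local copy still wins.
        $1 == "redirect-gateway" || $1 == "redirect-private" {
            print "PBR-CONFLICT: " $0 " (client-side route override, not filtered by pull-filter)"
            next
        }
        # Not a PBR problem, but the cause of the 60-second disconnects noted above.
        $1 == "ping-exit" {
            print "DISCONNECT-RISK: " $0 " (tunnel exits after " $2 "s without a reply)"
            next
        }
    '
}

# Exit 0 when the block carries no client-side route override, 1 otherwise.
pbr_safe() {
    ! printf '%s\n' "$1" | audit_additional_config | grep -q '^PBR-CONFLICT'
}

# Stand-alone run: show findings for both constructed blocks.
if [ "${1:-}" = "--demo" ]; then
    echo "== provider-style block =="
    printf '%s\n' "$SAMPLE_CONFIG" | audit_additional_config
    pbr_safe "$SAMPLE_CONFIG" && echo "PBR-safe" || echo "NOT PBR-safe"
    echo "== trimmed block =="
    printf '%s\n' "$SAFE_CONFIG" | audit_additional_config
    pbr_safe "$SAFE_CONFIG" && echo "PBR-safe" || echo "NOT PBR-safe"
fi
```

Run it with `sh audit.sh --demo` to see the findings on the constructed blocks. On the router itself the Additional Config box is stored in NVRAM; assuming the key is `openvpncl_config` (an assumption, check `nvram show | grep openvpncl` first), `nvram get openvpncl_config | audit_additional_config` would audit the live setting. A clean result from this script is not a substitute for the thread's actual fix, which was to drop the provider block entirely and rely on the OpenVPN client page's own settings (PBR list, "Inbound firewall on TUN", CVE-2019-14899 mitigation).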