Posted: Wed Jun 29, 2022 17:28 Post subject: [SOLVED] "killswitch" doesn't fully kill & how
firmware r48607
Using OpenVPN
I have a firewall rule
Code:
iptables -I FORWARD -s 192.168.0.28 -o vlan2 -j DROP
and this set
Code:
ip route add default dev tun1 table 200
ip rule add from 192.168.0.28 table 200
If I run command
Code:
killall openvpn
The "STATUS - OPENVPN" page shows that the VPN is down as expected, but if I try to browse the internet on the .28 device (which should only be connected over the VPN), after 5 min the browser does render the page sometimes (sometimes it times out as expected). I don't think these pages are browser cached, and they could be a new Google search.
A traceroute from .28 when the VPN is up takes 1 second as expected; when the VPN is down it takes 5 minutes to complete (very slow on each hop) but eventually completes and returns
Code:
traceroute to 8.8.8.8 (8.8.8.8), 64 hops max, 52 byte packets
1 * 192.168.1.1 (192.168.1.1) 4.789 ms 266.605 ms
2 182.157.64.1 (182.157.64.1) 11.577 ms 12.225 ms 7.943 ms
3 68.173.202.188 (68.173.202.188) 15.400 ms 267.406 ms 12.024 ms
4 68.173.198.56 (68.173.198.56) 20.236 ms 15.717 ms 28.289 ms
5 66.109.6.78 (66.109.6.78) 17.732 ms 183.490 ms
107.14.19.24 (107.14.19.24) 16.981 ms
6 66.109.5.138 (66.109.5.138) 15.709 ms
66.109.6.27 (66.109.6.27) 242.718 ms
66.109.5.138 (66.109.5.138) 247.722 ms
7 209.85.172.46 (209.85.172.46) 13.920 ms
24.30.200.163 (24.30.200.163) 15.725 ms
72.14.212.114 (72.14.212.114) 273.217 ms
8 * * *
9 8.8.8.8 (8.8.8.8) 15.788 ms * 131.192 ms
Why doesn't my firewall rule totally kill the .28 device when the VPN is down? How can I make this work as expected (totally kill internet for .28 when VPN is down)?
Why/how is it working if the firewall is down? i.e. I would like to understand how it is still working and, if it is, why it is so slow (I would think I'm either connected or not).
I know there is a lot of other config stuff I could provide, but this post is already getting long, so I'm hoping this info may be enough to answer the question (of course I can provide more if requested).
Why are you NOT using the GUI to manage all this? It has its own PBR (policy based routing) and a proper killswitch, even a watchdog, all of which is known to work correctly.
As far as your specific coding, it *assumes* vlan2 is the network interface for the WAN. That's not always the case! Did you verify this by dumping the main routing table?
I ran into some problems; I think it was related to the USB/NAS settings. After 2 weeks of fooling around with it I finally gave up and went with an older version of the firmware. Can't remember the specifics.
If I can't get my way to work correctly I will try the GUI PBR, but I would like to try to fix this and understand it if possible.
ip route returns
Code:
default via x.x.x.x dev eth0
127.0.0.0/8 dev lo scope link
y.y.y.y/23 dev tun1 scope link src z.z.z.z
a.a.a.0/19 dev eth0 scope link src b.b.b.b
192.168.1.0/24 dev br0 scope link src 192.168.1.1
eth0 is the normal WAN
tun1 is the VPN
I don't think I should change the firewall rule to tun1 (should I?)
Code:
iptables -I FORWARD -s 192.168.0.28 -o tun1 -j DROP <---- ??????