[SOLVED]Policy based routing blocks amazon.com

oquidave
DD-WRT Novice


Joined: 16 Aug 2021
Posts: 6

PostPosted: Wed Dec 07, 2022 14:32    Post subject: [SOLVED]Policy based routing blocks amazon.com
Hello, I have set up policy-based routing on my DD-WRT router. Only two hosts are allowed to use the VPN network. However, for some strange reason, the amazon.com website gets blocked on hosts that don't use the VPN. Every other major website works except for amazon.com. If I turn off policy-based routing, amazon.com works. DNS works. I can get the Amazon IP using the dig command on my Linux computer, but I can't ping amazon.com and it can't load in any browser. I completely don't understand this.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12834
Location: Netherlands

PostPosted: Wed Dec 07, 2022 14:55    Post subject:
Welcome to the forum. Start with sharing which router and which build, which provider and how you have set it up.

OpenVPN Documentation/Setup Guide is a sticky in this forum: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327398
At least I am assuming you are using OpenVPN; WireGuard is also a sticky in this forum if you are using that.

Amazon (like Netflix etc.) actively tracks VPN.
It does not only track the IP addresses but also the origin of the DNS request.

When using OpenVPN, almost all OpenVPN providers push their own DNS servers and those are the ones used, so although your IP address is not routed via the VPN, the DNS is.

There are several ways to deal with this, the easiest is to just enable Split DNS in the GUI, but have a look at the OpenVPN Client setup guide for the prerequisites etc.

_________________
Routers: Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3, XR300: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read): https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
oquidave
DD-WRT Novice


Joined: 16 Aug 2021
Posts: 6

PostPosted: Wed Dec 07, 2022 19:28    Post subject:
Thanks for your response. If that's the case, how is it then that I can access Amazon through the hosts that connect to OpenVPN? It doesn't make sense.

I am running a D-Link DIR-885L WiFi router. I'll share the build number later as I am currently not connected to the router.
foz111
DD-WRT Guru


Joined: 01 Oct 2017
Posts: 704
Location: Earth

PostPosted: Fri Dec 09, 2022 10:56    Post subject:
The VPN will not be leaking DNS; your WAN will be. Simply run a DNS check to confirm this. EGC has given you the answer.
_________________
Netgear R7800 PPPoE Main Router
Network IPv4 - Isolated VLANs with IoT Devices. Unifi AC-Pro x 3 APs, Router Wi-Fi Disabled. OVPN Server With Paid Commercial WireGuard Clients. Gateway Mode, DNSMasq, Static Leases & DHCP, Pi-Hole DNS & Running Unbound.

No one can build you the bridge on which you, and only you, must cross the river of life!
oquidave
DD-WRT Novice


Joined: 16 Aug 2021
Posts: 6

PostPosted: Fri Dec 09, 2022 13:59    Post subject:
My DNS servers are set to Google's public DNS 8.8.8.8 and 8.8.4.4 in the DD-WRT web interface.
Meanwhile, I am using firmware build DD-WRT v3.0-r44715 std (11/03/20). Checking my upstream DNS servers from my Linux PC reveals the gateway/router as the DNS server.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12834
Location: Netherlands

PostPosted: Fri Dec 09, 2022 14:16    Post subject:
That is why we recommend sharing which build number is being used.

Build 44715 is old and outdated with security issues.
Upgrading is recommended, and as you are coming from a rather old build a reset *after* update and putting in settings manually is also highly recommended, never restore from a backup (to a different build that is).

See the forum guidelines with helpful pointers about how to research your router, where and what firmware to download, where and how to post and many other helpful tips:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087

Latest build is 50963.

DNSMasq hands out the router's IP address as DNS server, because that is where DNSMasq is listening.
In a normal VPN setup to a provider which pushes its DNS server, that pushed DNS server from the provider is used as the upstream DNS server by DNSMasq (and there is even a route via the VPN made for that pushed DNS server).

So usually when using the DD-WRT OpenVPN Client to a commercial provider, all your LAN clients, even the ones not routed via the VPN, will use the pushed DNS server, and the DNS request is going via the VPN.

Of course there are ways to deal with that as outlined in my earlier post and as described in the documentation.

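The mechanism egc describes above (dnsmasq forwarding every LAN client's query to the provider-pushed resolver, which is itself routed through the tunnel) as an added Python model; this is not DD-WRT's own code. The LAN addresses, the pushed resolver 10.8.0.1 and the way Split DNS is modelled (non-VPN clients keep the WAN resolver) are assumptions made for the example.

```python
# Constructed model of the DNS/traffic path mismatch from this thread; not DD-WRT code.
from dataclasses import dataclass


@dataclass
class Router:
    pbr_hosts: frozenset        # LAN clients whose traffic policy-based routing sends via the VPN
    pushed_dns: str             # resolver pushed by the OpenVPN provider (assumed 10.8.0.1 below)
    wan_dns: str                # resolver configured in the GUI (8.8.8.8 in the thread)
    split_dns: bool = False     # the "Split DNS" checkbox the thread settles on

    def traffic_path(self, client: str) -> str:
        # PBR only decides where the client's own packets exit.
        return "vpn" if client in self.pbr_hosts else "wan"

    def upstream_for(self, client: str) -> str:
        # Without Split DNS, dnsmasq has a single upstream list: the pushed
        # resolver took over from the WAN one when the tunnel came up.
        if not self.split_dns:
            return self.pushed_dns
        # With Split DNS (modelled here as an assumption), only VPN-routed
        # clients are answered via the pushed resolver.
        return self.pushed_dns if client in self.pbr_hosts else self.wan_dns

    def dns_path(self, client: str) -> str:
        # DD-WRT adds a route to the pushed resolver through the tunnel, so
        # dnsmasq's forwarded query exits via the VPN whoever asked.
        return "vpn" if self.upstream_for(client) == self.pushed_dns else "wan"

    def mismatched_clients(self, clients):
        # Clients whose web traffic and DNS lookups leave by different paths:
        # the pairing a VPN-detecting site such as Amazon can spot.
        return [c for c in clients if self.traffic_path(c) != self.dns_path(c)]


# Constructed sample LAN: two hosts on the VPN, one plain WAN host.
LAN = ["192.168.1.10", "192.168.1.11", "192.168.1.20"]
ROUTER = Router(pbr_hosts=frozenset({"192.168.1.10", "192.168.1.11"}),
                pushed_dns="10.8.0.1", wan_dns="8.8.8.8")


def leaking_clients(split_dns: bool):
    """Return the clients with mismatched paths, with Split DNS on or off."""
    r = Router(ROUTER.pbr_hosts, ROUTER.pushed_dns, ROUTER.wan_dns, split_dns)
    return r.mismatched_clients(LAN)


if __name__ == "__main__":
    print("Split DNS off:", leaking_clients(False))   # ['192.168.1.20']
    print("Split DNS on: ", leaking_clients(True))    # []
```

The WAN-only host is the one that, as in the original post, loads every site except the VPN-sensitive one: its packets exit the WAN while its lookups exit the tunnel.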
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12834
Location: Netherlands

PostPosted: Fri Dec 09, 2022 14:31    Post subject:
Another possible problem might be that your IP address is not valid; your cable company seems to use some non-registered IPv4 addresses.
(As a moderator I get info about these things.)

_________________
oquidave
DD-WRT Novice


Joined: 16 Aug 2021
Posts: 6

PostPosted: Fri Dec 09, 2022 15:25    Post subject:
Thanks egc for the response. So do you think that the firmware update will fix the issue? Was this "DNS leak" fixed in a later version of DD-WRT?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12834
Location: Netherlands

PostPosted: Fri Dec 09, 2022 16:04    Post subject:
Difficult to say.
Recent builds do not have DNS leaks if setup properly.

The OpenVPN thread (a sticky in this forum) has a changelog.

_________________
oquidave
DD-WRT Novice


Joined: 16 Aug 2021
Posts: 6

PostPosted: Fri Dec 09, 2022 16:09    Post subject:
Just updated to the latest build for my router: DD-WRT v3.0-r50963 std (11/28/22). This seems to have fixed the issue. Thanks for the support.
pakamon1
DD-WRT Novice


Joined: 30 Oct 2020
Posts: 21

PostPosted: Sat Feb 04, 2023 18:42    Post subject:
A few cents from my side.
I had exactly the same issue (OpenVPN with external provider, Source Routing PBR enabled, separate network, separate SSID). DNS over Dnsmasq, but I was getting DNS from the VPN provider.

I read the PDFs that EGC recommended (DNS problems and PBR guide). The v1.15 documents are very good, although I didn't find a reference in there that ticking the "Split DNS" checkbox in the GUI is all that I had to do to fix the issue.

Perhaps there is a newer version of this document somewhere. v1.15 is dated Nov 2021 so I would assume "Split DNS" was implemented afterwards?

Not a big deal though.
I'm glad I was able to reach this thread and perhaps it would be useful for anyone who has the same issue.

Btw. I'm on DD-WRT v3.0-r51506 std (01/25/23)
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12834
Location: Netherlands

PostPosted: Sat Feb 04, 2023 20:39    Post subject:
Both OpenVPN and WireGuard have "Split DNS" nowadays.

Newer guides reflect this.

OpenVPN: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327398
WireGuard: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327397
VPN and DNS: https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1253580#1253580

_________________
oquidave
DD-WRT Novice


Joined: 16 Aug 2021
Posts: 6

PostPosted: Thu Mar 09, 2023 21:18    Post subject:
Update: Checking Split DNS also fixes the issue.