Marking packets to be routed through ISP

DD-WRT Forum Index -> Advanced Networking
tectonic
DD-WRT Novice


Joined: 01 Aug 2017
Posts: 27

Posted: Sun Aug 20, 2017 6:23    Post subject: Marking packets to be routed through ISP
Good morning,

I've been reading the thread here http://www.dd-wrt.com/phpBB2/viewtopic.php?p=1065270 as I have the same problem but have been trying to solve it in a different way.

I have three subnets and am using PBR (through the GUI) so that only those devices on one of the subnets is routed through the VPN (OpenVPN, by the way).

I'm trying to solve this problem:
    TCP connection is made from an origin address to my public IP
    The router forwards the request to an internal IP
    The server responds, but the response is directed down the VPN

To do this, I've created a new routing table which forwards over the WAN:
Code:
ip route add default table 100 via $(nvram get wan_gateway)


I then mark the packets I want to be sent back over the WAN and have them use this new routing table:

Code:
ip rule add fwmark 1 table 100


Code:
iptables -t mangle -I PREROUTING -i br0 -p tcp -s 192.168.1.4 --sport 4567 -j MARK --set-mark 1


Can anybody advise why this isn't quite working? I'm inclined to suggest it's because table 10 is taking precedence so table 100 is never used irrespective of the packet being marked out.

Is there an elegant solution for this, or should I use eibgrad's script?
https://pastebin.com/tTr3X1JV

Many thanks.

Edit:
A bit of additional detail in case it's relevant. I'm also using eibgrad's script to copy over routes to table 10: https://pastebin.com/YwnHLqaa


Last edited by tectonic on Sun Aug 20, 2017 7:50; edited 1 time in total
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6856
Location: Romerike, Norway

Posted: Sun Aug 20, 2017 7:46
Your ip address is invalid "192.168.1.4567". All 4 numbers must be between 1 and 254.
tectonic
DD-WRT Novice


Joined: 01 Aug 2017
Posts: 27

Posted: Sun Aug 20, 2017 7:49
Ah, sorry; that was just a poorly-typed example. Fixed in my original post.
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6856
Location: Romerike, Norway

Posted: Sun Aug 20, 2017 8:48
Try to put an interface to the route:

ip route add default via $(nvram get wan_gateway) dev `get_wanface` table 100
tectonic
DD-WRT Novice


Joined: 01 Aug 2017
Posts: 27

Posted: Sun Aug 20, 2017 11:19
Thanks, Per

That hasn't sorted it, *but* I think my issue is that I'm not marking the correct packets. I have:

Code:
--sport 4567

I suspect the source port is incorrect, so I need to track down the correct one.
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6856
Location: Romerike, Norway

Posted: Sun Aug 20, 2017 11:31
What service are you trying to reroute?

Port 4567 is used by Verizon for fw upgrades.

https://www.speedguide.net/port.php?port=4567
tectonic
DD-WRT Novice


Joined: 01 Aug 2017
Posts: 27

Posted: Sun Aug 20, 2017 11:46
Hi Per,

I've got a Plex server running on Port 32400 on my local network.

If I disable my OpenVPN client, I can access it from the Internet.
As soon as OpenVPN is enabled, I lose access.

I figured that the source port would be 32400, so that if I added

Code:

iptables -t mangle -I PREROUTING -i br0 -p tcp -s 192.168.1.4 --sport 32400 -j MARK --set-mark 1


then the response from the Plex Server would be routed back over my ISP rather than the VPN tunnel. But, apparently not. For what it's worth, I've also tried eibgrad's script (https://pastebin.com/tTr3X1JV) with this rule, but still no luck:


Code:

add_rule_lan -p tcp -s 192.168.1.4 --sport 32400


So, I need to tweak the rule, I think.
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6856
Location: Romerike, Norway

Posted: Sun Aug 20, 2017 11:57
Telnet/SSH into the router and run TCPDUMP.

Check the packets that traverse your router when the Plex server is accessed.
tectonic
DD-WRT Novice


Joined: 01 Aug 2017
Posts: 27

Posted: Sun Aug 20, 2017 13:23
Thanks, Per

Some progress...

changing the rule from:

Code:

add_rule_lan -p tcp -s 192.168.1.4 --sport 32400


to:
Code:

add_rule_lan -s 192.168.1.4


has done the trick. I can now access the Plex Server over the internet. However, I want all other traffic from 192.168.1.4 to go over the VPN which is why specifying the source port is desirable.

When I grab the tcpdump from interface br0, I see entries such as those below. If I've interpreted them correctly, then the source port is, indeed, 32400...

14:17:12.939108 IP xxx.xxx.xxx.xxx.threembb.co.uk.54214 > Thundera.32400: Flags [.], ack 2340882, win 3314, options [nop,nop,TS val 87348145 ecr 9858601], length 0
14:17:12.949080 IP xxx.xxx.xxx.xxx.threembb.co.uk.54214 > Thundera.32400: Flags [.], ack 2343574, win 3314, options [nop,nop,TS val 87348148 ecr 9858607], length 0
14:17:12.959083 IP xxx.xxx.xxx.xxx.threembb.co.uk.54214 > Thundera.32400: Flags [.], ack 2347612, win 3314, options [nop,nop,TS val 87348152 ecr 9858607], length 0
14:17:12.979715 IP xxx.xxx.xxx.xxx.threembb.co.uk.54214 > Thundera.32400: Flags [.], ack 2352996, win 3314, options [nop,nop,TS val 87348155 ecr 9858607], length 0
14:17:12.979793 IP xxx.xxx.xxx.xxx.threembb.co.uk.54214 > Thundera.32400: Flags [.], ack 2357034, win 3314, options [nop,nop,TS val 87348158 ecr 9858607], length 0
14:17:12.979855 IP xxx.xxx.xxx.xxx.threembb.co.uk.54214 > Thundera.32400: Flags [.], ack 2362418, win 3314, options [nop,nop,TS val 87348158 ecr 9858608], length 0
14:17:12.979919 IP xxx.xxx.xxx.xxx.threembb.co.uk.54214 > Thundera.32400: Flags [.], ack 2365110, win 3314, options [nop,nop,TS val 87348158 ecr 9858610], length 0
14:17:12.980356 IP Thundera.32400 > xxx.xxx.xxx.xxx.threembb.co.uk.54214: Flags [.], seq 2374532:2389338, ack 1072, win 2078, options [nop,nop,TS val 9858617 ecr 87348155], length 14806
tectonic
DD-WRT Novice


Joined: 01 Aug 2017
Posts: 27

Posted: Sun Aug 20, 2017 13:35
I suspect there's a bug in the rule:

Code:
add_rule_lan -p tcp -s 192.168.1.4 --sport 32400


When I run the following, there's no corresponding entry:

Code:

iptables -L -t mangle


Whereas this yields an entry:

Code:

add_rule_lan -s 192.168.1.4


Any idea what's wrong with the rule with the source port specified?
tectonic
DD-WRT Novice


Joined: 01 Aug 2017
Posts: 27

Posted: Sun Aug 20, 2017 14:26
It's working!

Went with the brutal option and started from scratch. Thanks, Per for your help in tracking down the problems.

Just one more piece of the puzzle: since I have a reasonable-sized Firewall script now, where do I install this; and how do I execute it? https://pastebin.com/vXfWLnPe
Bunsen
DD-WRT User


Joined: 10 Jan 2017
Posts: 76

Posted: Tue Aug 29, 2017 8:39
tectonic wrote:
I suspect there's a bug in the rule:

Code:
add_rule_lan -p tcp -s 192.168.1.4 --sport 32400


When I run the following, there's no corresponding entry:

Code:

iptables -L -t mangle


Whereas this yields an entry:

Code:

add_rule_lan -s 192.168.1.4


Any idea what's wrong with the rule with the source port specified?


I think the bug in your first rule is that the --sport directive needs to follow the -p tcp, not the -s <ip>,
like this:
Code:
add_rule_lan -p tcp --sport 32400 -s 192.168.1.4


That being said... I am trying to do the same thing that you are.
I'm not using the script you mention, I'm writing the iptables rules directly.
I'm interested in how you finally got it working.

When I add a rule that includes the port 32400 it doesn't work [similar to the issue it sounds like you were having, but my rule gets created... it just doesn't work as I'd expect it to].
Bunsen
DD-WRT User


Joined: 10 Jan 2017
Posts: 76

Posted: Tue Aug 29, 2017 8:48
tectonic wrote:
It's working!

Went with the brutal option and started from scratch. Thanks, Per for your help in tracking down the problems.

Just one more piece of the puzzle: since I have a reasonable-sized Firewall script now, where do I install this; and how do I execute it? https://pastebin.com/vXfWLnPe


Are you asking how to use the script you linked, or are you asking where to install the firewall script you have written?

To use the script you have linked you need to have this script saved on your router file system someplace, and also a "target" script that you want to make smaller.
Then on the cmdline, just type the name of the compress script as your first argument, and the "target" as your second argument. The result is that the target script has had comments and other "non-code" removed.

To install a firewall script you can go to the GUI on your dd-wrt router: choose the "Administration" tab, and the "Commands" tab under that.
Then paste the firewall script in the box and choose the button at the bottom that says "Save Firewall".
tectonic
DD-WRT Novice


Joined: 01 Aug 2017
Posts: 27

Posted: Thu Aug 31, 2017 18:43
@bunsen

Sorry for the slow reply. I've been offline for a few days.

To get my set-up to work, I ended up using eibgrad's script from here:
https://pastebin.com/tTr3X1JV

In order to get the Plex Server accessible from the internet, I have this rule:
Code:

add_rule_lan -s 192.168.1.xxx -p tcp --sport 32400


Where the source IP is the (static) IP of the machine on which the Plex Server is running. You were absolutely right, by the way: I needed the --sport option to follow the protocol.

Thanks also for the hint on running the script to compress other scripts. Makes perfect sense.

Good luck! Give me a shout if you'd like me to try and help.
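The pieces this thread arrives at (a WAN-only table 100, an fwmark rule for it, and a mangle MARK on replies from the Plex server with `-p tcp` ahead of `--sport`) assembled into one idempotent DD-WRT firewall script, as an added example that is neither tectonic's posted script nor eibgrad's. It assumes the server IP 192.168.1.4, mark 1, table 100 and rule priority 100; WAN_GW/WAN_IF and DRY_RUN are assumed override variables so the commands can be printed and reviewed off the router.

```shell
#!/bin/sh
# Added example, not the poster's or eibgrad's script. Sends replies from
# the Plex server back out the WAN instead of the VPN tunnel. PLEX_IP, MARK,
# TABLE and PRIO are assumed values; set DRY_RUN=1 to print instead of run.

PLEX_IP="${PLEX_IP:-192.168.1.4}"   # static LAN IP of the Plex server
PLEX_PORT="${PLEX_PORT:-32400}"     # Plex listening port = reply source port
MARK=1                              # fwmark placed on reply packets
TABLE=100                           # table whose default route is the WAN
PRIO=100                            # lower number = checked before VPN rule

run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Build the WAN-only table. Gateway and interface come from nvram and
# get_wanface on the router; WAN_GW/WAN_IF override them for a dry run.
setup_wan_table() {
    gw="${WAN_GW:-$(nvram get wan_gateway)}"
    wanif="${WAN_IF:-$(get_wanface)}"
    run ip route replace default via "$gw" dev "$wanif" table "$TABLE"
    # Delete-then-add keeps one rule across reruns; an explicit priority
    # pins its position relative to the GUI's policy rule for table 10.
    run ip rule del fwmark "$MARK" table "$TABLE" priority "$PRIO" 2>/dev/null || true
    run ip rule add fwmark "$MARK" table "$TABLE" priority "$PRIO"
}

# Mark replies leaving the server: they enter br0 with the server as source
# address and its listening port as source port. -p tcp precedes --sport
# because --sport is an option of the tcp match ($rule is split on purpose).
mark_replies() {
    rule="-i br0 -p tcp --sport $PLEX_PORT -s $PLEX_IP -j MARK --set-mark $MARK"
    run iptables -t mangle -D PREROUTING $rule 2>/dev/null || true
    run iptables -t mangle -I PREROUTING $rule
}

pbr_apply() {
    setup_wan_table
    mark_replies
}

# nvram exists only on the router; elsewhere the script acts only as a dry run.
if command -v nvram >/dev/null 2>&1 || [ -n "$DRY_RUN" ]; then pbr_apply; fi
```

Off the router, `DRY_RUN=1 WAN_GW=203.0.113.1 WAN_IF=eth0 sh pbr.sh` prints the five commands for review; on the router it goes in under Administration, Commands, Save Firewall as Bunsen describes.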
Bunsen
DD-WRT User


Joined: 10 Jan 2017
Posts: 76

Posted: Fri Sep 01, 2017 2:22
tectonic wrote:
@bunsen

In order to get the Plex Server accessible from the internet, I have this rule:
Code:

add_rule_lan -s 192.168.1.xxx -p tcp --sport 32400


Good luck! Give me a shout if you'd like me to try and help.


Interesting.
I needed to allow my plex server IP access to talk to "plex.tv" on both 80 and 443 - then it worked.
I didn't need the above rule - I assume because I have the port forwarding already set in the GUI. I really wish I fully understood why though - I mean I don't have an explicit rule to allow my plex server to talk over 32400 using the ISP gateway... but it does.

Anyway - thanks for getting back.
All times are GMT