Hi all,
I have a separate VLAN just for an ATA for VOIP. Everything is configured correctly and working; however in order to manage the device I need to be able to access it from Lan. I have set the firewall to allow zone forwarding from Lan to VOIP. Whilst I can access the ATA from some devices such as my windows desktop and phone, I cannot access it from another windows pc for some reason. All devices are on Lan. Any suggestions?
Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have
ubus call system board; \
uci export network; uci export firewall; \
head -n -0 /etc/firewall.user; \
iptables-save -c; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
Thanks for the response.
root@OpenWrt:~# ubus call system board; \
> uci export network; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> iptables-save -c; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
{
"kernel": "4.14.195",
"hostname": "OpenWrt",
"system": "ARMv7 Processor rev 1 (v7l)",
"model": "Linksys WRT3200ACM",
"board_name": "linksys,rango",
"release": {
"distribution": "OpenWrt",
"version": "19.07.4",
"revision": "r11208-ce6496d796",
"target": "mvebu/cortexa9",
"description": "OpenWrt 19.07.4 r11208-ce6496d796"
}
}
package network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd5e:6f07:7e9a::/48'
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option ip6assign '60'
option igmp_snooping '1'
list ipaddr '192.168.10.1/24'
list dns '1.1.1.1'
list dns '1.0.0.1'
config interface 'wan'
option ifname 'eth1.2'
option proto 'pppoe'
option password
option ipv6 'auto'
option username
option peerdns '0'
list dns '1.1.1.1'
list dns '1.0.0.1'
config interface 'wan6'
option ifname 'eth1.2'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option vid '1'
option ports '5t 3 2 1 0'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '6t 4'
option vid '2'
config switch_vlan
option device 'switch0'
option vlan '4'
option vid '3'
option ports '5t 2t 1t'
config switch_vlan
option device 'switch0'
option vlan '5'
option ports '5t 2t'
option vid '4'
config interface 'nordvpntun'
option proto 'none'
option ifname 'tun0'
config interface 'WRT_Guest'
option proto 'static'
list dns '1.1.1.1'
list dns '1.0.0.1'
option type 'bridge'
list ipaddr '10.10.3.1/24'
option ifname 'eth0.3'
config switch_vlan
option device 'switch0'
option vlan '6'
option ports '5t 0t'
option vid '5'
config interface 'VOIP'
option ifname 'eth0.5'
option proto 'static'
list ipaddr '192.168.5.1/24'
list dns '1.1.1.1'
list dns '1.0.0.1'
package firewall
config defaults
option output 'ACCEPT'
option drop_invalid '1'
option forward 'REJECT'
option input 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
config zone
option name 'wan'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
option input 'DROP'
option forward 'DROP'
option network 'wan wan6'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option family 'ipv4'
list icmp_type 'echo-request'
option target 'DROP'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config redirect
option dest_port '32400'
option src 'wan'
option name 'Plex'
option src_dport '32400'
option target 'DNAT'
option dest 'lan'
list proto 'tcp'
option dest_ip '192.168.10.10'
config redirect
option dest_port '5000-5001'
option src 'wan'
option name 'Synology DSM/File Station'
option src_dport '5000-5001'
option target 'DNAT'
option dest 'lan'
list proto 'tcp'
option dest_ip '192.168.10.10'
config redirect
option dest_port '5005-5006'
option src 'wan'
option name 'DS File'
option src_dport '5005-5006'
option target 'DNAT'
option dest 'lan'
list proto 'tcp'
option dest_ip '192.168.10.10'
config rule
option src 'lan'
option name 'ESP BLOCK'
option dest 'wan'
option target 'REJECT'
list src_mac
config forwarding
option src 'lan'
option dest 'vpnfirewall'
config zone
option name 'vpnfirewall'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'nordvpntun'
config forwarding
option src 'lan'
option dest 'vpnfirewall'
config zone
option network 'WRT_Guest'
option input 'REJECT'
option forward 'REJECT'
option name 'WRT_Guest'
option output 'ACCEPT'
config forwarding
option dest 'wan'
option src 'WRT_Guest'
config rule
option dest_port '53'
option src 'WRT_Guest'
option name 'WRT Guest DNS'
option target 'ACCEPT'
config rule
option dest_port '67-68'
option src 'WRT_Guest'
option name 'WRT Guest DHCP'
option target 'ACCEPT'
list proto 'udp'
config zone
option network 'VOIP'
option input 'REJECT'
option forward 'REJECT'
option name 'VOIP'
option output 'ACCEPT'
config forwarding
option dest 'wan'
option src 'VOIP'
config rule
option dest_port '53'
option src 'VOIP'
option name 'VOIP DNS'
option target 'ACCEPT'
config rule
option dest_port '67-68'
option src 'VOIP'
option name 'VOIP DHCP'
option target 'ACCEPT'
list proto 'udp'
config forwarding
option dest 'VOIP'
option src 'lan'
And:
I think I've got rid of everything sensitive but if you notice something, please do let me know...
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
# Generated by iptables-save v1.8.3 on Sat Nov 21 19:04:33 2020
*nat
:PREROUTING ACCEPT [55789:5606237]
:INPUT ACCEPT [9204:984413]
:OUTPUT ACCEPT [8728:610626]
:POSTROUTING ACCEPT [97:15112]
:postrouting_VOIP_rule - [0:0]
:postrouting_WRT_Guest_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_vpnfirewall_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_VOIP_rule - [0:0]
:prerouting_WRT_Guest_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_vpnfirewall_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_VOIP_postrouting - [0:0]
:zone_VOIP_prerouting - [0:0]
:zone_WRT_Guest_postrouting - [0:0]
:zone_WRT_Guest_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_vpnfirewall_postrouting - [0:0]
:zone_vpnfirewall_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[55798:5606757] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[54290:5471745] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[1405:119564] -A PREROUTING -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i eth1.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_vpnfirewall_prerouting
[46:11109] -A PREROUTING -i br-WRT_Guest -m comment --comment "!fw3" -j zone_WRT_Guest_prerouting
[57:4339] -A PREROUTING -i eth0.5 -m comment --comment "!fw3" -j zone_VOIP_prerouting
[19358:2316913] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[82:14068] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[19261:2301801] -A POSTROUTING -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o eth1.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_vpnfirewall_postrouting
[0:0] -A POSTROUTING -o br-WRT_Guest -m comment --comment "!fw3" -j zone_WRT_Guest_postrouting
[9:612] -A POSTROUTING -o eth0.5 -m comment --comment "!fw3" -j zone_VOIP_postrouting
[9:612] -A zone_VOIP_postrouting -m comment --comment "!fw3: Custom VOIP postrouting rule chain" -j postrouting_VOIP_rule
[57:4339] -A zone_VOIP_prerouting -m comment --comment "!fw3: Custom VOIP prerouting rule chain" -j prerouting_VOIP_rule
[0:0] -A zone_WRT_Guest_postrouting -m comment --comment "!fw3: Custom WRT_Guest postrouting rule chain" -j postrouting_WRT_Guest_rule
[46:11109] -A zone_WRT_Guest_prerouting -m comment --comment "!fw3: Custom WRT_Guest prerouting rule chain" -j prerouting_WRT_Guest_rule
[82:14068] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[0:0] -A zone_lan_postrouting -s 192.168.10.0/24 -d 192.168.10.10/32 -p tcp -m tcp --dport 32400 -m comment --comment "!fw3: Plex (reflection)" -j SNAT --to-source 192.168.10.1
[0:0] -A zone_lan_postrouting -s 192.168.10.0/24 -d 192.168.10.10/32 -p tcp -m tcp --dport 5000:5001 -m comment --comment "!fw3: Synology DSM/File Station (reflection)" -j SNAT --to-source 192.168.10.1
[0:0] -A zone_lan_postrouting -s 192.168.10.0/24 -d 192.168.10.10/32 -p tcp -m tcp --dport 5005:5006 -m comment --comment "!fw3: DS File (reflection)" -j SNAT --to-source 192.168.10.1
[54290:5471745] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[5:300] -A zone_lan_prerouting -s 192.168.10.0/24 -d -p tcp -m tcp --dport 32400 -m comment --comment "!fw3: Plex (reflection)" -j DNAT --to-destination 192.168.10.10:32400
[0:0] -A zone_lan_prerouting -s 192.168.10.0/24 -d -p tcp -m tcp --dport 5000:5001 -m comment --comment "!fw3: Synology DSM/File Station (reflection)" -j DNAT --to-destination 192.168.10.10:5000-5001
[0:0] -A zone_lan_prerouting -s 192.168.10.0/24 -d -p tcp -m tcp --dport 5005:5006 -m comment --comment "!fw3: DS File (reflection)" -j DNAT --to-destination 192.168.10.10:5005-5006
[0:0] -A zone_vpnfirewall_postrouting -m comment --comment "!fw3: Custom vpnfirewall postrouting rule chain" -j postrouting_vpnfirewall_rule
[0:0] -A zone_vpnfirewall_postrouting -m comment --comment "!fw3" -j MASQUERADE
[0:0] -A zone_vpnfirewall_prerouting -m comment --comment "!fw3: Custom vpnfirewall prerouting rule chain" -j prerouting_vpnfirewall_rule
[19261:2301801] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[19261:2301801] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[1405:119564] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[4:220] -A zone_wan_prerouting -p tcp -m tcp --dport 32400 -m comment --comment "!fw3: Plex" -j DNAT --to-destination 192.168.10.10:32400
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 5000:5001 -m comment --comment "!fw3: Synology DSM/File Station" -j DNAT --to-destination 192.168.10.10:5000-5001
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 5005:5006 -m comment --comment "!fw3: DS File" -j DNAT --to-destination 192.168.10.10:5005-5006
COMMIT
# Completed on Sat Nov 21 19:04:33 2020
# Generated by iptables-save v1.8.3 on Sat Nov 21 19:04:33 2020
*raw
:PREROUTING ACCEPT [980253:511530955]
:OUTPUT ACCEPT [82773:21886817]
:zone_VOIP_helper - [0:0]
:zone_WRT_Guest_helper - [0:0]
:zone_lan_helper - [0:0]
[504815:74218484] -A PREROUTING -i br-lan -m comment --comment "!fw3: lan CT helper assignment" -j zone_lan_helper
[46:11109] -A PREROUTING -i br-WRT_Guest -m comment --comment "!fw3: WRT_Guest CT helper assignment" -j zone_WRT_Guest_helper
[33873:3013106] -A PREROUTING -i eth0.5 -m comment --comment "!fw3: VOIP CT helper assignment" -j zone_VOIP_helper
COMMIT
# Completed on Sat Nov 21 19:04:33 2020
# Generated by iptables-save v1.8.3 on Sat Nov 21 19:04:33 2020
*mangle
:PREROUTING ACCEPT [980159:511465806]
:INPUT ACCEPT [156269:22441316]
:FORWARD ACCEPT [789320:486227553]
:OUTPUT ACCEPT [82785:21888641]
:POSTROUTING ACCEPT [875375:508248076]
:VPNBYPASS - [0:0]
[980216:511503540] -A PREROUTING -m mark --mark 0x0/0xff0000 -g VPNBYPASS
[8395:483848] -A FORWARD -o pppoe-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[4301:239228] -A FORWARD -i pppoe-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -o eth1.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -i eth1.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -o tun0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone vpnfirewall MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -i tun0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone vpnfirewall MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A VPNBYPASS -p tcp -m multiport --sports 5005:5006 -j MARK --set-xmark 0x10000/0xff0000
[0:0] -A VPNBYPASS -p tcp -m multiport --sports 5000:5001 -j MARK --set-xmark 0x10000/0xff0000
[24:8800] -A VPNBYPASS -p tcp -m multiport --sports 32400 -j MARK --set-xmark 0x10000/0xff0000
[0:0] -A VPNBYPASS -s 192.168.10.165/32 -j MARK --set-xmark 0x10000/0xff0000
[7107:1978089] -A VPNBYPASS -s 192.168.10.129/32 -j MARK --set-xmark 0x10000/0xff0000
[75059:6327536] -A VPNBYPASS -s 192.168.10.10/32 -j MARK --set-xmark 0x10000/0xff0000
[0:0] -A VPNBYPASS -m set --match-set vpnbypass dst -j MARK --set-xmark 0x10000/0xff0000
COMMIT
# Completed on Sat Nov 21 19:04:33 2020
# Generated by iptables-save v1.8.3 on Sat Nov 21 19:04:33 2020
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_VOIP_rule - [0:0]
:forwarding_WRT_Guest_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_vpnfirewall_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_VOIP_rule - [0:0]
:input_WRT_Guest_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_vpnfirewall_rule - [0:0]
:input_wan_rule - [0:0]
:output_VOIP_rule - [0:0]
:output_WRT_Guest_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_vpnfirewall_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_VOIP_dest_ACCEPT - [0:0]
:zone_VOIP_dest_REJECT - [0:0]
:zone_VOIP_forward - [0:0]
:zone_VOIP_input - [0:0]
:zone_VOIP_output - [0:0]
:zone_VOIP_src_REJECT - [0:0]
:zone_WRT_Guest_dest_ACCEPT - [0:0]
:zone_WRT_Guest_dest_REJECT - [0:0]
:zone_WRT_Guest_forward - [0:0]
:zone_WRT_Guest_input - [0:0]
:zone_WRT_Guest_output - [0:0]
:zone_WRT_Guest_src_REJECT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_dest_DROP - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_vpnfirewall_dest_ACCEPT - [0:0]
:zone_vpnfirewall_dest_REJECT - [0:0]
:zone_vpnfirewall_forward - [0:0]
:zone_vpnfirewall_input - [0:0]
:zone_vpnfirewall_output - [0:0]
:zone_vpnfirewall_src_REJECT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_DROP - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_DROP - [0:0]
[445:40318] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[155825:22401038] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[65112:5766059] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[297:22393] -A INPUT -m conntrack --ctstate INVALID -m comment --comment "!fw3" -j DROP
[1280:55408] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[88979:16491047] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[1401:119344] -A INPUT -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i eth1.2 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i tun0 -m comment --comment "!fw3" -j zone_vpnfirewall_input
[0:0] -A INPUT -i br-WRT_Guest -m comment --comment "!fw3" -j zone_WRT_Guest_input
[36:2195] -A INPUT -i eth0.5 -m comment --comment "!fw3" -j zone_VOIP_input
[0:0] -A INPUT -m comment --comment "!fw3" -j reject
[789418:486295786] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[764444:483325014] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[517:29197] -A FORWARD -m conntrack --ctstate INVALID -m comment --comment "!fw3" -j DROP
[24428:2938807] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[4:224] -A FORWARD -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i eth1.2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_vpnfirewall_forward
[0:0] -A FORWARD -i br-WRT_Guest -m comment --comment "!fw3" -j zone_WRT_Guest_forward
[25:2544] -A FORWARD -i eth0.5 -m comment --comment "!fw3" -j zone_VOIP_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[445:40318] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[82346:21850067] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[64341:20712700] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A OUTPUT -m conntrack --ctstate INVALID -m comment --comment "!fw3" -j DROP
[3848:175475] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[14157:961892] -A OUTPUT -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o eth1.2 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_vpnfirewall_output
[0:0] -A OUTPUT -o br-WRT_Guest -m comment --comment "!fw3" -j zone_WRT_Guest_output
[0:0] -A OUTPUT -o eth0.5 -m comment --comment "!fw3" -j zone_VOIP_output
[0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[1280:55408] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[9:612] -A zone_VOIP_dest_ACCEPT -o eth0.5 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_VOIP_dest_REJECT -o eth0.5 -m comment --comment "!fw3" -j reject
[25:2544] -A zone_VOIP_forward -m comment --comment "!fw3: Custom VOIP forwarding rule chain" -j forwarding_VOIP_rule
[25:2544] -A zone_VOIP_forward -m comment --comment "!fw3: Zone VOIP to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_VOIP_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_VOIP_forward -m comment --comment "!fw3" -j zone_VOIP_dest_REJECT
[36:2195] -A zone_VOIP_input -m comment --comment "!fw3: Custom VOIP input rule chain" -j input_VOIP_rule
[0:0] -A zone_VOIP_input -p tcp -m tcp --dport 53 -m comment --comment "!fw3: VOIP DNS" -j ACCEPT
[36:2195] -A zone_VOIP_input -p udp -m udp --dport 53 -m comment --comment "!fw3: VOIP DNS" -j ACCEPT
[0:0] -A zone_VOIP_input -p udp -m udp --dport 67:68 -m comment --comment "!fw3: VOIP DHCP" -j ACCEPT
[0:0] -A zone_VOIP_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_VOIP_input -m comment --comment "!fw3" -j zone_VOIP_src_REJECT
[0:0] -A zone_VOIP_output -m comment --comment "!fw3: Custom VOIP output rule chain" -j output_VOIP_rule
[0:0] -A zone_VOIP_output -m comment --comment "!fw3" -j zone_VOIP_dest_ACCEPT
[0:0] -A zone_VOIP_src_REJECT -i eth0.5 -m comment --comment "!fw3" -j reject
[0:0] -A zone_WRT_Guest_dest_ACCEPT -o br-WRT_Guest -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_WRT_Guest_dest_REJECT -o br-WRT_Guest -m comment --comment "!fw3" -j reject
[0:0] -A zone_WRT_Guest_forward -m comment --comment "!fw3: Custom WRT_Guest forwarding rule chain" -j forwarding_WRT_Guest_rule
[0:0] -A zone_WRT_Guest_forward -m comment --comment "!fw3: Zone WRT_Guest to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_WRT_Guest_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_WRT_Guest_forward -m comment --comment "!fw3" -j zone_WRT_Guest_dest_REJECT
[0:0] -A zone_WRT_Guest_input -m comment --comment "!fw3: Custom WRT_Guest input rule chain" -j input_WRT_Guest_rule
[0:0] -A zone_WRT_Guest_input -p tcp -m tcp --dport 53 -m comment --comment "!fw3: WRT Guest DNS" -j ACCEPT
[0:0] -A zone_WRT_Guest_input -p udp -m udp --dport 53 -m comment --comment "!fw3: WRT Guest DNS" -j ACCEPT
[0:0] -A zone_WRT_Guest_input -p udp -m udp --dport 67:68 -m comment --comment "!fw3: WRT Guest DHCP" -j ACCEPT
[0:0] -A zone_WRT_Guest_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_WRT_Guest_input -m comment --comment "!fw3" -j zone_WRT_Guest_src_REJECT
[0:0] -A zone_WRT_Guest_output -m comment --comment "!fw3: Custom WRT_Guest output rule chain" -j output_WRT_Guest_rule
[0:0] -A zone_WRT_Guest_output -m comment --comment "!fw3" -j zone_WRT_Guest_dest_ACCEPT
[0:0] -A zone_WRT_Guest_src_REJECT -i br-WRT_Guest -m comment --comment "!fw3" -j reject
[3848:175475] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_dest_DROP -o br-lan -m comment --comment "!fw3" -j DROP
[24428:2938807] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[0:0] -A zone_lan_forward -p tcp -m mac --mac-source -m comment --comment "!fw3: ESP BLOCK" -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p udp -m mac --mac-source -m comment --comment "!fw3: ESP BLOCK" -j zone_wan_dest_REJECT
[24428:2938807] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[9:612] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to vpnfirewall forwarding policy" -j zone_vpnfirewall_dest_ACCEPT
[9:612] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to vpnfirewall forwarding policy" -j zone_vpnfirewall_dest_ACCEPT
[9:612] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to VOIP forwarding policy" -j zone_VOIP_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[88979:16491047] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[14470:459660] -A zone_lan_input -p igmp -m comment --comment "!fw3: ubus:igmpproxy[instance1] rule 3" -j ACCEPT
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[74509:16031387] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[3848:175475] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[3848:175475] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[74509:16031387] -A zone_lan_src_ACCEPT -i br-lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_vpnfirewall_dest_ACCEPT -o tun0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_vpnfirewall_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_vpnfirewall_dest_REJECT -o tun0 -m comment --comment "!fw3" -j reject
[0:0] -A zone_vpnfirewall_forward -m comment --comment "!fw3: Custom vpnfirewall forwarding rule chain" -j forwarding_vpnfirewall_rule
[0:0] -A zone_vpnfirewall_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_vpnfirewall_forward -m comment --comment "!fw3" -j zone_vpnfirewall_dest_REJECT
[0:0] -A zone_vpnfirewall_input -m comment --comment "!fw3: Custom vpnfirewall input rule chain" -j input_vpnfirewall_rule
[0:0] -A zone_vpnfirewall_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_vpnfirewall_input -m comment --comment "!fw3" -j zone_vpnfirewall_src_REJECT
[0:0] -A zone_vpnfirewall_output -m comment --comment "!fw3: Custom vpnfirewall output rule chain" -j output_vpnfirewall_rule
[0:0] -A zone_vpnfirewall_output -m comment --comment "!fw3" -j zone_vpnfirewall_dest_ACCEPT
[0:0] -A zone_vpnfirewall_src_REJECT -i tun0 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_dest_ACCEPT -o pppoe-wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[38601:3902631] -A zone_wan_dest_ACCEPT -o pppoe-wan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth1.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_wan_dest_ACCEPT -o eth1.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_DROP -o pppoe-wan -m comment --comment "!fw3" -j DROP
[0:0] -A zone_wan_dest_DROP -o eth1.2 -m comment --comment "!fw3" -j DROP
[0:0] -A zone_wan_dest_REJECT -o pppoe-wan -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_dest_REJECT -o eth1.2 -m comment --comment "!fw3" -j reject
[4:224] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -d 239.255.255.250/32 -p udp -m comment --comment "!fw3: ubus:igmpproxy[instance1] rule 1" -j zone_lan_dest_DROP
[0:0] -A zone_wan_forward -d 224.0.0.0/4 -p udp -m comment --comment "!fw3: ubus:igmpproxy[instance1] rule 2" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[4:224] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_DROP
[1401:119344] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: ubus:igmpproxy[instance1] rule 0" -j ACCEPT
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[4:128] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j DROP
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[1397:119216] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_DROP
[14157:961892] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[14157:961892] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[1397:119216] -A zone_wan_src_DROP -i pppoe-wan -m comment --comment "!fw3" -j DROP
[0:0] -A zone_wan_src_DROP -i eth1.2 -m comment --comment "!fw3" -j DROP
COMMIT
# Completed on Sat Nov 21 19:04:33 2020
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
15: br-WRT_Guest: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
inet 10.10.3.1/24 brd 10.10.3.255 scope global br-WRT_Guest
valid_lft forever preferred_lft forever
17: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
inet 192.168.10.1/24 brd 192.168.10.255 scope global br-lan
valid_lft forever preferred_lft forever
19: eth0.5@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
inet 192.168.5.1/24 brd 192.168.5.255 scope global eth0.5
valid_lft forever preferred_lft forever
30: pppoe-wan: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc cake state UNKNOWN qlen 3
inet peer scope global pppoe-wan
valid_lft forever preferred_lft forever
default via dev pppoe-wan table 200
default via dev pppoe-wan
10.10.3.0/24 dev br-WRT_Guest scope link src 10.10.3.1
192.168.5.0/24 dev eth0.5 scope link src 192.168.5.1
192.168.10.0/24 dev br-lan scope link src 192.168.10.1
dev pppoe-wan scope link src
broadcast 10.10.3.0 dev br-WRT_Guest table local scope link src 10.10.3.1
local 10.10.3.1 dev br-WRT_Guest table local scope host src 10.10.3.1
broadcast 10.10.3.255 dev br-WRT_Guest table local scope link src 10.10.3.1
local dev pppoe-wan table local scope host src
broadcast 127.0.0.0 dev lo table local scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host src 127.0.0.1
local 127.0.0.1 dev lo table local scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link src 127.0.0.1
broadcast 192.168.5.0 dev eth0.5 table local scope link src 192.168.5.1
local 192.168.5.1 dev eth0.5 table local scope host src 192.168.5.1
broadcast 192.168.5.255 dev eth0.5 table local scope link src 192.168.5.1
broadcast 192.168.10.0 dev br-lan table local scope link src 192.168.10.1
local 192.168.10.1 dev br-lan table local scope host src 192.168.10.1
broadcast 192.168.10.255 dev br-lan table local scope link src 192.168.10.1
0: from all lookup local
32765: from all fwmark 0x10000 lookup 200
32766: from all lookup main
32767: from all lookup default```You can remove the dns from lan, WRT_Guest, and VOIP interface. They are fine to be in wan only, where they are reachable from.
You are using the vpn bypass. If one of the hosts that has issues is .10 or .129 or .165 then you need to add the voip network in routing table 200.
Yes, it is one of those that is having trouble. I shall try exactly what you suggest tomorrow! Many thanks for this!
Here is the wiki page for the static routes just in case. But I think this one is what you need.
config route
option interface 'VOIP'
option target '192.168.5.0'
option netmask '255.255.255.0'
option table '200'
Interestingly, it was working but after a reboot no longer seems to work (just as before). Any ideas?
uci export network; ip -4 ro li tab all
root@OpenWrt:~# uci export network; ip -4 ro li tab all
package network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd5e:6f07:7e9a::/48'
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option ip6assign '60'
option igmp_snooping '1'
list ipaddr '192.168.10.1/24'
config interface 'wan'
option ifname 'eth1.2'
option proto 'pppoe'
option password
option ipv6 'auto'
option username
option peerdns '0'
list dns '1.1.1.1'
list dns '1.0.0.1'
config interface 'wan6'
option ifname 'eth1.2'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option vid '1'
option ports '5t 3 2 1 0'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '6t 4'
option vid '2'
config switch_vlan
option device 'switch0'
option vlan '4'
option vid '3'
option ports '5t 2t 1t'
config switch_vlan
option device 'switch0'
option vlan '5'
option ports '5t 2t'
option vid '4'
config interface 'nordvpntun'
option proto 'none'
option ifname 'tun0'
config interface 'WRT_Guest'
option proto 'static'
option type 'bridge'
list ipaddr '10.10.3.1/24'
option ifname 'eth0.3'
config switch_vlan
option device 'switch0'
option vlan '6'
option ports '5t 0t'
option vid '5'
config interface 'VOIP'
option ifname 'eth0.5'
option proto 'static'
list ipaddr '192.168.5.1/24'
config route
option interface 'VOIP'
option target '192.168.5.0'
option netmask '255.255.255.0'
option table '200'
default via dev pppoe-wan table 200
default via dev pppoe-wan
10.10.3.0/24 dev br-WRT_Guest scope link src 10.10.3.1
192.168.5.0/24 dev eth0.5 scope link src 192.168.5.1
192.168.10.0/24 dev br-lan scope link src 192.168.10.1
dev pppoe-wan scope link src
broadcast 10.10.3.0 dev br-WRT_Guest table local scope link src 10.10.3.1
local 10.10.3.1 dev br-WRT_Guest table local scope host src 10.10.3.1
broadcast 10.10.3.255 dev br-WRT_Guest table local scope link src 10.10.3.1
local dev pppoe-wan table local scope host src
broadcast 127.0.0.0 dev lo table local scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host src 127.0.0.1
local 127.0.0.1 dev lo table local scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link src 127.0.0.1
broadcast 192.168.5.0 dev eth0.5 table local scope link src 192.168.5.1
local 192.168.5.1 dev eth0.5 table local scope host src 192.168.5.1
broadcast 192.168.5.255 dev eth0.5 table local scope link src 192.168.5.1
broadcast 192.168.10.0 dev br-lan table local scope link src 192.168.10.1
local 192.168.10.1 dev br-lan table local scope host src 192.168.10.1
broadcast 192.168.10.255 dev br-lan table local scope link src 192.168.10.1
It is not there. I suspect that vpnbypass is clearing the routing table 200 before it installs the routes. Check if vpnbypass has some option to add a few more networks.
I think I might switch over to vpn-policy-routing. It's been suggested to me that it has better support for vlans.
Switched over and I'm sure it's possible but for the moment I don't have the understanding/expertise to do it so may have to do some more reading...
Only thing I could find was this which sounds similar: VPN Policy-Based Routing + Web UI - ARCHIVE #1 but I dont have enough understanding of his solution in order to implement it myself.
You could post the troubleshooting commands to have a look.
I am not sure if they are included, but also the ip -4 addr; ip -4 ro li tab all; ip -4 ru would help.
root@OpenWrt:~# /etc/init.d/vpn-policy-routing support
vpn-policy-routing 0.2.1-13 running on OpenWrt 19.07.4. WAN (IPv4):
============================================================
Dnsmasq version 2.80 Copyright (c) 2000-2018 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC no-ID loop-detect inotify dumpfile
============================================================
Routes/IP Rules
default host 0.0.0.0 UG 0 0 0 pppoe-wan
IPv4 Table 201: default via dev pppoe-wan
10.10.3.0/24 dev br-WRT_Guest proto kernel scope link src 10.10.3.1
192.168.5.0/24 dev eth0.5 proto kernel scope link src 192.168.5.1
IPv4 Table 201 Rules:
0: from all fwmark 0x10000/0xff0000 lookup 201
============================================================
IP Tables PREROUTING
-N VPR_PREROUTING
-A VPR_PREROUTING -s 192.168.10.89/32 -m comment --comment Wiser_Heat -c 69 11616 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -p udp -m multiport --sports 5000:5001,5005:5006 -m comment --comment Synology_services -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -p tcp -m multiport --sports 5000:5001,5005:5006 -m comment --comment Synology_services -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -p udp -m multiport --sports 32400 -m comment --comment Plex -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -p tcp -m multiport --sports 32400 -m comment --comment Plex -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -s 192.168.10.10/32 -m comment --comment Synology_NAS -c 2372 195226 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -s 192.168.10.165/32 -m comment --comment Laptop__ethernet_ -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -s 192.168.10.129/32 -m comment --comment Laptop__wifi__ -c 1910 453674 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -s 192.168.5.100/32 -m comment --comment VOIP -c 44 5276 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -m set --match-set nordvpntun dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
IP Tables FORWARD
-N VPR_FORWARD
-A VPR_FORWARD -m set --match-set nordvpntun dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_FORWARD -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
IP Tables INPUT
-N VPR_INPUT
-A VPR_INPUT -m set --match-set nordvpntun dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_INPUT -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
IP Tables OUTPUT
-N VPR_OUTPUT
-A VPR_OUTPUT -m set --match-set nordvpntun dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_OUTPUT -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
Current ipsets
create wan hash:net family inet hashsize 1024 maxelem 65536 comment
create wan_ip hash:net family inet hashsize 1024 maxelem 65536 comment
add wan_ip 192.168.10.129 comment "Laptop (wifi) : 192.168.10.129"
add wan_ip 192.168.10.10 comment "Synology NAS: 192.168.10.10"
add wan_ip 192.168.5.100 comment "Grandstream VOIP: 192.168.5.100"
add wan_ip 192.168.10.165 comment "Laptop (ethernet): 192.168.10.165"
add wan_ip 192.168.10.89 comment "Wiser Heat: 192.168.10.89"
create wan_mac hash:mac hashsize 1024 maxelem 65536 comment
create nordvpntun hash:net family inet hashsize 1024 maxelem 65536 comment
create nordvpntun_ip hash:net family inet hashsize 1024 maxelem 65536 comment
create nordvpntun_mac hash:mac hashsize 1024 maxelem 65536 comment
============================================================
Your support details have been logged to '/var/vpn-policy-routing-support'. [✓]
root@OpenWrt:~# /etc/init.d/vpn-policy-routing reload
Creating table 'wan/pppoe-wan/' [✓]
Creating table 'nordvpntun/tun0/0.0.0.0' [✓]
Routing 'Grandstream VOIP' via wan [✓]
Routing 'Mark-Laptop (wifi) ' via wan [✓]
Routing 'Mark-Laptop (ethernet)' via wan [✓]
Routing 'Synology NAS' via wan [✓]
Routing 'Plex' via wan [✓]
Routing 'Synology services' via wan [✓]
Routing 'Wiser Heat' via wan [✓]
vpn-policy-routing 0.2.1-13 started with gateways:
wan/pppoe-wan/ [✓]
nordvpntun/tun0/0.0.0.0
vpn-policy-routing 0.2.1-13 monitoring interfaces: wan nordvpntun .
root@OpenWrt:~# ip -4 addr; ip -4 ro li tab all; ip -4 ru
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
14: br-WRT_Guest: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 10.10.3.1/24 brd 10.10.3.255 scope global br-WRT_Guest
valid_lft forever preferred_lft forever
17: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 192.168.10.1/24 brd 192.168.10.255 scope global br-lan
valid_lft forever preferred_lft forever
19: eth0.5@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 192.168.5.1/24 brd 192.168.5.255 scope global eth0.5
valid_lft forever preferred_lft forever
21: pppoe-wan: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc cake state UNKNOWN group default qlen 3
inet peer scope global pppoe-wan
valid_lft forever preferred_lft forever
192.168.5.0/24 dev eth0.5 table 200 proto static scope link
default via dev pppoe-wan table 201
10.10.3.0/24 dev br-WRT_Guest table 201 proto kernel scope link src 10.10.3.1
192.168.5.0/24 dev eth0.5 table 201 proto kernel scope link src 192.168.5.1
default via dev pppoe-wan proto static
10.10.3.0/24 dev br-WRT_Guest proto kernel scope link src 10.10.3.1
192.168.5.0/24 dev eth0.5 proto kernel scope link src 192.168.5.1
192.168.10.0/24 dev br-lan proto kernel scope link src 192.168.10.1
dev pppoe-wan proto kernel scope link src
broadcast 10.10.3.0 dev br-WRT_Guest table local proto kernel scope link src 10.10.3.1
local 10.10.3.1 dev br-WRT_Guest table local proto kernel scope host src 10.10.3.1
broadcast 10.10.3.255 dev br-WRT_Guest table local proto kernel scope link src 10.10.3.1
local dev pppoe-wan table local proto kernel scope host src
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.5.0 dev eth0.5 table local proto kernel scope link src 192.168.5.1
local 192.168.5.1 dev eth0.5 table local proto kernel scope host src 192.168.5.1
broadcast 192.168.5.255 dev eth0.5 table local proto kernel scope link src 192.168.5.1
broadcast 192.168.10.0 dev br-lan table local proto kernel scope link src 192.168.10.1
local 192.168.10.1 dev br-lan table local proto kernel scope host src 192.168.10.1
broadcast 192.168.10.255 dev br-lan table local proto kernel scope link src 192.168.10.1
0: from all lookup local
0: from 192.168.10.0/24 lookup 200
0: from 192.168.5.0/24 lookup 200
0: from all fwmark 0x10000/0xff0000 lookup 201
32766: from all lookup main
32767: from all lookup default
ip rule del from 192.168.10.0/24 lookup 200
ip rule del from 192.168.5.0/24 lookup 200
These look like leftovers from the vpn bypass.
Also remove this static route if it is still there.
Done 
Behaviour still remains the same
Your VOIP is this one that you cannot access?
You may want to try to exclude the VOIP IPs from the policies
option append_src_rules '! -d 192.168.5.0/24'
Yes; however, I need the VOIP to be routed via wan when vpn enabled. I suppose one solution for this would be to just have some sort of script (if it were possible) to start and stop vpn policy routing as the vpn is connected and disconnected that way I could administrate the VOIP device if/when needed (when VPN is disabled which is most of the time) but also have vpn policy routing working when the VPN is connected.
Then create a rule to route voip via the wan. As long as you don't have it, it is not added in the routing tables.