Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have.
```
ubus call system board; \
uci export network; uci export firewall; \
head -n -0 /etc/firewall.user; \
iptables-save -c; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
```
You can remove the DNS from the lan, WRT_Guest, and VOIP interfaces. They are fine to be in wan only, where they are reachable from.
You are using the vpn bypass. If one of the hosts that has issues is .10 or .129 or .165 then you need to add the voip network in routing table 200.
```
root@OpenWrt:~# uci export network; ip -4 ro li tab all
package network

config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'fd5e:6f07:7e9a::/48'

config interface 'lan'
    option type 'bridge'
    option ifname 'eth0.1'
    option proto 'static'
    option ip6assign '60'
    option igmp_snooping '1'
    list ipaddr '192.168.10.1/24'

config interface 'wan'
    option ifname 'eth1.2'
    option proto 'pppoe'
    option password
    option ipv6 'auto'
    option username
    option peerdns '0'
    list dns '1.1.1.1'
    list dns '1.0.0.1'

config interface 'wan6'
    option ifname 'eth1.2'
    option proto 'dhcpv6'

config switch
    option name 'switch0'
    option reset '1'
    option enable_vlan '1'

config switch_vlan
    option device 'switch0'
    option vlan '1'
    option vid '1'
    option ports '5t 3 2 1 0'

config switch_vlan
    option device 'switch0'
    option vlan '2'
    option ports '6t 4'
    option vid '2'

config switch_vlan
    option device 'switch0'
    option vlan '4'
    option vid '3'
    option ports '5t 2t 1t'

config switch_vlan
    option device 'switch0'
    option vlan '5'
    option ports '5t 2t'
    option vid '4'

config interface 'nordvpntun'
    option proto 'none'
    option ifname 'tun0'

config interface 'WRT_Guest'
    option proto 'static'
    option type 'bridge'
    list ipaddr '10.10.3.1/24'
    option ifname 'eth0.3'

config switch_vlan
    option device 'switch0'
    option vlan '6'
    option ports '5t 0t'
    option vid '5'

config interface 'VOIP'
    option ifname 'eth0.5'
    option proto 'static'
    list ipaddr '192.168.5.1/24'

config route
    option interface 'VOIP'
    option target '192.168.5.0'
    option netmask '255.255.255.0'
    option table '200'

default via dev pppoe-wan table 200
default via dev pppoe-wan
10.10.3.0/24 dev br-WRT_Guest scope link src 10.10.3.1
192.168.5.0/24 dev eth0.5 scope link src 192.168.5.1
192.168.10.0/24 dev br-lan scope link src 192.168.10.1
dev pppoe-wan scope link src
broadcast 10.10.3.0 dev br-WRT_Guest table local scope link src 10.10.3.1
local 10.10.3.1 dev br-WRT_Guest table local scope host src 10.10.3.1
broadcast 10.10.3.255 dev br-WRT_Guest table local scope link src 10.10.3.1
local dev pppoe-wan table local scope host src
broadcast 127.0.0.0 dev lo table local scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host src 127.0.0.1
local 127.0.0.1 dev lo table local scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link src 127.0.0.1
broadcast 192.168.5.0 dev eth0.5 table local scope link src 192.168.5.1
local 192.168.5.1 dev eth0.5 table local scope host src 192.168.5.1
broadcast 192.168.5.255 dev eth0.5 table local scope link src 192.168.5.1
broadcast 192.168.10.0 dev br-lan table local scope link src 192.168.10.1
local 192.168.10.1 dev br-lan table local scope host src 192.168.10.1
broadcast 192.168.10.255 dev br-lan table local scope link src 192.168.10.1
```
It is not there. I suspect that vpnbypass is clearing the routing table 200 before it installs the routes. Check if vpnbypass has some option to add a few more networks.
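One way to check for the missing route discussed above, as an added example that is not part of the original thread: the hypothetical helper `check_policy_tables` reads saved `ip -4 route list table all` and `ip -4 rule` output and lists connected subnets absent from any table a rule points at. The sample dumps are constructed, modeled on the output in this thread, with placeholder WAN addresses.

```shell
#!/bin/sh
# Added example: report connected subnets that are missing from any routing
# table referenced by an ip rule.
# Usage: check_policy_tables ROUTES_FILE RULES_FILE
#   ROUTES_FILE: saved output of `ip -4 route list table all`
#   RULES_FILE:  saved output of `ip -4 rule`
check_policy_tables() {
    awk '
        FILENAME == ARGV[1] {            # first file: routes
            tbl = "main"                 # no "table" keyword means the main table
            for (i = 1; i < NF; i++) if ($i == "table") tbl = $(i + 1)
            if ($1 ~ /\//) {             # prefix routes only, e.g. 192.168.5.0/24
                has[tbl, $1] = 1
                if (tbl == "main" && /scope link/) connected[$1] = 1
            }
            next
        }
        {                                # second file: rules
            for (i = 1; i < NF; i++)
                if ($i == "lookup" && $(i + 1) !~ /^(local|main|default)$/)
                    used[$(i + 1)] = 1
        }
        END {
            for (t in used) for (p in connected)
                if (!((t, p) in has)) print "table " t " lacks " p
        }
    ' "$1" "$2" | LC_ALL=C sort
}

# Constructed sample: table 200 holds only a default route (placeholder gateway).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/routes" <<'EOF'
default via 203.0.113.1 dev pppoe-wan table 200
default via 203.0.113.1 dev pppoe-wan
10.10.3.0/24 dev br-WRT_Guest scope link src 10.10.3.1
192.168.5.0/24 dev eth0.5 scope link src 192.168.5.1
192.168.10.0/24 dev br-lan scope link src 192.168.10.1
203.0.113.1 dev pppoe-wan scope link src 198.51.100.7
local 192.168.5.1 dev eth0.5 table local scope host src 192.168.5.1
EOF
cat > "$demo_dir/rules" <<'EOF'
0: from all lookup local
0: from 192.168.10.0/24 lookup 200
0: from 192.168.5.0/24 lookup 200
32766: from all lookup main
32767: from all lookup default
EOF
check_policy_tables "$demo_dir/routes" "$demo_dir/rules"
```

On the router, save the two commands' output to files after each service reload and run the function on them; a table that loses its routes on reload shows up as new "lacks" lines.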
Switched over and I'm sure it's possible but for the moment I don't have the understanding/expertise to do it so may have to do some more reading...
Only thing I could find was this which sounds similar: VPN Policy-Based Routing + Web UI - ARCHIVE #1 but I don't have enough understanding of his solution in order to implement it myself.
You could post the troubleshooting commands to have a look.
I am not sure if they are included, but also the `ip -4 addr; ip -4 ro li tab all; ip -4 ru` would help.
```
root@OpenWrt:~# /etc/init.d/vpn-policy-routing support
vpn-policy-routing 0.2.1-13 running on OpenWrt 19.07.4. WAN (IPv4):
============================================================
Dnsmasq version 2.80 Copyright (c) 2000-2018 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC no-ID loop-detect inotify dumpfile
============================================================
Routes/IP Rules
default host 0.0.0.0 UG 0 0 0 pppoe-wan
IPv4 Table 201: default via dev pppoe-wan
10.10.3.0/24 dev br-WRT_Guest proto kernel scope link src 10.10.3.1
192.168.5.0/24 dev eth0.5 proto kernel scope link src 192.168.5.1
IPv4 Table 201 Rules:
0: from all fwmark 0x10000/0xff0000 lookup 201
============================================================
IP Tables PREROUTING
-N VPR_PREROUTING
-A VPR_PREROUTING -s 192.168.10.89/32 -m comment --comment Wiser_Heat -c 69 11616 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -p udp -m multiport --sports 5000:5001,5005:5006 -m comment --comment Synology_services -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -p tcp -m multiport --sports 5000:5001,5005:5006 -m comment --comment Synology_services -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -p udp -m multiport --sports 32400 -m comment --comment Plex -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -p tcp -m multiport --sports 32400 -m comment --comment Plex -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -s 192.168.10.10/32 -m comment --comment Synology_NAS -c 2372 195226 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -s 192.168.10.165/32 -m comment --comment Laptop__ethernet_ -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -s 192.168.10.129/32 -m comment --comment Laptop__wifi__ -c 1910 453674 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -s 192.168.5.100/32 -m comment --comment VOIP -c 44 5276 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -m set --match-set nordvpntun dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
IP Tables FORWARD
-N VPR_FORWARD
-A VPR_FORWARD -m set --match-set nordvpntun dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_FORWARD -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
IP Tables INPUT
-N VPR_INPUT
-A VPR_INPUT -m set --match-set nordvpntun dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_INPUT -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
IP Tables OUTPUT
-N VPR_OUTPUT
-A VPR_OUTPUT -m set --match-set nordvpntun dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_OUTPUT -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
Current ipsets
create wan hash:net family inet hashsize 1024 maxelem 65536 comment
create wan_ip hash:net family inet hashsize 1024 maxelem 65536 comment
add wan_ip 192.168.10.129 comment "Laptop (wifi) : 192.168.10.129"
add wan_ip 192.168.10.10 comment "Synology NAS: 192.168.10.10"
add wan_ip 192.168.5.100 comment "Grandstream VOIP: 192.168.5.100"
add wan_ip 192.168.10.165 comment "Laptop (ethernet): 192.168.10.165"
add wan_ip 192.168.10.89 comment "Wiser Heat: 192.168.10.89"
create wan_mac hash:mac hashsize 1024 maxelem 65536 comment
create nordvpntun hash:net family inet hashsize 1024 maxelem 65536 comment
create nordvpntun_ip hash:net family inet hashsize 1024 maxelem 65536 comment
create nordvpntun_mac hash:mac hashsize 1024 maxelem 65536 comment
============================================================
Your support details have been logged to '/var/vpn-policy-routing-support'. [✓]
```
```
root@OpenWrt:~# /etc/init.d/vpn-policy-routing reload
Creating table 'wan/pppoe-wan/' [✓]
Creating table 'nordvpntun/tun0/0.0.0.0' [✓]
Routing 'Grandstream VOIP' via wan [✓]
Routing 'Mark-Laptop (wifi) ' via wan [✓]
Routing 'Mark-Laptop (ethernet)' via wan [✓]
Routing 'Synology NAS' via wan [✓]
Routing 'Plex' via wan [✓]
Routing 'Synology services' via wan [✓]
Routing 'Wiser Heat' via wan [✓]
vpn-policy-routing 0.2.1-13 started with gateways:
wan/pppoe-wan/ [✓]
nordvpntun/tun0/0.0.0.0
vpn-policy-routing 0.2.1-13 monitoring interfaces: wan nordvpntun .
```
```
root@OpenWrt:~# ip -4 addr; ip -4 ro li tab all; ip -4 ru
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
14: br-WRT_Guest: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 10.10.3.1/24 brd 10.10.3.255 scope global br-WRT_Guest
       valid_lft forever preferred_lft forever
17: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.10.1/24 brd 192.168.10.255 scope global br-lan
       valid_lft forever preferred_lft forever
19: eth0.5@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.5.1/24 brd 192.168.5.255 scope global eth0.5
       valid_lft forever preferred_lft forever
21: pppoe-wan: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc cake state UNKNOWN group default qlen 3
    inet peer scope global pppoe-wan
       valid_lft forever preferred_lft forever
192.168.5.0/24 dev eth0.5 table 200 proto static scope link
default via dev pppoe-wan table 201
10.10.3.0/24 dev br-WRT_Guest table 201 proto kernel scope link src 10.10.3.1
192.168.5.0/24 dev eth0.5 table 201 proto kernel scope link src 192.168.5.1
default via dev pppoe-wan proto static
10.10.3.0/24 dev br-WRT_Guest proto kernel scope link src 10.10.3.1
192.168.5.0/24 dev eth0.5 proto kernel scope link src 192.168.5.1
192.168.10.0/24 dev br-lan proto kernel scope link src 192.168.10.1
dev pppoe-wan proto kernel scope link src
broadcast 10.10.3.0 dev br-WRT_Guest table local proto kernel scope link src 10.10.3.1
local 10.10.3.1 dev br-WRT_Guest table local proto kernel scope host src 10.10.3.1
broadcast 10.10.3.255 dev br-WRT_Guest table local proto kernel scope link src 10.10.3.1
local dev pppoe-wan table local proto kernel scope host src
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.5.0 dev eth0.5 table local proto kernel scope link src 192.168.5.1
local 192.168.5.1 dev eth0.5 table local proto kernel scope host src 192.168.5.1
broadcast 192.168.5.255 dev eth0.5 table local proto kernel scope link src 192.168.5.1
broadcast 192.168.10.0 dev br-lan table local proto kernel scope link src 192.168.10.1
local 192.168.10.1 dev br-lan table local proto kernel scope host src 192.168.10.1
broadcast 192.168.10.255 dev br-lan table local proto kernel scope link src 192.168.10.1
0: from all lookup local
0: from 192.168.10.0/24 lookup 200
0: from 192.168.5.0/24 lookup 200
0: from all fwmark 0x10000/0xff0000 lookup 201
32766: from all lookup main
32767: from all lookup default
```
Yes; however, I need the VOIP to be routed via wan when the VPN is enabled. I suppose one solution for this would be to just have some sort of script (if it were possible) to start and stop VPN policy routing as the VPN is connected and disconnected; that way I could administrate the VOIP device if/when needed (when the VPN is disabled, which is most of the time) but also have VPN policy routing working when the VPN is connected.