NordVPN on one VLAN

Your VPN is restarting due to inactivity.

Are you using 4G/5G LTE broadband?

Copy and paste the script for your version of PBR into PuTTY and hit Enter. You might need to restart the router.

Solving why Nord is dropping-out is your best course of action.

This script seems to have solved the problem. NordVPN by nature has to reset itself every so often, I was told, so there is no way to avoid that.

Everything is working great after the script though :slight_smile:

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.

I spoke too soon; the script does help, but it doesn't always restart or enable after the VPN goes down and then restarts.

Not sure how to troubleshoot this?

PBR is working correctly. Your problem is Nord is dropping-out.

You may want to try another solution?
Try option 3 from @Trendy's post here.

Would that code be:

config rule
        option in 'lan'
        option src '10.10.20.1/24'
        option lookup '100'

config route
        option interface 'VPN'
        option target '0.0.0.0'
        option netmask '0.0.0.0'
        option metric '200'
        option table '100'

I have all my VLANs on the lan firewall, does this need to change now?

This is not correct: either use .1/32 or omit it to classify all ingress packets.

config rule
        option in 'lan'
        option src '10.10.20.1'
        option lookup '100'

config route
        option interface 'VPN'
        option target '0.0.0.0'
        option netmask '0.0.0.0'
        option metric '200'
        option table '100'

Would the above cover the entire VLAN on 10.10.20.1/24 to the VPN? Do I need to change anything on the firewall zone? I have all of my VLANs on the lan firewall zone currently

No, this covers only one address.

Just to make sure that the lan zone is allowed to forward to the vpn zone.

What would I put there to cover the entire 10.10.20.x subnet?

Okay, I will double check this :slight_smile:

10.10.20.0/24

Thank you :slight_smile: I will give this a shot

This did not work for me. I'm surely doing something wrong.

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*

root@ROOter:~# ubus call system board; \
> uci export network; uci export dhcp; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
> ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.*
/tmp/resolv.* /tmp/resolv.*/*
{
        "kernel": "5.4.158",
        "hostname": "ROOter",
        "system": "ARMv7 Processor rev 0 (v7l)",
        "model": "Asus RT-AC68U (BCM4708)",
        "board_name": "asus,rt-ac68u",
        "release": {
                "distribution": "OpenWrt",
                "version": "21.02-SNAPSHOT",
                "revision": " ",
                "codename": "",
                "target": "bcm53xx/generic",
                "description": "GoldenOrb_2022-07-31 ( OpenWrt 21.02-SNAPSHOT )"
        }
}
package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd48:1b54:0296::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ifname ' tap0 tap-server'

config device
        option name 'eth0.2'
        option macaddr 

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'
        option metric '1'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '5t 1 2 3 4'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '5t 0'

config interface 'VPN'
        option proto 'none'
        option auto '0'
        option device 'tun0'

config interface 'VPNS'
        option proto 'none'
        option auto '0'
        option device 'tun-server'

config interface 'TAP'
        option proto 'none'
        option auto '1'
        option device 'tap0'

config interface 'TAPS'
        option proto 'none'
        option auto '0'
        option device 'tap-server'

config interface 'wwan'
        option proto 'dhcp'
        option metric '2'

config interface 'wwan6'
        option proto 'dhcpv6'

config switch_vlan
        option device 'switch0'
        option vlan '10'
        option ports '5t 1t 2t 3t 4t'

config switch_vlan
        option device 'switch0'
        option vlan '20'
        option ports '5t 1t 2t 3t 4t'

config switch_vlan
        option device 'switch0'
        option vlan '30'
        option ports '5t 1t 2t 3t 4t'

config switch_vlan
        option device 'switch0'
        option vlan '40'
        option ports '5t 1t 2t 3t 4t'

config interface 'TPLinkAP'
        option proto 'static'
        option device 'eth0.10'
        option ipaddr '10.10.10.1'
        option netmask '255.255.255.0'

config interface 'NORDVPN'
        option proto 'static'
        option device 'eth0.20'
        option ipaddr '10.10.20.1'
        option netmask '255.255.255.0'

config interface 'SmartDevices'
        option proto 'static'
        option device 'eth0.30'
        option ipaddr '10.10.30.1'
        option netmask '255.255.255.0'

config interface 'CCTV'
        option proto 'static'
        option device 'eth0.40'
        option ipaddr '10.10.40.1'
        option netmask '255.255.255.0'

config interface 'ZeroTier'
        option proto 'none'
        option device 'ztxxxdixxx'

config rule
        option in 'lan'
        option src '10.10.20.0/24'
        option lookup '100'

config route
        option interface 'VPN'
        option target '0.0.0.0'
        option netmask '0.0.0.0'
        option metric '200'
        option table '100'

config interface 'wan1'
        option proto 'dhcp'
        option metric '10'
        option device 'wan1'

config interface 'wan2'
        option proto 'dhcp'
        option metric '20'
        option device 'wan2'

config interface 'wg0'
        option proto 'wireguard'
        option auto '0'
        list addresses ''

config interface 'wg1'
        option proto 'wireguard'
        option auto '0'
        list addresses ''

package dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '0'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        list dhcp_option ' 6,8.8.8.8,8.8.4.4'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        list ra_flags 'none'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'CCTV'
        option interface 'CCTV'
        option limit '150'
        option start '10'
        option leasetime '2h'
        list dhcp_option ' 6,8.8.8.8,8.8.4.4'
        list ra_flags 'none'

config dhcp 'NORDVPN'
        option interface 'NORDVPN'
        option limit '150'
        option start '10'
        option leasetime '2h'
        list dhcp_option '6,103.86.96.100,103.86.99.100'
        list ra_flags 'none'

config dhcp 'SmartDevices'
        option interface 'SmartDevices'
        option limit '150'
        option start '10'
        option leasetime '2h'
        list dhcp_option ' 6,8.8.8.8,8.8.4.4'
        list ra_flags 'none'

config dhcp 'TPLinkAP'
        option interface 'TPLinkAP'
        option start '100'
        option limit '150'
        option leasetime '2h'
        list dhcp_option ' 6,1.1.1.1,1.0.0.1'
        list ra_flags 'none'

package firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'TPLinkAP'
        list network 'NORDVPN'
        list network 'SmartDevices'
        list network 'CCTV'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6 wwan wan1 wan2'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

config include
        option path '/etc/firewall.user'

config zone 'vpnzone'
        option name 'VPN'
        option forward 'REJECT'
        option output 'ACCEPT'
        option network 'VPN'
        option input 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding 'vpnforward'
        option dest 'VPN'
        option src 'lan'

config zone 'vpnzones'
        option name 'VPNS'
        option forward 'REJECT'
        option output 'ACCEPT'
        option network 'VPNS'
        option input 'ACCEPT'
        option masq '1'
        option mtu_fix '1'

config forwarding 'vpnforwards'
        option dest 'VPNS'
        option src 'lan'

config rule
        option name 'Allow-ZeroTier-Inbound'
        list proto 'udp'
        option src '*'
        option dest_port '9993'
        option target 'ACCEPT'

config zone
        option name 'ZEROTIERVPN'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list device 'ztxxxdixxx'

config forwarding
        option src 'ZEROTIERVPN'
        option dest 'lan'

config forwarding
        option src 'ZEROTIERVPN'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'ZEROTIERVPN'

config zone 'wgzone'
        option name 'wg'
        option forward 'ACCEPT'
        option output 'ACCEPT'
        option network 'wg0 wg1'
        option input 'ACCEPT'
        option masq '1'
        option mtu_fix '1'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
11: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
13: eth0.40@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 10.10.40.1/24 brd 10.10.40.255 scope global eth0.40
       valid_lft forever preferred_lft forever
14: eth0.20@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 10.10.20.1/24 brd 10.10.20.255 scope global eth0.20
       valid_lft forever preferred_lft forever
15: eth0.30@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 10.10.30.1/24 brd 10.10.30.255 scope global eth0.30
       valid_lft forever preferred_lft forever
16: eth0.10@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 10.10.10.1/24 brd 10.10.10.255 scope global eth0.10
       valid_lft forever preferred_lft forever
17: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.2.108/24 brd 192.168.2.255 scope global eth0.2
       valid_lft forever preferred_lft forever
18: ztxxxdixxx: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 2800 qdisc fq_codel state UNKNOWN group default qlen 1000
    inet 172.xx.xxx.xxx/16 brd 172.23.255.255 scope global ztxxxdixxx
       valid_lft forever preferred_lft forever
76: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    inet 10.8.0.6/24 scope global tun0
       valid_lft forever preferred_lft forever
default via 192.168.2.1 dev eth0.2 proto static src 192.168.2.108 metric 1
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
10.10.10.0/24 dev eth0.10 proto kernel scope link src 10.10.10.1
10.10.20.0/24 dev eth0.20 proto kernel scope link src 10.10.20.1
10.10.30.0/24 dev eth0.30 proto kernel scope link src 10.10.30.1
10.10.40.0/24 dev eth0.40 proto kernel scope link src 10.10.40.1
172.23.0.0/16 dev ztxxxdixxx proto kernel scope link src 172.xx.xxx.xxx
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
192.168.2.0/24 dev eth0.2 proto static scope link metric 1
broadcast 10.8.0.0 dev tun0 table local proto kernel scope link src 10.8.0.6
local 10.8.0.6 dev tun0 table local proto kernel scope host src 10.8.0.6
broadcast 10.8.0.255 dev tun0 table local proto kernel scope link src 10.8.0.6
broadcast 10.10.10.0 dev eth0.10 table local proto kernel scope link src 10.10.10.1
local 10.10.10.1 dev eth0.10 table local proto kernel scope host src 10.10.10.1
broadcast 10.10.10.255 dev eth0.10 table local proto kernel scope link src 10.10.10.1
broadcast 10.10.20.0 dev eth0.20 table local proto kernel scope link src 10.10.20.1
local 10.10.20.1 dev eth0.20 table local proto kernel scope host src 10.10.20.1
broadcast 10.10.20.255 dev eth0.20 table local proto kernel scope link src 10.10.20.1
broadcast 10.10.30.0 dev eth0.30 table local proto kernel scope link src 10.10.30.1
local 10.10.30.1 dev eth0.30 table local proto kernel scope host src 10.10.30.1
broadcast 10.10.30.255 dev eth0.30 table local proto kernel scope link src 10.10.30.1
broadcast 10.10.40.0 dev eth0.40 table local proto kernel scope link src 10.10.40.1
local 10.10.40.1 dev eth0.40 table local proto kernel scope host src 10.10.40.1
broadcast 10.10.40.255 dev eth0.40 table local proto kernel scope link src 10.10.40.1
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 172.23.0.0 dev ztxxxdixxx table local proto kernel scope link src 172.xx.xxx.xxx
local 172.xx.xxx.xxx dev ztxxxdixxx table local proto kernel scope host src 172.xx.xxx.xxx
broadcast 172.23.255.255 dev ztxxxdixxx table local proto kernel scope link src 172.xx.xxx.xxx
broadcast 192.168.1.0 dev br-lan table local proto kernel scope link src 192.168.1.1
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1
broadcast 192.168.2.0 dev eth0.2 table local proto kernel scope link src 192.168.2.108
local 192.168.2.108 dev eth0.2 table local proto kernel scope host src 192.168.2.108
broadcast 192.168.2.255 dev eth0.2 table local proto kernel scope link src 192.168.2.108
0:      from all lookup local
1:      from 10.10.20.0/24 iif br-lan lookup 100
32766:  from all lookup main
32767:  from all lookup default
lrwxrwxrwx    1 root     root            16 Nov  7  2021 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            47 Aug  9 14:50 /tmp/resolv.conf
-rw-r--r--    1 root     root            50 Aug  9 14:47 /tmp/resolv.conf.d/resolv.conf.auto

/tmp/resolv.conf.d:
-rw-r--r--    1 root     root            50 Aug  9 14:47 resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error

==> /tmp/resolv.conf.d/resolv.conf.auto <==
# Interface wan
nameserver 192.168.2.1
search lan

The lan interface has IP 192.168.1.1.
The NORDVPN interface has IP 10.10.20.1.
The rule is using the NORDVPN IPs on the lan interface. You could omit the IP from the rule, as I told you earlier.

So add this instead:

config rule
        option in 'lan'
        option lookup '100'

config route
        option interface 'VPN'
        option target '0.0.0.0'
        option netmask '0.0.0.0'
        option metric '200'
        option table '100'

Just to confirm, this will route just the VLAN (NORDVPN subnet 10.10.20.1/24) through the VPN and all the other VLANs and LAN will be normal, not through the VPN?

This will route everything coming in from lan interface, that is 192.168.1.0/24 via the VPN interface.
Everything else will use the default route of the main routing table.

Is there a way to route just the 10.10.20.1/24 VLAN through the VPN? I still want the lan interface not to be routed through the VPN.

I'm sorry if I'm not understanding, I am new to most of this
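An added check, not part of this thread, written as a POSIX shell script that runs offline against the route and rule lines posted above. It shows why the rule never fires: `ip -4 ru` shows `from 10.10.20.0/24 iif br-lan lookup 100`, but the connected route for 10.10.20.0/24 is on eth0.20 (the NORDVPN interface), so a packet from that VLAN never arrives on br-lan and can never match a rule pinned to `iif br-lan`. The posted `ip -4 ro li tab all` also contains no routes in table 100 at all, so even a matching rule would fall through to the main table. The uci commands the script prints are my suggested fix, not something from the thread: the section names pbr_nord_rule and pbr_nord_route are my own choice, `in 'NORDVPN'` is the UCI interface name (netifd resolves it to eth0.20), and the VPN interface name and table 100 are assumed to stay as in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): does an OpenWrt policy-routing rule
# ever match the VLAN it is meant to steer? Input below is copied (trimmed)
# from the diagnostic output posted in the thread so the script runs offline.

# Constructed from the thread's `ip -4 ro li tab all`: main table only,
# the posted output has no "table 100" entries.
ROUTES='default via 192.168.2.1 dev eth0.2 proto static src 192.168.2.108 metric 1
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
10.10.10.0/24 dev eth0.10 proto kernel scope link src 10.10.10.1
10.10.20.0/24 dev eth0.20 proto kernel scope link src 10.10.20.1
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1'

# Constructed from the thread's `ip -4 ru`.
RULES='0:      from all lookup local
1:      from 10.10.20.0/24 iif br-lan lookup 100
32766:  from all lookup main
32767:  from all lookup default'

# dev_for_prefix PREFIX ROUTES -> device holding the connected route for PREFIX
dev_for_prefix() {
    printf '%s\n' "$2" | awk -v p="$1" '$1 == p && $2 == "dev" { print $3; exit }'
}

# rule_iif TABLE RULES -> the iif the rule for TABLE is pinned to (empty if none)
rule_iif() {
    printf '%s\n' "$2" | awk -v t="$1" '
        $NF == t && $(NF-1) == "lookup" {
            for (i = 1; i <= NF; i++) if ($i == "iif") { print $(i+1); exit }
        }'
}

# table_has_default TABLE ROUTES -> exit 0 when TABLE carries a default route
table_has_default() {
    printf '%s\n' "$2" | awk -v t="$1" '
        $1 == "default" { for (i = 1; i <= NF; i++) if ($i == "table" && $(i+1) == t) f = 1 }
        END { exit f ? 0 : 1 }'
}

# check_pbr PREFIX TABLE ROUTES RULES -> NO_RULE, IIF_MISMATCH:<iif>!=<dev>, NO_DEFAULT or OK
check_pbr() {
    prefix=$1; table=$2; routes=$3; rules=$4
    if ! printf '%s\n' "$rules" | grep -q "lookup $table\$"; then echo NO_RULE; return; fi
    dev=$(dev_for_prefix "$prefix" "$routes")
    iif=$(rule_iif "$table" "$rules")
    # a rule with only "from" matches on any ingress device, so empty iif is fine
    if [ -n "$iif" ] && [ "$iif" != "$dev" ]; then echo "IIF_MISMATCH:$iif!=$dev"; return; fi
    if ! table_has_default "$table" "$routes"; then echo NO_DEFAULT; return; fi
    echo OK
}

# uci_fix PREFIX IFACE VPNIFACE TABLE -> prints uci commands pinning the rule to
# the UCI interface that actually carries PREFIX (hypothetical section names;
# delete the existing anonymous rule with in='lan' first, or br-lan is steered too)
uci_fix() {
    cat <<EOF
uci set network.pbr_nord_rule=rule
uci set network.pbr_nord_rule.in='$2'
uci set network.pbr_nord_rule.src='$1'
uci set network.pbr_nord_rule.lookup='$4'
uci set network.pbr_nord_route=route
uci set network.pbr_nord_route.interface='$3'
uci set network.pbr_nord_route.target='0.0.0.0'
uci set network.pbr_nord_route.netmask='0.0.0.0'
uci set network.pbr_nord_route.metric='200'
uci set network.pbr_nord_route.table='$4'
uci commit network
/etc/init.d/network reload
EOF
}

check_pbr 10.10.20.0/24 100 "$ROUTES" "$RULES"   # IIF_MISMATCH:br-lan!=eth0.20
uci_fix 10.10.20.0/24 NORDVPN VPN 100
```

Run it as-is to get the verdict on the posted data; on the router, feed the functions live output instead: `check_pbr 10.10.20.0/24 100 "$(ip -4 ro li tab all)" "$(ip -4 ru)"`. Two caveats the thread does not cover. First, the existing anonymous `config rule` with `option in 'lan'` must be removed before committing, otherwise 192.168.1.0/24 is steered as well. Second, while tun0 is down table 100 has no default route, so the rule falls through to main and NORDVPN traffic leaves via the WAN, because the lan zone (which lists NORDVPN) forwards to wan; if that leak matters, put NORDVPN in its own firewall zone that forwards only to the VPN zone, so the default `forward 'REJECT'` drops it instead.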