Openconnect and vpn-policy-routing

Hello Everyone:

I am trying and trying but without success; I read the openconnect section, the vpn-policy-routing section and the forum.

What I want is to have one laptop connect exclusively through openconnect.
openconnect works and I created a firewall zone for it too, but I cannot get this exclusivity.

Either I have the VPN on my laptop but also on all devices, or I don't have it on any.

So I am wondering what I am missing.
Could you help me?

Network:

config interface 'vpnc'
	option proto 'openconnect'
	option username <user.lastname>
	option usergroup <my group>
	option server <vpn host>
	option auto '0'
	option password <password>
	option defaultroute '0'

Firewall:

config zone
	option name 'vpnc'
	option output 'ACCEPT'
	option input 'REJECT'
	option network 'vpnc'
	option mtu_fix '1'
	option forward 'REJECT'
	option masq '1'

config forwarding
	option dest 'vpnc'
	option src 'lan'

vpn-policy-routing:

config policy
	option src_addr '192.168.1.209'
	option interface 'vpnc'
	option chain 'FORWARD'
	option name 'dubyte'
	option proto 'all'

config vpn-policy-routing 'config'
	option verbosity '2'
	option src_ipset '0'
	option ipv6_enabled '0'
	list ignored_interface 'vpnserver wgserver'
	option boot_timeout '30'
	option iptables_rule_option 'append'
	option iprule_enabled '0'
	option webui_sorting '1'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'
	list webui_supported_protocol 'all'
	option webui_enable_column '1'
	option enabled '1'
	option dest_ipset 'dnsmasq.ipset'
	list supported_interface 'vpnc'
	option webui_protocol_column '1'
	option webui_chain_column '1'
	option strict_enforcement '1'

Package: vpn-policy-routing
Version: 0.2.1-13

Thanks for your help in advance.

Please use the "Preformatted text </>" button for logs, scripts, configs and general console output.

Please copy the output of the following commands and post it here using the "Preformatted text </> " button.
Remember to redact passwords, MAC addresses and any public IP addresses you may have.

ubus call system board; \
uci export network; uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; uci export vpn-policy-routing; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ls -l  /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*

Thanks for the help, I will do what you mentioned.

This is the output:

 ubus call system board; \
> uci export network; uci export dhcp; uci export firewall; \
> head -n -0 /etc/firewall.user; uci export vpn-policy-routing; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
> ls -l  /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*
{
	"kernel": "4.14.195",
	"hostname": "OpenWrt",
	"system": "ARMv7 Processor rev 1 (v7l)",
	"model": "Linksys WRT3200ACM",
	"board_name": "linksys,rango",
	"release": {
		"distribution": "OpenWrt",
		"version": "19.07.4",
		"revision": "r11208-ce6496d796",
		"target": "mvebu/cortexa9",
		"description": "OpenWrt 19.07.4 r11208-ce6496d796"
	}
}
package network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd0c:2e7b:96b1::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	list dns '8.8.8.8'
	list dns '8.8.4.4'
	list dns '1.1.1.1'

config interface 'wan'
	option ifname 'eth1.2'
	option proto 'dhcp'

config interface 'wan6'
	option ifname 'eth1.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 5t'
	option vid '1'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6t'
	option vid '2'

config interface 'vpnc'
	option proto 'openconnect'
	option username 'sinuhe.tellez'
	option usergroup 'anyconnect'
	option server REDACTED
	option auto '0'
	option defaultroute '0'
	option password REDACTED

package dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option localservice '1'
	option rebind_protection '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config host
	option mac 'B8:27:EB:A5:9D:54'
	option leasetime 'infinite'
	option dns '1'
	option name 'azul'
	option ip '192.168.1.169'

config host
	option mac '74:EE:2A:54:FF:C4'
	option leasetime 'infinite'
	option dns '1'
	option name 'impresora'
	option ip '192.168.1.167'

config host
	option mac 'D4:6D:6D:A1:56:3A'
	option leasetime 'infinite'
	option dns '1'
	option name 'ix'
	option ip '192.168.1.209'

config host
	option mac 'DC:A6:32:BA:EF:E2'
	option leasetime 'infinite'
	option dns '1'
	option name 'trantor'
	option ip '192.168.1.151'

package firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option name 'vpnc'
	option output 'ACCEPT'
	option input 'REJECT'
	option network 'vpnc'
	option mtu_fix '1'
	option forward 'REJECT'
	option masq '1'

config forwarding
	option dest 'vpnc'
	option src 'lan'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
package vpn-policy-routing

config policy
	option src_addr '192.168.1.209'
	option interface 'vpnc'
	option chain 'FORWARD'
	option name 'dubyte'
	option proto 'all'

config vpn-policy-routing 'config'
	option verbosity '2'
	option src_ipset '0'
	option ipv6_enabled '0'
	list ignored_interface 'vpnserver wgserver'
	option boot_timeout '30'
	option iptables_rule_option 'append'
	option iprule_enabled '0'
	option webui_sorting '1'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'
	list webui_supported_protocol 'all'
	option webui_enable_column '1'
	option dest_ipset 'dnsmasq.ipset'
	list supported_interface 'vpnc'
	option webui_protocol_column '1'
	option webui_chain_column '1'
	option strict_enforcement '0'
	option enabled '0'

config include
	option path '/etc/vpn-policy-routing.netflix.user'
	option enabled '0'

config include
	option path '/etc/vpn-policy-routing.aws.user'
	option enabled '0'

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
8: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
10: eth1.2@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 23.91.240.253/27 brd 23.91.240.255 scope global eth1.2
       valid_lft forever preferred_lft forever
14: vpn-vpnc: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1250 qdisc fq_codel state UNKNOWN group default qlen 500
    inet 10.3.60.101/32 brd 255.255.255.255 scope global vpn-vpnc
       valid_lft forever preferred_lft forever
default via 23.91.240.225 dev eth1.2 proto static src 23.91.240.253 
8.36.162.210 dev vpn-vpnc proto static scope link 
10.3.0.0/16 dev vpn-vpnc proto static scope link 
10.4.0.0/14 dev vpn-vpnc proto static scope link 
10.30.0.0/16 dev vpn-vpnc proto static scope link 
10.74.0.0/16 dev vpn-vpnc proto static scope link 
10.96.0.0/16 dev vpn-vpnc proto static scope link 
10.100.0.0/19 dev vpn-vpnc proto static scope link 
10.100.32.0/19 dev vpn-vpnc proto static scope link 
10.100.127.0/24 dev vpn-vpnc proto static scope link 
10.100.128.0/19 dev vpn-vpnc proto static scope link 
10.100.160.0/19 dev vpn-vpnc proto static scope link 
10.100.255.0/24 dev vpn-vpnc proto static scope link 
10.199.0.0/16 dev vpn-vpnc proto static scope link 
10.200.0.0/22 dev vpn-vpnc proto static scope link 
10.201.0.0/24 dev vpn-vpnc proto static scope link 
10.255.192.0/19 dev vpn-vpnc proto static scope link 
10.255.252.0/22 dev vpn-vpnc proto static scope link 
23.91.240.224/27 dev eth1.2 proto kernel scope link src 23.91.240.253 
34.224.164.110 dev vpn-vpnc proto static scope link 
192.139.80.13 dev vpn-vpnc proto static scope link 
192.139.80.20 via 23.91.240.225 dev eth1.2 proto static 
192.139.80.43 dev vpn-vpnc proto static scope link 
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1 
local 10.3.60.101 dev vpn-vpnc table local proto kernel scope host src 10.3.60.101 
broadcast 23.91.240.224 dev eth1.2 table local proto kernel scope link src 23.91.240.253 
local 23.91.240.253 dev eth1.2 table local proto kernel scope host src 23.91.240.253 
broadcast 23.91.240.255 dev eth1.2 table local proto kernel scope link src 23.91.240.253 
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
broadcast 192.168.1.0 dev br-lan table local proto kernel scope link src 192.168.1.1 
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1 
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1 
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default 
lrwxrwxrwx    1 root     root            16 Sep  6 16:19 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            32 Oct  7 17:44 /tmp/resolv.conf
-rw-r--r--    1 root     root           226 Oct  7 17:40 /tmp/resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf.auto <==
# Interface vpnc
nameserver 10.3.10.41
nameserver 10.3.10.42
search indexexchange.com
# Interface lan
nameserver 8.8.8.8
nameserver 8.8.4.4
nameserver 1.1.1.1
# Interface wan
nameserver 209.197.128.2
nameserver 209.197.128.5

Hi
I just realized that vpn-policy-routing was disabled when I ran the command.

I just enabled it. Same result: everything on the internal network has access to the VPN, but I want only one IP to have access to it.

Remove these nameservers from the lan interface and add them under wan instead. Nameservers should be declared under the interface where they are reachable from.

	list dns '8.8.8.8'
	list dns '8.8.4.4'
	list dns '1.1.1.1'

In the policy add /32 after the .209 address and restart vpn-policy-routing.
If it still doesn't work, also post the output of iptables-save -c.


After making these changes I can still connect through the VPN from a host that is not in the policy.

This is the output of iptables-save:

iptables-save -c
# Generated by iptables-save v1.8.3 on Fri Oct  9 13:31:48 2020
*nat
:PREROUTING ACCEPT [4293:489863]
:INPUT ACCEPT [1473:113156]
:OUTPUT ACCEPT [1300:91363]
:POSTROUTING ACCEPT [38:3635]
:postrouting_vpnc_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_vpnc_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_vpnc_postrouting - [0:0]
:zone_vpnc_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[4293:489863] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[3456:414878] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[837:74985] -A PREROUTING -i eth1.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i vpn-vpnc -m comment --comment "!fw3" -j zone_vpnc_prerouting
[2792:240097] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[4:1322] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[2587:224502] -A POSTROUTING -o eth1.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[167:11960] -A POSTROUTING -o vpn-vpnc -m comment --comment "!fw3" -j zone_vpnc_postrouting
[167:11960] -A zone_vpnc_postrouting -m comment --comment "!fw3: Custom vpnc postrouting rule chain" -j postrouting_vpnc_rule
[167:11960] -A zone_vpnc_postrouting -m comment --comment "!fw3" -j MASQUERADE
[0:0] -A zone_vpnc_prerouting -m comment --comment "!fw3: Custom vpnc prerouting rule chain" -j prerouting_vpnc_rule
[4:1322] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[3456:414878] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[2587:224502] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[2587:224502] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[837:74985] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Fri Oct  9 13:31:48 2020
# Generated by iptables-save v1.8.3 on Fri Oct  9 13:31:48 2020
*mangle
:PREROUTING ACCEPT [150952:110438617]
:INPUT ACCEPT [12118:10049084]
:FORWARD ACCEPT [137914:100216731]
:OUTPUT ACCEPT [6474:841044]
:POSTROUTING ACCEPT [144334:101054843]
:VPR_FORWARD - [0:0]
:VPR_INPUT - [0:0]
:VPR_OUTPUT - [0:0]
:VPR_PREROUTING - [0:0]
[150958:110439045] -A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
[12121:10049356] -A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
[696:39536] -A FORWARD -o eth1.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[690:38656] -A FORWARD -i eth1.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[7:420] -A FORWARD -o vpn-vpnc -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone vpnc MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[7:420] -A FORWARD -i vpn-vpnc -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone vpnc MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[137917:100216887] -A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
[6478:841396] -A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
[14843:2086088] -A VPR_FORWARD -s 192.168.1.209/32 -m comment --comment dubyte -j MARK --set-xmark 0x20000/0xff0000
[0:0] -A VPR_FORWARD -m set --match-set vpnc dst -j MARK --set-xmark 0x20000/0xff0000
[0:0] -A VPR_FORWARD -m set --match-set wan dst -j MARK --set-xmark 0x10000/0xff0000
[0:0] -A VPR_INPUT -m set --match-set vpnc dst -j MARK --set-xmark 0x20000/0xff0000
[0:0] -A VPR_INPUT -m set --match-set wan dst -j MARK --set-xmark 0x10000/0xff0000
[0:0] -A VPR_OUTPUT -m set --match-set vpnc dst -j MARK --set-xmark 0x20000/0xff0000
[0:0] -A VPR_OUTPUT -m set --match-set wan dst -j MARK --set-xmark 0x10000/0xff0000
[0:0] -A VPR_PREROUTING -m set --match-set vpnc dst -j MARK --set-xmark 0x20000/0xff0000
[0:0] -A VPR_PREROUTING -m set --match-set wan dst -j MARK --set-xmark 0x10000/0xff0000
COMMIT
# Completed on Fri Oct  9 13:31:48 2020
# Generated by iptables-save v1.8.3 on Fri Oct  9 13:31:48 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_vpnc_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_vpnc_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_vpnc_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_vpnc_dest_ACCEPT - [0:0]
:zone_vpnc_dest_REJECT - [0:0]
:zone_vpnc_forward - [0:0]
:zone_vpnc_input - [0:0]
:zone_vpnc_output - [0:0]
:zone_vpnc_src_REJECT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[248:22756] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[13959:11385021] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[11287:11164790] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[498:22804] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[1733:141134] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[939:79097] -A INPUT -i eth1.2 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i vpn-vpnc -m comment --comment "!fw3" -j zone_vpnc_input
[139999:100921564] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[138673:100754418] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[1326:167146] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth1.2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i vpn-vpnc -m comment --comment "!fw3" -j zone_vpnc_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[248:22756] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[9209:10465049] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[7910:10373333] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[6:1978] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[1131:78058] -A OUTPUT -o eth1.2 -m comment --comment "!fw3" -j zone_wan_output
[162:11680] -A OUTPUT -o vpn-vpnc -m comment --comment "!fw3" -j zone_vpnc_output
[465:20436] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[400:52779] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[498:22804] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[0:0] -A zone_vpnc_dest_ACCEPT -o vpn-vpnc -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[169:12100] -A zone_vpnc_dest_ACCEPT -o vpn-vpnc -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_vpnc_dest_REJECT -o vpn-vpnc -m comment --comment "!fw3" -j reject
[0:0] -A zone_vpnc_forward -m comment --comment "!fw3: Custom vpnc forwarding rule chain" -j forwarding_vpnc_rule
[0:0] -A zone_vpnc_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_vpnc_forward -m comment --comment "!fw3" -j zone_vpnc_dest_REJECT
[0:0] -A zone_vpnc_input -m comment --comment "!fw3: Custom vpnc input rule chain" -j input_vpnc_rule
[0:0] -A zone_vpnc_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_vpnc_input -m comment --comment "!fw3" -j zone_vpnc_src_REJECT
[162:11680] -A zone_vpnc_output -m comment --comment "!fw3: Custom vpnc output rule chain" -j output_vpnc_rule
[162:11680] -A zone_vpnc_output -m comment --comment "!fw3" -j zone_vpnc_dest_ACCEPT
[0:0] -A zone_vpnc_src_REJECT -i vpn-vpnc -m comment --comment "!fw3" -j reject
[6:1978] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[1326:167146] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[1326:167146] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[7:420] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to vpnc forwarding policy" -j zone_vpnc_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[1733:141134] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[1733:141134] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[6:1978] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[6:1978] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[1733:141134] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[54:2932] -A zone_wan_dest_ACCEPT -o eth1.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[2396:241852] -A zone_wan_dest_ACCEPT -o eth1.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth1.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[939:79097] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[1:328] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[62:5158] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[11:396] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[865:73215] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[1131:78058] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[1131:78058] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[865:73215] -A zone_wan_src_REJECT -i eth1.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Fri Oct  9 13:31:48 2020

Thanks

I don't see anything unusual here.
[14843:2086088] -A VPR_FORWARD -s 192.168.1.209/32 -m comment --comment dubyte -j MARK --set-xmark 0x20000/0xff0000
The designated host is having its packets marked to use the VPN connection. Everything else will use the routing table (which, by the way, has a lot of entries via the VPN).
Which host is having the issue? Which address is it trying to reach?


Thanks, @trendy for the help.

The thing is, the following IPs also have access, and I would want only 192.168.1.209/32 to have it.
192.168.1.173
192.168.1.169

Do you think this is OK?

config forwarding
	option dest 'vpnc'
	option src 'lan'

Basically, there I said to forward lan to vpnc, which works if I want everything to be forwarded, but if I want to limit it to only one IP, is that config OK?

If you want only that IP from lan to have access to the VPN, then you need to delete this forwarding and add a rule:

config rule
	option src 'lan'
	option name 'Allow host to vpn'
	list src_ip '192.168.1.209'
	option family 'ipv4'
	option target 'ACCEPT'
	option dest 'vpnc'
	list proto 'all'

Thanks @trendy, it works, but I am confused.

In that situation I am not really using vpn-policy-routing, right?

Can this be achieved using vpn-policy-routing?

Maybe I am not understanding what it is for.

Thanks

I am not sure what your use case is, as you didn't mention it earlier when I asked you for the destination address.
VPR will use an alternative routing table for the specified host, which may have a different default gateway. If you have it disabled (option enabled is '0') it won't affect routing.

Thanks @trendy, I think you resolved my use case. The only thing is, it would be nice to use vpn-policy-routing; would it be hard to use VPR instead of the firewall rules?

I think you are missing the function of each component. In a nutshell:

  1. Firewall rules will allow or deny traffic.
  2. Regular routing will make a decision based on the destination address using the main routing table.
  3. Policy-based routing will take the source address into consideration and can make a routing decision using an alternative routing table.
     Therefore you cannot do with the firewall the things that PBR does.
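Added here to illustrate the distinction above and the rule suggested earlier in the thread (this is an added example, not code from the thread or from the vpn-policy-routing project): a POSIX sh check over iptables-save -c output that separates what PBR marks from what the firewall admits into the vpnc zone. The two sample dumps, the names dump_before/dump_after, and the assumed fw3 rendering of the "Allow host to vpn" rule are constructed; the mark value 0x20000/0xff0000 is the one visible in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: given `iptables-save -c` output in
# the format posted above, report (a) which sources vpn-policy-routing marks
# for the VPN routing table (the PBR decision) and (b) which lan sources fw3
# lets forward into the vpnc zone (the firewall decision).  Both dumps below
# are constructed samples; the mark value 0x20000/0xff0000 is the one in the
# thread, and the "after" dump assumes fw3 renders the suggested config rule
# as a -s match that jumps to zone_vpnc_dest_ACCEPT.

VPN_MARK='0x20000/0xff0000'

# Constructed "before" sample: VPR marks .209, but the blanket
# "config forwarding lan -> vpnc" lets every lan host reach the zone.
dump_before() {
cat <<'EOF'
*mangle
[14843:2086088] -A VPR_FORWARD -s 192.168.1.209/32 -m comment --comment dubyte -j MARK --set-xmark 0x20000/0xff0000
[0:0] -A VPR_FORWARD -m set --match-set wan dst -j MARK --set-xmark 0x10000/0xff0000
COMMIT
*filter
[1326:167146] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[7:420] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to vpnc forwarding policy" -j zone_vpnc_dest_ACCEPT
COMMIT
EOF
}

# Constructed "after" sample: the forwarding is gone and a single rule with a
# source match admits only .209 into the vpnc zone (assumed fw3 rendering).
dump_after() {
cat <<'EOF'
*filter
[0:0] -A zone_lan_forward -s 192.168.1.209/32 -m comment --comment "!fw3: Allow host to vpn" -j zone_vpnc_dest_ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
COMMIT
EOF
}

# Print the -s address of every VPR_FORWARD rule that sets the VPN mark.
vpr_marked_sources() {
    awk -v mark="$VPN_MARK" '
        /-A VPR_FORWARD / && index($0, "--set-xmark " mark) {
            for (i = 1; i <= NF; i++) if ($i == "-s") print $(i + 1)
        }'
}

# Print the -s address of every zone_lan_forward rule that reaches the vpnc
# zone, or "all" for a rule with no source match (the blanket forwarding).
lan_sources_allowed_to_vpnc() {
    awk '
        /-A zone_lan_forward / && /-j zone_vpnc_dest_ACCEPT/ {
            src = "all"
            for (i = 1; i <= NF; i++) if ($i == "-s") src = $(i + 1)
            print src
        }'
}

echo "before: VPR marks   $(dump_before | vpr_marked_sources | tr '\n' ' ')"
echo "before: fw3 admits  $(dump_before | lan_sources_allowed_to_vpnc | tr '\n' ' ')"
echo "after:  fw3 admits  $(dump_after | lan_sources_allowed_to_vpnc | tr '\n' ' ')"
```

On a live router, replace the sample functions with `iptables-save -c |` in front of each check; a result of "all" from the second check means the firewall, not VPR, is what lets every lan host reach the VPN.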

I see, thank you.

