Routing inbound 192.168.1.1 traffic to veth?

I have a veth pair (veth-lan and veth-br) set up with veth-br a member of br-lan so that I can shape on veth-lan download traffic (mixture of VPN and non-VPN traffic) without shaping router<>lan traffic. This trick works very well for all traffic from wan/vpn to 192.168.1.0/24.


However, it does not work for traffic from wan/vpn to the router itself on 192.168.1.1.

Why not? And can I fix this so that traffic from wan/vpn to 192.168.1.1 first hits veth-lan, rather than first hitting br-lan?

I have the following ip rules:

0:      from all lookup local
10000:  from 192.168.1.1 lookup br-lan
10000:  from 10.9.7.225 lookup wan
10000:  from 10.5.0.2 lookup vpn
14000:  from all iif wan lookup veth-lan
14000:  from all iif vpn lookup veth-lan
14000:  from 192.168.1.8 iif br-lan lookup wan
14000:  from 192.168.1.9 iif br-lan lookup wan
14000:  from all to 192.168.8.1 iif br-lan lookup wan
15000:  from all iif br-lan lookup vpn
20000:  from all to 192.168.1.1/24 lookup br-lan
20000:  from all to 10.9.7.225/8 lookup wan
20000:  from all to 10.5.0.2 lookup vpn
32766:  from all lookup main
32767:  from all lookup default
40000:  from all iif br-lan lookup wan
90007:  from all iif lo lookup wan
90015:  from all iif lo lookup br-lan
90016:  from all iif lo lookup veth-lan
90069:  from all iif lo lookup vpn

wan/vpn traffic to my lan (not router) gets caught by:

14000:  from all iif wan lookup veth-lan
14000:  from all iif vpn lookup veth-lan

This does not appear to cover traffic to 192.168.1.1? Why not?

Is that because wan/vpn traffic to 192.168.1.1 is getting caught by:

0:      from all lookup local

I wonder?

So here is the local table:

root@OpenWrt:~# ip route show table local
broadcast 10.0.0.0 dev wan scope link  src 10.9.7.225
local 10.5.0.2 dev vpn scope host  src 10.5.0.2
local 10.9.7.225 dev wan scope host  src 10.9.7.225
broadcast 10.255.255.255 dev wan scope link  src 10.9.7.225
broadcast 127.0.0.0 dev lo scope link  src 127.0.0.1
local 127.0.0.0/8 dev lo scope host  src 127.0.0.1
local 127.0.0.1 dev lo scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo scope link  src 127.0.0.1
broadcast 192.168.1.0 dev br-lan scope link  src 192.168.1.1
local 192.168.1.1 dev br-lan scope host  src 192.168.1.1
broadcast 192.168.1.255 dev br-lan scope link  src 192.168.1.1

Actually I do not understand:

local 192.168.1.1 dev br-lan scope host  src 192.168.1.1

But I presume it is this route that is resulting in wan/vpn traffic going to br-lan?

Any thoughts? What static route/rule would I need to get wan/vpn traffic destined for 192.168.1.1 routed to veth-lan?
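A small policy-routing lookup over the rules and local table quoted above, added here as an illustration (it is not from the post or from OpenWrt): it walks the rules in priority order the way the kernel does and shows that a wan/vpn packet for 192.168.1.1 is resolved by the priority-0 local table as a local (host-delivery) route before the iif rules at 14000 are ever consulted, while a packet for another 192.168.1.0/24 host falls through to the veth-lan table. The contents of the veth-lan and br-lan tables are assumed, since the post does not show them.

```python
import ipaddress

# Constructed from the `ip rule` / `ip route show table local` output in the post
# (reduced to the rules that matter here). The veth-lan and br-lan tables are
# assumed, since the post does not show them. Rule: (priority, from, to, iif, table).
RULES = [
    (0,     None,             None,             None,  "local"),
    (10000, "192.168.1.1/32", None,             None,  "br-lan"),
    (14000, None,             None,             "wan", "veth-lan"),
    (14000, None,             None,             "vpn", "veth-lan"),
    (20000, None,             "192.168.1.1/24", None,  "br-lan"),
]
# Route: (prefix, type, dev). A "local" route means delivery to the host's own
# stack; the dev is the interface the address lives on, not an egress choice.
TABLES = {
    "local": [("192.168.1.0/32", "broadcast", "br-lan"),
              ("192.168.1.1/32", "local", "br-lan"),
              ("192.168.1.255/32", "broadcast", "br-lan"),
              ("10.9.7.225/32", "local", "wan")],
    "veth-lan": [("192.168.1.0/24", "unicast", "veth-lan")],  # assumed
    "br-lan": [("192.168.1.0/24", "unicast", "br-lan")],      # assumed
}

def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)

def _longest_match(table, dst):
    """Longest-prefix match in one table; None when the table has no route for dst."""
    best = None
    for prefix, rtype, dev in TABLES[table]:
        net = _net(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, rtype, dev)
    return best

def lookup(src, dst, iif):
    """Walk rules in priority order as the kernel's FIB rule engine does: a matching
    rule consults its table, and if that table has no route for dst the walk goes
    on to the next rule. Returns (priority, table, route_type, dev) of the first hit."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for prio, frm, to, rule_iif, table in RULES:
        if (frm and src not in _net(frm)) or (to and dst not in _net(to)):
            continue
        if rule_iif and rule_iif != iif:
            continue
        hit = _longest_match(table, dst)
        if hit:
            return (prio, table, hit[1], hit[2])
    return None  # no rule/table resolved it (main/default omitted here)
```

Running `lookup("10.0.0.5", "192.168.1.1", "wan")` returns the priority-0 local hit, whereas `lookup("10.0.0.5", "192.168.1.50", "wan")` reaches the 14000 iif rule and the veth-lan table.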

What kind of WAN traffic would reach the LAN interface IP of 192.168.1.1? I would think incoming WAN traffic meant for the router itself would end up on the WAN IP (e.g. iptables INPUT chain).


So far I have seen at least iperf3 traffic from a public test server. Or download associated with rclone mount. I must confess my understanding is rather limited about iptables. Does that mean it is not possible to route traffic using ip route / ip rule in the manner I am familiar with?

I'm no routing guru. It just sounded like an odd scenario to me. Wait here. Help is on the way, I'm sure.


I need this for auto bandwidth adjustment for CAKE - to ensure the pings from router go through CAKE both ways.

@vgaetera any thoughts?