Here is the output, it took a little longer as the format was incorrect, I've added the network config at the end.
Do these sections need to be filled out with IP's?
option target '0.0.0.0'
option netmask '0.0.0.0'
I think it's not picking up the exvpn table
root@LEDE:~# ip -4 rule
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
root@LEDE:~# ip -4 route show table all
0.0.0.0/1 via 10.7.10.5 dev tun0
default via 192.168.10.1 dev eth0 proto static src 192.168.10.4
8.8.4.4 via 192.168.2.1 dev br-lan proto static metric 2
8.8.8.8 via 192.168.2.1 dev br-lan proto static metric 2
10.7.10.1 via 10.7.10.5 dev tun0
10.7.10.5 dev tun0 proto kernel scope link src 10.7.10.6
128.0.0.0/1 via 10.7.10.5 dev tun0
168.1.75.54 via 192.168.10.1 dev eth0
192.168.2.0/24 dev br-lan proto kernel scope link src 192.168.2.1
192.168.3.0/24 dev br-guest proto kernel scope link src 192.168.3.1
192.168.10.0/24 dev eth0 proto kernel scope link src 192.168.10.4
192.168.10.1 dev eth0 proto static scope link src 192.168.10.4
local 10.7.10.6 dev tun0 table local proto kernel scope host src 10.7.10.6
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.2.0 dev br-lan table local proto kernel scope link src 192.168.2.1
local 192.168.2.1 dev br-lan table local proto kernel scope host src 192.168.2.1
broadcast 192.168.2.255 dev br-lan table local proto kernel scope link src 192.168.2.1
broadcast 192.168.3.0 dev br-guest table local proto kernel scope link src 192.168.3.1
local 192.168.3.1 dev br-guest table local proto kernel scope host src 192.168.3.1
broadcast 192.168.3.255 dev br-guest table local proto kernel scope link src 192.168.3.1
broadcast 192.168.10.0 dev eth0 table local proto kernel scope link src 192.168.10.4
local 192.168.10.4 dev eth0 table local proto kernel scope host src 192.168.10.4
broadcast 192.168.10.255 dev eth0 table local proto kernel scope link src 192.168.10.4
Ah, thats the problem then - sorry for not being clear about that. While you can encode rules and routes (with references to symbolic table names) in /e/c/network you still need to keep the actual name definition in /etc/iproute2/rt_tables. So add that 10 exvpn line back there and it should work - or alternatively - replace all occurrences of exvpn with 10 to avoid the need for that extra definition in an external file.
Looks like the reserved and DHCP allocated IPs are getting the ISP allocated IP. Normally the DHCP IP's should get the VPN IP.
root@LEDE:~# ip -4 rule
0: from all lookup local
1: from all iif br-lan lookup exvpn
2: from all iif br-lan lookup exvpn
3: from all iif br-lan lookup exvpn
4: from all iif br-lan lookup exvpn
5: from all iif br-lan lookup exvpn
32766: from all lookup main
32767: from all lookup default
Should I have also taken out this section, now that I have the 10 exvpn in /etc/iproute2/rt_tables?
Ah the source IP attribute was not used, possibly my mistake. Replace all option src 192.168.2.25x with option src 192.168.2.25x/32 (add /32 at the end).
Nope, that section is defining the extra default route.
OK, I've tested 1x static IP and it's bypassing the VPN, and also tested 1x DHCP address which is using the VPN IP address!
root@LEDE:~# ip -4 rule
0: from all lookup local
1: from 192.168.2.250 iif br-lan lookup exvpn
2: from 192.168.2.251 iif br-lan lookup exvpn
3: from 192.168.2.252 iif br-lan lookup exvpn
4: from 192.168.2.253 iif br-lan lookup exvpn
5: from 192.168.2.254 iif br-lan lookup exvpn
32766: from all lookup main
32767: from all lookup default
root@LEDE:~# ip -4 route show table all
default via 192.168.10.1 dev eth0 table exvpn proto static
0.0.0.0/1 via 10.86.10.5 dev tun0
default via 192.168.10.1 dev eth0 proto static src 192.168.10.4
8.8.4.4 via 192.168.2.1 dev br-lan proto static metric 2
8.8.8.8 via 192.168.2.1 dev br-lan proto static metric 2
10.86.10.1 via 10.86.10.5 dev tun0
10.86.10.5 dev tun0 proto kernel scope link src 10.86.10.6
128.0.0.0/1 via 10.86.10.5 dev tun0
168.1.112.113 via 192.168.10.1 dev eth0
192.168.2.0/24 dev br-lan proto kernel scope link src 192.168.2.1
192.168.3.0/24 dev br-guest proto kernel scope link src 192.168.3.1
192.168.10.0/24 dev eth0 proto kernel scope link src 192.168.10.4
192.168.10.1 dev eth0 proto static scope link src 192.168.10.4
local 10.86.10.6 dev tun0 table local proto kernel scope host src 10.86.10.6
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.2.0 dev br-lan table local proto kernel scope link src 192.168.2.1
local 192.168.2.1 dev br-lan table local proto kernel scope host src 192.168.2.1
broadcast 192.168.2.255 dev br-lan table local proto kernel scope link src 192.168.2.1
broadcast 192.168.3.0 dev br-guest table local proto kernel scope link src 192.168.3.1
local 192.168.3.1 dev br-guest table local proto kernel scope host src 192.168.3.1
broadcast 192.168.3.255 dev br-guest table local proto kernel scope link src 192.168.3.1
broadcast 192.168.10.0 dev eth0 table local proto kernel scope link src 192.168.10.4
local 192.168.10.4 dev eth0 table local proto kernel scope host src 192.168.10.4
broadcast 192.168.10.255 dev eth0 table local proto kernel scope link src 192.168.10.4
What do you intend to achieve with these routes? Since the router itself is 192.168.2.1 it does not make much sense to have these, essentially looping traffic to itself.
Do you mean to intercept traffic to 8.8.8.8 / 8.8.4.4 and forcibly direct it to the local dnsamsq?
The 2x google static routes (plus more) are to block devices from using that address, and others I haven't mentioned as it was easier to work with these ATM to prove there is a problem with static routes over the exvpn table.
Reason for static routes:
by segregating the 5x IP's, in effect to use the ISP IP address via the exvpn route, they are used to access US Netflix (here in Australia). Without my local ISP IP address, Netflix will recognize the VPN IP and it won't let me view Netflix here.
I use a SmartDNS Proxy service that requires just short of 10x static routes to utilize their service, and for some reason on these 5x exvpn IP addresses the static routes seem to be bypassed ATM.
That helps, in this case remove these special routes but add varied rules instead:
config rule
option in 'lan' # came via (br-)lan
option dest '8.8.8.8/32' # directed to 8.8.8.8
option lookup 'exvpn' # divert to exvpn route table to use the non-vpn default route
If the objective is to completely prevent communication with 45.57.0.0/17 then yes, it would be equivalent. But what it will not do is redirecting such traffic to other destinations.
The problem is that on the 192.168.2.1 host you're installing a route stating that a resource is available via the 192.168.2.1 host - this cannot work and will lead to the destination host unreachable error you see.
Such routes generally only make sense when they utilize a gateway on another host, means a gateway IP that is not bound to any local interface of the router itself.
So, if you want to completely deny traffic to such destinations, use an iptables REJECT rule. If you want traffic to these destinations to bypass the VPN, use a varied rule instead.
Before getting on here tonight, I completely removed all references to exvpn table and routes, disabled the VPN so I could see if the static routes worked, they did.
I don't know the reason as to why they don't work when using the exvpn table?