Static IP device - static routes bypass routing table

Can you better describe "work" and "not work"? I still do not fully understand the purpose of these routes.

Work = they drop traffic?
Not work = they pass traffic?

Some more thoughts:

In your policy routing setup you redirect all traffic from 192.168.2.25x to a separate routing table exvpn where the flows encounter a sole terminal default via 192.168.10.1 dev eth0 route.

The main routing table, which among the standard interface subnet routes etc. contains your static 8.8.8.8 / 8.8.4.4 "blackhole" routes (I'll call them this way since this appears to be the intent), is entirely bypassed, so it is expected that exvpn-eligible hosts are not affected by them.

You could either duplicate those static exception routes into the exvpn table, use rules to make routing decisions, or use iptables to block the traffic.

Edit:

Yet another possible way would be moving these block-routes into the local routing table, which precedes the exvpn and main ones, but I didn't actually test that.

IMHO the cleanest solution to block traffic would be this:

config rule
  option in lan
  option dest 8.8.8.8/32
  option action prohibit

which would be roughly equivalent to iptables -I FORWARD -i br-lan -d 8.8.8.8 -j REJECT

The cleanest solution to make traffic to these IPs always bypass VPN would be

config rule
  option in lan
  option dest 8.8.8.8/32
  option lookup exvpn
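A constructed model of the rule walk described above, as an added example that is not part of jow's reply or of OpenWrt itself. It assumes the exvpn hosts are 192.168.2.248/29 (a stand-in for "192.168.2.25x"), that an `option in lan` rule matches on incoming interface br-lan, and that the prohibit rules get a lower priority number than the exvpn rule; it shows why the main-table blackholes are skipped for exvpn hosts and how a prohibit rule closes that gap.

```python
import ipaddress

# Constructed tables: main holds the two "blackhole" routes plus the usual
# subnet and default routes; exvpn holds only the terminal default route.
TABLES = {
    "main": [("8.8.8.8/32", "blackhole", None), ("8.8.4.4/32", "blackhole", None),
             ("192.168.2.0/24", "unicast", "dev br-lan"),
             ("0.0.0.0/0", "unicast", "via 192.168.10.1 dev eth0")],
    "exvpn": [("0.0.0.0/0", "unicast", "via 192.168.10.1 dev eth0")],
}

def lookup(table, dst):
    """Longest-prefix match inside one table; returns (type, nexthop) or None."""
    best = None
    for prefix, rtype, nh in TABLES[table]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, rtype, nh)
    return None if best is None else best[1:]

def route(rules, iif, src, dst):
    """Walk (priority, selector, action) rules in order; the first hit decides.
    'prohibit' rejects outright; a table name is looked up and, if that table
    has no matching route, processing continues with the next rule."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _, sel, action in sorted(rules, key=lambda r: r[0]):
        if sel.get("iif", iif) != iif:
            continue
        if (src not in ipaddress.ip_network(sel.get("from", "0.0.0.0/0"))
                or dst not in ipaddress.ip_network(sel.get("to", "0.0.0.0/0"))):
            continue
        if action == "prohibit":
            return "prohibit"
        hit = lookup(action, dst)
        if hit is None:
            continue
        return hit[0] if hit[0] != "unicast" else f"{hit[1]} [{action}]"
    return "unreachable"

# Original setup: exvpn hosts (assumed 192.168.2.248/29) never consult main.
ORIGINAL = [(1000, {"from": "192.168.2.248/29"}, "exvpn"), (32766, {}, "main")]
# Suggested fix: 'config rule' with in lan / dest 8.8.8.8/32 / action prohibit,
# assumed to be installed ahead of the exvpn rule (priorities 900/901 are made up).
FIXED = [(900, {"iif": "br-lan", "to": "8.8.8.8/32"}, "prohibit"),
         (901, {"iif": "br-lan", "to": "8.8.4.4/32"}, "prohibit")] + ORIGINAL

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name, "exvpn host -> 8.8.8.8:", route(rules, "br-lan", "192.168.2.250", "8.8.8.8"))
```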

Yes.
I originally thought I possibly had a corrupt OpenWrt installation; going back to a reasonable default state proved it wasn't, when using the 2x Google static routes I've mentioned in this topic.

Yes, this is what I considered when navigating the static route LuCI page; I thought, wouldn't that be useful, providing a method to do so.

Using the static rule above, would it be a matter of using the varied rules below?

config rule
	option in 'lan'
	option dest '45.57.0.0/17'
	option lookup 'exvpn'

Yep, that looks correct.

I'll give it a bash tomorrow; it's fairly late here and I need to get to bed. Tomorrow I'll review the information you have provided me more closely.

I value this information I have learnt, and appreciate the time and effort you have provided for me today. Thank you, jow! :+1:

After some required sleep :sleepy: and a somewhat refreshed start today, I initially settled for these rules, which indeed work in either exvpn or VPN states.

config rule
	option in 'lan'
	option dest '8.8.8.8/32'
	option action 'prohibit'

config rule
	option in 'lan'
	option dest '8.8.4.4/32'
	option action 'prohibit'

I did add the line option lookup 'exvpn' to the above rules, but for some reason it didn't utilize it; it behaved the same as if I didn't insert it :confused:, so I left it out.

I also disconnected the ethernet (VPN) & exvpn (WiFi) and re-connected as a guest (WiFi), where I obtained replies to pings to e.g. 8.8.8.8, which was expected!
Reply from 8.8.8.8: bytes=32 time=37ms TTL=118

To further assist anyone reading, this page is a good source of additional information:
IP rules (policy routing)

EDIT: I also tested another type of static route that utilizes the local routing table (which precedes the exvpn and main routing tables) and covers both lan & guest interfaces, using option table 'local':

config route 'your_route_name'
	option interface 'lan'
	option target '8.8.8.8'
	option netmask '255.255.255.255'
	option gateway '192.168.2.1'
	option metric '2'
	option table 'local'

EDIT: I also tested this static route that utilizes the exvpn routing table exclusively, using option table 'exvpn':

config route 'your_route_name'
	option interface 'lan'
	option target '8.8.8.8'
	option netmask '255.255.255.255'
	option gateway '192.168.2.1'
	option metric '2'
	option table 'exvpn'

To further assist anyone reading, this page is a good source of additional information:
Static Routes

I finally decided to use this rule type as it specifically targets my static-IP-assigned (exvpn) devices ONLY! :smiley:

Once again I truly thank @jow for his overwhelming knowledge and support; the OpenWrt community indeed has a valuable member :wink:
