VPN policy-based routing using ports: confused how this works

Hi, I'm using vpn-policy-routing 0.2.1-13 (LuCI openwrt-19.07 branch (git-20.311.85693-0e6a8c2) / OpenWrt 19.07.4 r11208-ce6496d796).

I've set the following settings in PBR; I think this means:
- Client 10.0.1.2's Internet access is over the VPN
- Ports are going through WAN. Is this correct thinking?

(The NAS was completely on WAN because I need port forwarding from the Internet. With the NAS on the VPN the port forwarding is not working, so I need the ports on WAN for this to work.) Is this the way to fine-tune this?

root@MPM-ROUTER:/etc/config# cat vpn-policy-routing

config policy
        option interface 'wan'
        option name 'NAS'
        option src_addr '10.0.1.2'
        option proto 'tcp udp'
        option src_port '500 1701 4500'
        option dest_port '500 1701 4500'

Or do I set the interface to VPN and exclude the ports with !, like !500 !1701 !4500 etc.?

It looks weird to forward ISAKMP/L2TP/IPsec to the NAS, so what protocols do you want to forward?

Also, when sending replies to queries, the source port is typically fixed but the destination port is dynamic; that is why you should not specify it.

They are there as an example (I used L2TP when the OpenWrt router wasn't in place yet), but I need ports like 5001 so that I (or some apps on my phone) can reach my NAS from the Internet.

I would like to put my NAS behind the VPN if possible, but then some ports need to be accessible via WAN.

I would say this is what you want:

config policy
        option name 'NAS'
        option src_addr '10.0.1.2'
        option dest_addr '0.0.0.0/0'
        # name of your VPN interface - could also be ppp1...
        option interface 'tun0'

I presumed that the VPN (OpenVPN in this case) was running on the OpenWrt router you're setting this policy on.
As long as you're forwarding ports on your OpenWrt device it'll work, as the NAS will see the traffic coming from the LAN, not the VPN.

@maurer
the OpenVPN client is running on my OpenWrt router, and so is the policy.
When I make the policy rule as suggested and test it by trying to access my NAS at https://fqdn:5001 from the Internet, there is no connection. The port is of course forwarded to the device (NAS).

Any ideas?

It should be the WAN interface, not VPN.

Correct:

config policy
        option name 'NAS'
        option src_addr '10.0.1.2'
        option dest_addr '0.0.0.0/0'
        option interface 'wan'
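As an added example, not code from this thread or from the vpn-policy-routing project: a small Python model of how a policy like the two posted above is matched against a packet leaving the LAN. It parses the `config policy` sections of a UCI file and applies the matching this model assumes (every specified option must match, the first matching policy decides, and traffic matching no policy follows the main routing table, which is the VPN once the OpenVPN client has installed its default route); hostnames in address lists and port lists that mix `!` with plain items are not modelled. The sample configs and the packet are constructed copies of what the thread discusses, with documentation-range addresses standing in for the remote client.

```python
import ipaddress
import re
from dataclasses import dataclass


# Constructed packet as the router sees the NAS's *reply* leaving the LAN:
# src is the NAS, dst is the Internet host that connected to the forwarded port.
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


def parse_uci_policies(text):
    """Return the `config policy` sections of a vpn-policy-routing UCI file
    as a list of dicts (option name -> value). Other section types are skipped.
    Comments are accepted only on their own line, as in real UCI."""
    policies, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        section = re.match(r"config\s+(\S+)", line)
        if section:
            current = {} if section.group(1) == "policy" else None
            if current is not None:
                policies.append(current)
            continue
        opt = re.match(r"option\s+(\S+)\s+'([^']*)'", line)
        if opt and current is not None:
            current[opt.group(1)] = opt.group(2)
    return policies


def _port_in(item, port):
    """item is a single port ('443') or a range ('1024-65535')."""
    lo, _, hi = item.partition("-")
    return int(lo) <= port <= int(hi or lo)


def port_matches(spec, port):
    """Match a port against a space-separated port list. An empty list matches
    any port; items may be ports or ranges, and may all carry a leading '!'
    (mixed negated/plain lists are not modelled here, an assumption of this toy)."""
    items = spec.split()
    if not items:
        return True
    negated = [i.startswith("!") for i in items]
    if any(negated) and not all(negated):
        raise ValueError("mixed '!' and plain items are not modelled: %r" % spec)
    hit = any(_port_in(i.lstrip("!"), port) for i in items)
    return not hit if all(negated) else hit


def addr_matches(spec, addr):
    """Match an address against a space-separated list of IPs/CIDRs (no hostnames)."""
    items = spec.split()
    if not items:
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(i, strict=False) for i in items)


def policy_matches(policy, pkt):
    """Every specified option must match (AND); unspecified options match anything."""
    return (
        addr_matches(policy.get("src_addr", ""), pkt.src)
        and addr_matches(policy.get("dest_addr", ""), pkt.dst)
        and (not policy.get("proto") or pkt.proto in policy["proto"].split())
        and port_matches(policy.get("src_port", ""), pkt.sport)
        and port_matches(policy.get("dest_port", ""), pkt.dport)
    )


def route_for(config_text, pkt):
    """Interface of the first matching policy, else 'main table' (the default
    route, i.e. the VPN once the OpenVPN client has taken over). Assumed order."""
    for policy in parse_uci_policies(config_text):
        if policy_matches(policy, pkt):
            return policy["interface"]
    return "main table"


# Constructed copies of the two policies discussed in the thread.
ORIGINAL = """
config policy
        option interface 'wan'
        option name 'NAS'
        option src_addr '10.0.1.2'
        option proto 'tcp udp'
        option src_port '500 1701 4500'
        option dest_port '500 1701 4500'
"""

ACCEPTED = """
config policy
        option name 'NAS'
        option src_addr '10.0.1.2'
        option dest_addr '0.0.0.0/0'
        option interface 'wan'
"""

# The NAS answering a forwarded https://fqdn:5001 connection: its source port
# is fixed (5001) but the destination port is whatever the remote client chose.
REPLY = Packet(src="10.0.1.2", dst="203.0.113.10", proto="tcp", sport=5001, dport=54321)

if __name__ == "__main__":
    print("original policy        :", route_for(ORIGINAL, REPLY))  # main table (= VPN)
    print("original + 5001 listed :", route_for(ORIGINAL.replace("500 1701 4500", "500 1701 4500 5001"), REPLY))  # main table
    print("accepted policy        :", route_for(ACCEPTED, REPLY))  # wan
```

The first two cases show the point made earlier in the thread: even with 5001 added to both port lists, the reply never matches because its destination port is the client's ephemeral port, so it falls through to the main table and leaves via the VPN, where the forwarded connection cannot complete. The accepted policy keys only on the NAS's source address, so every packet the NAS sends, replies included, goes out WAN. The caveat is that this also means none of the NAS's own outbound traffic is carried inside the VPN tunnel; only a policy with interface 'tun0' would do that, and that is exactly the policy under which the port forward stopped working.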

That did the trick, thanks.

