Policy based routing with 2.5.x not working (works in 2.4.5.1)
-
I have taken the saved configuration from a working V2.4.5.1 system, then did a fresh install of V2.5.2 (also tried V2.5.0 and V2.5.1) and restored the V2.4.5.1 configuration onto the newly installed system.
The system has an OpenVPN connection and I use policy based routing to send some traffic out through the OpenVPN connection and some traffic out through the WAN.
The Firewall / Rules / LAN settings are as below:
| Protocol | Source | Port | Destination | Port | Gateway | Queue |
|---|---|---|---|---|---|---|
| * | * | * | LAN Address | 443 | * | * |
| IPv4* | BypassVpnLanSources | * | * | * | WAN_PPPOE | none |
| IPv4* | * | * | BypassVpnDestinations | * | WAN_PPPOE | none |
| IPv4* | LAN net | * | * | * | VPN_VPNV4 | none |

The BypassVpnLanSources and BypassVpnDestinations are aliases. Regardless of whether the source or destination matches one of the aliases, the traffic is always routed out through the VPN in V2.5.X versions, whereas it is routed through the WAN in V2.4.5.1.
Reading this reddit link suggests enabling "Don't pull routes", i.e. setting it to Checked, but this did not make any difference.

Does anyone have any suggestions on what I could try to get this type of setup working in V2.5.2 please?
-
@robbo1 Probably make those rules again? Shouldn't be too problematic.
Maybe your VPN connections in general don't work anymore, that seems to be a common problem. Who is your vpn-provider?
-
The VPN provider is Mullvad. The VPN connection works correctly but traffic that should not go via the VPN is routed through the VPN.
-
@robbo1 Show some screens for System / Routing and the rules.
-
System / Routing / Gateways
Has two gateways:
- WAN_PPPOE for WAN interface
- VPN_VPN4 for OpenVPN interface
Default gateway IPv4 = Automatic
Default gateway IPv6 = Automatic

Both of the above gateways have the same settings:
- Address Family = IPv4
- Gateway = dynamic
- Gateway Monitoring = Unchecked
- Gateway Action = Unchecked
- Monitor IP = <blank>
- Force state = Unchecked
No advanced settings have been set up.
System / Routing / Static Routes
- No static routes have been set up.
System / Routing / Gateway Groups
- No gateway groups have been set up.
-
I have done a fresh install of 2.5.2 and then manually applied the minimum configuration (not imported) to carry out the test. This involved adding the WAN configuration and setting up the OpenVPN interface. I then added the minimum of rules to the firewall as shown in the screen shots below. All traffic is still routed out via the VPN.
Routes:
Rules:
-
@robbo1 No wonder, the earth symbol is showing there. Switch from automatic to specific default gateway.
-
I have updated the routes as suggested but all traffic is still routed out via the VPN.
Routes:
-
I decided to rebuild my 2.4.5.1 configuration from scratch in 2.5.2 to work out which settings stopped PBR working. These are the changes I had to make to my 2.4.5.1 configuration to get it working in 2.5.2:
- VPN > OpenVPN > Clients > "Don't pull routes" = Checked
- System > Routing > Default gateway IPv4 = WAN_PPPOE
  If the default gateway was set to WAN and PBR forces all traffic through WAN or VPN, everything works.
  If the default gateway was set to VPN and PBR forces all traffic through VPN, everything works, but if PBR forces all traffic through WAN then DNS Resolver appears to not work, i.e. can't get to any internet sites.
  I'm not sure why the default route would make any difference if PBR is ultimately selecting the traffic route regardless of the default route?
- System > Advanced > Miscellaneous > "Skip rules when gateway is down" = Unchecked
  I would prefer to have this Checked so that a rule is omitted if a particular gateway is down rather than using the rule and selecting another gateway instead. I'm not sure why this setting no longer works in the same way as 2.4.5.1?
In summary the above three changes allow my original configuration to work with 2.5.2, although changing the third option alters the original behavior.
-
In order to recreate the original behaviour (of having "Skip rules when gateway is down" = Checked) I set up a floating rule as described here.
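As an added illustration (not pfSense code, and not written by anyone in this thread), the Python model below evaluates the LAN policy-routing rules listed earlier top-down, first match wins, and shows how "Skip rules when gateway is down" changes where a flow goes when the WAN gateway is down. The alias contents and addresses are constructed placeholders, and the anti-lockout rule to LAN Address:443 is left out.

```python
from ipaddress import ip_address, ip_network

# Constructed placeholder contents for the aliases and LAN net (not the poster's real values).
ALIASES = {
    "BypassVpnLanSources": [ip_network("192.168.1.0/28")],
    "BypassVpnDestinations": [ip_network("203.0.113.0/24")],
    "LAN net": [ip_network("192.168.1.0/24")],
}

# LAN rules in the order shown in the thread: (source, destination, gateway).
# pfSense evaluates them top-down; the first matching rule wins.
RULES = [
    ("BypassVpnLanSources", "*", "WAN_PPPOE"),
    ("*", "BypassVpnDestinations", "WAN_PPPOE"),
    ("LAN net", "*", "VPN_VPNV4"),
]


def matches(field, addr):
    """'*' matches anything; otherwise addr must fall inside one of the alias networks."""
    return field == "*" or any(ip_address(addr) in net for net in ALIASES[field])


def route(src, dst, gw_up, default_gw, skip_when_down):
    """Return the gateway a src->dst flow leaves on, or 'blocked' if no rule passes it.

    gw_up maps gateway name -> up/down.  skip_when_down models System > Advanced >
    Miscellaneous > "Skip rules when gateway is down":
      True  -> a rule whose gateway is down is omitted, so later rules can still match;
      False -> the rule is kept without its gateway, so the flow follows default_gw.
    """
    for rule_src, rule_dst, gw in RULES:
        if not (matches(rule_src, src) and matches(rule_dst, dst)):
            continue
        if gw_up.get(gw, True):
            return gw
        if skip_when_down:
            continue
        return default_gw
    return "blocked"


if __name__ == "__main__":
    all_up = {"WAN_PPPOE": True, "VPN_VPNV4": True}
    wan_down = {"WAN_PPPOE": False, "VPN_VPNV4": True}
    print(route("192.168.1.5", "8.8.8.8", all_up, "WAN_PPPOE", True))     # WAN_PPPOE
    print(route("192.168.1.100", "8.8.8.8", all_up, "WAN_PPPOE", True))   # VPN_VPNV4
    print(route("192.168.1.5", "8.8.8.8", wan_down, "WAN_PPPOE", True))   # VPN_VPNV4: rule skipped, LAN net rule wins
    print(route("192.168.1.5", "8.8.8.8", wan_down, "WAN_PPPOE", False))  # WAN_PPPOE: rule kept, dead default route
```

The last two lines are the case the thread is about: with the option unchecked a bypass flow is handed to the default route even when that gateway is down, while with it checked the next rule decides.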