Far be it from me to re-open a topic that might have been covered in past threads…
but I have been searching the web for 3 days to solve the issue with my config.
Problem:
I need to have a few in/out ports bypassing my tomato router OpenVPN so that some of my server functionalities are accessible directly through the address given to me by my ISP.
My setup:
A modem from my ISP with the address WAN_IP. Internally, IP address set to xxx.xxx.255.2. DMZ set towards xxx.xxx.255.3.
A tomato router connected to my modem (on vlan2). Internally, IP address set to xxx.xxx.255.3 (on br0). A bridge br1 setup with IP xxx.xxx.254.2.
A local server xxx.xxx.254.15 (as well as x other devices on the intranet) connected to my tomato router. Intranet addresses on xxx.xxx.254.100-254.
For temporary simplification, I also have a DMZ in my tomato router set for my server xxx.xxx.254.15.
Tomato router has an OpenVPN client connection with a VPN provider. All traffic is routed there at the moment.
For sake of completeness, my eth1 and eth2 are for my 2 wireless networks (and not involved here).
All that works out-of-the-box.
But now I want to access my server (xxx.xxx.254.15) on port e.g. 80 directly by using my ISP-given WAN_IP (e.g. yy.yy.108.71), through my modem and then through my tomato router. This works when the VPN client is OFF. When ON, it does not, as expected.
How should I change my Firewall script and WAN Up script (and VPN config) to allow me to do this?
Here is my ifconfig -a setup WITHOUT VPN activated:
br0 Link encap:Ethernet HWaddr E0:3F:49:EC:2F:A8
inet addr:xxx.xxx.254.2 Bcast:xxx.xxx.254.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
br1 Link encap:Ethernet HWaddr 82:5D:3D:04:48:D8
inet addr:xxx.xxx.255.3 Bcast:xxx.xxx.255.255 Mask:255.255.255.0
eth0 Link encap:Ethernet HWaddr E0:3F:49:EC:2F:A8
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
eth1 Link encap:Ethernet HWaddr E0:3F:49:EC:2F:A8
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1
eth2 Link encap:Ethernet HWaddr E0:3F:49:EC:2F:AC
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1
imq0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
NOARP MTU:1500 Metric:1
imq1 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
NOARP MTU:1500 Metric:1
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MULTICAST MTU:16436 Metric:1
vlan1 Link encap:Ethernet HWaddr E0:3F:49:EC:2F:A8
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1
vlan2 Link encap:Ethernet HWaddr E0:3F:49:EC:2F:A9
inet addr:xxx.xxx.255.3 Bcast:xxx.xxx.255.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Here is my ifconfig -a setup WITH VPN activated:
… same as above…
tun11 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.15.14.130 P-t-P:10.15.14.130 Mask:255.255.255.128
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
… same as above…
What I tried:
As I have mentioned, I tried the solutions found on the web (e.g. openvpn-bypass-on-some-ports, openvpn-client-on-tomato-to-a-server-how-to-bypass-some-ip). But nothing worked for me, probably because I did not know how to tailor those parameters to my setup.
I was also confused as to what IP I should use for the routes, e.g. my WAN_IP (given by ISP) or my Modem IP (xxx.xxx.255.2).
I am currently trying the following:
# disable reverse-path filtering on every interface
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/br0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth1/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/tun11/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/vlan1/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/vlan2/rp_filter
# clear any previous table 100 route, fwmark rule and mangle marks
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING
# table 100: default route via 83.84.108.1; packets marked 1 are looked up there
ip route add default table 100 via 83.84.108.1
ip rule add fwmark 1 table 100
ip route flush cache
# mark LAN traffic (any source on br0) to these destination ports so it uses table 100
#iptables -t mangle -I PREROUTING -i br0 -p tcp -m multiport --dport 443,25,3001,1194 -j MARK --set-mark 1
iptables -t mangle -I PREROUTING -i br0 -p udp -m multiport --dport 443,25,3001,1194 -j MARK --set-mark 1
found on a post called "Route only specific ports through VPN (openvpn)" (sorry, the site does not let me copy links yet).
While it works, it applies to those ports on EVERY machine in my intranet, not only on my server's IP 254.15.
Can I get some help please?
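As an added example (not code from the original post), a Tomato firewall-script fragment that marks only the server's traffic by source address instead of every LAN host's, and routes it through a table whose default route points at the modem rather than at tun11. It assumes the modem's LAN address is the router's WAN gateway, uses constructed placeholder addresses (192.168.254.15 for the server, 192.168.255.2 for the modem) in place of the masked ones, and the chain name BYPASS_VPN is chosen here.

```shell
#!/bin/sh
# Added example, not the poster's script: policy-route ONLY the server's
# service traffic around the OpenVPN tunnel on a Tomato router.
# Constructed placeholder values stand in for the masked addresses in the
# post; adjust them before use.
SERVER="192.168.254.15"    # the LAN server (xxx.xxx.254.15 in the post)
MODEM_GW="192.168.255.2"   # modem's LAN address = the router's WAN gateway
WAN_IF="vlan2"             # router interface towards the modem
LAN_IF="br0"               # router interface towards the LAN
IN_PORTS="80,443"          # services on SERVER reached via WAN_IP (inbound)
OUT_PORTS="25,3001"        # connections SERVER itself opens (outbound)
TABLE=100                  # routing table holding the non-VPN default route
MARK=1                     # fwmark; pick one Tomato QoS does not use

# Prints every command instead of running it, so the rule set can be
# reviewed; "apply" as first argument pipes the output into sh.
bypass_rules() {
    # Replies to inbound connections would fail the strict reverse-path
    # check while the default route points at tun11, so relax it on the
    # interfaces the bypassed flows cross (0 is the only value old kernels
    # understand; use 2 = loose where available).
    for ifc in all default "$WAN_IF" "$LAN_IF"; do
        echo "echo 0 > /proc/sys/net/ipv4/conf/$ifc/rp_filter"
    done
    # Remove leftovers from an earlier run so the script stays idempotent
    # (Tomato re-runs the firewall script; errors on first run are ignored).
    echo "ip rule del fwmark $MARK table $TABLE 2>/dev/null"
    echo "ip route flush table $TABLE 2>/dev/null"
    echo "iptables -t mangle -D PREROUTING -i $LAN_IF -s $SERVER -j BYPASS_VPN 2>/dev/null"
    echo "iptables -t mangle -F BYPASS_VPN 2>/dev/null"
    echo "iptables -t mangle -X BYPASS_VPN 2>/dev/null"
    # Table $TABLE: default route through the modem, never through the tunnel.
    echo "ip route add default via $MODEM_GW dev $WAN_IF table $TABLE"
    echo "ip rule add fwmark $MARK table $TABLE"
    echo "ip route flush cache"
    # Match by SOURCE address so only this server is affected: replies leave
    # the server FROM its service ports (--sports); its own outbound
    # connections go TO the listed ports (--dports). Everything else on the
    # LAN keeps using the tunnel.
    echo "iptables -t mangle -N BYPASS_VPN"
    echo "iptables -t mangle -A BYPASS_VPN -p tcp -m multiport --sports $IN_PORTS -j MARK --set-mark $MARK"
    echo "iptables -t mangle -A BYPASS_VPN -p tcp -m multiport --dports $OUT_PORTS -j MARK --set-mark $MARK"
    echo "iptables -t mangle -I PREROUTING -i $LAN_IF -s $SERVER -j BYPASS_VPN"
}

if [ "${1:-}" = "apply" ]; then
    bypass_rules | sh
fi
```

Run it without arguments first to inspect the generated commands; the existing Tomato MASQUERADE on vlan2 and the modem's DMZ then handle the address rewriting for the bypassed flows.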