LinuxQuestions.org


anon059 02-20-2019 11:51 AM

Why is static route being blocked by firewall?
 
I've been trying to get my router to send specific traffic over to my server to go through an OpenVPN connection.

The OpenVPN connection is working fine, and I can use the server as a gateway with no problems.

I am however wanting to keep my router as my default gateway (great GUI controls - Asus Merlin), so to do this I've configured an ip table with a default route...

Quote:

ip route add default via 192.168.1.2 table ovpn
ip rule add from 192.168.1.15 table ovpn

My server also has some routes

Quote:

ip route add default dev tun0 table vpn
ip rule add from 192.168.1.2 table main pref 1
ip rule add from 192.168.1.0/24 table vpn pref 2

Now, I can see that ping and tracert/traceroute are working correctly; however, my web browser does not work. I did discover that disabling the Windows firewall made this work no problem. It also works on other devices, so I'm guessing it must be just a Windows thing.

Can anybody suggest why this would be the case? And how I could get around it (ideally without having to configure firewalls across several machines)?

Cheers

nini09 02-21-2019 02:43 PM

What's your network topology, default gateway, server and Windows machine?

anon059 02-21-2019 05:27 PM

Quote:

Originally Posted by nini09 (Post 5965126)
What's your network topology, default gateway, server and Windows machine?

Quick picture attached. Hopefully it should help.

[Attachment 29884: network topology picture]

business_kid 02-22-2019 11:42 AM

Yep, it does. VPNs don't allow back doors - nohow. If you use the vpn, route everything through it.

anon059 02-22-2019 02:08 PM

Quote:

Originally Posted by business_kid (Post 5965542)
Yep, it does. VPNs don't allow back doors - nohow. If you use the vpn, route everything through it.

Not sure what you mean by backdoor?

However, VPN traffic can be selectively routed. I have this working on a different network, this time with an OpenWrt router; but it does selectively route traffic.

nini09 02-22-2019 03:34 PM

You need to use the iptables tool to specify IPsec tunnel traffic, not ip rule.

anon059 02-22-2019 06:10 PM

attempts
 
I've been using iptables to mark the packets and route them accordingly with ip rule, e.g.:

Code:

iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.xx.xxx -j MARK --set-mark 0

which works the same as the basic ip rule (routes via the VPN server and through the tunnel; however, the Windows 10 firewall blocks it. Everything else works.)

Also tried forwarding with iptables PREROUTING/POSTROUTING DNAT and SNAT; couldn't get these to work in any way.

business_kid 02-23-2019 04:06 AM

A backdoor is a security breach, because traffic can get in/out unencrypted. Guys have suggestions. Try them.

anon059 02-23-2019 08:29 PM

Quote:

Originally Posted by nini09 (Post 5965652)
You need to use the iptables tool to specify IPsec tunnel traffic, not ip rule.

Do you have any more information on how to do this?

Going round in circles.

nini09 02-26-2019 02:46 PM

The following link could help you: https://community.openvpn.net/openvp...gingAndRouting

anon059 02-26-2019 07:08 PM

Nothing on there that I am not already doing.

As I said, it is working apart from windows firewall blocking it.

After lots of messing around, I think you were right with the backdoor/IPsec stuff, because with the same settings I am able to have it working with a PPTP tunnel between the router and the VPN client, even with no encryption.

I could not get this to work with an OpenVPN tunnel, though this may be to do with the peculiar ASUS implementation.

The problem with this is that a PPTP server is notoriously unsafe, and I would have to configure additional rules etc. to block it externally.

nini09 02-27-2019 02:26 PM

Although the issue is gone after the firewall is off on the Windows machine, it is still dependent on the traffic path, i.e. which device it passes through.
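As an added example (not code from this thread or from any poster), the following Python models the policy-routing lookup that the router and server commands in the first post configure, and traces a client request and its reply through both boxes, which makes the path dependence mentioned in the last reply visible. The router address 192.168.1.1, the remote address 203.0.113.10, the rule pref the router assigned, and all interface names are assumptions.

```python
# Added example, not code from the thread: a minimal model of Linux policy routing (rules
# tried in pref order; the first table holding a route wins) tracing request and reply.
from ipaddress import ip_address, ip_network
# Constructed topology. From the thread: Windows client 192.168.1.15, VPN server 192.168.1.2.
# Router 192.168.1.1, remote 203.0.113.10, rule prefs without an explicit value and all
# interface names are assumptions. Route entries are (prefix, iface, next hop or None).
CLIENT, SERVER, ROUTER, REMOTE = "192.168.1.15", "192.168.1.2", "192.168.1.1", "203.0.113.10"
HOSTS = {
    ROUTER: ([(32765, "192.168.1.15/32", "ovpn"), (32766, "0.0.0.0/0", "main")],
             {"ovpn": [("0.0.0.0/0", "br0", SERVER)],
              "main": [("192.168.1.0/24", "br0", None), ("0.0.0.0/0", "wan", None)]}),
    # pref 1 before pref 2, else the server's own packets (OpenVPN's UDP flow too) would enter tun0.
    SERVER: ([(1, "192.168.1.2/32", "main"), (2, "192.168.1.0/24", "vpn"),
              (32766, "0.0.0.0/0", "main")],
             {"vpn": [("0.0.0.0/0", "tun0", None)],
              "main": [("192.168.1.0/24", "eth0", None), ("0.0.0.0/0", "eth0", ROUTER)]}),
}
def lookup(table, dst):
    """Longest-prefix match inside a single routing table."""
    best = None
    for prefix, iface, via in table:
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface, via)
    return best[1:] if best else None

def rpdb(rules, tables, src, dst):
    """'ip rule' semantics: lowest pref first; fall through when the table has no route."""
    for _pref, selector, name in sorted(rules):
        if ip_address(src) in ip_network(selector) and (hit := lookup(tables[name], dst)):
            return name, hit
    return None, None

def trace(src, dst, entry):
    """Hops (host, table, iface) from the box the packet enters until it leaves these boxes."""
    path, host = [], entry
    while host in HOSTS and host != dst:
        table, hit = rpdb(*HOSTS[host], src, dst)
        if hit is None:
            return path + [(host, None, "unreachable")]
        iface, via = hit
        path.append((host, table, iface))
        host = via or dst  # next box is the gateway, or the destination when on-link/tunnel/upstream
    return path

def symmetric(src, dst, entry, reply_entry):
    """True only when the reply passes back through the same boxes in reverse order."""
    fwd = [h for h, _, _ in trace(src, dst, entry)]
    rev = [h for h, _, _ in trace(dst, src, reply_entry)]
    return fwd == rev[::-1]
```

With these tables the client's request passes router then server and leaves via tun0, while the reply arriving on tun0 is delivered by the server straight to the client over the LAN, so a stateful host firewall sees the two directions arrive via different paths.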
