I am trying to use an OpenVPN connection only for traffic that uses specific ports.
I have found several different topics on the subject, each with different solutions.
Below is my config and my attempt to achieve my goal. Unfortunately, it is not working.
Please advise where I am going wrong:
/* EdgeOS (Vyatta-style) router configuration: dual-WAN (eth0/eth1) with a LAN on switch0, */
/* an OpenVPN client on vtun0, and a policy-routing attempt that is meant to send only the */
/* DownloadStation port-group over the VPN (firewall modify OPENVPN_ROUTE -> table 2 -> vtun0). */
firewall {
    all-ping enable
    broadcast-ping disable
    group {
        /* RFC 1918 ranges; used by modify balance rule 10 to keep LAN-to-LAN traffic in table main. */
        network-group PRIVATE_NETS {
            network 192.168.0.0/16
            network 172.16.0.0/12
            network 10.0.0.0/8
        }
        /* Referenced as a SOURCE port match by modify OPENVPN_ROUTE rule 10 and nat rule 5000. */
        /* No port-forward rule covers these ports, so the only LAN packets that carry them as the */
        /* source port are those the LAN host itself sends from its listening port. */
        port-group DownloadStation {
            description "Ports for Download Station"
            port 16881
            port 6880-6999
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    /* Hardening note: martian logging is off, so spoofed/bogon sources on the WAN are not logged. */
    log-martians disable
    /* Attached to switch0 "in" (below); it is the only modify ruleset applied to any interface. */
    modify OPENVPN_ROUTE {
        description "traffic from Download Station to vtun0"
        /* NOTE(review): this matches on the packet's SOURCE port only. Connections that the */
        /* Download Station host initiates outbound normally use an ephemeral source port and */
        /* therefore never match this rule; only flows sent from the listening ports do. If the */
        /* goal is "everything that host sends to those ports / from that host", confirm the */
        /* direction and consider matching the host's source address (presumably 192.168.2.254, */
        /* where port-forward rule 8 "Synology DSM" points) -- verify against the client's behaviour. */
        /* Anything not matched here (including DNS) leaves via the main table, i.e. the WAN. */
        rule 10 {
            action modify
            description "Route traffic from DL Station to vtun0"
            modify {
                table 2
            }
            protocol tcp_udp
            source {
                group {
                    port-group DownloadStation
                }
            }
        }
    }
    /* NOTE(review): this ruleset is defined but not attached to any interface in this config; */
    /* switch0 "in" uses OPENVPN_ROUTE only, so rules 10-70 (including the lb-group G hand-off in */
    /* rule 70) never run. EdgeOS appears to accept a single modify ruleset per interface and */
    /* direction (verify), so if both behaviours are wanted, the VPN rule would have to live in the */
    /* same ruleset as the load-balance rules, ordered before rule 70. */
    modify balance {
        rule 10 {
            action modify
            description "do NOT load balance lan to lan"
            destination {
                group {
                    network-group PRIVATE_NETS
                }
            }
            modify {
                table main
            }
        }
        /* ADDRv4_eth0 / ADDRv4_eth1 are not defined in the group section above; they are */
        /* presumably the built-in interface address groups EdgeOS maintains -- confirm. */
        rule 20 {
            action modify
            description "do NOT load balance destination public address"
            destination {
                group {
                    address-group ADDRv4_eth0
                }
            }
            modify {
                table main
            }
        }
        rule 30 {
            action modify
            description "do NOT load balance destination public address"
            destination {
                group {
                    address-group ADDRv4_eth1
                }
            }
            modify {
                table main
            }
        }
        rule 70 {
            action modify
            modify {
                lb-group G
            }
        }
    }
    /* Stateful WAN ingress policy: default drop, established/related accepted, invalid dropped. */
    /* port-forward auto-firewall (below) adds the forwarded ports to this chain. */
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 20 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 30 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    /* Router-destined WAN traffic: default drop, so ssh (22) and the GUI (80/443) are not */
    /* reachable from eth0/eth1 unless a later rule opens them. */
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 20 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 30 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    /* NOTE(review): reverse-path validation is disabled. Policy routing through extra tables is */
    /* a common reason for turning it off; the trade-off is no anti-spoofing check on ingress. */
    source-validation disable
    syn-cookies enable
}
interfaces {
    /* Primary WAN; also the wan-interface used by port-forward. */
    ethernet eth0 {
        address dhcp
        description WAN
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        poe {
            output off
        }
        speed auto
    }
    /* Secondary WAN; failover-only member of load-balance group G. */
    ethernet eth1 {
        address dhcp
        description "WAN 2"
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        poe {
            output off
        }
        speed auto
    }
    /* eth2/eth3 power and ping-watchdog the two APs (192.168.2.2 / .3 per the DHCP static mappings). */
    ethernet eth2 {
        duplex auto
        poe {
            output 48v
            watchdog {
                address 192.168.2.2
                failure-count 3
                interval 900
                off-delay 30
                start-delay 300
            }
        }
        speed auto
    }
    ethernet eth3 {
        duplex auto
        poe {
            output 48v
            watchdog {
                address 192.168.2.3
                failure-count 3
                interval 900
                off-delay 30
                start-delay 300
            }
        }
        speed auto
    }
    ethernet eth4 {
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    loopback lo {
    }
    /* VPN tunnel; routed to only by static table 2. */
    /* NOTE(review): whether the provider pushes a default route (redirect-gateway) cannot be */
    /* seen here. If it does and the .ovpn does not ignore pushed routes, the tunnel would */
    /* take over the main table for all traffic rather than just table 2 -- confirm in the file. */
    openvpn vtun0 {
        config-file /home/brian/config/auth/USMidwest.ovpn
        description "PIA VPN"
    }
    /* LAN. Only OPENVPN_ROUTE is applied inbound here; no "name" firewall is attached, and the */
    /* "balance" modify ruleset is not applied anywhere (see note above). */
    switch switch0 {
        address 192.168.2.1/24
        description Local
        firewall {
            in {
                modify OPENVPN_ROUTE
            }
        }
        mtu 1500
        switch-port {
            interface eth2 {
            }
            interface eth3 {
            }
            interface eth4 {
            }
            vlan-aware disable
        }
    }
}
/* Group G is only reachable via modify balance rule 70, which is not attached to an interface. */
load-balance {
    group G {
        interface eth0 {
        }
        interface eth1 {
            failover-only
        }
        lb-local enable
    }
}
/* Internet-facing exposure on eth0. Exposure note: rules 6/7 (VNC), 8 (DSM admin UI on 5001) */
/* and 15 (UniFi controller on 8443) publish management/remote-desktop interfaces to the WAN; */
/* consider whether these need to be reachable without the VPN. */
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface switch0
    rule 1 {
        description "IMAP over SSL/TLS"
        forward-to {
            address 192.168.2.254
        }
        original-port 993
        protocol tcp
    }
    rule 2 {
        description "POP3 over SSL/TLS"
        forward-to {
            address 192.168.2.254
        }
        original-port 995
        protocol tcp
    }
    rule 3 {
        description "Surveillance Station"
        forward-to {
            address 192.168.2.254
        }
        original-port 9900-9901
        protocol tcp
    }
    rule 4 {
        description SMTP-SSL
        forward-to {
            address 192.168.2.254
        }
        original-port 465
        protocol tcp
    }
    rule 5 {
        description SMTP-TLS
        forward-to {
            address 192.168.2.254
        }
        original-port 587
        protocol tcp
    }
    rule 6 {
        description "VNC PlexServer"
        forward-to {
            address 192.168.2.200
        }
        original-port 7995
        protocol tcp
    }
    rule 7 {
        description "VNC Brian"
        forward-to {
            address 192.168.2.225
        }
        original-port 7996
        protocol tcp
    }
    rule 8 {
        description "Synology DSM"
        forward-to {
            address 192.168.2.254
        }
        original-port 5001
        protocol tcp
    }
    /* Rules 9/10 translate the public port to a different internal port (8887 / 80). */
    rule 9 {
        description "Tablo TV"
        forward-to {
            address 192.168.2.227
            port 8887
        }
        original-port 21021
        protocol tcp
    }
    rule 10 {
        description "Tablo TV"
        forward-to {
            address 192.168.2.227
            port 80
        }
        original-port 21020
        protocol tcp
    }
    /* Rules 11-13 expose plaintext mail protocols (25/110/143) alongside the TLS variants above. */
    rule 11 {
        description SMTP
        forward-to {
            address 192.168.2.254
        }
        original-port 25
        protocol tcp
    }
    rule 12 {
        description POP3
        forward-to {
            address 192.168.2.254
        }
        original-port 110
        protocol tcp
    }
    rule 13 {
        description IMAP
        forward-to {
            address 192.168.2.254
        }
        original-port 143
        protocol tcp
    }
    rule 14 {
        description Plex
        forward-to {
            address 192.168.2.200
        }
        original-port 32400
        protocol tcp
    }
    rule 15 {
        description UniFi
        forward-to {
            address 192.168.2.200
        }
        original-port 8443
        protocol tcp_udp
    }
    wan-interface eth0
}
protocols {
    static {
        /* Table 1 (default via eth0) is not referenced by any modify rule in this config. */
        table 1 {
            interface-route 0.0.0.0/0 {
                next-hop-interface eth0 {
                }
            }
        }
        /* Table 2 is the target of OPENVPN_ROUTE rule 10: matched flows default-route into the tunnel. */
        table 2 {
            interface-route 0.0.0.0/0 {
                next-hop-interface vtun0 {
                }
            }
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN {
            authoritative enable
            subnet 192.168.2.0/24 {
                default-router 192.168.2.1
                dns-server 192.168.2.1
                lease 86400
                start 192.168.2.2 {
                    stop 192.168.2.254
                }
                static-mapping Arlo_Basestation {
                    ip-address 192.168.2.9
                    mac-address c0:ff:d4:85:f7:ef
                }
                static-mapping BackPorch_Camera {
                    ip-address 192.168.2.27
                    mac-address 4c:11:bf:c9:e3:d3
                }
                static-mapping Bedroom_Hallway_AP {
                    ip-address 192.168.2.3
                    mac-address 24:a4:3c:50:1B:4D
                }
                static-mapping Brian-PC {
                    ip-address 192.168.2.225
                    mac-address 90:FB:A6:2D:C8:2E
                }
                static-mapping Color_Printer {
                    ip-address 192.168.2.253
                    mac-address 00:80:92:D8:69:7F
                }
                static-mapping Front_DoorBell {
                    ip-address 192.168.2.6
                    mac-address 44:39:C4:B6:3A:A6
                }
                static-mapping Harmony_Hub {
                    ip-address 192.168.2.5
                    mac-address 00:04:20:EB:1C:3D
                }
                static-mapping LivingRoom_Roku4 {
                    ip-address 192.168.2.41
                    mac-address 08:05:81:e7:4d:3a
                }
                static-mapping Livingroom_AP {
                    ip-address 192.168.2.2
                    mac-address 24:a4:3c:50:1B:5D
                }
                /* Target of most port-forwards and of remote syslog. */
                static-mapping Media-Server {
                    ip-address 192.168.2.254
                    mac-address 00:11:32:1F:2D:B6
                }
                static-mapping Ooma {
                    ip-address 192.168.2.39
                    mac-address 00:18:61:29:41:3d
                }
                static-mapping Plex-Server {
                    ip-address 192.168.2.200
                    mac-address AC:22:0B:8C:3A:DE
                }
                static-mapping Tablo {
                    ip-address 192.168.2.227
                    mac-address 50:87:B8:00:82:A2
                }
                unifi-controller 192.168.2.200
            }
        }
        use-dnsmasq disable
    }
    /* Forwarder listens on the LAN only; upstream resolvers are the system name-servers below. */
    dns {
        forwarding {
            cache-size 150
            listen-on switch0
        }
    }
    /* NOTE(review): older-ciphers enable weakens the web UI's TLS; plain HTTP is also served on 80. */
    /* WAN_LOCAL drops router-bound WAN traffic, so this is LAN-only exposure, but the setting is */
    /* still worth revisiting if no legacy client needs it. */
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        /* Pairs with OPENVPN_ROUTE: flows that were policy-routed into vtun0 are masqueraded */
        /* behind the tunnel address. The same source-port-only match applies, so this rule */
        /* covers exactly the flows rule 10 redirects. The empty "destination { group { } }" node */
        /* carries no match criteria -- presumably a leftover; confirm it is intended. */
        rule 5000 {
            description "masquerade for VTUN0"
            destination {
                group {
                }
            }
            log disable
            outbound-interface vtun0
            protocol tcp_udp
            source {
                group {
                    port-group DownloadStation
                }
            }
            type masquerade
        }
        /* LAN-to-LAN masquerade on switch0; supports the hairpin-nat port-forward setting. */
        rule 5001 {
            description "masquerade for LAN"
            destination {
                address 192.168.2.0/24
            }
            log disable
            outbound-interface switch0
            protocol tcp_udp
            source {
                address 192.168.2.0/24
            }
            type masquerade
        }
        rule 5002 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
        rule 5003 {
            description "masquerade for WAN 2"
            outbound-interface eth1
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    conntrack {
        expect-table-size 4096
        hash-size 4096
        table-size 32768
        tcp {
            half-open-connections 512
            loose enable
            max-retrans 3
        }
    }
    host-name ubnt
    login {
        /* NOTE(review): this password hash ($6$ = SHA-512 crypt) has been posted publicly with */
        /* this config. Treat the credential as disclosed: change the admin password and redact */
        /* the hash (and the MAC addresses above) before sharing the config again. */
        user john {
            authentication {
                encrypted-password $6$WdVnA9eVwXXIF$V1rUezVXgDKIW.utdhfoHpwUVh4gtXGhNooydVL5dxnqIyxOuPhG2/U4o8LY0Pe0c8WhIK3d7aTYcVqjlZNDT/
            }
            level admin
        }
    }
    /* Router-originated DNS queries follow the main table (WAN), not the VPN. */
    name-server 8.8.8.8
    name-server 8.8.4.4
    name-server 156.154.70.1
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    /* Debug-level remote syslog to the media server; useful for checking whether modify rules fire. */
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
        host 192.168.2.254 {
            facility all {
                level debug
            }
        }
    }
    time-zone America/New_York
    traffic-analysis {
        dpi enable
        export enable
    }
}
traffic-control {
}
/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.9.0.4901118.160804.1131 */