I've set up a simple policy-based route on an EdgeRouter X. I can get this configuration to work just fine in 1.7.0, but it fails to work on 1.9.0.
I want to have a set of IP addresses forced through an OpenVPN tunnel where all the other LAN devices will go through the default route advertised from the WAN port.
Two configurations were attempted: one where I started from the factory fresh 1.7.0 install, and another where I started after upgrading to 1.9.0. Each configuration was tested on 1.7.0, 1.8.5 and 1.9.0. I'll summarize my results below:
- I had a working configuration on 1.7.0. This was generated by the WAN+2LAN wizard, then adding the OpenVPN and policy-based routing sections. I upgraded to 1.9.0 and the EdgeRouter X became unresponsive and required a reset in order to regain access. I then uploaded the configuration and the EdgeRouter X again became unresponsive after a reboot.
- I then started over on 1.9.0 using the wizard there and again added the OpenVPN and policy-based routing sections. This configuration on 1.9.0 successfully established the OpenVPN tunnel but the policy-based routing never came into effect - that is, when I set a machine to the IP address 192.168.254.10, it still went out the WAN default route and *not* the OpenVPN tunnel.
- Then I took the 1.9.0 configuration and downgraded to 1.8.5. The policy-based routing was still inoperative.
- Then I took the 1.9.0 configuration and downgraded to 1.7.0. The 1.9.0 configuration worked perfectly.
I'd really like to get this working on 1.9.0; any thoughts?
The 1.9.0 configuration is below:
firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    modify SOURCE_ROUTE {
        rule 10 {
            action modify
            modify {
                table 1
            }
            source {
                address 192.168.254.10/32
            }
        }
    }
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description Internet
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth2 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth3 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth4 {
        description Local
        duplex auto
        speed auto
    }
    loopback lo {
    }
    openvpn vtun0 {
        encryption aes128
        mode client
        protocol udp
        remote-host vpn.endpoint.dns.name
        remote-port 443
        tls {
            ca-cert-file /config/auth/ca.crt
            cert-file /config/auth/vpn.crt
            key-file /config/auth/vpn.key
        }
    }
    switch switch0 {
        address 192.168.254.1/24
        description Local
        firewall {
            in {
                modify SOURCE_ROUTE
            }
        }
        mtu 1500
        switch-port {
            interface eth1 {
            }
            interface eth2 {
            }
            interface eth3 {
            }
            interface eth4 {
            }
            vlan-aware disable
        }
    }
}
protocols {
    static {
        table 1 {
            route 0.0.0.0/0 {
                next-hop 10.8.254.1 {
                }
            }
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN {
            authoritative enable
            subnet 192.168.254.0/24 {
                default-router 192.168.254.1
                dns-server 192.168.254.1
                lease 86400
                start 192.168.254.20 {
                    stop 192.168.254.200
                }
            }
        }
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on switch0
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5001 {
            outbound-interface vtun0
            type masquerade
        }
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    host-name ubnt
    login {
        user ubnt {
            authentication {
                encrypted-password $6$passwordhash
            }
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}
FYI, the diff between the 1.9.0 configuration (works on 1.7 and 1.9) and the 1.7.0 configuration (works on 1.7 but keeps the router from booting in 1.9) is below (note this isn't a true diff, as I erased lines that contained sensitive information):
--- config.old/config.boot 2016-08-11 00:50:51.000000000 -0400 +++ config.works/config.boot 2016-08-11 23:13:03.000000000 -0400 @@ -5,15 +5,16 @@ ipv6-src-route disable ip-src-route disable log-martians enable modify SOURCE_ROUTE { rule 10 { action modify - description "default route through OpenVPN connection" modify { table 1 } source { - address 192.168.254.254/32 + address 192.168.254.10/32 } } } @@ -93,10 +94,6 @@ ethernet eth4 { description Local duplex auto - firewall { - in { - } - } speed auto } loopback lo { @@ -123,10 +120,15 @@ } mtu 1500 switch-port { - interface eth1 - interface eth2 - interface eth3 - interface eth4 + interface eth1 { + } + interface eth2 { + } + interface eth3 { + } + interface eth4 { + } + vlan-aware disable } } } @@ -145,20 +147,17 @@ disabled false hostfile-update disable shared-network-name LAN { - authoritative disable + authoritative enable subnet 192.168.254.0/24 { default-router 192.168.254.1 dns-server 192.168.254.1 lease 86400 - start 192.168.254.38 { - stop 192.168.254.243 - } + start 192.168.254.20 { + stop 192.168.254.200 } } } + use-dnsmasq disable } dns { forwarding { @@ -167,10 +166,12 @@ } } gui { + http-port 80 https-port 443 + older-ciphers enable } nat { - rule 5000 { + rule 5001 { outbound-interface vtun0 type masquerade }
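Review bot: in the first hunk (SOURCE_ROUTE rule 10), the removed `description "default route through OpenVPN connection"` was the only documentation of what the ruleset is for; keep a description on the rule rather than dropping it. The address change from 192.168.254.254/32 to 192.168.254.10/32 only works if the host is configured statically: both addresses sit outside the DHCP ranges in this diff (.38-.243 before, .20-.200 after), so a DHCP client would never be handed either. Note also that the rule sends the host to table 1, whose sole route (in the protocols section above) is a default via 10.8.254.1 with no blackhole entry; when vtun0 is down that route disappears, the table 1 lookup finds nothing, and the kernel falls through to the main table, so the "VPN-only" host quietly goes out eth0. Adding `route 0.0.0.0/0 blackhole distance 255` to table 1 makes it fail closed instead.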
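Review bot: the third hunk is the only place the two configs differ in syntax rather than in values: `interface eth1` becomes `interface eth1 { }` (and so on for eth2-eth4) and `vlan-aware disable` is added, all inside the switch0 stanza that carries the LAN address 192.168.254.1/24. If the 1.9.0 loader rejects the brace-less form, the whole switch0 node could fail to apply at boot, which would look exactly like the "unresponsive after reboot" behaviour described for the old config on 1.9.0. Test this hunk in isolation on 1.9.0 before chasing the PBR issue: apply only the switch-port change to the 1.7.0 config and see whether the router comes up.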
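Review bot: in the DHCP hunk, `authoritative enable` is the right setting when this router is the only DHCP server on the LAN (clients returning with a stale lease get a NAK instead of waiting out their timers), and the tighter .20-.200 pool keeps both the router's .1 and the PBR host's .10 out of the dynamic range. If the PBR host is meant to be DHCP-managed rather than hand-configured, add a `static-mapping` for its MAC under this subnet so the address that SOURCE_ROUTE rule 10 matches stays pinned. `use-dnsmasq disable` is consistent with the separate `dns forwarding` block that follows.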
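Review bot: in the last hunk, `+ http-port 80` and `+ older-ciphers enable` both weaken the management plane: the first serves the GUI over plaintext HTTP, the second re-enables legacy TLS cipher suites for the HTTPS GUI. Neither is needed by the PBR setup; they came in with the 1.9.0 wizard run. Set `older-ciphers disable` and drop the HTTP listener if the GUI is only ever reached over HTTPS. WAN_LOCAL's `default-action drop` already keeps both off eth0, so this is hardening of the LAN side. The `rule 5000` to `rule 5001` renumbering of the vtun0 masquerade is cosmetic; with distinct outbound interfaces the two NAT rules never overlap.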
Thanks for any help!
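As an added example (not code from the post above, and not anything shipped by Ubiquiti), here is a small Python linter for the indented config.boot format shown in the post. It parses the Vyatta-style brace syntax into nested dicts and cross-checks the pieces this PBR-through-VPN setup depends on: that the `modify` ruleset is applied to an interface, that the table it selects has a default route, whether that table has a `blackhole` fallback (without one, an unreachable next-hop lets the lookup fall through to the main table and the "VPN-only" host takes the WAN), and that the PBR source address lies inside the LAN subnet but outside the DHCP pool. `SAMPLE` is a constructed, trimmed copy of the 1.9.0 configuration above with the same addresses; the blackhole check assumes the stock EdgeOS static-route syntax (`protocols static table 1 route 0.0.0.0/0 blackhole`).

```python
# Added example (not from the post or from Ubiquiti): parse EdgeOS config.boot text
# and lint a PBR-through-VPN setup for the usual mistakes.
import ipaddress
import shlex

# Constructed sample, trimmed from the 1.9.0 config in the post (same addresses).
SAMPLE = """\
firewall {
    modify SOURCE_ROUTE {
        rule 10 {
            modify {
                table 1
            }
            source {
                address 192.168.254.10/32
            }
        }
    }
}
interfaces {
    switch switch0 {
        address 192.168.254.1/24
        firewall {
            in {
                modify SOURCE_ROUTE
            }
        }
    }
}
protocols {
    static {
        table 1 {
            route 0.0.0.0/0 {
                next-hop 10.8.254.1 {
                }
            }
        }
    }
}
service {
    dhcp-server {
        shared-network-name LAN {
            subnet 192.168.254.0/24 {
                start 192.168.254.20 {
                    stop 192.168.254.200
                }
            }
        }
    }
}
"""


def parse_config(text):
    """Containers -> dict, tag nodes ('rule 10 {') -> dict keyed by the tag, leaves -> str."""
    root = node = {}
    stack = []
    for line in map(str.strip, text.splitlines()):
        if line == "}":
            node = stack.pop()
        elif line.endswith("{"):
            name, *tag = shlex.split(line[:-1])
            stack.append(node)
            node = node.setdefault(name, {})
            if tag:  # tag node: one more level keyed by the tag value
                node = node.setdefault(tag[0], {})
        elif line:
            name, *value = shlex.split(line)
            node[name] = value[0] if value else None
    return root


def lint_pbr(cfg):
    """Findings for every 'modify table N' rule: attachment, default route, fallback, DHCP pool."""
    tables = cfg.get("protocols", {}).get("static", {}).get("table", {})
    attached = {n.get("firewall", {}).get("in", {}).get("modify"): (ifname, n.get("address"))
                for members in cfg.get("interfaces", {}).values() for ifname, n in members.items()}
    dhcp = cfg.get("service", {}).get("dhcp-server", {}).get("shared-network-name", {})
    pools = [(ipaddress.ip_address(a), ipaddress.ip_address(r["stop"]))
             for net in dhcp.values() for sub in net.get("subnet", {}).values()
             for a, r in sub.get("start", {}).items()]
    out = []
    for rs_name, rs in cfg.get("firewall", {}).get("modify", {}).items():
        ifname, lan = attached.get(rs_name, (None, None))
        if ifname is None:
            out.append(f"{rs_name}: not applied to any interface (firewall in modify)")
        for rnum, rule in rs.get("rule", {}).items():
            tag, table = f"{rs_name} rule {rnum}", rule.get("modify", {}).get("table")
            if table is None:
                continue
            routes = tables.get(table, {}).get("route", {})
            if "0.0.0.0/0" not in routes:
                out.append(f"{tag}: table {table} has no default route")
            elif "blackhole" not in routes["0.0.0.0/0"]:
                out.append(f"{tag}: table {table} has no blackhole fallback; if the next-hop is "
                           "unreachable (tunnel down) the lookup falls through to the main table")
            src = rule.get("source", {}).get("address")
            if src and lan:
                host = ipaddress.ip_network(src, strict=False)
                if not host.subnet_of(ipaddress.ip_network(lan, strict=False)):
                    out.append(f"{tag}: {src} is not inside {ifname} subnet {lan}")
                if any(a <= host.network_address <= b for a, b in pools):
                    out.append(f"{tag}: {src} is inside a DHCP pool; add a static-mapping or move it")
    return out


if __name__ == "__main__":
    print(*lint_pbr(parse_config(SAMPLE)), sep="\n")
```

Run it on a workstation (Python 3.7 or later) with a saved `show configuration` dump in place of `SAMPLE`. On the posted configuration it reports a single finding, the missing blackhole fallback in table 1, which is the one weakness both the 1.7.0 and the 1.9.0 configurations share; it says nothing about why the mark stops working on 1.9.0, which the config text alone cannot show.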