![]() ![]() Verify whether the internal server has been built successfully. For Windows PC, disable the firewall for public and private network will be helpful.Ģ). In general, Firewall thinks VPN packets is unsecure, so PC may block these packets. Firstly check the Firewall and Anti-Virus software on the internal servers. If you want to prevent remote access as well remove -state NEW from those rules.Archer C1200, Archer C5400, Archer A2600, Archer AX55, Archer C4, Archer C5200, Archer AX53, Archer C5, Archer AX10, Archer C2, Archer AX51, Archer AX96, Archer A2200, Archer C6U, Archer AXE95, Archer C8, Archer AX10000, Archer C3150, Archer C9, Archer AX50, Archer C7, Archer AX90, Archer AX6000, Archer C5400X, Archer C25, Archer C24, Archer A20, Archer C60, Archer C2600, Archer A1200, Archer C21, Archer C20, Archer AX1800, Archer AX206, Archer C59, Archer C58, Archer AX4200, Archer C3200, Archer C900, Archer A2, Archer AX75, Archer AX4400, Archer C3000, Archer AX73, Archer C50, Archer A10, Archer A54, Archer AX4800, Archer C50, Archer C1900, Archer C55, Archer C54, Archer A2300, Archer C20i, Archer AXE75, Archer A6, Archer A7, Archer AX72, Archer AXE200 Omni, Archer A5, Archer GX90, Archer A9, Archer AX68, Archer C2300, Archer AX5300, Archer C1210, Archer AX23, Archer AX3000 Pro, Archer AX20, Archer C4000, Archer AX21, Archer A3000, Archer C2700, Archer C7i, Archer AXE300, Archer AX1500, Archer C90, Archer AX60, Archer AX11000, Archer AX3200, Archer AX3000ġ). ![]() By checking for NEW, we’re preventing those devices from initiating outbound connections, but not preventing them from being accessed remotely and sending replies through the WAN (at least when the VPN is down). The state of the connection checked for is NEW.In contrast, REJECT causes the client to quit IMMEDIATELY. DROP doesn’t respond and requires the client to timeout, which can be annoying for users. It uses REJECT instead of DROP since the former it’s a bit friendlier than the latter.Iptables -I FORWARD -p tcp -s 192.168.1.128/25 -o $(nvram get wan_iface) -m state -state NEW -j REJECT -reject-with tcp-reset Now for the second part of the problem, which is denying WAN access to devices that should be on VPN when the VPN is off/fails can be done by entering the following commands in the Save Firewall section: iptables -I FORWARD -s 192.168.1.128/25 -o $(nvram get wan_iface) -m state -state NEW -j REJECT -reject-with icmp-host-prohibited ![]() The devices that should not go thru the VPN should get a static IP 127 thru the VPN).All devices I want on the VPN are assigned static IPs >127.Note that due to a bug in DD-WRT the IP of the router itself cannot be on this list. You have to enter in here the devices which you DO want to go thru the VPN. It is one of the fields where you specify details for the OpenVPN connection. Policy based routing is the proper way to accomplish the selective VPN tunneling part of the problem. Someone in the DD-WRT forum helped me solve this in the best possible (simplest) way. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |