Access LAN services through real IP with active VPN client

Thanks for coming back for this issue.
I just upgraded to the latest 4.2.1 snapshot firmware (from 2023-03-30) and it’s still not working with the VLAN policy.
I’ll send my iptables in private message.

Hi, in the firmware 4.2.1 release (GL.iNet download center), port forwards and local services can be accessed while the VPN policy is on.

Hi, thanks for the update.
However, I just tested it: I installed 4.2.1 beta4 without keeping settings to have a fresh install, set all my settings again, and it’s still not working. My local service responds from the Internet when the VPN client is off, and as soon as I turn it on it is not reachable anymore.

Thank you for reporting. Confirmed: the firmware packaging is missing a script.
Add it manually with this command:

cat >/etc/firewall.swap_wan_in_conn_mark.sh <<'EOF'
#!/bin/sh
# Re-insert the wan_in_conn_mark rule at the head of the mangle PREROUTING chain,
# so it runs before the VPN policy marking rules (-A appends, -I inserts at the top).

iptables-save -t mangle |sed '/wan_in_conn_mark/ s/-A PREROUTING/-I PREROUTING/' | iptables-restore -T mangle
EOF

I just tested it and it works very well. Thank you!

Hello,

The router interface just prompted me to upgrade to 4.2.3 release5, which I did, and then this was not working anymore.
I had to manually redo this command to make it work again, so it seems the script is still missing.

Could you add it for the next updates?
Thanks

1 Like

That script is installed in 4.2.3 release5, but another issue was found: you need to apply the policy mode setting after the VPN client is toggled on, otherwise the port forward rule will not work. That’s buggy; we’ll fix it later.

Hi, I found the solution. Please revise the script with this command:

cat >/etc/firewall.swap_wan_in_conn_mark.sh <<'EOF'
#!/bin/sh
# Match every *_in_conn_mark rule (not only wan_in_conn_mark) and move it to the
# head of the mangle PREROUTING chain by turning the append into an insert.

iptables-save -t mangle |sed '/_in_conn_mark/ s/-A PREROUTING/-I PREROUTING/' | iptables-restore -T mangle
EOF
1 Like
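The two scripts above both rely on one property of iptables-restore: `-A` appends a rule to the end of a chain, while a bare `-I` inserts it at position 1, so rewriting the conn-mark rule's `-A` to `-I` guarantees it runs before the VPN policy marking rules. The following added example (not code from the thread or from GL.iNet) reproduces that transformation on a constructed, offline `iptables-save -t mangle` dump and emulates the resulting chain order, so you can see the rule move without touching a live router. The sample rules, comments and mark values are assumptions made up for the demonstration.

```shell
#!/bin/sh
# Constructed sample of `iptables-save -t mangle` output (not a real router dump).
# The VPN policy rule comes first, the conn-mark restore rule second: the broken order.
sample_dump() {
cat <<'EOF'
*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -m comment --comment "vpn_policy" -j MARK --set-xmark 0x1/0x1
-A PREROUTING -i eth0 -m comment --comment "wan_in_conn_mark" -j CONNMARK --restore-mark --nfmask 0xc000 --ctmask 0xc000
COMMIT
EOF
}

# The fix from the thread: rewrite matching -A lines to -I so iptables-restore
# inserts them at the head of PREROUTING instead of appending them.
swap_to_insert() {
  sed '/_in_conn_mark/ s/-A PREROUTING/-I PREROUTING/'
}

# Emulate how iptables-restore builds a chain from a dump: -A appends at the end,
# -I without an index inserts at position 1. Prints the PREROUTING rules in the
# order the kernel would evaluate them, one per line.
resulting_order() {
  awk '
    /^-A PREROUTING/ { n++; rules[n] = $0; next }
    /^-I PREROUTING/ { for (i = n; i >= 1; i--) rules[i + 1] = rules[i]; rules[1] = $0; n++; next }
    END { for (i = 1; i <= n; i++) print rules[i] }
  '
}

# Helpers returning the first rule evaluated before and after applying the fix.
first_rule_before_fix() {
  sample_dump | resulting_order | head -n 1
}

first_rule_after_fix() {
  sample_dump | swap_to_insert | resulting_order | head -n 1
}

# Returns 0 when the conn-mark rule would be evaluated first after the fix.
conn_mark_runs_first() {
  first_rule_after_fix | grep -q '_in_conn_mark'
}

# Show the final PREROUTING order after the fix.
sample_dump | swap_to_insert | resulting_order
```

On a real router the same check is `iptables -t mangle -S PREROUTING | head -n 1`: after the script has run, the first line printed should be the `*_in_conn_mark` CONNMARK rule; if it is a VPN policy rule instead, the script did not run (or ran before the firewall rewrote the chain), which is exactly the symptom reported after each firmware upgrade in this thread.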

@hansome This no longer works after upgrading to v4.5.0

1 Like

A package was missed when we switched from mwan3 to kmwan:

opkg update
opkg install iptables-mod-conntrack-extra
/etc/init.d/firewall restart
1 Like

Hi @hansome
Unfortunately, it didn’t work. On my Flint, it broke the internet. It became EXTREMELY SLOW, to the point most webpages won’t even load. I tried restarting the router, no help.

Then I ran opkg remove iptables-mod-conntrack-extra; /etc/init.d/firewall restart, then, it fixed the problem of slow internet.

In both cases, I still can’t access LAN services through real IP with active VPN client ON.

Please export the log for analysis: http://192.168.8.1/#/logview

@hansome

Please see the attached log. Please note that some sensitive information is redacted.
logread.zip (31.8 KB)

These commands do not need to be entered manually for firmware 4.5:

uci set firewall.wan_in_conn_mark=rule
...
uci set firewall.wan_in_conn_mark.set_xmark='0x80000/0x80000'
...

To revert that:

sh /rom/etc/uci-defaults/99-vpnpolicy
uci commit
/etc/init.d/firewall reload

See if it fixes your issue.

Was this specific to @briar-spoon-celibate’s configuration, or does this need to be updated for everyone in addition to installing the iptables-mod-conntrack-extra package?

1 Like

You only need to install the iptables-mod-conntrack-extra package.
The correct firewall mark is 0x8000/0xc000, like the following:

root@GL-AX1800:~# uci get firewall.wan_in_conn_mark.set_xmark
0x8000/0xc000

It worked. Thanks.
Do you mind expanding why we no longer need those rules?

We have had those rules written in the firewall since firmware 4.4.6, but missed the supporting package (iptables-mod-conntrack-extra) in firmware 4.5. :sweat:
And 4.5 changed the mark from 0x80000 to 0x8000, to make it compatible with upstream tailscale.

Hotfix when?

3 Likes

We’ll evaluate releasing a minor version to address this ASAP.

4 Likes