Mac Based VPN Policy is blocking access to domains

TL;DR MAC Based policy is screwing with certain domains on devices not being routed over the VPN

Ok so this is one that has been annoying to debug but i managed to find the root cause being the policy.

I am running the GL router behind another router (ISP). When connected to the ISP router with a device i can use the internet and visit various domains with no issue. when i am behind the GL router which has a MAC BASED VPN Policy in place, my devices that are not in this list are not able to load certain websites such as amazon.co.uk or bbc news. Yet i can google to my hearts content.

If i turn these policies off and disconnect from the VPN all is good. (I am using NordVPN OpenVPN)

Has anyone got any idea why this is happening as i wanted to use the VPN Policies to route one MAC Address over the VPN and leave the rest of the network untouched.

EDIT:

Router: GL-AR300M
Firmware: 3.024

I have updated my OpenVPN client config to include route-nopull and this might have fixed it but need to verify.

edit: Seems the issue persists

might relate to VPN Policy-Based Routing + Web UI -- Discussion - #429 by Dewey - Community Builds, Projects & Packages - OpenWrt Forum

ok so the above link is to a different package. glinet have their own route policy called gl-route-policy which is what is throwing this issue. I have found another thread similar but again seems to go cold turkey around Dec. VPN Policies Issues - #17 by wildtang3nt

I can’t remember where exactly, but I rdo emember reading that they were on the case and in newer firmwares this will be fixed.

I am currently on 3.101 and VPN policies is not working as expected or in a usable manner.

I am hoping that next stable firmware update addresses this so that I can use this feature too.

ok thanks, i’m running 3.0.24 currently (the one thats available for GL-AR300M) but i just downloaded their image builder and i can compile a version for 3.0.27.

I do find it weird that actually on my router web ui the VPN policies show up but this is not the same as the gl-route-policy so am i correct in assuming that the VPN policies are actually a part of gl-vpn? I think the gl-* stuff is closed source though as i can’t seem to find it on their github

So i have compiled the image for 3.0.27 using the image_builder . (For those interested i can throw the Vagrant file up i used to spin up a Ubuntu box locally)

I then ran

# change directory and compile the image for my router
cd gl_imagebuilder && ./gl_image -p ar300m

# run `./gl_image -l` to see a list of all available images

I then uploaded the .tar file to my router and upgraded to 3.0.27 and it appears to be working. But will report back

VPN policies turns to have problem with speedtest dot net etc. which heavily relay CDN. But the latest beta firmware (3.10x) should works fine.

how do i go about trying that? Since i have the image_builder from the glinet org on github. Can’t seem to see it in there, unless its on a different branch?

Sorry for AR300M the firmware are still old. You can find here GL.iNet download center

Yes thanks, although the versions in ar300m is infact 0.0.3 behind. Since the image i have build for ar300m from image-builder comes out as 3.0.27. Is there a roadmap we can see of when support for 3.10x would be released for public consumption?

What I always do is and I had this in every v3 firmware I think but couldn’t solve it until recently, I made it a habit to set a “victim” mac address, some device I connect and then block from VPN usage there, after that the config really works reliable. If it’s completely empty somehow not.