Slate AX Kill Switch [ Security Problems ]

Hello! My router recently arrived and yesterday I was configuring it.

I have installed a VPN client (with NordVPN) and I have set the VPN policy to be based on VLAN (I just want the traffic from the Wi-Fi guest network to go through the VPN).

The problem comes when I activate the kill switch (called in this version: Block non-VPN Traffic).

Since I have selected that the normal network's traffic does not go through the VPN, if I activate “Block non-VPN Traffic” then the normal Wi-Fi network stops having access to the internet because of the kill switch.

It seems that the kill switch has a higher priority than the VPN policy, and this should not be the case.

The kill switch becomes unusable. In previous versions and on other routers (Beryl for example) this didn’t happen.

Please, I need help with this. I need to use the VPN without running the risk of a leak because I don’t have a kill switch.

Any suggestions with this problem?

I have tried several ideas using LuCI but nothing worked. :sweat_smile:

Someone had a similar issue, also using the v4 firmware but on the Flint, here; they had to revert to firmware v3. There is no v3 for the Slate AX, so this needs to be looked into.

Thank you for your reply! :blush:

I see that it is a problem related to the base of the firmware, rather than a specific problem of the router.

I would also go back to version 3.x if I could. This seems to me to be a pretty big mistake and makes me unable to use that router.

The Killswitch has the highest priority now.

You do not want to have a leak, only on the guest Wi-Fi? Just enabling the VPN for the guest Wi-Fi without the kill switch is OK.

It’s not a solution. If I lose the connection to the VPN server then the Wi-Fi network with VPN will still have internet.

No. If you lose the connection you should not have Internet. The VPN comes with a kill switch itself.

@alzhao This information is false, I just checked it.

In the image you can see how the VPN is set to “Enable” but it hasn’t connected yet.

In turn, you can see how the mobile (connected to the guest network where the VPN is enabled) HAS INTERNET and is NOT connected to the VPN (because the router has not yet connected).

It is clear from this test that the alleged kill switch that comes with the VPN does NOT work (or does not exist).

I am very afraid to think that there are such serious security errors in a router designed precisely to make our network more secure.

I hope this is solved ASAP.

What?? Is this real? You have internet with the kill switch enabled and no VPN connection yet?
Glint this is bad.
Also why change the name of the Kill switch, so confusing!

Try it yourself.

It’s a serious security flaw :confused:

This is mine.

I connected my phone on the guest wifi and I don’t have Internet. Cannot access any website.

I am using a firmware compiled on 2022-06-27
You can download it here: Dropbox - openwrt-ipq807x-glinet_axt1800-squashfs-sysupgrade.tar

1 Like

No. The posted screenshot does not have Global Killswitch enabled.

Also I tested and don’t have this bug in my firmware. Maybe just old firmware.

THIS HAS WORKED! It is clear that it was a problem with the version that came with the router itself (which had been compiled prior to this one that you have shared with me).

I am very grateful for the attention and speed in finding the problem and finally giving me a solution!

Thank you! :blush:

2 Likes

Have I got the correct link to your GitHub, https://github.com/gl-inet/gl-infra-builder/releases? The latest release on GitHub is 2022-06-03.

This version is the one that was installed on the router.

I’m having a similar issue to the one @mister_mst was having (although I’m using device based policy rather than VLAN).

Basically I only want my MacBook to always connect through VPN and if VPN is not available, access to the internet should be blocked but only on this one device. I am using the WireGuard protocol with PrivateInternetAccess VPN.

My problem is that when the “Block non-VPN Traffic” option is enabled, the devices on the exception list that are NOT using VPN don’t have access to the internet at all, and based on this thread I was under the impression that the exception list would bypass the “kill switch” setting.

I guess since “Block non-VPN Traffic” option is a global setting, it may not make a difference if there is an exception list but again, since the behavior described by @mister_mst seemed to work with the firmware update (which I also performed), I thought I would have the same luck.

I did try the VLAN option to have the MacBook only connect to the private network and everything else to the Guest network but it still didn’t work when “Block non-VPN Traffic” was enabled.

I don’t have the option activated to block all VPN traffic.

As described by technical support above, the VPN connection has an internal Kill-Switch that works every time the connection to the VPN is lost (causing the computer not to have an internet connection if the VPN is not connected).

The “Block-Non-VPN-traffic” will not let you browse with your computers that are not connected to the VPN.

Ah ok, I thought you still had that option enabled. I understand the behavior now and I was able to test it by checking access while the VPN was connecting like you did in your screenshot. Thanks for the clarification!

New account for this post. I’ve got the Flint, so my journey is as follows: I kept getting “hostapd: ath0: STA MACADRESS IEEE 802.11: disassociated” and all my wifi goes down every 10 mins for the past few weeks.
So in a last ditch before I return it, “I’ll upgrade to the beta”, and it is better in most ways, but what is this “built in kill switch”? No it’s not, because all it does is soft drop that active task; if you refresh the page you will request a connection and the router grants it, so all that’s going to happen is you will just refresh on a device because it didn’t respond and boom, just like that, DNS leak!!!

So for the name of the router I’m aptly “stuck between a rock and a hard place” :D:D:D:D

I stay on sub 4.0 beta firmware and wifi drops out like all day every day all day every day,

or I put up with my router silently killing my P2P connections that are going through a vpn router to be set and forget,

There has to be a more robust fork of VPN policies that was taken away, because I will not be trusting the “in the background” kill switch, because it does not work. Be good if we could find a way to ssd and get VPN policies that work, or a built in kill switch that really does kick an IP or MAC address once there has been a VPN related network change…

Have a great day all!!

Help!

@alzhao

OMG We need a real solution!

The main feature of the product is safety.

It is not permissible for such a product to have these security flaws :confused: