Split tunnel VPN

Hello,

Client is a Spitz AX, server is a Flint 2.

Currently I’m doing split tunnel by modifying the client configuration settings, changing the “Allowed IPs” from 0.0.0.0/0 to the CIDR I want routed over the VPN (only LAN ranges).

This keeps the router in Global Mode (instead of Policy Mode) and routes all DNS traffic primarily over the VPN (which I want) and drops back to the router-configured DNS servers if the tunnel goes down.

I noticed with the latest GUI update that maybe this is a case where I should do policy based routing on the client (Policy Mode instead of Global). I.e. not modify the VPN config but have that as routing all traffic, but then using the “To” setting of a VPN tunnel to “Specific Domains / IP List” and set the LAN ranges there. Would that give me the same behaviour with the DNS, and is either way better than the other?

Hello,

For firmware v4.8.x, the VPN function has been significantly updated compared to v4.7.x and previous firmware versions; v4.8.x has been reconstructed.
The behavior with the DNS is different from the previous. DNS will be diverted according to the "To" rule you set.

If the usage scenario is what you described, please do not upgrade to the v4.8.x firmware of the VPN client router Spitz AX now.

We are evaluating adding support for this scenario to newer v4.8 firmware, please allow us some time.


Thanks, I only do the official pushed updates so the Spitz is on 4.0 0803release.

Now your Spitz version is v4.8.3 :joy:

Do the current VPN functions meet your usage scenarios?

Ooh, didn’t realize. :slight_smile: Why don’t you have it as a semantic version for the Spitz?

Anyway, I have some problems with packets from the Spitz to my Flint being dropped for some reason (other way works fine). I think it’s size related somehow but am not sure how to troubleshoot it. I have a ticket with the support though so I think we’ll figure it out. I think it’s related to my “manual” split tunnel somehow.

Because of some carrier certifications, it requires a "fixed" (seemingly) firmware version.

It means that some network packets from VPN client to VPN server are abnormal?
What is the phenomenon? How to reproduce the issue?

I have hosts on each LAN (Spitz and Flint). The host on the Spitz LAN can browse the website on the Flint host but not the other way around. The TCP connection is established and the GET request reaches the Spitz host but none of the response packets reach the Flint host. It just continues to send the request which reaches the Spitz host which in turn tries to resend the response packets.

Pinging works fine in both directions and the SYN-ACK from the Spitz to the Flint host is received. Also MQTT communication between them works fine (small packet size) but the full-size HTTP response packets never reach the Flint host for some reason. Quite weird. If I connect with my Beryl to the Flint I can browse both hosts so it has something to do with the Spitz → Flint LAN connection. Also I can browse the Spitz router GUI from the Flint LAN host so that’s not a problem. But getting a response from the host on the Spitz LAN sometimes is a problem.

Little strange.
Try manually entering an MTU for Spitz's WG client, such as 1380 or smaller.

And enable the IP Masquerading too.

I know, very strange. The TCP MSS is set to 1380 on both ends so it looks alright. The response packets are only 1344 bytes so they should fit just fine.

I can see all response packets hit the LAN interface of the Spitz but only the TCP ACK leaves the wgclient1 interface. The other packets are dropped by the router for some reason. I'm just not sure how to debug that.
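To make the two things this thread turns on concrete, here is an added example (not from the thread or from GL.iNet): which destinations a WireGuard AllowedIPs list sends into the tunnel, and how much room a WAN MTU leaves for the inner packet and the TCP MSS. The LAN ranges and MTU values in it are constructed, and the function names are the example's own.

```python
import ipaddress

# WireGuard only sends a packet into the tunnel when its destination matches
# one of the peer's AllowedIPs (cryptokey routing), and the router installs
# routes for the same prefixes. Narrowing AllowedIPs from 0.0.0.0/0 to the
# remote LAN ranges is therefore the whole split-tunnel decision.
def parse_allowed_ips(allowed):
    """Parse the comma-separated AllowedIPs value of a [Peer] section."""
    return [ipaddress.ip_network(p.strip(), strict=False)
            for p in allowed.split(",") if p.strip()]

def via_tunnel(allowed_ips, dst):
    """Return the most specific AllowedIPs prefix covering dst, or None when
    dst stays on the router's ordinary WAN route."""
    addr = ipaddress.ip_address(dst)
    hits = [n for n in allowed_ips if addr in n]
    return max(hits, key=lambda n: n.prefixlen, default=None)

# Per-packet overhead WireGuard adds around the inner packet:
# outer IP header + UDP header + 32-byte WireGuard data header and auth tag.
WG_OVERHEAD = {4: 20 + 8 + 32, 6: 40 + 8 + 32}
TCP_IPV4_HEADERS = 40  # 20-byte IPv4 header + 20-byte TCP header, no options

def tunnel_mtu(outer_mtu, transport_version=4):
    """Largest inner packet that fits the WAN MTU without fragmenting."""
    return outer_mtu - WG_OVERHEAD[transport_version]

def max_mss(inner_mtu):
    """TCP MSS to clamp to so a full segment fits the tunnel MTU."""
    return inner_mtu - TCP_IPV4_HEADERS

def fits_tunnel(ip_packet_len, inner_mtu):
    """True if an inner IP packet of ip_packet_len bytes fits the tunnel."""
    return ip_packet_len <= inner_mtu

if __name__ == "__main__":
    # Constructed values: two remote LAN ranges behind the tunnel versus a
    # full-tunnel list; 1380 mirrors the MTU value suggested in the thread.
    lan_only = parse_allowed_ips("192.168.8.0/24, 10.10.0.0/16")
    full = parse_allowed_ips("0.0.0.0/0")
    for dst in ("192.168.8.20", "1.1.1.1"):
        print(dst, "split:", via_tunnel(lan_only, dst),
              "full:", via_tunnel(full, dst))
    inner = 1380
    print("WAN MTU 1500 leaves an inner MTU of", tunnel_mtu(1500))
    print("tunnel MTU", inner, "allows MSS", max_mss(inner))
    print("1344-byte inner packet fits:", fits_tunnel(1344, inner))
```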

Hello,

  1. SSH login to Spitz and execute this to add a route:
     # Assume the Spitz LAN is 192.168.11.0/24. Please modify it according to your network information:
     ip route add 192.168.11.0/24 dev wgclient1
  2. Please try to downgrade the firmware version to v4.7.x and check again.