Channel: MyOpenRouter - R7000/R7000P Open Source Firmware

"ip rule add fwmark ..." not working in latest Kong build


I've loaded the latest Kong release (06-30-2015) on my router and have successfully configured the router to create a VPN connection and set up a policy to route a specific LAN IP address through that VPN, using the seemingly common setup of configuring a new route table with a default route for the VPN gateway and a simple "ip rule add from ... via ..." policy.  So, I know my VPN and additional route table are set up properly.

Here's where I'm having trouble.  I want to exclude certain traffic from this IP address from passing through the VPN.  From what I've seen this is best accomplished by using the iptables mangle table to mark traffic with a few bits and then setting up a rule to route that traffic through the VPN.  But I'm having no luck getting that to work.

Here are the key bits I've got in place attempting to accomplish a basic proof of concept for this right now (from memory - I'm not at home to see my exact setup at the moment).  And note that this is just trying to get ALL traffic from an IP to flow through the new table using marks/mangle rather than the "from <ip>" rule:


    # dedicated table whose default route points at the VPN
    ip route add default via <vpn_ip> dev <vpn_if> table 200
    # packets carrying mark 0x7 are looked up in that table
    ip rule add fwmark 0x7 table 200
    # mark everything from the LAN host before the routing decision
    iptables -I PREROUTING -t mangle -s 192.168.1.5 -j MARK --set-mark 0x7
    # source NAT on the VPN side
    iptables -A POSTROUTING -t nat -o <vpn_if> -j MASQUERADE

As far as I can tell, the mangle/marking is happening because iptables output shows packets being affected by the mangle/mark entry.  But the ip rule to route marked traffic to the new VPN table doesn't seem to work at all, because traffic still flows over the standard ISP gateway.  And I know my table setup works because if I use the "ip rule add from <ip> ..." method without marking anything, then traffic from that LAN IP is routed over the VPN gateway as expected.

My first thought is that some other ip rule catches that traffic first, but with "ip rule show" and "ip rule list" returning nothing (by design in DD-WRT, I believe), I really don't know where to go from here.

Can anyone point me in the right direction?
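The following script is an added example and is not part of the original post or of the Kong/DD-WRT firmware. It shows the same mark-based policy routing the post describes, extended to the poster's actual goal (an exclusion list of destinations that stay on the ISP path), together with the checks a practitioner would want: an explicit rule priority so the fwmark rule is known to sit ahead of the main table, a mark mask so other firmware marks in the packet are left alone, loose reverse-path filtering on the VPN interface, a route-cache flush for older kernels, and a parser for "ip rule show" output that confirms the rule was actually installed. Interface names (br0, tun1), the VPN gateway 10.8.0.1, the exclusion prefixes and the probe address are placeholders, and the "ip route get ... mark" check assumes a full iproute2 rather than the BusyBox applet.

```shell
#!/bin/sh
# Added example, not from the original post: mark-based policy routing with an
# exclusion list, plus a check that the fwmark rule really exists ahead of "main".
# Placeholder assumptions: br0 is the LAN bridge, tun1 the VPN interface,
# 10.8.0.1 the VPN gateway, 192.168.1.5 the client, table 200, mark 0x7.
LAN_IF=br0
VPN_IF=tun1
VPN_GW=10.8.0.1
CLIENT=192.168.1.5
TABLE=200
MARK=0x7
MASK=0xf      # match/set only the low nibble so other firmware marks survive
PREF=100      # explicit priority; "main" sits at 32766, lower numbers win
EXCLUDE="192.168.0.0/16 203.0.113.0/24"   # constructed: destinations kept on the ISP path
DRY_RUN=${DRY_RUN:-1}   # default only prints the commands; DRY_RUN=0 applies them (root)

run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }

setup_policy_routing() {
    # 1. Dedicated table: its default route points at the VPN.
    run ip route replace default via "$VPN_GW" dev "$VPN_IF" table "$TABLE"

    # 2. Rule: packets carrying the mark consult that table. Delete any stale
    #    copy first so repeated runs do not stack duplicate rules.
    run ip rule del fwmark "$MARK/$MASK" lookup "$TABLE" 2>/dev/null
    run ip rule add fwmark "$MARK/$MASK" lookup "$TABLE" pref "$PREF"

    # 3. Mark in mangle PREROUTING, where forwarded LAN packets are seen before
    #    the routing decision. Excluded destinations RETURN unmarked, so they
    #    fall through to the main table and leave via the ISP gateway.
    run iptables -t mangle -N VPNMARK 2>/dev/null
    run iptables -t mangle -F VPNMARK
    for dst in $EXCLUDE; do
        run iptables -t mangle -A VPNMARK -d "$dst" -j RETURN
    done
    run iptables -t mangle -A VPNMARK -j MARK --set-mark "$MARK/$MASK"
    run iptables -t mangle -D PREROUTING -i "$LAN_IF" -s "$CLIENT" -j VPNMARK 2>/dev/null
    run iptables -t mangle -I PREROUTING -i "$LAN_IF" -s "$CLIENT" -j VPNMARK

    # 4. Source NAT on the VPN side.
    run iptables -t nat -D POSTROUTING -o "$VPN_IF" -j MASQUERADE 2>/dev/null
    run iptables -t nat -A POSTROUTING -o "$VPN_IF" -j MASQUERADE

    # 5. Loose reverse-path filtering on the VPN interface so replies arriving
    #    over it are not dropped, then flush the route cache (older kernels).
    run sh -c "echo 2 > /proc/sys/net/ipv4/conf/$VPN_IF/rp_filter"
    run ip route flush cache
}

# Parse "ip rule show" output ($1); print the preference of the rule whose
# fwmark equals $2. Returns 1 when no such rule is listed.
rule_pref_for_mark() {
    printf '%s\n' "$1" | {
        while IFS= read -r line; do
            case "$line" in
                *"fwmark $2/"*|*"fwmark $2 "*|*"fwmark $2") echo "${line%%:*}"; exit 0 ;;
            esac
        done
        exit 1
    }
}

# Succeeds only when the fwmark rule exists and precedes "main" (pref 32766).
fwmark_rule_precedes_main() {
    pref=$(rule_pref_for_mark "$1" "$2") || return 1
    [ "$pref" -lt 32766 ]
}

if [ "${1-}" = apply ]; then
    setup_policy_routing
    rules=$(ip rule show)
    fwmark_rule_precedes_main "$rules" "$MARK" && echo "fwmark rule is active" \
        || echo "fwmark rule missing or below main; inspect 'ip rule show'" >&2
    # Full iproute2 only: ask the kernel which route a marked packet would take.
    ip route get 8.8.8.8 from "$CLIENT" iif "$LAN_IF" mark "$MARK"
fi
```

Run it as "sh script.sh apply" to print the commands, or "DRY_RUN=0 sh script.sh apply" as root to install them. If "ip rule show" lists the main and local rules but never the fwmark one even after the add command returned success, the rule was not installed by that ip binary, and that is the first thing to verify before looking for a competing rule.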

