I suggest you just change to release, that's what I did.
I'm pleased to report, latest version with web interface configuration of DSCP tag routing is working great for me
If you have access to the packages (like dnsmasq-full, etc) built for your specific snapshot -- install them. If not -- switch from snapshot to the release build.
Have you updated your packages feeds, so your router is aware of what is available to it?
@stangri, how do you add multiple ip ranges to a rule without creating a separate rule for each ip range ?
One IP range per rule I'm afraid.
Packages are now in custom repo (https://stangri.github.io/openwrt-repo/), making installs/updates easier.
Hey @stangri
Really sorry for the late response. Just managed to collect the data for you - been away for some time. Here you go:
openvpn-policy-routing 4.1.3-3 running on LEDE 17.01.0-rc2
============================================================
Dnsmasq version 2.76 Copyright (c) 2000-2016 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC no-ID loop-detect inotify
============================================================
Routes/IP Rules
default cpc117248-ldry4 0.0.0.0 UG 10 0 0 eth0
default 10.3.28.1 0.0.0.0 UG 20 0 0 tun0
default 10.3.37.1 0.0.0.0 UG 50 0 0 tun1
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
============================================================
IP Tables
iptables: No chain/target/match by that name.
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN /* !fw3: wan (mtu_fix) */ TCPMSS clamp to PMTU
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN /* !fw3: VyprVPN (mtu_fix) */ TCPMSS clamp to PMTU
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN /* !fw3: PIAUK (mtu_fix) */ TCPMSS clamp to PMTU
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
============================================================
Domain-based routing settings
dnsmasq.cfg02411c.ipset: /whatismyip.com/tun0route
============================================================
Existing IPSets
create wanroute hash:ip family inet hashsize 1024 maxelem 65536
create tun0route hash:ip family inet hashsize 1024 maxelem 65536
create tun1route hash:ip family inet hashsize 1024 maxelem 65536
create wanlist list:set size 8
add wanlist wanroute
create tun0list list:set size 8
add tun0list tun0route
create tun1list list:set size 8
add tun1list tun1route
============================================================
I hope you figure it out!
A few things which are puzzling about that:
So it looks like OPR is spectacularly failing on your router to set things up. Do you get any errors at all while it's loading/reloading? Can you update to the latest version of OPR and run some things from CLI?
My bad. Actually stopped service then ran it with support option.
I just reran it with support option while it's running now:
openvpn-policy-routing 4.1.3-3 running on LEDE 17.01.0-rc2
============================================================
Dnsmasq version 2.76 Copyright (c) 2000-2016 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC no-ID loop-detect inotify
============================================================
Routes/IP Rules
default cpc117248-ldry4 0.0.0.0 UG 10 0 0 eth0
default 10.3.28.1 0.0.0.0 UG 20 0 0 tun0
default 10.3.37.1 0.0.0.0 UG 50 0 0 tun1
32749: from all fwmark 0x30000 lookup 202
32750: from all fwmark 0x20000 lookup 201
32751: from all fwmark 0x10000 lookup 200
============================================================
IP Tables
OVPBR_MARK all -- anywhere anywhere [goto] mark match 0x0/0xff0000
-N OVPBR_MARK
-A OVPBR_MARK -s 192.168.6.0/24 -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A OVPBR_MARK -s 192.168.5.0/24 -c 0 0 -j MARK --set-xmark 0x30000/0xff0000
-A OVPBR_MARK -s 192.168.4.0/24 -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A OVPBR_MARK -s 192.168.3.0/24 -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A OVPBR_MARK -s 192.168.1.0/24 -c 297 28023 -j MARK --set-xmark 0x10000/0xff0000
-A OVPBR_MARK -m set --match-set wanroute dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A OVPBR_MARK -m set --match-set tun0route dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A OVPBR_MARK -m set --match-set tun1route dst -c 0 0 -j MARK --set-xmark 0x30000/0xff0000
============================================================
Domain-based routing settings
dnsmasq.cfg02411c.ipset: /whatismyip.com/tun0route
============================================================
Existing IPSets
create wanroute hash:ip family inet hashsize 1024 maxelem 65536
create tun0route hash:ip family inet hashsize 1024 maxelem 65536
create tun1route hash:ip family inet hashsize 1024 maxelem 65536
create wanlist list:set size 8
add wanlist wanroute
create tun0list list:set size 8
add tun0list tun0route
create tun1list list:set size 8
add tun1list tun1route
============================================================
To elaborate on the situation, in case you forgot (because it's been a long time), policy-based rules are being honoured while domain-based ones are totally ignored.
For example, for the above config, I still access whatismyip.com via wanroute.
Output from latest version:
openvpn-policy-routing 4.1.4-12 running on LEDE 17.01.0-rc2. WAN (IPv4): wan/80.3.240.1.
============================================================
Dnsmasq version 2.76 Copyright (c) 2000-2016 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC no-ID loop-detect inotify
============================================================
Routes/IP Rules
default cpc117248-ldry4 0.0.0.0 UG 10 0 0 eth0
default 10.3.28.1 0.0.0.0 UG 20 0 0 tun0
default 10.3.37.1 0.0.0.0 UG 50 0 0 tun1
32754: from all fwmark 0x30000 lookup 202
32755: from all fwmark 0x20000 lookup 201
32756: from all fwmark 0x10000 lookup 200
============================================================
IP Tables
OPR_CHAIN all -- anywhere anywhere [goto] mark match 0x0/0xff0000
-N OPR_CHAIN
-A OPR_CHAIN -s 192.168.6.0/24 -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A OPR_CHAIN -s 192.168.5.0/24 -c 0 0 -j MARK --set-xmark 0x30000/0xff0000
-A OPR_CHAIN -s 192.168.4.0/24 -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A OPR_CHAIN -s 192.168.3.0/24 -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A OPR_CHAIN -s 192.168.1.0/24 -c 354 38517 -j MARK --set-xmark 0x10000/0xff0000
-A OPR_CHAIN -m set --match-set wanroute dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A OPR_CHAIN -m set --match-set tun0route dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A OPR_CHAIN -m set --match-set tun1route dst -c 0 0 -j MARK --set-xmark 0x30000/0xff0000
============================================================
IPv6 Tables
OPR_CHAIN all anywhere anywhere [goto] mark match 0x0/0xff0000
-N OPR_CHAIN
============================================================
Domain-based routing settings
dnsmasq.cfg02411c.ipset: /whatismyip.com/tun0route
============================================================
Current ipsets
create wanroute hash:ip family inet hashsize 1024 maxelem 65536
create tun0route hash:ip family inet hashsize 1024 maxelem 65536
create tun1route hash:ip family inet hashsize 1024 maxelem 65536
create wanlist list:set size 8
add wanlist wanroute
create tun0list list:set size 8
add tun0list tun0route
create tun1list list:set size 8
add tun1list tun1route
============================================================
Thank you for the follow up. The rules seem to be in order, however I'm still not seeing dnsmasq adding whatismyip.com IP address to the tun0route.
Did you run the support command before or after trying to access whatismyip.com?
The problem seems to be with dnsmasq not adding whatismyip.com IP addresses to ipset.
Can you please try two things:
Add whatismyip.com ip addresses to ipset manually and then try again to access it
ipset add tun0route 104.27.192.92
ipset add tun0route 104.27.193.92
Add showip.net (or some other web-site you haven't accessed before) ip address to ipset manually and then try to access it
ipset add tun0route 23.253.100.206
will do when I get home tonight and report back!
Also, worth mentioning that I love using OPBR for policy-based domains. So convenient. Thanks a lot for all your work!!!
It could be worth your time to populate the ipset with a few more domain names in dhcp/dnsmasq config to confirm if it at all works. On my box, dnsmasq actually starts filling ipset with the ip addresses just after dnsmasq restart, without waiting for them to be accessed.
Does the ipset make it into the actual dnsmasq config: grep route /var/etc/dnsmasq.conf.* ?
Setting ip addresses for whatismyip.com as per your post works correctly - I access whatismyip.com via tun0 now.
Also:
Following the ipset commands, I can't see the ips added to /etc/config/dhcp or /var/etc/dnsmasq.conf
EDIT:
Sorry, just noticed you're talking about domains. Yes, I can see the ipset for domains in dnsmasq.conf:
ipset=/showip.com/tun0route
ipset=/hbonow.com/tun0route
and dhcp config:
list ipset '/showip.com/tun0route'
list ipset '/hbonow.com/tun0route'
Khm, so it's definitely dnsmasq not populating ipsets with the proper ip addresses, despite having ipset support. I'm out of ideas why it's not doing its job. You can try switching to the built-in domain names-based policies, they should work then. More info is at the bottom of the README.
Okay. I will give it a shot later.
Just as a last attempt, I am posting the entries from the system log when DNSMasq starts, and my dhcp config file along with dnsmasq.conf. Note that the domain-based entries in OBPR were removed before capturing these logs/configs, but just posting them here in case you think something looks odd or unusual.
Log:
Thu Mar 16 08:47:19 2017 daemon.info dnsmasq[12270]: started, version 2.76 cachesize 150
Thu Mar 16 08:47:19 2017 daemon.info dnsmasq[12270]: compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC no-ID loop-detect inotify
Thu Mar 16 08:47:19 2017 daemon.info dnsmasq[12270]: DNS service limited to local subnets
Thu Mar 16 08:47:19 2017 daemon.info dnsmasq-dhcp[12270]: DHCP, IP range 192.168.6.100 -- 192.168.6.249, lease time 12h
Thu Mar 16 08:47:19 2017 daemon.info dnsmasq-dhcp[12270]: DHCP, IP range 192.168.5.100 -- 192.168.5.249, lease time 12h
Thu Mar 16 08:47:19 2017 daemon.info dnsmasq-dhcp[12270]: DHCP, IP range 192.168.4.100 -- 192.168.4.249, lease time 12h
Thu Mar 16 08:47:19 2017 daemon.info dnsmasq-dhcp[12270]: DHCP, IP range 192.168.3.100 -- 192.168.3.249, lease time 1h
Thu Mar 16 08:47:19 2017 daemon.info dnsmasq-dhcp[12270]: DHCP, IP range 192.168.1.100 -- 192.168.1.249, lease time 12h
Thu Mar 16 08:47:19 2017 daemon.info dnsmasq[12270]: using local addresses only for domain lan
Thu Mar 16 08:47:19 2017 daemon.info dnsmasq[12270]: reading /tmp/resolv.conf.auto
Thu Mar 16 08:47:19 2017 daemon.info dnsmasq[12270]: using local addresses only for domain lan
Thu Mar 16 08:47:19 2017 daemon.info dnsmasq[12270]: using nameserver 8.8.8.8#53
Thu Mar 16 08:47:19 2017 daemon.info dnsmasq[12270]: using nameserver 8.8.4.4#53
Thu Mar 16 08:47:19 2017 daemon.info dnsmasq[12270]: using nameserver 8.8.8.8#53
Thu Mar 16 08:47:19 2017 daemon.info dnsmasq[12270]: using nameserver 8.8.4.4#53
Thu Mar 16 08:47:19 2017 daemon.info dnsmasq[12270]: using nameserver 8.8.8.8#53
Thu Mar 16 08:47:19 2017 daemon.info dnsmasq[12270]: using nameserver 8.8.4.4#53
Thu Mar 16 08:47:19 2017 daemon.info dnsmasq[12270]: using nameserver 8.8.8.8#53
Thu Mar 16 08:47:19 2017 daemon.info dnsmasq[12270]: using nameserver 8.8.4.4#53
Thu Mar 16 08:47:19 2017 daemon.info dnsmasq[12270]: using nameserver 8.8.8.8#53
Thu Mar 16 08:47:19 2017 daemon.info dnsmasq[12270]: using nameserver 8.8.4.4#53
Thu Mar 16 08:47:19 2017 daemon.info dnsmasq[12270]: using nameserver 8.8.8.8#53
Thu Mar 16 08:47:19 2017 daemon.info dnsmasq[12270]: using nameserver 8.8.4.4#53
Thu Mar 16 08:47:19 2017 daemon.info dnsmasq[12270]: read /etc/hosts - 4 addresses
Thu Mar 16 08:47:19 2017 daemon.info dnsmasq[12270]: read /tmp/hosts/dhcp.cfg02411c - 1 addresses
Thu Mar 16 08:47:19 2017 daemon.info dnsmasq-dhcp[12270]: read /etc/ethers - 0 addresses
DHCP config:
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
list dhcp_option '6,8.8.8.8,8.8.4.4'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
config dhcp 'Guest'
option start '100'
option limit '150'
option interface 'Guest'
option leasetime '1h'
list dhcp_option '6,8.8.8.8,8.8.4.4'
config dhcp 'USVPN'
option start '100'
option leasetime '12h'
option limit '150'
option interface 'USVPN'
list dhcp_option '6,8.8.8.8,8.8.4.4'
config dhcp 'UKVPN'
option start '100'
option leasetime '12h'
option limit '150'
option interface 'UKVPN'
list dhcp_option '6,8.8.8.8,8.8.4.4'
config dhcp 'virtualinterface'
option start '100'
option leasetime '12h'
option limit '150'
option interface 'virtualinterface'
list dhcp_option '6,8.8.8.8,8.8.4.4'
DNSmasq config (/var/etc/dnsmasq.conf.*):
conf-file=/etc/dnsmasq.conf
dhcp-authoritative
domain-needed
localise-queries
read-ethers
bogus-priv
expand-hosts
local-service
domain=lan
server=/lan/
dhcp-leasefile=/tmp/dhcp.leases
resolv-file=/tmp/resolv.conf.auto
stop-dns-rebind
rebind-localhost-ok
dhcp-broadcast=tag:needs-broadcast
addn-hosts=/tmp/hosts
conf-dir=/tmp/dnsmasq.d
user=dnsmasq
group=dnsmasq
dhcp-range=lan,192.168.1.100,192.168.1.249,255.255.255.0,12h
dhcp-option=lan,6,8.8.8.8,8.8.4.4
no-dhcp-interface=eth0
dhcp-range=Guest,192.168.3.100,192.168.3.249,255.255.255.0,1h
dhcp-option=Guest,6,8.8.8.8,8.8.4.4
dhcp-range=USVPN,192.168.4.100,192.168.4.249,255.255.255.0,12h
dhcp-option=USVPN,6,8.8.8.8,8.8.4.4
dhcp-range=UKVPN,192.168.5.100,192.168.5.249,255.255.255.0,12h
dhcp-option=UKVPN,6,8.8.8.8,8.8.4.4
dhcp-range=virtualinterface,192.168.6.100,192.168.6.249,255.255.255.0,12h
dhcp-option=virtualinterface,6,8.8.8.8,8.8.4.4
DNSMasq config (/etc/dnsmasq.conf):
EMPTY/All commented out
Thanks for the help.
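A scripted version of the checks worked through in this thread, as an added example that is not part of the original posts or of the openvpn-policy-routing package. It reports whether each set named in a dnsmasq ipset= line is missing, empty or populated, and flags DHCP option 6 lines that give clients an external resolver, since dnsmasq only fills an ipset from queries it answers itself. The sample input is constructed from values in the dumps above; ROUTER_IP and both function names are assumptions.

```sh
#!/bin/sh
# Constructed sample input modelled on the dumps in this thread (not a capture).
DNSMASQ_CONF='ipset=/showip.com/tun0route
ipset=/hbonow.com/tun0route
dhcp-option=lan,6,8.8.8.8,8.8.4.4'
IPSET_SAVE='create wanroute hash:ip family inet hashsize 1024 maxelem 65536
create tun0route hash:ip family inet hashsize 1024 maxelem 65536
create tun0list list:set size 8
add tun0list tun0route'
ROUTER_IP='192.168.1.1'   # assumption: LAN address that dnsmasq answers on

# Print "<set> <missing|empty|populated> <members>" for every set that an
# ipset= directive names, judged against `ipset save` text.
ipset_status() {   # $1 = dnsmasq config text, $2 = `ipset save` text
    printf '%s\n---\n%s\n' "$2" "$1" | awk '
        $0 == "---"             { conf = 1; next }
        !conf && $1 == "create" { exists[$2] = 1; next }
        !conf && $1 == "add"    { count[$2]++; next }
        conf && /^ipset=\// {
            n = split($0, part, "/")        # ipset=/dom1/dom2/set1,set2
            m = split(part[n], sets, ",")
            for (i = 1; i <= m; i++) wanted[sets[i]] = 1
        }
        END {
            for (s in wanted) {
                state = "missing"
                if (s in exists) state = (count[s] > 0) ? "populated" : "empty"
                printf "%s %s %d\n", s, state, count[s]
            }
        }' | sort
}

# Print dhcp-option lines that hand clients a DNS server (option 6) other than
# the router. Those clients never query dnsmasq, so its ipset= cannot fire.
external_dns_options() {   # $1 = dnsmasq config text, $2 = router address
    printf '%s\n' "$1" | awk -F, -v router="$2" '
        function dns(x) { return x == "6" || x == "option:dns-server" }
        /^dhcp-option=/ {
            line = $0
            sub(/^dhcp-option=/, "")        # leaves [tag,]option,server,...
            first = dns($1) ? 2 : (dns($2) ? 3 : 0)
            if (!first) next
            for (i = first; i <= NF; i++) if ($i != router) { print line; next }
        }'
}

ipset_status "$DNSMASQ_CONF" "$IPSET_SAVE"
external_dns_options "$DNSMASQ_CONF" "$ROUTER_IP"
```

On a router, replace the sample variables with live data, for example the contents of /var/etc/dnsmasq.conf.* and the output of ipset save.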