Splitting international and local traffic on a Linksys WRT54G

Gatecrasher

Executive Member
Joined
Jan 11, 2005
Messages
6,278
Tx, but that didn't work.

Any other ideas or test that I should do?

Thanx
Still seems like you are having a source routing problem. Which of these are you using? Are you opening the right port for the right server?

-= SGS Q3 CPMA I Server =- 196.4.79.8:27940
-= SGS Q3 CPMA II Server =- 196.4.79.8:27950
-= SGS Q3 CPMA III Server =- 196.4.79.8:27960
-= SGS Q3 CPMA IV Server =- 196.4.79.8:27970
-= SGS Q3 CPMA V Server =- 196.4.79.8:27980
-= SGS Q3 CPMA VI Server =- 196.4.79.8:27990
-= SGS Q3A ROCKET ARENA 1.76 Server =- 196.4.79.30:27960

You could try making

quake3=196.1.79.0/24

just in case there are other ip addresses being used by the servers to login/connect/play.

You also could try switching ppp1 and ppp2 accounts.
 

MythicaL

New Member
Joined
Jul 6, 2009
Messages
4
Local only torrents

Hi all, firstly great job on the script. After several months of searching the net, with only fail results, this saved me a lot of headaches and money.

I've recently started downloading over torrents again and every now and then int users pop up in my up and down traffic.

I've searched through the post and couldn't find a solution that worked.

I did the following:
Dropped the port on my int account
Served it on my loc account
Disabled uPnP and NAT-PMP in utorrent
Made sure no port forwarding is being done by the DD-WRT interface

Below is the config I'm using:
#Configure Connections

conn 0 int $saixsmtp $cod1 $cod2 $cod3
drop tcp 22101
drop udp 22101
link $intname $intpass $amber

conn 1 loc $isnews
serv tcp 22101 $mypc
serv udp 22101 $mypc
link $locname $locpass $dmz

conn 2 aux
news $isnews 333 $mypc
link $locname $locpass $white

conn 3 aux
news $isnews 334 $mypc
link $locname $locpass $white

I'm using DD-WRT v24-sp1 (07/27/08) std with v12c of your script

Thanks in advance for your time
 

MythicaL

Yes it's disabled. I ran the 3 commands you gave Khan about a year ago to check the routing and with my limited knowledge I think it's doing what it's supposed to, routing the port over ppp1, but I can't see that it's being blocked on ppp0.

Commands:

iptables -nvL
iptables -t nat -nvL
iptables -t mangle -nvL

Results:

Chain PREROUTING (policy ACCEPT 31008 packets, 16M bytes)
pkts bytes target prot opt in out source destination
1955 79709 MARK tcp -- * * 192.168.60.15 0.0.0.0/0 tcp dpt:334 MARK set 0x103
1795 73038 MARK tcp -- * * 192.168.60.15 0.0.0.0/0 tcp dpt:333 MARK set 0x102
0 0 MARK udp -- * * 192.168.60.15 0.0.0.0/0 udp spt:22101 MARK set 0x101
1648 131K MARK tcp -- * * 192.168.60.15 0.0.0.0/0 tcp spt:22101 MARK set 0x101
1478 747K MARK 0 -- ppp0 * 0.0.0.0/0 0.0.0.0/0 MARK set 0x100
8253 3729K MARK 0 -- ppp1 * 0.0.0.0/0 0.0.0.0/0 MARK set 0x101
2746 3442K MARK 0 -- ppp2 * 0.0.0.0/0 0.0.0.0/0 MARK set 0x102
3212 3995K MARK 0 -- ppp3 * 0.0.0.0/0 0.0.0.0/0 MARK set 0x103
Chain INPUT (policy ACCEPT 2330 packets, 219K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 28893 packets, 16M bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 2393 packets, 2154K bytes)
pkts bytes target prot opt in out source destination
0 0 MARK udp -- * * 192.168.60.15 0.0.0.0/0 udp spt:22101 MARK set 0x101
0 0 MARK tcp -- * * 192.168.60.15 0.0.0.0/0 tcp spt:22101 MARK set 0x101
Chain POSTROUTING (policy ACCEPT 31646 packets, 18M bytes)
pkts bytes target prot opt in out source destination
 

Gatecrasher

Yes it's disabled. I ran the 3 commands you gave Khan about a year ago to check the routing and with my limited knowledge I think it's doing what it's supposed to, routing the port over ppp1, but I can't see that it's being blocked on ppp0.

Commands:

iptables -nvL
iptables -t nat -nvL
iptables -t mangle -nvL
That just looks like the mangle table. The drop entries should be in the filter chain. Just run iptables -nvL
 

MythicaL

Ha ok thanks. Here's the results:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2 128 ACCEPT icmp -- ppp+ * 0.0.0.0/0 0.0.0.0/0
0 0 DROP udp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:22101
0 0 DROP tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22101
815 72684 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 DROP udp -- ppp3 * 0.0.0.0/0 0.0.0.0/0 udp dpt:520
0 0 DROP udp -- br0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:520
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:520
0 0 DROP icmp -- ppp3 * 0.0.0.0/0 0.0.0.0/0
0 0 DROP 2 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 0 -- lo * 0.0.0.0/0 0.0.0.0/0 state NEW
423 34288 logaccept 0 -- br0 * 0.0.0.0/0 0.0.0.0/0 state NEW
41 2846 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
20745 24M TRIGGER 0 -- ppp+ br0 0.0.0.0/0 0.0.0.0/0 TRIGGER type:in match:0 relate:0
0 0 logaccept udp -- ppp+ * 0.0.0.0/0 224.0.0.0/4 udp
0 0 logaccept udp -- * * 0.0.0.0/0 192.168.60.15 udp dpt:22101
0 0 logaccept tcp -- * * 0.0.0.0/0 192.168.60.15 tcp dpt:22101
0 0 DROP udp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:22101
0 0 DROP tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22101
0 0 ACCEPT 47 -- * ppp3 192.168.60.0/24 0.0.0.0/0
0 0 ACCEPT tcp -- * ppp3 192.168.60.0/24 0.0.0.0/0 tcp dpt:1723
0 0 ACCEPT 0 -- br0 br0 0.0.0.0/0 0.0.0.0/0
0 0 logdrop 0 -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
564 29144 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 tcpmss match 1453:65535 TCPMSS set 1452
35710 26M lan2wan 0 -- * * 0.0.0.0/0 0.0.0.0/0
35405 26M ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 TRIGGER 0 -- ppp3 br0 0.0.0.0/0 0.0.0.0/0 TRIGGER type:in match:0 relate:0
305 15820 trigger_out 0 -- br0 * 0.0.0.0/0 0.0.0.0/0
305 15820 ACCEPT 0 -- br0 * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 1427 packets, 1304K bytes)
pkts bytes target prot opt in out source destination
0 0 DROP udp -- * ppp0 0.0.0.0/0 0.0.0.0/0 udp spt:22101
0 0 DROP tcp -- * ppp0 0.0.0.0/0 0.0.0.0/0 tcp spt:22101
Chain advgrp_1 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_10 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_2 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_3 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_4 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_5 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_6 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_7 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_8 (0 references)
pkts bytes target prot opt in out source destination
Chain advgrp_9 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_1 (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0 MAC 00:14:85:72:F8:02
0 0 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0 MAC 00:14:85:72:F8:02
0 0 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0 MAC 00:20:ED:53:36:FE
0 0 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0 MAC 00:20:ED:53:36:FE
Chain grp_10 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_2 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_3 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_4 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_5 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_6 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_7 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_8 (0 references)
pkts bytes target prot opt in out source destination
Chain grp_9 (0 references)
pkts bytes target prot opt in out source destination
Chain lan2wan (1 references)
pkts bytes target prot opt in out source destination
35710 26M grp_1 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain logaccept (4 references)
pkts bytes target prot opt in out source destination
423 34288 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain logdrop (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain logreject (0 references)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp reject-with tcp-reset
Chain trigger_out (1 references)
pkts bytes target prot opt in out source destination

If I'm understanding this correctly it's dropped, but then why would there still be traffic on it every now and then?
 

Gatecrasher

@ MythicaL,

Are you getting the problem at the moment? It doesn't look like any p2p traffic is going through ppp0.

Maybe monitor bandwidth usage when it next happens, running "ifconfig", check if uTorrent is actually using your int ppp0 connection. Maybe some peers are showing up as foreign in the client but are actually on a local route. Also, since you are using IS local, and it is still near the beginning of the month, you might well have some international connectivity on ppp1.

This line

41 2846 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0

Shows there is some incoming traffic being rejected.
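
Added example, not part of the thread: pulling the per-rule packet counters for one port out of `iptables -nvL` output, which is the check described in the post above. The function names are made up for this example, the sample input is an excerpt of the listing posted earlier in the thread, and it assumes awk is available on the router.

```shell
#!/bin/sh
# Added example: per-rule packet counters for one port from `iptables -nvL`.

# Excerpt of the filter-table listing posted in this thread (not the full table).
sample_listing() {
cat <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP udp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:22101
0 0 DROP tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22101
41 2846 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 logaccept udp -- * * 0.0.0.0/0 192.168.60.15 udp dpt:22101
0 0 logaccept tcp -- * * 0.0.0.0/0 192.168.60.15 tcp dpt:22101
0 0 DROP udp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:22101
0 0 DROP tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22101
Chain OUTPUT (policy ACCEPT 1427 packets, 1304K bytes)
pkts bytes target prot opt in out source destination
0 0 DROP udp -- * ppp0 0.0.0.0/0 0.0.0.0/0 udp spt:22101
0 0 DROP tcp -- * ppp0 0.0.0.0/0 0.0.0.0/0 tcp spt:22101
EOF
}

# port_rules PORT  (hypothetical helper; listing on stdin)
# Prints "chain rule-number target proto in out pkts" for every rule that
# names PORT. Rules are evaluated top to bottom, so the rule number matters.
port_rules() {
    awk -v port="$1" '
        $1 == "Chain" { chain = $2; n = 0; next }
        $1 == "pkts" || NF < 9 { next }
        {
            n++
            for (i = 10; i <= NF; i++)
                if ($i == ("dpt:" port) || $i == ("spt:" port)) {
                    print chain, n, $3, $4, $6, $7, $1
                    break
                }
        }'
}

# hit_rules PORT IFACE  (hypothetical helper; listing on stdin)
# Keeps only the rules on IFACE whose packet counter is not zero.
hit_rules() {
    port_rules "$1" | awk -v ifc="$2" '($5 == ifc || $6 == ifc) && $7 != "0"'
}

sample_listing | port_rules 22101
echo "ppp0 rules with hits: $(sample_listing | hit_rules 22101 ppp0 | wc -l | tr -d ' ')"
```

On the router, `iptables -L -n -v -x | port_rules 22101` reads the live table; `-x` prints exact counters instead of abbreviations such as 131K.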
 

MythicaL

Thanks a lot, atm I can’t really check for long periods. Business using the line atm, got to wait for them to close first.

Picked up the problem on my int account when we used more than double the amount of data we usually used per day on the log compared to previous months, noticed the int users on the torrents and stopped it and the extra bandwidth consumption also stopped.

Thanks again for your time
 

Gatecrasher

Thanks a lot, atm I can’t really check for long periods. Business using the line atm, got to wait for them to close first.

Picked up the problem on my int account when we used more than double the amount of data we usually used per day on the log compared to previous months, noticed the int users on the torrents and stopped it and the extra bandwidth consumption also stopped.

Thanks again for your time
When you have the problem happening again and you can see ppp0 traffic ticking over, you can PM those iptables results to me. At the mo, there is nothing obviously wrong in them.
 

Gatecrasher

I can't seem to get port forwarding working or dyndns ;_:

Please help

http://www.pastebin.co.za/20605

Is there a way to disable the firewall?

You need to use version 12c of the script - the serv command is broken in your version (which seems to be version 12a).

To help diagnose the ddns issue, after the script has run for a while, run the following command:

cat /tmp/ddns0/ddns.log

The firewall shouldn't be an issue if all is working well.
 

mcclod

Active Member
Joined
Jan 28, 2005
Messages
96
Hi Gatecrasher

I've been using your script for quite a while, very successfully, for which much thanks is given to you. I was wondering if you had played with any QOS settings. My problem is I have my news client happily downloading at my full bandwidth (I'm on Telkom 512 Wimax) to the detriment of any other service. I know, I know, not a terrible problem to have, just a tad inconvenient to manually throttle the news client while you're doing something else, and then to remember to unthrottle it afterwards. Do you have any suggestions, as I'm presuming that the normal dd-wrt settings for QOS may only influence the first connection (ppp0)?
 

JacquesR

Senior Member
Joined
Nov 9, 2006
Messages
546
Related to using the 626 account, and GC's post quoted below, I'm clearly doing something wrong, as only local traffic is getting through. However, when I manually edit the script, replacing my Telkom international with the 626 account, all works fine with international going through there, and local through an Axxess local only account.

Can anyone answer these troubleshooting questions, please?

1. Does it matter which account number I add the 626 account as?
2. Is it only in the cron commands that I define the 626 account number, or also elsewhere in the additional code below?
3. For the defining of the accounts in the script, does naming them as "int", "aux" or "local" make any difference to the routing? If so, should I call the 626 account "int"?

On a separate issue: is there any way to have my international account switch to a backup one automatically when the Telkom 3gig primary account runs out of bandwidth?

Sorry for the barrage of questions, but any clues would be appreciated.

Adding after "chmod +x /tmp/checklink" in the startup script:

Code:
echo "0">/tmp/def.rt
echo "echo \"\$2\"> /tmp/def.rt
route del default dev ppp\$1
route add default dev ppp\$2"> /tmp/setdr
chmod +x /tmp/setdr
This creates a script setdr <from connection> <to connection>

The firewall script runs after every reconnect, so to restore the desired changes, add this code to the firewall script after "/tmp/build.wall":

Code:
/tmp/setdr 0 `cat /tmp/def.rt`
Either run /tmp/setdr directly from the GUI command box (for immediate effect) and/or schedule changes in the GUI cron box:

Code:
0 18 * * 1-5 root /tmp/setdr 0 2
0 6 * * 1-5 root /tmp/setdr 2 0
 

Gatecrasher

Can anyone answer these troubleshooting questions, please?

1. Does it matter which account number I add the 626 account as?
No, but the assumption as it has been written is that it will be conn 2. But you can use any account number, you just have to ensure that you change the cron commands accordingly.

2. Is it only in the cron commands that I define the 626 account number, or also elsewhere in the additional code below?
Only in the cron commands. Unless you want to issue the immediate command:

/tmp/setdir 0 2

which should immediately set the 626 account to the default account.

3. For the defining of the accounts in the script, does naming them as "int", "aux" or "local" make any difference to the routing? If so, should I call the 626 account "int"?
Yes, the "int", "aux" and "local" tags are important. You should only have 1 int, and 1 local, but you can have numerous aux accounts. However, the only difference between "aux" and "int" is that "int" is initially set up as the default route.

Not sure why you are struggling. Make sure the syntax is correct in this line: Use ` not '.

/tmp/setdr 0 `cat /tmp/def.rt`

You might also try this

echo "0">/tmp/def.rt
echo "echo \"\$2\"> /tmp/def.rt
route del default dev ppp\$1
route add default dev ppp\$2
iptables -t nat -I POSTROUTING -o ppp+ -j MASQUERADE"> /tmp/setdr
chmod +x /tmp/setdr
 

JacquesR

Thanks GC, the clarifications will help me to avoid making a further mess of things! I rechecked all the code (in fact, started with a clean copy), and after setting things up, running /tmp/setdir 0 2 gives me an error:

sh: eval: line 1: /tmp/setdir: not found

And when I add the line you mention below, neither international nor local work.

iptables -t nat -I POSTROUTING -o ppp+ -j MASQUERADE"> /tmp/setdr
chmod +x /tmp/setdr
 

Gatecrasher

Thanks GC, the clarifications will help me to avoid making a further mess of things! I rechecked all the code (in fact, started with a clean copy), and after setting things up, running /tmp/setdir 0 2 gives me an error:

sh: eval: line 1: /tmp/setdir: not found

And when I add the line you mention below, neither international nor local work.
setdir or setdr?
 

JacquesR

Doh! Okay - no errors using setdr, but still no international traffic. The 626 does work just fine when I use that as connection 0 instead of my Telkom account, though. I've just run the experiment of having only 3 accounts defined:

0 - Telkom Do3 (int)
1 - IS local (loc)
2 - 626 (aux)

With only these 3, setdr 0 2 has only local traffic, Telkom's usage tracker shows me as connected, and Axxess shows me as not connected on 626. Setdr 2 0 gives me international traffic, though. After a router reboot and setdr 0 2, 626 now shows me as connected, but still no int. traffic. This seems like progress - maybe the 626 accounts are having trouble on Axxess's side? Will try again tomorrow after 6. Thanks again for the help.
 