Routes rules priority

Comments

8 comments

  • Firewalla

    Can you paste the rule here that you applied?

  • Robby

    Ok, something odd is happening. The example I gave is now working as I would expect (the device is now honouring the route rule that states that the traffic for the device should be routed to WAN rather than the VPN client set for the network). I've no idea why this wasn't working previously, and it definitely wasn't.

    After that began working I decided to play around with this to try and get to the bottom of it, and it appears that something is amiss with the routes rules routing. On the face of it, it looks like my example flow is honouring test routes rules that no longer exist. Here are some screenshots. I use Surfshark as my VPN provider and so I'm using https://surfshark.com/what-is-my-ip as my method of discovering which network-exit pathway is being used. I'm testing using FF private browser instances.

    First off, I have a VPN client for Surfshark London and all devices for my user (Robby) are set to use that VPN client

    I have a routes rule that states that all traffic for surfshark.com should be sent to my Surfshark Manchester VPN client:


    If I navigate to https://surfshark.com/what-is-my-ip I should expect it to report an IP for Manchester, but in fact it reports my WAN IP. If I check the network flows for the surfshark.com flow I can see this:

    So the flow indicates that the traffic was sent to the WAN, but there's no rule to do that. The option to 'Undo Route' indicates that a matching routes rule has been found, and so why was the rule ignored? There's a route rule to send the traffic to Surfshark Manchester and the user-level-device-default is Surfshark London, and so how has it decided to send the traffic to the WAN? Interestingly I have previously created and then deleted a route rule to send surfshark.com traffic to the WAN, and so could that rule be lingering out of sight somewhere? I thought that it might be a caching issue but rebooting the FW hasn't resolved the issue.

    Surfshark is just an example; I'm seeing oddness with other sites, e.g. bbc.co.uk, duckduckgo.com etc.


  • Firewalla Team

    Those rules are good. The flow should go out through VPN if the route rule is created before the flow was established.

    What do you set as the route reference of route rule? If it's 'Preferred,' the traffic will be sent to WAN when the VPN interface is down.

  • Robby

    Right, OK, it seems this is all potentially explicable. I am experiencing something unexpected (and repeatable): it appears that after changing a Route rule's interface there's a period of 0-20 seconds (maybe) when the affected flows show that it's the network's VPN client that was used, and not either the new or old route interface setting. So:

    1. The network's VPN client is my Surfshark-London VPN client. When no Route rule is set then surfshark.com/what-is-my-ip reports my location as London

    2. I set a Route rule to direct surfshark.com to my Surfshark-Manchester VPN client and then check surfshark.com/what-is-my-ip. It reveals Manchester as my location

    3. I set a Route rule to direct surfshark.com to my Surfshark-Milan VPN client and then check surfshark.com/what-is-my-ip. It reports London as my location. Yep, London. Checking the Flows reveals that indeed Surfshark-London was used.

    4. I hit F5 a few times and wait a short while, and eventually surfshark.com/what-is-my-ip reports my location as Milan and the flow reports the same.

    So, it seems that there's not a clean switchover from one interface to another when it's changed in the Route rule. This could easily explain my belief that the Route rule did not appear to be working.

    Is that expected behaviour?


  • ArmshouseG

    I've had the same experience trying to get the Ring doorbell app to work from my phone. It doesn't play well with the VPN. The VPN is applied both to some networks as a whole and some devices specifically.

    I created a route that would route *.ring.com out of the WAN and applied the rule to a particular network (since I access that service from both phone apps and desktop clients I figured applying it to the network would be easier than having to create duplicate rules for each device). It didn't work.

    When I looked at the flow for some .ring.com domains from my phone, it showed that they were still being routed out of the VPN. I changed the route to target the phone as opposed to the network and it worked straight away.

    As @Robby asked, is that expected behaviour?

  • Firewalla Team

    @Robby, when you say 'set route rule' for #2&3, do you mean change the interface of an existing route rule? When it's done, the box needs to clear the cache and apply a new rule. Also, an established connection will go out through the previous interface, and a new connection should go out to the new one. It's normal to see a few seconds delay after the change.

  • Firewalla Team

    @ArmshouseG, your case sounds different from Robby's. It sounds like a rule-priority issue. Is your phone one of those devices that has VPN applied specifically?

    The priority list for device scope is Device > Group > Network > Global (All Devices). When there is conflict, Device/Group rules will take precedence over Network rules. See How do I use Policy-Based Routing?

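The scope-precedence rule above, together with the 'Preferred' fallback mentioned earlier in the thread, modelled as a small resolver. This is an added illustration, not Firewalla's code: rule names, the `RouteRule`/`Device` types, the "more specific domain wins within the same scope" tie-break and the handling of a non-Preferred rule whose interface is down are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Lower rank wins: Device > Group > Network > Global (as stated in the thread).
SCOPE_RANK = {"device": 0, "group": 1, "network": 2, "global": 3}

@dataclass(frozen=True)
class RouteRule:
    scope: str            # "device" | "group" | "network" | "global"
    target: str           # device/group/network name; ignored for "global"
    match: str            # domain suffix such as "ring.com", or "*" for all traffic
    interface: str        # e.g. "wan", "vpn-london"
    preferred: bool = True  # 'Preferred': fall back to WAN if the interface is down

@dataclass(frozen=True)
class Device:
    name: str
    group: Optional[str]
    network: str

def _in_scope(rule: RouteRule, dev: Device) -> bool:
    return {"device": rule.target == dev.name, "group": rule.target == dev.group,
            "network": rule.target == dev.network, "global": True}[rule.scope]

def _matches(pattern: str, domain: str) -> bool:
    return pattern == "*" or domain == pattern or domain.endswith("." + pattern)

def resolve_route(rules, dev, domain, up_interfaces, default="wan"):
    """Egress interface for a NEW flow (established flows keep their old path)."""
    cands = [r for r in rules if _in_scope(r, dev) and _matches(r.match, domain)]
    if not cands:
        return default
    # Tie-break within a scope by match specificity (assumption, not documented).
    best = min(cands, key=lambda r: (SCOPE_RANK[r.scope], -len(r.match.strip("*"))))
    if best.interface in up_interfaces:
        return best.interface
    return default if best.preferred else None  # None = modelled as no usable route

# Constructed scenario mirroring ArmshouseG's report: VPN applied to the whole
# 'home' network AND to the phone specifically; *.ring.com routed to WAN per network.
PHONE = Device("phone", None, "home")
RULES = [RouteRule("network", "home", "*", "vpn-london"),
         RouteRule("device", "phone", "*", "vpn-london"),
         RouteRule("network", "home", "ring.com", "wan")]
UP = {"wan", "vpn-london"}

def ring_via_network_rule():   # device-scoped VPN outranks the network route -> VPN
    return resolve_route(RULES, PHONE, "alerts.ring.com", UP)

def ring_via_device_rule():    # same route targeted at the phone -> WAN
    return resolve_route(RULES + [RouteRule("device", "phone", "ring.com", "wan")],
                         PHONE, "alerts.ring.com", UP)

def preferred_vpn_down():      # 'Preferred' rule whose VPN is down -> WAN
    return resolve_route([RouteRule("device", "phone", "surfshark.com", "vpn-manchester")],
                         PHONE, "surfshark.com", {"wan"})
```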
  • ArmshouseG

    @Firewalla Team. I think that's probably it. The VPN targets the phone, so a route on the network is not going to take priority. Thanks!
