Add static route to other gateway on network (iptables or ebtables professional needed!)

This question is not specific to OpenWrt, but since the OpenWrt community has an answer to all networking-related questions and is very willing to help people, I ask it here anyway.

This question has been modified to better express the network situation and the findings so far on how to accomplish things.

Network setup:

location 1: OpenWrt router VPN master
location 2: OpenWrt router VPN client
location 3: OpenWrt router VPN client
....
location XX: OpenWrt router VPN client.

Every physical location obviously has its own gateway to connect to the internet:

172.22.56.1 gw1
172.22.57.1 gw2
172.22.58.1 gw3

Example of the network on a map:
[image: networkexample]

The whole network, as you can see, is a class B network. So every physical location uses its own internet connection for any connection out of 172.22.0.0/16, but inside they can all connect with each other: UPnP is working, DHCP is working, network neighborhood, sharing, etc. are all working.

Practically, because on each device eth0 is bridged with wlan0 and tap0, everyone can communicate with everyone else inside the network as well as with the internet, while the internet itself of course can't access anyone inside the layer 2 network.

Now for one specific internet address, assume that's 47.89.88.80, I however want the packets not to be sent out using the gateway of each specific physical location; wherever you are, you should always use gw1.

In Windows I simply do this:

route -p ADD 47.89.88.80 MASK 255.255.255.255 172.22.56.1

and instead of using the normal local physical gateway, assume 172.22.58.1 (gw3), Windows automatically sends the packets to 172.22.56.1 over the bridge.

This works perfectly. No problems!

But I'd have to do this on all computers and other clients everywhere on the network. So I also want this to work for smartphones, tablets, laptops, Linux, OS X, Windows...

As you can imagine, configuring every single device at all physical locations is a daunting task, if it is possible at all! For some clients like iOS, where Apple claims customers have no rights over how to use their devices and only Apple has the right to decide how customers use their devices, I can imagine setting such a route in the device isn't even possible on a non-jailbroken iOS device.

So the solution lies in simply changing how the packets are routed in the OpenWrt routers so it applies to all clients: they send the packets to their corresponding local gateways, which catch these packets for the specific target and resend them back into the bridged network to gw1.

Well, I thought it was simple, but obviously I can't get it to work.

Is there a way I can configure the firewall in OpenWrt (assume the router with 172.22.58.1; my best bet is that iptables or ebtables are needed) to catch these incoming packets on the physical device eth0, so that if they have the target destination 47.89.88.80/32 they are sent back out, but via the gateway 172.22.56.1? And of course also the rule that the reply packet goes to the proper client the original packet came from.

When I add

ip route add 47.89.88.80/32 via 172.22.56.1 dev br-lanbridge

at the router, all the packets from the router itself are correctly not being sent to its own gateway 172.22.58.1 to reach the internet location, but use the gateway 172.22.56.1 of the other router over the tap interface. So that works splendidly, but only for packets sent from the router itself!

But for all the packets from the bridge interface (eth0, wlan0, wlan1) I receive this message:

reports: Destination protocol unreachable.

So obviously these packets aren't sent properly over the bridged tap0 interface to the other gateway.

Is this possible in OpenWrt, and if so, can you give an example of how to configure the firewall, iptables or ebtables to do this in OpenWrt?

Thank you in advance for explaining how to do it, if possible.

  • All you have to do is set up your firewall to ALLOW traffic between these zones
  • Then you just make static routes for each subnet or /32
  • I'm not quite sure how this works on a Layer 2 tunnel, though, I assume you simply specify the gateway IP in the static route
config route
	option interface 'tun_vpn'
	option target '204.205.22.81/32'
	option gateway '172.22.56.1'

If there's a key relationship between each router, you may have to use the option onlink.


Hi lleachii,

thank you for your answer. Unfortunately it doesn't seem to work.
"All you have to do is set up your firewall to ALLOW traffic between these zones"

Since adding this rule in the Windows routing table works, I assume that means traffic between zones is guaranteed...

From the Windows client I can also manually just set the TCP/IP gateway to the other gateway, and then 100% of the traffic goes over the VPN using the other gateway, so that implies traffic between zones is possible?

I simply bridged the VPN with the LAN.

As for the config route, it looks like:
config route
	option interface 'VPN'
	option gateway '172.22.56.1'
	option target '204.205.22.81'

I assume the 255.255.255.255 is applied automatically and the type is set to unicast automatically?

Anyway, not working...

Not unless your Windows machine is a router. I'm referring to a firewall rule in the OpenWrt router.

No, you use /32 as I noted above.

Do you have VPN software on your Windows computers - or on the OpenWrt router!?!?

So bridging tap1 with eth0 (LAN) isn't enough?

The problem with the /32 suffix is that LuCI keeps removing it if I refresh using the LuCI interface, so my assumption was that the /32 can be left out.
LuCI says about the netmask: "if target is a network", so if not, i.e. a single host, it defaults in the GUI to 255.255.255.255, and in /etc/config/network the /32 is then removed.

The VPN is on the router, sorry for not pointing that out. Everything should be done on the router so it's the same for all clients, without digging into Windows.

Well, I can't seem to get it to work.

Tried manually using ip route and adding new tables, prerouting to mark packets, forwarding, setting rules... nothing seems to work.

So can I accept that, using OpenVPN on OpenWrt in a bridged environment, it's impossible to have the router forward packets from one router in the VPN network to another router in the VPN network?

I tried this:

ip route add 47.89.88.80/32 via 172.22.56.1 dev br-lanbridge

which is practically the only command over SSH where I don't get an error like "not reachable", but tracert gives me:

1 1ms 1ms 1ms 172.22.60.1
2 172.22.60.1 reports: Destination protocol unreachable

ssh root@172.22.60.1 traceroute 47.89.88.80

The first reply is without the route set:

root@R-BUSINESS:~# traceroute 47.89.88.80
traceroute to 47.89.88.80 (47.89.88.80), 30 hops max, 38 byte packets
 1  192.168.0.1 (192.168.0.1)  1.208 ms  3.191 ms  1.851 ms
 2  *  *  *
 3  *  *  *
 4  *  *  *
 5  *  *  *
 6  *  *  *

The route goes from the OpenWrt router at 172.22.60.1 directly to the modem at 192.168.0.1.

So the router wires the signal to the modem (which also has a built-in router), so a router behind a router.

I don't trust mass-production routers, so either I put OpenWrt directly on the ISP connection or, if I can't, I put OpenWrt between my network and the ISP router (which I have done in this case).

Next I'll copy-paste the result of the traceroute after adding the static route command.

This is a traceroute using the static route for that IP:

root@R-BUSINESS:~# traceroute 47.89.88.80
traceroute to 47.89.88.80 (47.89.88.80), 30 hops max, 38 byte packets
 1  172.22.56.1 (172.22.56.1)  762.087 ms  328.166 ms  319.977 ms
 2  192.168.2.254 (192.168.2.254)  383.473 ms  389.386 ms  344.158 ms
 3  195.190.228.129 (195.190.228.129)  326.266 ms  356.929 ms  378.939 ms
 4  145.54.103.68 (145.54.103.68)  348.098 ms  325.586 ms  433.086 ms
 5  asd2-rou-1022.NL.eurorings.net (134.222.129.236)  330.432 ms  355.814 ms  342.226 ms
 6  asd2-rou-1043.NL.eurorings.net (134.222.48.223)  382.938 ms  450.013 ms  331.994 ms
 7  asd-s8-rou-1041.NL.eurorings.net (134.222.48.231)  601.178 ms  340.865 ms  351.974 ms
 8  134.222.249.250 (134.222.249.250)  330.543 ms  490.671 ms  343.316 ms
 9  if-ae-15-2.tcore1.pye-paris.as6453.net (195.219.194.146)  578.112 ms  575.338 ms  590.239 ms
10  if-ae-8-1600.tcore1.wyn-marseille.as6453.net (80.231.217.5)  576.284 ms  573.885 ms  611.187 ms
11  if-ae-31-6.tcore1.svw-singapore.as6453.net (80.231.217.95)  614.226 ms  if-ae-31-6.tcore1.svw-singapore.as6453.net (80.231.217.89)  641.253 ms  if-ae-31-6.tcore1.svw-singapore.as6453.net (80.231.217.95)  583.864 ms
12  180.87.12.254 (180.87.12.254)  578.952 ms  598.711 ms  589.380 ms
13  116.251.74.217 (116.251.74.217)  581.364 ms  116.251.74.205 (116.251.74.205)  580.873 ms  116.251.80.209 (116.251.80.209)  586.090 ms
14  *  *  *
15  *  *  *
16  *  *  *
17  *  *  *
18  *  *  *
19  *  *  *
20  *  *  *

Again, the other OpenWrt router is also behind the ISP router and thus goes first through 192.168.2.254, which is the ISP router.

So from the router the packets indeed go over the VPN to the other router, so that's working.

One can also clearly see the * * * are here locally in the country; in Europe, using the European gateway, the results actually return ICMP packets, whereas here locally they drop them, I guess.

Now, with the above working at least on the router side, from my clients behind the router in the LAN I get this:

tracert 47.89.88.80

Tracing route to 47.89.88.80 over a maximum of 30 hops

  1     1 ms     1 ms     3 ms  172.22.60.1
  2  172.22.60.1  reports: Destination protocol unreachable.

Trace complete.

So obviously the router 172.22.60.1 sets the static route for itself correctly. But the clients behind it (testing this from a Windows PC) are blocked somewhere, I suppose.

I think the problem is that the router can't forward the packets back to the incoming interface.

Since I bridged the VPN, WLAN and LAN, it's all one interface if I'm correct. br-lanbridge consists of tap1, wlan0, wlan1, eth0.1.

So any packet coming into the router usually goes to the WAN,

but now for specific IP targets it should go to tap1, so basically back into br-lanbridge.

So I guess I have to set up some iptables rules to catch packets incoming on eth0.1, wlan0 and wlan1
and forward them to tap1.
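As an added check (not from the thread), this Python snippet parses both the BusyBox traceroute output produced on the router and the Windows tracert output from the LAN client, and reports whether the expected gateway 172.22.56.1 appears within the first hops or whether a router rejected the packet with an ICMP error. The sample traces are constructed, abbreviated from the ones quoted above; the function names and result strings are assumptions.

```python
import re
# Constructed samples, abbreviated from the three output formats quoted in the thread.
LINUX_NO_ROUTE = """traceroute to 47.89.88.80 (47.89.88.80), 30 hops max, 38 byte packets
 1  192.168.0.1 (192.168.0.1)  1.208 ms  3.191 ms  1.851 ms
 2  *  *  *
"""
LINUX_WITH_ROUTE = """traceroute to 47.89.88.80 (47.89.88.80), 30 hops max, 38 byte packets
 1  172.22.56.1 (172.22.56.1)  762.087 ms  328.166 ms  319.977 ms
 2  192.168.2.254 (192.168.2.254)  383.473 ms  389.386 ms  344.158 ms
"""
WINDOWS_CLIENT = """Tracing route to 47.89.88.80 over a maximum of 30 hops
  1     1 ms     1 ms     3 ms  172.22.60.1
  2  172.22.60.1  reports: Destination protocol unreachable.
Trace complete.
"""

IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
HOP = re.compile(r"^\s*(\d+)\s+(.*\S)\s*$")  # "<hop>  <rest>"; banner lines don't match

def parse_hops(text):
    """Return [(hop, address, error)]; address is the hop's IPv4 (or the router that sent an
    ICMP error), None for '* * *'; error is the text after 'reports:' (Windows), else None."""
    hops = []
    for line in text.splitlines():
        m = HOP.match(line)
        if not m:
            continue
        hop, rest = int(m.group(1)), m.group(2)
        error = None
        if "reports:" in rest:
            rest, error = (s.strip() for s in rest.split("reports:", 1))
            error = error.rstrip(".")
        addrs = IPV4.findall(rest)
        hops.append((hop, addrs[0] if addrs else None, error))
    return hops

def check_trace(text, expected_gw, within=2):
    """'ok:hopN' if expected_gw is reached within the first `within` hops (hop 1 on the router,
    hop 2 from a LAN client), 'rejected-by:<router>' on an ICMP error, else 'wrong-gateway:<hop 1>'."""
    hops = parse_hops(text)
    if not hops:
        return "no-hops"
    for _, addr, error in hops:
        if error:
            return "rejected-by:%s" % addr
    for hop, addr, _ in hops[:within]:
        if addr == expected_gw:
            return "ok:hop%d" % hop
    return "wrong-gateway:%s" % hops[0][1]
```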