Configure two LANs, one routing traffic to WAN and the other to OpenVPN

I just got a router specifically for OpenWRT and installed it. Now I'm trying to configure it so that I have two LANs: one named "lan", connected to a bridge made of two of the physical LAN ports, a 2.4GHz AP and a 5GHz AP, which should route traffic to the standard WAN; and the other named "vpn_lan", connected to another bridge made of the other two physical LAN ports, a different 2.4GHz AP and a different 5GHz AP, which should route traffic to OpenVPN.

Here is my /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd0a:98b6:b505::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	option ipv6 '0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option delegate '0'
	list dns '9.9.9.9'
	option gateway '192.168.18.1'
	option dns_metric '1'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option delegate '0'

config device
	option type 'bridge'
	option name 'br-vpn-lan'
	option ipv6 '0'

config interface 'vpn_lan'
	option proto 'static'
	option device 'br-vpn-lan'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option gateway '18.8.8.1'
	option defaultroute '0'
	option metric '0'

config interface 'vpn'
	option proto 'none'
	option device 'tun0'
	option delegate '0'

config route
	option interface 'lan'
	option target '0.0.0.0/0'
	option gateway '192.168.18.1'
	option table 'default'
	option source '192.168.18.16'

config route
	option interface 'vpn_lan'
	option gateway '10.8.8.1'
	option target '0.0.0.0/0'
	option table 'default'

config rule
	option in 'lan'
	option src '0.0.0.0/0'
	option out 'wan'
	option dest '0.0.0.0/0'
	option lookup 'default'

config rule
	option in 'vpn_lan'
	option src '0.0.0.0/0'
	option out 'vpn'
	option dest '0.0.0.0/0'
	option lookup 'default'

Followed by /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	option family 'ipv4'
	option log '1'

config zone
	option name 'wan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	option family 'ipv4'
	option log '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
	option family 'ipv4'

config zone
	option name 'vpn_lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'vpn_lan'
	option family 'ipv4'
	option log '1'

config zone
	option name 'vpn'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'vpn'
	option mtu_fix '1'
	option family 'ipv4'
	option log '1'
	option masq '1'

config forwarding
	option src 'vpn_lan'
	option dest 'vpn'

The local part of both LANs works just fine: different test devices connect to all wireless APs and physical LAN ports successfully, and local networking works everywhere. But internet only works on devices connected to the "vpn_lan" network and not on those connected to the "lan" network.

So the obvious question is: what am I doing wrong?

What I tried so far:

I added routes for interfaces lan and vpn_lan with the corresponding gateway.
I also added rules from lan to wan and from vpn_lan to vpn with 0.0.0.0/0 as source and destination.

I found many tutorials on configuring a LAN to go through OpenVPN, but none of them say anything about having another LAN not going through it.

What I think is not working is that OpenWRT is not using the routes I create, no matter which table I use.

Because when I look at the routes through SSH with ip route, the result is a bunch of routes that I didn't create, and I don't see those I created no matter which table I tried to assign them to. I first tried to put my routes in the main table, then rebooted; ip route show table main doesn't show anything and ip route shows a bunch of routes from the default table. Then I tried putting the routes in the default table instead, since it seems that OpenWRT wanted to use this table no matter what, and rebooted; the thing pulled a switch on me. Now ip route show table default shows nothing and ip route shows the same bunch of routes I didn't create, which are as follows.

0.0.0.0/1 via 10.8.8.1 dev tun0 
default via 192.168.18.1 dev wan  src 192.168.18.22 
10.8.8.0/24 dev tun0 scope link  src 10.8.8.5 
128.0.0.0/1 via 10.8.8.1 dev tun0 
149.88.16.132 via 192.168.18.1 dev wan 
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1 
192.168.2.0/24 dev br-vpn-lan scope link  src 192.168.2.1 
192.168.18.0/24 dev wan scope link  src 192.168.18.22 

But they are now in the main table. OpenWRT keeps using a different table than whatever is in /etc/config/network.

How can I fix this? Also, can there be only one table active at a time, and if so, how do I know which table OpenWRT will use?

There are too many errors, so it would probably be better to reset to defaults and start over.

Then you should distribute the wired ports to two bridges. Note that some devices do not support more than one bridge and you may need to switch to bridge vlan filtering.

Disable the default gateway for the vpn interface and remove all unnecessary stuff from the LAN interfaces. You only need one ip rule/route to make it work as you want.

...

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'

config device
	option name 'br-vpn'
	option type 'bridge'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'

config interface 'vpn_lan'
	option proto 'static'
	option device 'br-vpn'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'vpn'
	option proto 'none'
	option device 'tun0'

config rule
	option lookup '100'
	option in 'vpn_lan'

config route
	option target '0.0.0.0/0'
	option table '100'
	option interface 'vpn'

For simplicity you could assign vpn_lan to the lan firewall zone and add device tun+ to the wan firewall zone. This way you will avoid creating additional zones and forwardings.

3 Likes

Thanks for your reply!
So if I understand correctly, the interface option of a route represents where to route the traffic to, and the target option the destination to which to apply the rule? Then OpenWRT will know to apply this route because of the rule above?
So I assume this means OpenWRT will look up table '100' only for the networks assigned to this particular table by a rule, and some other default table for the 'lan' network because there is no explicit rule to set a specific table? Which means all routing tables are always active; the router doesn't just choose one at boot?
So, if I wanted to add a third LAN using a different VPN, I would just have to create another rule assigning a different table like '200' and a route in this table with the other VPN as interface.
If all that is right, it means I have to use different routing tables in order to have different networks using different outgoing interfaces. What's the point of being able to set a gateway in the LAN interfaces then? Wouldn't that conflict, if both are ways to configure routing?

That's basically the idea. The rules are processed prior to routes. If a packet meets the criteria defined in a rule (with a higher priority), the traffic is directed to a specific action or routing table. Otherwise, it goes to the main routing table.

That's right.

In some cases the wan interface is not used (dumb AP). In order for the device to access the Internet, you need to set a default gateway and DNS on the LAN interface. The next hop (gateway) must be on the same IP subnet and the DNS server(s) should be directly reachable from that interface, which is not valid in your initial configuration.

Also note that in the example given, there is only a default route set in routing table 100. This means that all requests will be forwarded to the vpn interface. If you don't add network 192.168.1.0/24 to routing table 100, you will lose access from vpn_lan to lan.

2 Likes
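The lookup order the two replies describe (rule first, then the table it points to, with the main table as fallback), as a constructed model added here; it is not code from the thread or from OpenWrt. Device names stand in for the UCI logical names (the `in 'vpn_lan'` rule is matched on br-vpn), rule priorities are assumed values, and the tables reproduce the reply's single default route in table 100 and the 192.168.1.0/24 route the last reply says is needed.

```python
import ipaddress

# Constructed model of the policy-routing lookup the replies describe: ip rules
# run in priority order, a matching rule sends the lookup to its table, and if
# that table has no route for the destination the kernel moves on to the next
# rule; the last rule always consults the main table. Device names mirror the
# thread (br-lan, br-vpn, wan, tun0); rule priorities are assumed values.

def route_lookup(rules, tables, dst, in_dev):
    """Return the egress device for a packet arriving on in_dev, or None."""
    dst_ip = ipaddress.ip_address(dst)
    for _prio, match_in, table in sorted(rules):
        if match_in is not None and match_in != in_dev:
            continue                      # rule does not match this packet
        best = None                       # longest-prefix match in this table
        for prefix, dev in tables.get(table, []):
            net = ipaddress.ip_network(prefix)
            if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, dev)
        if best is not None:
            return best[1]
    return None                           # no rule/table produced a route

# main table as `ip route` shows it in the thread once the OpenVPN-pushed
# 0.0.0.0/1 and 128.0.0.0/1 halves are gone (default gateway disabled on vpn)
MAIN = [("0.0.0.0/0", "wan"), ("10.8.8.0/24", "tun0"),
        ("192.168.1.0/24", "br-lan"), ("192.168.2.0/24", "br-vpn"),
        ("192.168.18.0/24", "wan")]

# (priority, input device or None, table): the reply's `config rule` with
# lookup '100' / in 'vpn_lan', followed by the implicit catch-all main rule
RULES = [(100, "br-vpn", "100"), (32766, None, "main")]

# table 100 exactly as the reply's `config route` builds it
T100_DEFAULT_ONLY = {"100": [("0.0.0.0/0", "tun0")], "main": MAIN}
# table 100 with the 192.168.1.0/24 route the last reply says is needed
T100_WITH_LAN = {"100": [("0.0.0.0/0", "tun0"), ("192.168.1.0/24", "br-lan")],
                 "main": MAIN}

def egress(tables, dst, in_dev):
    return route_lookup(RULES, tables, dst, in_dev)

if __name__ == "__main__":
    for name, tables in (("default only", T100_DEFAULT_ONLY), ("with lan route", T100_WITH_LAN)):
        print(name, "lan->internet:", egress(tables, "1.1.1.1", "br-lan"),
              "vpn_lan->internet:", egress(tables, "1.1.1.1", "br-vpn"),
              "vpn_lan->lan:", egress(tables, "192.168.1.10", "br-vpn"))
```

With only the default route in table 100, a vpn_lan host reaching 192.168.1.10 is sent to tun0 instead of br-lan; an empty table 100 shows the fall-through to the main table.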
