Configure VPN only for 1 VLAN

Hi, I am new to OpenWrt. I am trying to configure 3 VLANs as listed below:

99 - Normal Traffic (lan)
3 - IOT devices
4 - Guest (VPN enabled)

tun0 - VPN Tunnel

When I configure and enable OpenVPN for VLAN 4, only the devices connected to VLAN 4 have Internet access, whereas the devices connected to lan or IOT lose Internet connectivity.

I have configured a firewall forwarding from the Guest zone to tun0. Could someone please help?

uci export network Output:

package network

# Loopback: unchanged OpenWrt default.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdf5:d78d:0440::/48'

# One bridge over the four LAN ports; per-port VLAN membership is defined in
# the bridge-vlan sections further down, not here.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

# "Normal" traffic, VLAN 99 (192.168.1.0/24) on the br-lan.99 sub-device.
config interface 'lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option device 'br-lan.99'

# WAN via DHCP. peerdns '0' discards the resolvers offered by the ISP; the two
# listed addresses are used as this interface's upstream DNS instead.
config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option peerdns '0'
	list dns '162.252.172.57'
	list dns '149.154.159.92'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

# VLAN 3 (IOT) and VLAN 4 (Guest) exist only as tagged VLANs on lan2; VLAN 99
# is untagged/PVID on lan1 and tagged on lan2. lan3 and lan4 are bridge members
# but appear in no bridge-vlan — presumably unused; confirm they are not meant
# to carry one of these VLANs.
config bridge-vlan
	option device 'br-lan'
	option vlan '3'
	list ports 'lan2:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '4'
	list ports 'lan2:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '99'
	list ports 'lan1:u*'
	list ports 'lan2:t'

# IOT VLAN, 192.168.3.0/24.
config interface 'IOT'
	option device 'br-lan.3'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'

# Guest VLAN, 192.168.4.0/24 — the only VLAN intended to use the VPN.
config interface 'Guest'
	option proto 'static'
	option device 'br-lan.4'
	option ipaddr '192.168.4.1'
	option netmask '255.255.255.0'

# The VPN tunnel device. proto 'none' only registers tun0 with netifd so the
# firewall can place it in a zone; its address and routes are set up by the
# VPN client (its configuration is not shown in this thread).
config interface 'surfsharktun'
	option proto 'none'
	option device 'tun0'

uci export firewall Output:

package firewall

# Global policy: traffic to and from the router itself is accepted; forwarding
# between zones is rejected unless a 'forwarding' section or rule allows it.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

# wan: unsolicited input and forwarding rejected, outbound traffic NATed (masq).
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

# The rules from here to Allow-ISAKMP are the stock OpenWrt defaults
# (DHCP renew, ping, IGMP, DHCPv6, MLD, ICMPv6 input/forward, IPsec).
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Allow-IPSec-ESP / Allow-ISAKMP admit ESP and UDP/500 from the Internet into
# the lan zone. They only serve a purpose if a host on lan terminates IPsec;
# otherwise they can be removed.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Guest zone. input 'ACCEPT' lets guest clients reach every service the router
# listens on (not just DHCP/DNS). For an isolated guest network the usual
# hardening is input 'REJECT' plus rules accepting only UDP 67-68 (DHCP) and
# 53 (DNS) from this zone. No forwarding from Guest to lan or IOT is defined,
# so the default forward 'REJECT' keeps it away from those networks.
config zone
	option name 'Guest'
	option input 'ACCEPT'
	option output 'ACCEPT'
	list network 'Guest'
	option forward 'ACCEPT'

# IOT zone: same remark as Guest about input 'ACCEPT'; likewise no forwarding
# to lan is defined.
config zone
	option name 'IOT'
	option input 'ACCEPT'
	option output 'ACCEPT'
	list network 'IOT'
	option forward 'ACCEPT'

# Guest is forwarded to BOTH wan (here) and vpnfirewall (last section). The
# firewall only permits both paths; the routing table decides which one is
# used. If tun0 goes down, Guest traffic is still allowed straight out of wan,
# i.e. there is no kill switch. Remove this forwarding if Guest must be
# VPN-only.
config forwarding
	option src 'Guest'
	option dest 'wan'

config forwarding
	option src 'IOT'
	option dest 'wan'

# Zone for the tunnel: unsolicited traffic arriving from tun0 is rejected,
# and masq '1' NATs guest addresses behind the tunnel address.
config zone
	option name 'vpnfirewall'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'surfsharktun'

config forwarding
	option src 'Guest'
	option dest 'vpnfirewall'

uci export wireless Output:


package wireless

# NOTE(review): every 'key' below is the same literal 'PASSWORD1234'. If that
# is the real passphrase, rotate it on all SSIDs; when sharing a config
# publicly, redact 'key' values. Guest SSIDs use 'sae-mixed' (WPA2/WPA3
# transition mode); the lan and IOT SSIDs use 'psk2' (WPA2-PSK).

# 2.4 GHz radio.
config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/18000000.wmac'
	option band '2g'
	option htmode 'HT20'
	option cell_density '0'
	option country 'GB'
	option channel '9'

# Guest SSID on 2.4 GHz, attached to the Guest network (VLAN 4).
config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option encryption 'sae-mixed'
	option key 'PASSWORD1234'
	option ssid 'Guest'
	option network 'Guest'

# 5 GHz radio.
config wifi-device 'radio1'
	option type 'mac80211'
	option path '1a143000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
	option band '5g'
	option htmode 'HE80'
	option cell_density '0'
	option country 'GB'
	option channel '60'

# Guest SSID on 5 GHz, same network as above.
config wifi-iface 'default_radio1'
	option device 'radio1'
	option mode 'ap'
	option encryption 'sae-mixed'
	option key 'PASSWORD1234'
	option network 'Guest'
	option ssid 'Guest'

# Normal-traffic SSID on 5 GHz, attached to lan (VLAN 99).
config wifi-iface 'wifinet3'
	option device 'radio1'
	option mode 'ap'
	option ssid 'Seamless-5G'
	option key 'PASSWORD1234'
	option encryption 'psk2'
	option network 'lan'

# IOT SSID on 2.4 GHz, attached to IOT (VLAN 3).
config wifi-iface 'wifinet4'
	option device 'radio0'
	option mode 'ap'
	option encryption 'psk2'
	option key 'PASSWORD1234'
	option network 'IOT'
	option ssid 'IOT'

# IOT SSID on 5 GHz.
config wifi-iface 'wifinet5'
	option device 'radio1'
	option mode 'ap'
	option encryption 'psk2'
	option key 'PASSWORD1234'
	option network 'IOT'
	option ssid 'IOT'

# Normal-traffic SSID on 2.4 GHz, attached to lan.
config wifi-iface 'wifinet6'
	option device 'radio0'
	option mode 'ap'
	option ssid 'Seamless-2G'
	option encryption 'psk2'
	option key 'PASSWORD1234'
	option network 'lan'

You need to use policy-based routing, and you have 3 options:

  1. mwan3 package
  2. pbr package
  3. a set of rules/routes for each internet connection.

Thanks @trendy. I added the below rule and route and it worked like a charm. Appreciate your help :slight_smile:

# Policy-based routing (network config): packets arriving on the 'lan' and
# 'IOT' interfaces are looked up in routing table 100, whose only entry is a
# default route via wan. Those VLANs therefore keep using the WAN regardless
# of what the VPN client does to the main table's default route (the VPN-side
# route change is not shown here — confirm with `ip route` / `ip rule`).
# Guest is not matched by any rule, so it keeps using the main table.
# NOTE(review): src '192.168.1.1/24' is a host address with a /24 mask; the
# network form is 192.168.1.0/24 (likewise 192.168.3.0/24), or drop 'src'
# altogether since 'in' already selects the interface.
config rule                                    
        option in 'lan'                        
        option src '192.168.1.1/24'            
        option lookup '100'                    
                                      
config rule                           
        option in 'IOT'               
        option src '192.168.3.1/24'   
        option lookup '100'           
                                      
# Default route installed only in table 100; metric 200 keeps it distinct from
# the wan default route in the main table.
config route                          
        option interface 'wan'        
        option target '0.0.0.0'       
        option netmask '0.0.0.0'      
        option metric '200'           
        option table '100' 

Either don't use the src option at all, or fix the addresses to 192.168.1.0/24 and 192.168.3.0/24.

Hey @trendy, I think you mean the below:

# Same policy routing as the previous post, with the 'src' match removed:
# anything arriving on 'lan' or 'IOT' is routed via table 100 (default route
# via wan). Guest matches no rule and stays on the main table, so it is the
# only VLAN affected by the VPN's default route.
config rule                   
        option in 'lan'                        
        option lookup '100'     
                                
config rule                     
        option in 'IOT'         
        option lookup '100'     
                                
# Default route via wan, present only in table 100.
config route                    
        option interface 'wan'  
        option target '0.0.0.0'
        option netmask '0.0.0.0'
        option metric '200'  
        option table '100'
