Configuring router with OpenVPN bridged but lock out specific LAN ports (hw)

What I have had working for a couple of years now:
a Virtual Private Network running on LEDE routers.
Using OpenVPN
Router (network) 1 is on the segment
Router (network) 2 is on the segment
Router (network) 3 is on the segment
... a few more
They are located around the world, every local network a different segment.

Using OpenVPN with all the encryption and client-to-client enabled, etc.
All clients see each other like one big network, including UPnP, DHCP, etc.

Everything has worked for a few years and is still working today.

Now I wanted to add a new segment, and I installed the latest LEDE (back to OpenWrt) version with the latest OpenVPN.

Same configuration as the others, except on this router I want to configure 4 LAN ports (the hardware ports) so that a client that connects to these ports can't access the whole network.

It can use the router to get into the internet but not see the rest of the network.

So I added a VLAN to the switch and now have:
vlan1: cpu (eth0) tagged and everything else off
vlan2: cpu (eth1) tagged and wan untagged, everything else off
vlan3: cpu (eth0) tagged, lan1 to lan4 untagged, and eth1 and wan both off

In the firewall I have an additional zone added as well, and now:
wan -> reject default
lanbridge (eth0.1 and tap1) -> wan defaults
lanlocal (eth0.3) -> wan defaults

The VPN, as mentioned, is tap1.

On the interfaces, lanlocal (eth0.3) runs a static IP at
lanbridge (eth0.1 and tap1) in bridged config runs a static IP

All settings are the same as on all the other routers, except for vlan3 and the attempt to lock out these hardware Ethernet ports from access to the VPN in a bridged environment.

I want to keep the bridged environment so I can use the as gateway into the internet for all the clients that need it.

Now the problem.

If one client behind any of the other networks, assume network has a client this client can see all the clients and ping the 172.22.760.1 as it can ping the and and, etc.

But client I now tell this client NOT to use gateway anymore but instead to use it can still ping and and but for whatever reason it stops accessing

You can't ping it anymore, nor use it as a gateway.

even if I now switch back to as gateway, the route to seems to be blocked eternally until I reboot that router.

All of the other routers don't have this issue.

I can switch on all devices to as gateway or or or whatever..

Just when I use the router as a gateway I get this issue.

Any ideas?
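As an added example (not the original poster's file), this is how the three zones described above could be written in OpenWrt's /etc/config/firewall so that lanlocal can only forward to wan and never to the bridged VPN side; the interface names lanbridge and lanlocal are assumed to match /etc/config/network, and the DHCP/DNS rules are an assumption about what the isolated ports still need from the router itself.

```uci
# /etc/config/firewall (added example). Zones follow the post: wan, lanbridge (eth0.1 + tap1), lanlocal (eth0.3).

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	list network 'wan'

# Bridged VPN side: eth0.1 and tap1 are one L2 domain, so their traffic is switched, not firewalled here.
config zone
	option name 'lanbridge'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lanbridge'

# Isolated hardware ports: nothing forwarded by default, router only answers DHCP/DNS (rules below).
config zone
	option name 'lanlocal'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'lanlocal'

# Only these two forwardings exist; deliberately no lanlocal -> lanbridge entry.
config forwarding
	option src 'lanbridge'
	option dest 'wan'

config forwarding
	option src 'lanlocal'
	option dest 'wan'

# Assumption: lanlocal clients still get addresses and name resolution from this router.
config rule
	option src 'lanlocal'
	option proto 'udp'
	option dest_port '67-68'
	option target 'ACCEPT'

config rule
	option src 'lanlocal'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'
```

Apply with `/etc/init.d/firewall restart`; a client on lan1-lan4 should then reach the internet and the router's DHCP/DNS but not any address on the lanbridge/tap1 side.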

Do you really need bridging to achieve that goal?

Well, I guess not, but I couldn't find a working alternative example.

# server.conf
dev tun0
topology subnet
redirect-gateway def1

# ccd/rt1

# ccd/rt2

# ccd/rt3
