What I got working for a couple of years now:
a Virtual Private Networking running LEDE routers.
Router (network) 1 is on the 172.22.56.0/16 segment
router (network) 2 is on the 172.22.57.0/16 segment
Router (network) 3 is on the 172.22.58.0/16 segment
.. few more
they are located around the world, every local network a different segment.
using openVPN with all the encryption and client-to-client enabled, etc..
all clients see each other like a big network including upnp, dhcp, etc.
everything works for a few years and still working today.
Now I wanted to add a new segment 172.22.70.0/16 and I installed latest lede(back to openwrt) version with latest openvpn.
same configuration as the other except this router I want to configure 4 lan ports(the hardware ports) that a client that connects to these ports can't access the whole network.
It can use the router to get into the internet but not see the rest of the network.
So I added a vlan to the switch and now have
vlan1 cpu(eth0) tagged and everything else off
vlan2 vpu(eth1) tagged and wan untagges everything else off
vlan3 cpu(eth0) tagged lan1 to lan4 untagged and eth1 and wan both off
firewall I have an additional zone added as well and now
wan -> reject default
lanbridge (eth0.1 and tap1) -> wan defaults
lanlocal (eth0.3) -> wan defaults
vpn as mentioned is tap1
on the interfaces lanlocal (eth0.3) runs static ip at 192.168.1.1/24
lanbridge (eth0.1 and tap1) in bridged config runs static ip 172.22.70.1/16
all settings are the same as on all the other routers, except thus the vlan3 and the attempt to lock out these hardware ethernet ports from access to the VPN in a bridged environment.
I want to keep the bridged environment so I can use the 172.22.70.1 as gateway into the internet for all the clients that need it.
Now the problem.
IF one client behind any of the other networks, assume 172.22.56.1/16 network has a client 172.22.56.109 this client can see all the 172.22.70.1/16 clients and ping the 172.22.760.1 as it can ping the 172.22.57.1 and 172.22.58.1 and 172.22.59.1, etc
But client 172.22.56.109 I now tell this client NOT to use gateway 172.22.56.1 anymore but instead to use 172.22.70.1 it can still ping 172.22.56.1 and 172.22.57.1 and 172.22.58.1 but for whatever reason it stops accessing 172.22.70.1
you can't ping it anymore, nor use it as gateway
even if I now switch back to 172.22.56.1 as gateway, the route to 172.22.70.1 seems to be blocked eternally until I reboot that router.
All of the others routers don't have this issue.
I can switch on all devices to 172.22.57.1 as gateway or 172.22.58.1 or 172.22.59.1 or whatever..
Just when I use the 172.22.70.1 router as a gatewat I get this issue.