Connecting Multiple LANs to WAN (Without switch config options)

Hi,

I am trying to create a network that looks like this:

Points to note:

  1. I am a newbie and I realize this might be a simple problem; pointers to documentation would be helpful in that case.
  2. I have configured LAN1 and the VPN. In fact, I have even managed to create LAN2; it just won't talk to the WAN.
  3. There is no switch tab in my LuCI (some of the other posts' answers suggested using it).

The working LAN1 with VPN configurations:

# /etc/config/network

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.1.1'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option peerdns '0'

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'DUH'
	list addresses '11.1.1.1/32'

# /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option flow_offloading '1'
	option flow_offloading_hw '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

config zone
	option name 'vpn'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option input 'REJECT'
	list network 'PROTECT'

config forwarding
	option src 'lan'
	option dest 'vpn'

config forwarding
	option src 'lan'
	option dest 'wan'

# /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option band '2g'
	option htmode 'HT40'
	option channel 'auto'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'DUH'
	option encryption 'sae'
	option key 'DUH'

LAN2, which does everything except talk to the WAN:

# /etc/config/dhcp
config dhcp 'free'
	option interface 'free'
	option start '100'
	option limit '150'
	option dhcpv4 'server'
	option leasetime '12h'
	list ra_flags 'none'

# /etc/config/firewall
config zone
	option name 'free'
	option input 'ACCEPT'
	option output 'ACCEPT'
	list network 'free'
	option forward 'ACCEPT'

config forwarding
	option src 'free'
	option dest 'wan'

# /etc/config/network
config device
	option type 'bridge'
	option name 'free-lan'
	option bridge_empty '1'

config interface 'free'
	option proto 'static'
	option device 'free-lan'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	list dns '1.1.1.1'
	option type 'bridge'

# /etc/config/wireless
config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option encryption 'psk2'
	option key 'DUH2'
	option network 'free'
	option ssid 'DUH2'

Please let me know if I can provide any further information, thanks in advance. :grinning:

I'm a bit confused about the two different file listings. Are these separate files, or did you split them up to show the LAN2 things separately?

Hi,

I split the LAN2 data in the question just to make things simpler. On the device,
there is only one copy of each file (/etc/config/network, /etc/config/wireless, etc.).

Best,
Ajay T.

OK... would you mind posting the complete files (don't split them up)? This will make it easier to read.


Sure,

Here are the following files:

  1. /etc/config/dhcp
  2. /etc/config/firewall
  3. /etc/config/network
  4. /etc/config/wireless

  1. /etc/config/dhcp
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.lease'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.automatic'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'
	list ra_flags 'none'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'free'
	option interface 'free'
	option start '100'
	option limit '150'
	option dhcpv4 'server'
	option leasetime '12h'
	list ra_flags 'none'
  1. /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option flow_offloading '1'
	option flow_offloading_hw '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config zone
	option name 'vpn'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option input 'REJECT'
	list network 'PROTECT'

config forwarding
	option src 'lan'
	option dest 'vpn'

config forwarding
	option src 'lan'
	option dest 'wan'

config include
	option path '/etc/firewall.custom.user'

config zone
	option name 'free'
	option input 'ACCEPT'
	option output 'ACCEPT'
	list network 'free'
	option forward 'ACCEPT'

config forwarding
	option src 'free'
	option dest 'wan'
  1. /etc/config/network
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.1.1'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config interface 'wgo'
	option proto 'wireguard'
	option private_key 'KEY'
	list addresses 'IP'
	option peerdns '0'
	list dns 'DNS'

config wireguard_wgo
	option description 'VPN'
	option public_key 'KEY'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::0/0'
	option endpoint_host 'HOST'
	option endpoint_port 'PORT'
	option route_allowed_ips '1'

config device
	option type 'bridge'
	option name 'free-lan'
	option bridge_empty '1'

config interface 'free'
	option proto 'static'
	option device 'free-lan'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	list dns '1.1.1.1'
	option type 'bridge'
  1. /etc/config/wireless
config wifi-device 'radio0'
	option type 'mac80211'
	option band '2g'
	option htmode 'HT40'
	option channel 'auto'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'AP1'
	option encryption 'sae'
	option key 'PASSWORD'

config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option encryption 'psk2'
	option key 'DUH2'
	option network 'free'
	option ssid 'DUH2'

Remove the `option type 'bridge'` line from this network. Also, the DNS specified here will have no function. If you want to advertise this as the DNS for the 'free' clients to use, that is specified in the DHCP options (option 6) for that network.

Hi,

I made the suggested change, and updated the block to:

config interface 'free'
	option proto 'static'
	option device 'free-lan'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'

Yet the problem remains: the wireless network still won't talk to the WAN.
I can access other IPs on the LAN but nothing on the WAN.

Also, I'm not sure what to conclude from this, but traceroute stops after 1 hop.

$ traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  192.168.3.128 (192.168.3.128)  0.399 ms  0.465 ms  0.512 ms

Can you please post the complete config files again... this way I can see all the latest.

Sure,

Here are the following files:

  1. /etc/config/dhcp
  2. /etc/config/firewall
  3. /etc/config/network
  4. /etc/config/wireless

  1. /etc/config/dhcp
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'free'
	option interface 'free'
	option start '100'
	option limit '150'
	option dhcpv4 'server'
	option leasetime '12h'
	list ra_flags 'none'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'
	list ra_flags 'none'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'
  1. /etc/config/firewall
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option flow_offloading '1'
	option flow_offloading_hw '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config zone
	option name 'vpn'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option input 'REJECT'
	list network 'PROTECT'

config forwarding
	option src 'lan'
	option dest 'vpn'

config forwarding
	option src 'lan'
	option dest 'wan'

config zone
	option name 'free'
	option input 'ACCEPT'
	option output 'ACCEPT'
	list network 'free'
	option forward 'ACCEPT'

config forwarding
	option src 'free'
	option dest 'wan'
  1. /etc/config/network
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'IPV6'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.2.1'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option type 'bridge'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config interface 'PROTECT'
	option proto 'wireguard'
	option private_key 'KEY'
	list addresses 'IP'
	list addresses 'IPV6'
	option peerdns '0'
	list dns 'DNS'

config wireguard_PROTECT
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::0/0'
	option endpoint_port 'PORT'
	option route_allowed_ips '1'
	option public_key 'KEY'
	option endpoint_host 'IP'
	option description 'VPN'

config device
	option type 'bridge'
	option name 'free-lan'
	option bridge_empty '1'
	option ipv6 '0'

config interface 'free'
	option proto 'static'
	option device 'free-lan'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
  1. /etc/config/wireless
config wifi-device 'radio0'
	option type 'mac80211'
	option path 'ID'
	option band '2g'
	option htmode 'HT40'
	option channel 'auto'
	option cell_density '0'
	option legacy_rates '1'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'R2'
	option encryption 'sae'
	option key 'R2'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'ID'
	option channel '36'
	option band '5g'
	option htmode 'VHT80'
	option cell_density '0'
	option txpower '20'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'R2'
	option encryption 'sae'
	option key 'R2'

config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option encryption 'psk2'
	option ssid 'R3'
	option key 'R3'
	option network 'free'

I suspect that it is because your VPN is running: the WireGuard peer has allowed_ips 0.0.0.0/0 and ::0/0 with route_allowed_ips '1', so the router's default route points into the tunnel, and traffic from 'free' that follows it ends up in the 'vpn' zone, for which there is no forwarding from 'free'.

Add the following and it should work

config forwarding
	option src 'free'
	option dest 'vpn'

If you don't want the 'free' network to use the VPN, you'll need to use policy-based routing to set up the appropriate rules (so that your LAN uses the VPN and the free network doesn't).

you'll need to use Policy Based routing to setup the appropriate rules

Yes @psherman , you're on the money.

As mentioned in the question, I want one interface to use the VPN and the other one not to.
To avoid an XY problem, the real problem I am trying to solve is that I want to have two wireless interfaces:

  1. wifi1: connects via VPN
  2. wifi2: connects without VPN

Policy Based routing

Thanks for the tip. This does seem to be the correct path; however, my attempts to make it work have all failed.
I'll try to keep researching, but any guides or tutorials for what I am trying to do would be helpful.
(The official docs, https://openwrt.org/docs/guide-user/network/routing/pbr, are not detailed enough for me to be able to do it on my own!)