Different ports for different interfaces

Hi, I have OpenWrt installed on a Xiaomi 4A Giga router, which has 2 LAN ports. I also have an OpenConnect VPN interface, and my firewall is configured to route all traffic through the VPN interface. What I want is that when I plug my PC into the first LAN port, my traffic routes through the VPN as usual, but when I plug it into the second port, my traffic goes directly through the WAN interface.
An option to give a specific DNS to the PC when connecting to the second port is arbitrary but really great. Please try to avoid the pbr package, as I'm struggling with it.
Thanks.

To do this, you'll need to have 2 subnets, one subnet assigned to each physical port.

So, for example, if you currently have 192.168.1.0/24 on your lan, you'll set up a second lan (call it lan2 for now) which will have a different subnet (say 192.168.5.0/24). That will be assigned to the physical lan2 port.

Then, you'll use policy based routing to ensure that one of the subnets routes through the wan while the other routes through the VPN.


I made another interface named lan2. I configured it similar to the original lan interface but gave it an address of 192.168.3.1 and made it a DHCP server. I also configured the firewall to route traffic from lan2 to wan, but the problem is that my PC is still getting an address from the original lan interface (192.168.2.X). Even if I manually set an IP on my PC, it doesn't appear in the active DHCP leases list, and eventually my PC doesn't have internet at all.

Let’s see your config.

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fdce:931c:0b58::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.2.1'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option peerdns '0'
	list dns '8.8.8.8'
	option metric '20'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config interface 'LT2'
	option proto 'openconnect'
	option vpn_protocol 'anyconnect'
	option server 'LT2.MyVitaminD3.NET'
	option port '22'
	option username '**********'
	option password '**********'
	option password2 '**********'
	option metric '10'
	option serverhash '**********'
	option auto '0'

config interface 'IT1'
	option proto 'openconnect'
	option vpn_protocol 'anyconnect'
	option server 'it1.myvitamind3.net'
	option port '22'
	option username '***********'
	option password '*******'
	option password2 '********'
	option metric '10'
	option serverhash '*************'

config interface 'lan2'
	option proto 'static'
	option device 'lan2'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config wifi-device 'radio0'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option disabled '1'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
	option band '5g'
	option htmode 'VHT80'
	option channel 'auto'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid '*****'
	option encryption 'sae-mixed'
	option key '*****'

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'lan2'
	option interface 'lan2'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option dhcpv6 'server'

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config forwarding
	option src 'lan'
	option dest 'wan'

config zone
	option name 'VPN'
	option output 'ACCEPT'
	option forward 'REJECT'
	option input 'REJECT'
	option masq '1'
	list network 'LT2'
	list network 'IT1'

config forwarding
	option src 'lan'
	option dest 'VPN'

config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/pbr.firewall.include'

config zone
	option name 'lan2'
	option input 'ACCEPT'
	option output 'ACCEPT'
	list network 'lan2'
	option forward 'ACCEPT'

config forwarding
	option src 'lan2'
	option dest 'wan'

Port lan2 is still associated with br-lan (which is used for your first lan), so that's why you're having the issue.

Make it look like this:

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'

Then, if the lan2 network will ever be connected to wifi, you'll need to connect it with a bridge that would look like this (this is not necessary if you'll only use this wired on that single port):

config device
	option name 'br-lan2'
	option type 'bridge'
	list ports 'lan2'

If you do make the bridge above, you'll also need to update your lan2 interface to use the bridge (like before, this change is not necessary if you'll only use this in a wired context):

config interface 'lan2'
	option proto 'static'
	option device 'br-lan2'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

This should fix the issue of the lan2 port not working with the right network.

Next, you've got lan2 forwarding allowed to wan -- this is ultimately what you'll want. But if PBR is not configured yet, you'll probably end up with no internet connection since the VPN will probably have taken over the default route and you're not allowing lan2 > vpn. You could temporarily allow this forwarding (or turn off the VPN), and you should get internet on lan2.

Give this a shot and report back.

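A quick check for the mistake diagnosed above, added here as an example (it is not from the thread or from OpenWrt itself): it parses a network config and flags any port that is listed under a bridge and also used directly by an interface. The inline sample is a constructed excerpt of the config posted above.

```shell
#!/bin/sh
# Added check, not from the thread: report any physical port that is both a
# bridge member ('list ports' under 'config device') and directly assigned
# to an interface ('option device' under 'config interface'). That double
# assignment is why the lan2 port kept landing in the original lan network.
# Usage on the router: sh check_ports.sh /etc/config/network

# Prints one line per conflicting port; returns the number of conflicts.
find_double_assigned_ports() {
    awk -v q="'" '
        function strip(s) { gsub(q, "", s); return s }
        # Track the current UCI section and, for bridges, the bridge name.
        /^config device/    { sect = "device";    bridge = "" }
        /^config interface/ { sect = "interface"; bridge = "" }
        sect == "device" && $1 == "option" && $2 == "name" { bridge = strip($3) }
        sect == "device" && $1 == "list" && $2 == "ports" { member[strip($3)] = bridge }
        sect == "interface" && $1 == "option" && $2 == "device" { direct[strip($3)] = 1 }
        END {
            n = 0
            for (p in member)
                if (p in direct) {
                    print p " is in " member[p] " and also used directly"
                    n++
                }
            exit n
        }
    ' "$1"
}

# Constructed excerpt mirroring the broken config posted above (not the full file).
sample_broken_config() {
	cat <<'EOF'
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'

config interface 'lan2'
	option proto 'static'
	option device 'lan2'
EOF
}

if [ -n "${1:-}" ]; then
    find_double_assigned_ports "$1"
fi
```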

Exactly, now I get a correct IP address (192.168.3.X) but have no internet connection. Can you please tell me how to configure PBR to reach my final goal?

I’m not an expert on pbr, so I can't really help on this last bit in detail.

But check out the pbr wiki, specifically the vpn policy routing:

You’ll define the rules based on your two subnets 192.168.2.0/24 and 192.168.3.0/24.

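For the simple case asked about here (one whole subnet out of wan, everything else via the VPN), netifd's own `config route` / `config rule` sections in /etc/config/network can do the policy routing without the pbr package. The script below is an added example, not from the thread or the pbr wiki; it assumes the interface names from the thread (wan, lan2), that the lan2 -> wan forwarding already exists, that netifd fills in the wan gateway for a route that omits one, and a placeholder DNS server of 1.1.1.1 for lan2 clients.

```shell
#!/bin/sh
# Added example, not from the thread or the pbr package: route everything
# from the lan2 subnet straight out of wan using netifd policy routing and
# hand lan2 clients their own DNS server via DHCP option 6.
LAN2_SUBNET="192.168.3.0/24"
LAN_SUBNET="192.168.2.0/24"
LAN2_DNS="1.1.1.1"      # placeholder; use the resolver lan2 should get
TABLE=100               # dedicated routing table for lan2 traffic

# Emit the uci batch that builds the policy; printed first so it can be
# reviewed before it is applied.
lan2_direct_wan_uci() {
    cat <<EOF
set network.lan2_default=route
set network.lan2_default.interface='wan'
set network.lan2_default.target='0.0.0.0/0'
set network.lan2_default.table='$TABLE'
set network.lan2_local=rule
set network.lan2_local.src='$LAN2_SUBNET'
set network.lan2_local.dest='$LAN_SUBNET'
set network.lan2_local.lookup='main'
set network.lan2_local.priority='90'
set network.lan2_policy=rule
set network.lan2_policy.src='$LAN2_SUBNET'
set network.lan2_policy.lookup='$TABLE'
set network.lan2_policy.priority='100'
add_list dhcp.lan2.dhcp_option='6,$LAN2_DNS'
EOF
}

# Apply and reload; run on the router as root. The lan2_local rule is
# consulted first so lan2 -> lan traffic is not thrown at the wan gateway;
# the main table still carries the VPN default route for everyone else.
apply_lan2_direct_wan() {
    lan2_direct_wan_uci | uci batch \
        && uci commit network && uci commit dhcp \
        && /etc/init.d/network reload && /etc/init.d/dnsmasq restart
}
```

Because the default route for lan2 lives only in table 100, the router's own traffic (including the OpenConnect session to the VPN server) keeps using the main table exactly as before.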

Ok, thank you anyway. I'm struggling with pbr as I'm trying to route specific domains through different interfaces but haven't succeeded yet.

What I'd recommend here is that you open a new thread specifically for your PBR questions (now that you have a config with the base functionality of the two networks working). This way you can get the right eyes on the problem (with PBR in the subject line, for example).

In the meantime, you could mark this one as solved, and reference this thread in the new PBR specific one.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :slight_smile:


Ok, Thanks
