Hi everyone, I am having trouble making my guest wifi bypass VPN, I am hoping you expert here can help me.
I am using Openwrt 21.02 build, and have setup my main wifi (5GHz) and VPN, everything works as I wanted. I now want to set my 2.4G wifi up as guest wifi, for guests and my old 11g laptop (the only thing having a Ethernet port, its very important to have if you use Openwrt).
I followed the User Guide for guest wifi basics and extra, now i can connect to guest wifi, get dhcp & dns, but can't get to Internet while VPN is connected. When I disconnect VPN, the devices connected to guest wifi work.
After searching this forum, I found this post, saying I have 3 options: mwan3, pbr or (firewall) rules/routes. I don't want to install another package, so mwan3 is out. I have tried policy based routing, but it didn't work, also it broke my set-up, I had to connect to my router with a network cable and used fixed IP 172.16.17.2 to revert the changes. It still didn't work after the changes were reverted. I don't know why. Had to factory reset my router and went through the set-up all over again.
So pbr is out for now, this leaves me with (firewall) rules/routes. Here is my set-up, by the way, 2.4GHz wifi is on br-slow.
Network:
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd29:28ee:9adb::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0.1'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '172.18.17.16'
option netmask '255.255.255.0'
option ip6assign '60'
config device
option name 'eth0.2'
option macaddr 'xx:c6:xx:16:xx:d8'
config interface 'wan'
option device 'eth0.2'
option proto 'dhcp'
config interface 'wan6'
option device 'eth0.2'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '1 2 3 4 0t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '5 0t'
config interface 'guess'
option proto 'static'
option ipaddr '172.18.71.61'
option netmask '255.255.255.0'
option delegate '0'
option device 'br-slow'
config interface 'VPN'
option proto 'none'
option device 'tun0'
config device
option name 'br-slow'
option type 'bridge'
option bridge_empty '1'
option ipv6 '0'
DHCP:
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option localservice '1'
option ednspacket_max '1232'
option noresolv '1'
list server '1xx.xx.xx.100'
list server '1xx.xx.x9.100'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
option ra_slaac '1'
list ra_flags 'managed-config'
list ra_flags 'other-config'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config dhcp 'guess'
option interface 'guess'
option start '111'
option limit '123'
option leasetime '84h'
list ra_flags 'none'
Firewall:
... ...
config zone
option name 'VPN443'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'VPN'
config forwarding
option src 'lan'
option dest 'VPN443'
config zone
option name 'GUEST'
option output 'ACCEPT'
option forward 'REJECT'
list network 'guess'
option input 'REJECT'
config forwarding
option src 'GUEST'
option dest 'wan'
config rule
option name 'Allow-DNS-GUEST'
option src 'GUEST'
option dest_port '53'
option proto 'tcp udp'
option target 'ACCEPT'
config rule
option name 'Allow-DHCP-GUEST'
option src 'GUEST'
option src_port '68'
option dest_port '67'
option proto 'udp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-HTTP/HTTPS-GUEST'
option src 'GUEST'
option dest 'wan'
list dest_port '80'
list dest_port '443'
option proto 'tcp'
option target 'ACCEPT'
Thanks in advance.