How to make guest wifi bypass VPN with (firewall) rules / routes only?

Hi everyone, I am having trouble making my guest wifi bypass VPN, I am hoping you expert here can help me.

I am using Openwrt 21.02 build, and have setup my main wifi (5GHz) and VPN, everything works as I wanted. I now want to set my 2.4G wifi up as guest wifi, for guests and my old 11g laptop (the only thing having an Ethernet port, it's very important to have if you use Openwrt).

I followed the User Guide for guest wifi basics and extra, now I can connect to guest wifi, get dhcp & dns, but can't get to Internet while VPN is connected. When I disconnect VPN, the devices connected to guest wifi work.

After searching this forum, I found this post, saying I have 3 options: mwan3, pbr or (firewall) rules/routes. I don't want to install another package, so mwan3 is out. I have tried policy based routing, but it didn't work, also it broke my set-up, I had to connect to my router with a network cable and used fixed IP 172.16.17.2 to revert the changes. It still didn't work after the changes were reverted. I don't know why. Had to factory reset my router and went through the set-up all over again.

So pbr is out for now, this leaves me with (firewall) rules/routes. Here is my set-up, by the way, 2.4GHz wifi is on br-slow.

Network:


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd29:28ee:9adb::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '172.18.17.16'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'eth0.2'
	option macaddr 'xx:c6:xx:16:xx:d8'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '5 0t'

config interface 'guess'
	option proto 'static'
	option ipaddr '172.18.71.61'
	option netmask '255.255.255.0'
	option delegate '0'
	option device 'br-slow'

config interface 'VPN'
	option proto 'none'
	option device 'tun0'

config device
	option name 'br-slow'
	option type 'bridge'
	option bridge_empty '1'
	option ipv6 '0'

DHCP:


config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option localservice '1'
	option ednspacket_max '1232'
	option noresolv '1'
	list server '1xx.xx.xx.100'
	list server '1xx.xx.x9.100'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'guess'
	option interface 'guess'
	option start '111'
	option limit '123'
	option leasetime '84h'
	list ra_flags 'none'

Firewall:

... ...

config zone
	option name 'VPN443'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'VPN'

config forwarding
	option src 'lan'
	option dest 'VPN443'

config zone
	option name 'GUEST'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guess'
	option input 'REJECT'

config forwarding
	option src 'GUEST'
	option dest 'wan'

config rule
	option name 'Allow-DNS-GUEST'
	option src 'GUEST'
	option dest_port '53'
	option proto 'tcp udp'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCP-GUEST'
	option src 'GUEST'
	option src_port '68'
	option dest_port '67'
	option proto 'udp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-HTTP/HTTPS-GUEST'
	option src 'GUEST'
	option dest 'wan'
	list dest_port '80'
	list dest_port '443'
	option proto 'tcp'
	option target 'ACCEPT'

Thanks in advance.

[IP] Routes and Rules are not firewall-related - that's a common misconception. Firewall controls if the [already routed] traffic is: Accepted, Dropped or Rejected - depending on if they're Input, Output or a Forward between interfaces (for OpenWrt, this applies for any interfaces that span a Zone). The routing plane (i.e. the Kernel) is controlled by IP Routes and IP Rules, the default gateway on WAN, "Route Allowed IP" settings on some VPN configs, etc.

You do not need to add apps to do policy-based routing.

:spiral_notepad: You do need to know what you're doing. :wink:

See:

Thanks. Given my set-up, what do you think I need to do next?

  • I'm not familiar with the VPN you're using (if I've mistaken, please show/quote it)
  • I see no configs that should have made traffic use VPN - for which you need to therefore bypass

I do the opposite. I use routes/rules to specify what IP/range/interfaces/etc. will use a certain VPN, secondary WAN, etc. I would usually specify the IP range of the VLAN in the IP rule as the SRC and specify it use a new table (e.g. 1). That e.g. Table 1 would have a default route to the VPN. Since no other PBR/mwan3 apps are installed, you can set that IP Rule as Priority No. 1.

:spiral_notepad: Please understand the priority of IP rules matter! They are considered in order - from 0, 1, 2..........etc. Run ip -4 rule to see for IPv4 and ip -6 rule accordingly.

:spiral_notepad: for routes:

ip -4 route

and

ip -4 route show table x

ip -4 route:

0.0.0.0/1 via vpn_network.xx.xx.1 dev tun0 
default via wan_network.xx.xx.1 dev eth0.2 proto static src wan_ip_addr.xx.xx.56 
vpn_network.xx.xx.0/24 dev tun0 proto kernel scope link src vpn_ip_addr.xx.xx.3 
wan_network.xx.xx.0/25 dev eth0.2 proto kernel scope link src wan_ip_addr.xx.xx.56 
128.0.0.0/1 via vpn_network.1 dev tun0 
172.18.17.0/24 dev br-lan proto kernel scope link src 172.18.17.16 
172.18.71.0/24 dev br-slow proto kernel scope link src 172.18.71.61 
vpn_dns_ip via wan_network.xx.xx.1 dev eth0.2 

ip -r route show table 0:

0.0.0.0/1 via vpn_network.xx.xx.1 dev tun0 
default via wan_network.xx.xx.1 dev eth0.2 proto static src wan_ip_addr.xx.xx.56 
vpn_network.xx.xx.0/24 dev tun0 proto kernel scope link src vpn_ip_addr.xx.xx.3 
wan_network.xx.xx.0/25 dev eth0.2 proto kernel scope link src wan_ip_addr.56 
128.0.0.0/1 via vpn_network.xx.xx.1 dev tun0 
172.18.17.0/24 dev br-lan proto kernel scope link src 172.18.17.16 
172.18.71.0/24 dev br-slow proto kernel scope link src 172.18.71.61 
vpn_dns_ip.xx.xx.xx via wan_network.xx.xx.1 dev eth0.2 
broadcast vpn_network.xx.xx.0 dev tun0 table local proto kernel scope link src vpn_ip_addr.xx.xx.3 
local vpn_ip_addr.xx.xx.3 dev tun0 table local proto kernel scope host src vpn_ip_addr.xx.xx.3 
broadcast vpn_network.xx.xx.255 dev tun0 table local proto kernel scope link src vpn_ip_addr.xx.xx.3 
broadcast wan_network.xx.xx.0 dev eth0.2 table local proto kernel scope link src wan_ip_addr.xx.xx.56 
local wan_ip_addr.xx.xx.56 dev eth0.2 table local proto kernel scope host src wan_ip_addr.xx.xx.56 
broadcast wan_network.xx.xx.127 dev eth0.2 table local proto kernel scope link src wan_ip_addr.xx.xx.56 
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
broadcast 172.18.17.0 dev br-lan table local proto kernel scope link src 172.18.17.16 
local 172.18.17.16 dev br-lan table local proto kernel scope host src 172.18.17.16 
broadcast 172.18.17.255 dev br-lan table local proto kernel scope link src 172.18.17.16 
broadcast 172.18.71.0 dev br-slow table local proto kernel scope link src 172.18.71.61 
local 172.18.71.61 dev br-slow table local proto kernel scope host src 172.18.71.61 
broadcast 172.18.71.255 dev br-slow table local proto kernel scope link src 172.18.71.61
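The route dump above shows why the guest network loses Internet as soon as the VPN is up: the two /1 routes (`0.0.0.0/1` and `128.0.0.0/1`) pushed by the VPN client together cover all of IPv4 and are more specific than `default`, so longest-prefix matching sends every zone's traffic, guest included, to `tun0`; the GUEST zone only forwards to `wan`, so that traffic is rejected. The reply earlier in the thread describes the fix: an IP rule that steers one source range into its own table, placed at a priority that is evaluated before `main`. The following simulator is an added example written for this thread, not code from either poster or from OpenWrt; it reproduces the kernel's rule-walk and longest-prefix lookup over the routes shown above (gateways written as the labels `vpn_gw`/`wan_gw`, the host addresses `172.18.71.130`, `172.18.17.100` and `203.0.113.5` are constructed placeholders) and shows three configurations: the current state, a priority-1 rule sending the guest subnet to a table whose only route is `default` via wan, and the responder's inverse approach (main table without the /1 routes, LAN subnet steered into a VPN table), which goes slightly beyond the thread's own guest-only case.

```python
"""Simulate Linux policy routing (ip rule + ip route) for the guest-bypass-VPN case."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

net = ipaddress.IPv4Network
addr = ipaddress.IPv4Address


@dataclass(frozen=True)
class Route:
    prefix: net
    dev: str
    via: Optional[str] = None  # gateway label; None means directly connected


@dataclass(frozen=True)
class Rule:
    priority: int
    table: str
    src: Optional[net] = None  # None matches every source ("from all")


def longest_match(table, dst):
    """Inside one table the most specific prefix wins (kernel semantics)."""
    hits = [r for r in table if dst in r.prefix]
    return max(hits, key=lambda r: r.prefix.prefixlen, default=None)


def egress(rules, tables, src, dst):
    """Walk `ip rule` entries by ascending priority; the first table holding a
    matching route decides the egress device. None means 'Network is unreachable'."""
    src, dst = addr(src), addr(dst)
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.src is not None and src not in rule.src:
            continue
        hit = longest_match(tables.get(rule.table, []), dst)
        if hit is not None:
            return hit.dev
    return None


# Main table as in the poster's `ip -4 route` output (gateways are placeholder labels).
MAIN_WITH_VPN = [
    Route(net("0.0.0.0/1"), "tun0", "vpn_gw"),    # installed by the VPN client
    Route(net("128.0.0.0/1"), "tun0", "vpn_gw"),  # together these beat "default"
    Route(net("0.0.0.0/0"), "eth0.2", "wan_gw"),  # default via WAN
    Route(net("172.18.17.0/24"), "br-lan"),
    Route(net("172.18.71.0/24"), "br-slow"),
]
# The three rules every Linux box has: local (0), main (32766), default (32767).
BASE_RULES = [Rule(0, "local"), Rule(32766, "main"), Rule(32767, "default")]

GUEST_HOST = "172.18.71.130"   # constructed: a client on br-slow
LAN_HOST = "172.18.17.100"     # constructed: a client on br-lan
INTERNET = "203.0.113.5"       # constructed: some public destination


def current_state():
    """No extra rules: both subnets are pulled into tun0 by the /1 routes."""
    tables = {"local": [], "main": MAIN_WITH_VPN, "default": []}
    return {h: egress(BASE_RULES, tables, h, INTERNET) for h in (GUEST_HOST, LAN_HOST)}


def guest_bypass(priority=1):
    """`ip rule add from 172.18.71.0/24 lookup 2 priority <p>` plus
    `ip route add default via <wan_gw> dev eth0.2 table 2`."""
    tables = {"local": [], "main": MAIN_WITH_VPN, "default": [],
              "2": [Route(net("0.0.0.0/0"), "eth0.2", "wan_gw")]}
    rules = BASE_RULES + [Rule(priority, "2", net("172.18.71.0/24"))]
    return {h: egress(rules, tables, h, INTERNET) for h in (GUEST_HOST, LAN_HOST)}


def lan_via_vpn_only():
    """Inverse approach from the thread: main table keeps only the WAN default
    (assumes the VPN client no longer installs the /1 routes) and the LAN
    subnet is steered into table 1 whose default points at tun0."""
    main = [r for r in MAIN_WITH_VPN if r.prefix.prefixlen != 1]
    tables = {"local": [], "main": main, "default": [],
              "1": [Route(net("0.0.0.0/0"), "tun0", "vpn_gw")]}
    rules = BASE_RULES + [Rule(1, "1", net("172.18.17.0/24"))]
    return {h: egress(rules, tables, h, INTERNET) for h in (GUEST_HOST, LAN_HOST)}


if __name__ == "__main__":
    print("current:          ", current_state())
    print("guest rule prio 1:", guest_bypass())
    print("guest rule too late (prio 32767):", guest_bypass(priority=32767))
    print("LAN-only via VPN: ", lan_via_vpn_only())
```

Running it shows the two points the reply makes: with the guest rule at priority 1 the guest host leaves via `eth0.2` while the LAN host still uses `tun0`, but the same rule placed at 32767 changes nothing, because `main` (32766) already answers with the /1 routes before the guest table is ever consulted. On OpenWrt the equivalent is `ip rule add from 172.18.71.0/24 lookup 2 priority 1` and `ip route add default via <wan gateway> dev eth0.2 table 2`; to make them survive a reboot they belong in `/etc/config/network` as a `config rule` section (`option src`, `option lookup`, `option priority`) and a `config route` section with `option table '2'`, which netifd installs for you. The firewall side shown above is already consistent with this: the GUEST zone forwards only to `wan`, so once routing puts guest packets on `eth0.2` they are masqueraded there and never touch the VPN zone.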