I am currently trying to get a router (Linksys WRT3200ACM / LEDE Reboot 17.01.4 r3560-79f57e422d) set up so that I can ship it off to a friend of mine. Requirements (among other things) are what you may expect from the title of the thread: Primary LAN -> VPN/WAN; Guest LAN -> WAN.
EDIT: It doesn't matter what interface I pick to exclude from the VPN. Whether it is the Guest or the LAN, clients connected to the interface which does not forward to the VPN are unable to access the internet.
There are several threads that are along the same lines of what I am trying to do, but none were of any help to my situation:
I have it set up with two SSIDs per radio, one for the Primary and another for Guest. There are no VLANs in place at this time (VLANs were disabled during troubleshooting). It feels like it should be a pretty simple setup.
Primary: 192.168.45.x / CC_Secure_02
Guest: 192.168.46.x / CC_Guest_02
Where I'm at:
- Successful connection to the VPN provider (PrivateInternetAccess)
- Successful routing of Primary LAN traffic through VPN
- No internet access on the Guest LAN whenever the VPN is connected
Note: I have been testing internet connectivity from smartphone (Android 7.0 / Chrome).
Config files:
/etc/config/network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fddf:9527:7461::/48'
# Primary ("secure") LAN: bridge over eth0, 192.168.45.1/24.
# In /etc/config/firewall this network is forwarded only to the 'vpn' zone, never to 'wan'.
config interface 'lan'
option type 'bridge'
option ifname 'eth0'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.45.1'
# Upstream: DHCP on eth1. ISP-supplied resolvers are ignored (peerdns '0') in favour of Google DNS.
config interface 'wan'
option ifname 'eth1'
option proto 'dhcp'
option peerdns '0'
option dns '8.8.8.8 8.8.4.4'
config interface 'wan6'
option ifname 'eth1'
option proto 'dhcpv6'
option peerdns '0'
option reqaddress 'try'
option reqprefix 'auto'
option dns '2001:4860:4860::8888 2001:4860:4860::8844'
# Switch: two VLANs. Port numbering is board-specific.
# NOTE(review): ports 5 and 6 are presumably the CPU-facing ports of this switch -- confirm
# against the WRT3200ACM port map before relying on the split.
config switch
option name 'switch0'
option reset '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0 1 2 3 5'
option vid '1'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '4 6'
option vid '2'
# Guest LAN: 192.168.46.1/24. 'guest' is not a physical device here; the bridge is populated by
# the wifi-iface stanzas in /etc/config/wireless whose network is 'guest'.
config interface 'guest'
option ifname 'guest'
option proto 'static'
option ipaddr '192.168.46.1'
option netmask '255.255.255.0'
option ip6assign '60'
option type 'bridge'
# OpenVPN tunnel device (dev 'tun0' in /etc/config/openvpn). proto 'none': netifd does not
# configure it; OpenVPN owns its addressing and routes.
# NOTE(review): if the server pushes a default route into tun0, internet-bound traffic from every
# interface -- guest included -- follows that route regardless of the guest->wan firewall
# forwarding, which matches the reported symptom. Keeping guest outside the tunnel normally needs
# policy routing (e.g. route_nopull in the OpenVPN config plus per-source 'ip rule' / routing-table
# entries), not only a firewall forwarding.
config interface 'vpn'
option proto 'none'
option ifname 'tun0'
/etc/config/firewall
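# Global policy (LEDE defaults): router input/output accepted, inter-zone forwarding rejected.
# Per-zone 'input'/'forward' below override this for traffic on that zone.
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
# Primary LAN zone. Note: there is no 'config forwarding' from lan to wan anywhere in this file,
# only lan -> vpn, so if the tunnel is down the primary LAN has no internet path at all
# (fail-closed; no clear-text fallback).
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
# Upstream zone: nothing reaches the router from the WAN except the explicit rules/redirects below.
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option mtu_fix '1'
option network 'wan wan6'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
# Fixed: this entry was pasted twice onto one line, which is not valid UCI syntax.
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
# Remote administration over the WAN. WEB_PORT / SSH_PORT are the poster's redactions.
# Allow-Admin-WAN exposes the plain-HTTP admin UI (dest_port 80) to the internet; the poster
# states it will be disabled before shipping -- leave SSH (key-based) as the only remote path.
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp udp'
option src_dport 'WEB_PORT'
option dest_ip '192.168.45.1'
option dest_port '80'
option name 'Allow-Admin-WAN'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option src_dport 'SSH_PORT'
option dest_ip '192.168.45.1'
option dest_port 'SSH_PORT'
option name 'Allow-SSH-WAN'
# Guest zone.
# REVIEW: 'input' was 'ACCEPT', which let guest clients reach every service on the router itself
# (admin UI, SSH) at 192.168.46.1. The guestzone_DHCP / guestzone_DNS rules below only have a
# purpose when input is REJECT, so that is almost certainly what was intended; changed accordingly.
config zone
option network 'guest'
option output 'ACCEPT'
option input 'REJECT'
option forward 'ACCEPT'
option name 'guest'
# The only router services guest clients may use: DHCP and DNS.
config rule
option name 'guestzone_DHCP'
option target 'ACCEPT'
option proto 'udp'
option dest_port '67-68'
option src 'guest'
config rule
option name 'guestzone_DNS'
option target 'ACCEPT'
option proto 'tcp udp'
option dest_port '53'
option src 'guest'
# Guest -> WAN directly. This only permits the forwarding; which interface guest traffic
# actually leaves on is decided by the routing table (see the note on the 'vpn' interface in
# /etc/config/network).
config forwarding
option dest 'wan'
option src 'guest'
# Tunnel zone: NAT outbound into the tunnel, accept nothing from it.
# NOTE(review): the wan zone has mtu_fix '1' but this zone does not; tunnels commonly need MSS
# clamping too, so consider 'option mtu_fix '1'' here as well.
config zone
option forward 'REJECT'
option output 'ACCEPT'
option name 'vpn'
option input 'REJECT'
option masq '1'
option network 'vpn'
# NOTE(review): vpn -> wan lets traffic arriving from the tunnel be forwarded out the WAN.
# For a client-only tunnel this looks unnecessary -- confirm it is needed before keeping it.
config forwarding
option dest 'wan'
option src 'vpn'
# Primary LAN may only leave through the tunnel.
config forwarding
option dest 'vpn'
option src 'lan'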
/etc/config/dhcp
# dnsmasq: DHCP + caching DNS for both LANs. rebind_protection blocks upstream answers that point
# at private addresses; localservice restricts DNS service to directly attached subnets.
# Upstream resolvers come from resolvfile, which netifd populates from the interface 'dns'
# options (Google DNS per /etc/config/network).
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
option localservice '1'
# Primary LAN pool: 192.168.45.100-249, 12h leases; DHCPv6 + RA served as well.
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'
option ra_management '1'
# Never serve DHCP towards the upstream.
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
# Guest pool: 192.168.46.100-249, same shape as the primary pool.
# NOTE(review): guest also gets DHCPv6/RA; if the upstream delegates a prefix, guest IPv6 traffic
# goes out wan6 directly, which is the intended path for guest but worth knowing when testing.
config dhcp 'guest'
option interface 'guest'
option start '100'
option leasetime '12h'
option limit '150'
option dhcpv6 'server'
option ra 'server'
option ra_management '1'
/etc/config/wireless
# 5 GHz radio. KEY_HIDDEN throughout is the poster's redaction of the PSK.
config wifi-device 'radio0'
option type 'mac80211'
option channel '36'
option hwmode '11a'
option path 'soc/soc:pcie-controller/pci0000:00/0000:00:01.0/0000:01:00.0'
option htmode 'VHT80'
option country 'US'
# Primary SSID on 5 GHz -> 'lan' (VPN-only network). WPA2-PSK/CCMP.
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option ssid 'CC_Secure_02'
option encryption 'psk2+ccmp'
option key 'KEY_HIDDEN'
# 2.4 GHz radio.
config wifi-device 'radio1'
option type 'mac80211'
option channel '11'
option hwmode '11g'
option path 'soc/soc:pcie-controller/pci0000:00/0000:00:02.0/0000:02:00.0'
option htmode 'HT20'
option country 'US'
# Primary SSID on 2.4 GHz -> 'lan'.
config wifi-iface 'default_radio1'
option device 'radio1'
option network 'lan'
option mode 'ap'
option ssid 'CC_Secure_02'
option encryption 'psk2+ccmp'
option key 'KEY_HIDDEN'
# Third radio, currently disabled. (The 'path' line below was truncated in the paste.)
config wifi-device 'radio2'
option type 'mac80211'
option channel '36'
option hwmode '11a'
option path 'platform/soc/soc:internal-regs/f10d8000.sdhci/mmc_host/mmc0/mmc0:0001/mmc0:0
option htmode 'VHT80'
option disabled '1'
# REVIEW: this is a stock OPEN access point ('encryption none') attached to the secure 'lan'.
# It is inert only because radio2 is disabled above; if the radio is ever enabled, an
# unauthenticated SSID lands directly on the VPN-protected LAN. Delete this stanza (or move it to
# 'guest' with a PSK) before shipping the device.
config wifi-iface 'default_radio2'
option device 'radio2'
option network 'lan'
option mode 'ap'
option ssid 'LEDE'
option encryption 'none'
# Guest SSID on 5 GHz -> 'guest'.
# NOTE(review): no 'option isolate '1'' is set, so guest clients can talk to each other over the
# AP; add it if guests should be isolated from one another.
config wifi-iface
option device 'radio0'
option mode 'ap'
option ssid 'CC_Guest_02'
option network 'guest'
option encryption 'psk2+ccmp'
option key 'KEY_HIDDEN'
# Guest SSID on 2.4 GHz -> 'guest' (same isolate note applies).
config wifi-iface
option device 'radio1'
option mode 'ap'
option ssid 'CC_Guest_02'
option network 'guest'
option encryption 'psk2+ccmp'
option key 'KEY_HIDDEN'
/etc/config/openvpn
# PIA client profile. The tunnel device is tun0, matching the 'vpn' interface in /etc/config/network.
config openvpn 'US_SeattleWA_AES_256_CBC_UDP'
option dev 'tun0'
option nobind '1'
option verb '3'
# NOTE(review): compression inside an encrypted tunnel is generally discouraged (it enables
# compression-oracle style attacks on the tunnelled traffic); keep it only if the provider's
# server insists on it.
option comp_lzo 'yes'
option persist_tun '1'
option persist_key '1'
option client '1'
option remote 'us-seattle.privateinternetaccess.com'
# Username/password are read from a plaintext file on flash; it should be readable by root only.
# auth_nocache below keeps them out of memory after authentication.
option auth_user_pass '/etc/openvpn/credentials.txt'
option resolv_retry 'infinite'
option proto 'udp'
option tls_client '1'
option mute_replay_warnings '1'
option auth_nocache '1'
# Server certificate must carry the TLS server role and is checked against the provider CA + CRL.
option remote_cert_tls 'server'
# NOTE(review): 'enabled 1' makes the init script start this profile at boot; the observed
# "comes back on after Stop" is more likely the service being (re)started than resolv_retry,
# which only affects hostname lookups -- confirm with the init script / logs.
option enabled '1'
option port '1197'
option cipher 'AES-256-CBC'
option crl_verify '/etc/openvpn/crl.rsa.4096.pem'
option ca '/etc/openvpn/ca.rsa.4096.crt'
option auth 'SHA256'
# No route_nopull here, so any default route the server pushes takes effect for the whole router
# (see the 'vpn' interface note in /etc/config/network for why that affects the guest LAN).
I apologize if the configs are all over the place, but I've been at this all day, pulling from all over the net trying to wrap this part of the project.
The Guest Network is my next to last hurdle, with configuring DDNS as my last step. I am setting it up so that I can make changes remotely (in case there are issues), but I want it to arrive with a functional Guest Network that does not pass through the VPN.
Note: I plan to disable the Web_Admin port forwarding rule before I send this off, and will access remotely via SSH / encrypted key-pair.
I anticipate that certain PIA-incompatible services (e.g. Netflix/Hulu) will need to be accessed through the router, and my friend is not savvy enough to log in and turn the VPN on/off (nor would that really even help, as the VPN seems to turn itself back ON after I hit the "Stop" button.. resolv_retry=infinite?).
Any help would be greatly appreciated. Thank you in advance for reading.