Issue with Guest SSID behind a VPN [Solved]


#1

I have almost figured this out, but am running into a very annoying issue.

My goal is to have a guest SSID that is behind a VPN and a default SSID that will have a normal ISP connection.

As it is currently, I can have both the guest/default SSIDs behind the VPN, or both behind the normal ISP connection, but I am having issues separating them. I've tried tinkering with my forwarding rules, and I think this may be the culprit.

When I start the router with the configuration listed below, my default SSID will have no connection, and my guest SSID will be connected behind the VPN.

Once I stop the NORDVPN interface, my default SSID gains connection to the ISP, and the guest SSID loses network connectivity.

If I change the forwarding rules in /etc/config/firewall, to forward both lan and guest to vpnfirewall, they will both have a VPN connection, if I change them both to forward to wan they will both have an ISP connection. It is only when I try forwarding to different destinations that I encounter a problem.

If anyone is experienced with this type of thing and can give me some pointers, I would be very grateful.

/etc/config/firewall

/etc/config/network

PS this is my first post here, so if you think it would be better suited elsewhere, please let me know


#2

Your configuration looks correct. The issue here is that you currently have only one routing table for the whole internet (0.0.0.0/0) and you need to add another one, in order to separate the default gateway of the guest network from the lan.
Have a look here


#3

Or in this forum:

https://forum.openwrt.org/search?q=policy%20based%20routing


#4

Thank you very much for the response. I read over the link you provided, and was hoping to maybe get some clarification.

In that article, it says to do the following:

ip route add $P1_NET dev $IF1 src $IP1 table T1
ip route add default via $P1 table T1
ip route add $P2_NET dev $IF2 src $IP2 table T2
ip route add default via $P2 table T2

I tried to fill out what I think those values should be:

ip route add 192.168.1.1/24 dev br-lan src $IP1 table T1
ip route add default via 192.168.1.1 table T1
ip route add 192.168.3.1/24 dev br-guest src $IP2 table T2
ip route add default via 192.168.3.1 table T2

however, the guide says to let **$IP1** be the IP address associated with **$IF1**. I am trying to do the full range of IPs on that subnet, so should this also be the 192.168.1.1/24 and 192.168.3.1/24 values?

Sorry if this is a silly question, I am not great with networking and still learning.

My interfaces


#5

I think I overwhelmed you with my answer, I should have redirected you to a much less complicated example. Sorry for that.
Let's add only one extra table for the guests and let the lan use the main routing table.
In /etc/iproute2/rt_tables add one line 250 guest

ip rule add from 192.168.3.0/24 table guest
ip route add default via NORDVPN_GW dev NORDVPN_IF table guest


#6

Thank you again for the response/ understanding.

I made the change to /etc/iproute2/rt_tables and added the rule (and verified it with ip route list table).

For the last step when I go to generate the table, I know the interface is tun0 but I'm trying to figure out what my gateway address is so I can complete the command.

I did some research and discovered the route command which gave me the following output, but does not display a gateway for tun0:

root@Router:/etc/iproute2# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         x.x.x.x         0.0.0.0         UG    0      0        0 eth1
10.8.8.0        *               255.255.255.0   U     0      0        0 tun0
x.x.x.x         *               255.255.252.0   U     0      0        0 eth1
192.168.1.0     *               255.255.255.0   U     0      0        0 br-lan
192.168.3.0     *               255.255.255.0   U     0      0        0 br-guest
196.245.9.61    x.x.x.x         255.255.255.255 UGH   0      0        0 eth1

x.x.x.x is my ISP provided IP address and 196.245.9.61 is the VPN server I am connected to.


#7

Try to run the command without the via NORDVPN_GW part. Hopefully it won't mind just sending the packets to the interface, since it is point to point.


#8

Thank you again for your responses; I'd understand if you want to leave the rest as homework for me.

I was able to perform the following:

root@Router:~# ip route add default dev tun0 table guest
root@Router:~# ip route flush cache

However, now neither the lan nor the guest network will work while the VPN interface is running, but both will work with my ISP when I stop the VPN interface.

Results of route command:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         x.x.16.1        0.0.0.0         UG    0      0        0 eth1
x.x.16.0        *               255.255.252.0   U     0      0        0 eth1
192.168.1.0     *               255.255.255.0   U     0      0        0 br-lan
192.168.3.0     *               255.255.255.0   U     0      0        0 br-guest
196.245.9.61    x.x.16.1        255.255.255.255 UGH   0      0        0 eth1

Result of ip route list table local command:

root@Router:~# ip route list table local
local 10.8.8.31 dev tun0 scope host  src 10.8.8.31 
broadcast x.x.16.0 dev eth1 scope link  src x.x.16.36 
local x.x.16.36 dev eth1 scope host  src x.x.16.36 
broadcast x.x.19.255 dev eth1 scope link  src x.x.16.36 
broadcast 127.0.0.0 dev lo scope link  src 127.0.0.1 
local 127.0.0.0/8 dev lo scope host  src 127.0.0.1 
local 127.0.0.1 dev lo scope host  src 127.0.0.1 
broadcast 127.255.255.255 dev lo scope link  src 127.0.0.1 
broadcast 192.168.1.0 dev br-lan scope link  src 192.168.1.1 
local 192.168.1.1 dev br-lan scope host  src 192.168.1.1 
broadcast 192.168.1.255 dev br-lan scope link  src 192.168.1.1 
broadcast 192.168.3.0 dev br-guest scope link  src 192.168.3.1 
local 192.168.3.1 dev br-guest scope host  src 192.168.3.1 
broadcast 192.168.3.255 dev br-guest scope link  src 192.168.3.1 

#9

Could you post the outputs of

ip rule ls
ip route list table guest

#10

I got an invalid argument for ip rule ls; however, ip rule gave the following:

root@Router:/etc# ip rule
0: from all lookup local
32766: from all lookup main
32767: from all lookup default

ip route list table guest returned nothing:
root@Router:/etc# ip route list table guest
root@Router:/etc#


#11

This is weird, I just tried it and it works.

root@xeli:~# cat /etc/iproute2/rt_tables 
#
# reserved values
#
250	guest
255	local
254	main
253	default
0	unspec
#
# local
#
#1	inr.ruhep
root@xeli:~# ip rule add from 172.17.18.0/24 table guest
root@xeli:~# ip rule list
0:	from all lookup local 
32765:	from 172.17.18.0/24 lookup guest 
32766:	from all lookup main 
32767:	from all lookup default 

Can you verify that you followed the correct steps?


#13

UPDATE:

I realized I made a silly mistake and did the route command when the NORDVPN interface was not running.

running this command with the interface up gave me the following:

root@Banshee:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.8.8.1        128.0.0.0       UG    0      0        0 tun0
default         x.x.16.1        0.0.0.0         UG    0      0        0 eth1
10.8.8.0        *               255.255.255.0   U     0      0        0 tun0
x.x.16.0        *               255.255.252.0   U     0      0        0 eth1
128.0.0.0       10.8.8.1        128.0.0.0       UG    0      0        0 tun0
192.168.1.0     *               255.255.255.0   U     0      0        0 br-lan
192.168.3.0     *               255.255.255.0   U     0      0        0 br-guest
196.245.9.61    x.x.16.1        255.255.255.255 UGH   0      0        0 eth1

I used this new gateway with your previous instructions, performing the following:

ip rule add from 192.168.3.0/24 table guest
ip route add default via 10.8.8.1 dev tun0 table guest

After this I checked my updated rule list (I realized that this isn't persistent, so I stopped restarting the router and restarted the interfaces instead):

root@Router:~# ip rule list 
0:      from all lookup local 
32765:  from 192.168.3.0/24 lookup guest 
32766:  from all lookup main 
32767:  from all lookup default 

root@Router:~# ip route list table local
broadcast 10.8.8.0 dev tun0 scope link  src 10.8.8.31 
local 10.8.8.31 dev tun0 scope host  src 10.8.8.31 
broadcast 10.8.8.255 dev tun0 scope link  src 10.8.8.31 
broadcast x.x.16.0 dev eth1 scope link  src x.x.16.36 
local x.x.16.36 dev eth1 scope host  src x.x.16.36 
broadcast x.x.19.255 dev eth1 scope link  src x.x.16.36 
broadcast 127.0.0.0 dev lo scope link  src 127.0.0.1 
local 127.0.0.0/8 dev lo scope host  src 127.0.0.1 
local 127.0.0.1 dev lo scope host  src 127.0.0.1 
broadcast 127.255.255.255 dev lo scope link  src 127.0.0.1 
broadcast 192.168.1.0 dev br-lan scope link  src 192.168.1.1 
local 192.168.1.1 dev br-lan scope host  src 192.168.1.1 
broadcast 192.168.1.255 dev br-lan scope link  src 192.168.1.1 
broadcast 192.168.3.0 dev br-guest scope link  src 192.168.3.1 
local 192.168.3.1 dev br-guest scope host  src 192.168.3.1 
broadcast 192.168.3.255 dev br-guest scope link  src 192.168.3.1

root@Router:~# cat /etc/iproute2/rt_tables 
#
# reserved values
#
128     prelocal
255     local
254     main
253     default
250     guest
0       unspec
#
# local
#
#1      inr.ruhep

Still seems that I can only have one network working at a time, so I can deduce that they are still sharing a common routing table. :thinking:


#14

A few things I have noticed here.

The route command will return only the main routing table. Since you are working with multiple routing tables you should use the command ip route ls table [main|guest] to differentiate them. So the route command you have added should be visible with ip ro ls table guest
The local routing table is not important here, as it shows the local connections only.
Finally it is different to type ip route and ip rule
With ip rule we specify the network that will use the guest routing table.
With ip route we specify the gateway for the guest routing table.
I forgot to mention that the commands are not persistent, so if you reboot or the vpn interface flaps they will be lost. Only the addition in iproute2/rt_tables is persistent. So run the commands when the tunnel is up and once you have it working, you can add them in an if-up script, so they will be applied automatically when the vpn comes up.
Can you post again the output of the commands I mentioned earlier after you applied the rule/route with the vpn up?


#15

Ah, that makes things a lot more clear. Thank you!

I had to disconnect the VPN interface after doing the testing in order to get internet access to respond to you (haha), but while I was connected these were the results:

root@Router:~# ip rule add from 192.168.3.0/24 table guest
root@Router:~# ip route add default via 10.8.8.1 dev tun0 table guest

root@Router:~# ip route list table guest
default via 10.8.8.1 dev tun0 

root@Router:~# ip route
0.0.0.0/1 via 10.8.8.1 dev tun0 
default via x.x.16.1 dev eth1  src x.x.16.36 
10.8.8.0/24 dev tun0 scope link  src 10.8.8.31 
x.x.16.0/22 dev eth1 scope link  src x.x.16.36 
128.0.0.0/1 via 10.8.8.1 dev tun0 
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1 
192.168.3.0/24 dev br-guest scope link  src 192.168.3.1 
196.245.9.61 via x.x.16.1 dev eth1

root@Router:~# ip rule
0:      from all lookup local 
32765:  from 192.168.3.0/24 lookup guest 
32766:  from all lookup main 
32767:  from all lookup default

#16

ok much more clear now.
When you enable vpn, everything goes through vpn, because the vpn tunnel adds 2 routes for the whole internet:

0.0.0.0/1 via 10.8.8.1 dev tun0
128.0.0.0/1 via 10.8.8.1 dev tun0

These two override the default gateway of your provider because they are more specific routes.
I don't know if there is an option in Nordvpn not to install a default gateway.
If there isn't, you can do the following

In /etc/iproute2/rt_tables
add a new table 240 lan
then add a rule for lan ip rule add from 192.168.1.0/24 table lan
and add the gateway for that ip route add default via x.x.16.1 table lan
Check if it works now and then we can compile one if-up script for when the vpn connects to apply them automatically.


#17

Thank you for the response. So after performing the ip route add default via x.x.16.1 table lan command, I was disconnected from the router/ no internet access. I did a soft reset to regain access to the router and did it one more time to verify. Same results :o


#18

Try one more thing, if this doesn't work I'll try it myself tonight at home:

#!/bin/sh
ip route add 192.168.1.0/24 dev br-lan table lan                    # lan subnet, so the router can still reach lan hosts from this table
ip route add default via x.x.16.1 src x.x.16.36 table lan           # ISP gateway as the lan default
ip route add 192.168.3.0/24 dev br-guest table guest                # guest subnet, same reason
ip route add default via 10.8.8.1 src 10.8.8.31 table guest         # VPN tunnel gateway as the guest default
ip rule add from 192.168.3.0/24 to default lookup guest prio 16000  # guest sources consult the guest table first
ip rule add from 192.168.1.0/24 to default lookup lan prio 16010    # lan sources consult the lan table first

In first two lines we add routes for the lan network and the internet into the lan routing table. This should solve the issue that you got disconnected upon running the commands in your previous post.
In lines 3-4 we do the same for the guest.
The last two lines specify which routing table to use when traffic comes from a specific network.
You can run them directly or paste them in a file, make it executable chmod +x filename and run it ./filename
If it doesn't work either way , a reboot will revert to the initial state.


#19

Holy crap my dude, you did it! :smiley: I was so close to giving up on this; Thank you!!!
Now I just need to figure out the if up script. It looks like this may be a good starting point.


#20

Cool! I am glad it eventually worked.
One more thing, add the router itself to the lan table
ip rule add iif lo to default lookup lan prio 16020

Regarding the ifup script, I cannot help any more. But I'd advise you to search inside the OpenWrt forum and documentation, as other Linux distributions use a different implementation.


https://forum.archive.openwrt.org/viewtopic.php?id=57967
https://openwrt.org/start?do=search&id=start&q=procd

Good luck!
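An added example, not from the thread and not NordVPN's or OpenWrt's own code: an idempotent version of the script from #18, with the `iif lo` rule from #20, written so it can be called from OpenVPN's `route-up` hook and survive reboots and tunnel flaps (the persistence problem raised in #14 and #19). It also adds a `prohibit` fallback in the guest table, so that when tun0 disappears the guest network is cut off rather than silently falling through to the main table and leaving via the ISP. The subnets, bridge names, `eth1`, `tun0` and table names are the ones quoted in the thread and are assumptions about the reader's setup; `dev` and `route_vpn_gateway` are environment variables OpenVPN exports to its hook scripts, and `DRY_RUN=1` only prints the commands. Separately, the two `0.0.0.0/1` and `128.0.0.0/1` routes explained in #16 come from the server pushing `redirect-gateway def1`; on OpenVPN 2.4 or later the client option `pull-filter ignore "redirect-gateway"` discards that push so the ISP default in the main table is left alone (that option is my suggestion, not something the thread tested).

```sh
#!/bin/sh
# Added example (not from the thread): idempotent policy routing for a
# VPN-only guest network and an ISP-only lan, meant for OpenVPN's route-up hook.
# Assumes tables "guest" (250) and "lan" (240) exist in /etc/iproute2/rt_tables.

LAN_NET="${LAN_NET:-192.168.1.0/24}"
LAN_IF="${LAN_IF:-br-lan}"
GUEST_NET="${GUEST_NET:-192.168.3.0/24}"
GUEST_IF="${GUEST_IF:-br-guest}"
WAN_IF="${WAN_IF:-eth1}"
# OpenVPN exports "dev" and "route_vpn_gateway" to hook scripts; VPN_IF/VPN_GW
# are the manual overrides when the script is run by hand.
VPN_IF="${VPN_IF:-${dev:-tun0}}"
VPN_GW="${VPN_GW:-${route_vpn_gateway:-}}"

# DRY_RUN=1 prints each command instead of executing it.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Delete a rule if it exists; "no such rule" is not an error, so re-runs stay clean.
del_rule() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "ip -4 rule del $*"
    else
        ip -4 rule del "$@" 2>/dev/null || true
    fi
}

apply_policy_routing() {
    # WAN gateway: taken from the main table unless WAN_GW is given explicitly.
    wan_gw="${WAN_GW:-$(ip -4 route show default dev "$WAN_IF" | awk '{print $3}')}"
    [ -n "$wan_gw" ] || { echo "cannot determine WAN gateway on $WAN_IF" >&2; return 1; }
    [ -n "$VPN_GW" ] || { echo "VPN_GW (or OpenVPN route_vpn_gateway) is unset" >&2; return 1; }

    # lan table: connected route (so the router still answers lan hosts) + ISP default.
    run ip -4 route flush table lan
    run ip -4 route add "$LAN_NET" dev "$LAN_IF" table lan
    run ip -4 route add default via "$wan_gw" dev "$WAN_IF" table lan

    # guest table: connected route + VPN default. The "prohibit" route with a worse
    # metric is the fail-closed part: when the tunnel device goes away the kernel
    # removes the via-route, the prohibit route remains, and guest packets are
    # rejected instead of falling through to the main table and the ISP.
    run ip -4 route flush table guest
    run ip -4 route add "$GUEST_NET" dev "$GUEST_IF" table guest
    run ip -4 route add default via "$VPN_GW" dev "$VPN_IF" table guest
    run ip -4 route add prohibit default metric 1000 table guest

    # Rules: delete-then-add so repeated runs never stack duplicate rules.
    del_rule from "$GUEST_NET" to default lookup guest prio 16000
    run ip -4 rule add from "$GUEST_NET" to default lookup guest prio 16000
    del_rule from "$LAN_NET" to default lookup lan prio 16010
    run ip -4 rule add from "$LAN_NET" to default lookup lan prio 16010
    # Traffic generated by the router itself follows the lan (ISP) table, as in #20.
    del_rule iif lo to default lookup lan prio 16020
    run ip -4 rule add iif lo to default lookup lan prio 16020
    run ip route flush cache
}

case "${1:-}" in
    apply)   apply_policy_routing ;;
    dry-run) DRY_RUN=1; apply_policy_routing ;;
esac
```

To hook it into the tunnel, save it (for example as /etc/openvpn/pbr-split.sh, a path I am assuming), make it executable, and add `script-security 2` and `route-up "/etc/openvpn/pbr-split.sh apply"` to the NordVPN client configuration; `route-up` runs after OpenVPN has installed its routes, which is when 10.8.8.1 is reachable. To confirm a guest client's path without a client, ask the kernel directly: `ip route get 1.1.1.1 from 192.168.3.10 iif br-guest` should report `dev tun0`, while the same query with `from 192.168.1.10 iif br-lan` should report `eth1`. The rules only choose a route; the existing firewall zones still have to allow guest to forward (and masquerade) into the VPN zone and not into wan.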


#21

If your problem is solved, please consider marking this topic as [Solved]. (Click the pencil behind the topic...)

You can also mark the reply that solved your problem: