I have almost figured this out, but am running into a very annoying issue.
My goal is to have a guest SSID that is behind a VPN and a default SSID that will have a normal ISP connection.
As it is currently, I can have both the guest/default SSIDs behind the VPN, or both behind the normal ISP connection, but I am having issues separating them. I've tried tinkering with my forwarding rules, and I think this may be the culprit.
When I start the router with the configuration listed below, my default SSID will have no connection, and my guest SSID will be connected behind the VPN.
Once I stop the NORDVPN interface, my default SSID gains connection to the ISP, and the guest SSID loses network connectivity.
If I change the forwarding rules in /etc/config/firewall to forward both lan and guest to vpnfirewall, they will both have a VPN connection; if I change them both to forward to wan, they will both have an ISP connection. It is only when I try forwarding to different destinations that I encounter a problem.
If anyone is experienced with this type of thing and can give me some pointers, I would be very grateful.
Your configuration looks correct. The issue here is that you currently have only one routing table for the whole internet (0.0.0.0/0) and you need to add another one, in order to separate the default gateway of the guest network from the lan.
Have a look here
Thank you very much for the response. I read over the link you provided, and was hoping to maybe get some clarification.
In that article, it says to do the following:
ip route add $P1_NET dev $IF1 src $IP1 table T1
ip route add default via $P1 table T1
ip route add $P2_NET dev $IF2 src $IP2 table T2
ip route add default via $P2 table T2
I tried to fill out what I think those values should be:
ip route add 192.168.1.1/24 dev br-lan src $IP1 table T1
ip route add default via 192.168.1.1 table T1
ip route add 192.168.3.1/24 dev br-guest src $IP2 table T2
ip route add default via 192.168.3.1 table T2
However, the guide says to let **$IP1** be the IP address associated with **$IF1**. I am trying to do the full range of IPs on that subnet, so should this also be the 192.168.1.1/24 and 192.168.3.1/24 values?
Sorry if this is a silly question, I am not great with networking and still learning.
I think I overwhelmed you with my answer, I should have redirected you to a much less complicated example. Sorry for that.
Let's add only one extra table for the guests and let the lan use the main routing table.
In /etc/iproute2/rt_tables add one line: 250 guest
ip rule add from 192.168.3.0/24 table guest
ip route add default via NORDVPN_GW dev NORDVPN_IF table guest
I made the change to /etc/iproute2/rt_tables and added the rule (and verified it with ip route list table).
For the last step, when I go to generate the table, I know the interface is tun0, but I'm trying to figure out what my gateway address is so I can complete the command.
I did some research and discovered the route command which gave me the following output, but does not display a gateway for tun0:
root@Router:/etc/iproute2# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default x.x.x.x 0.0.0.0 UG 0 0 0 eth1
10.8.8.0 * 255.255.255.0 U 0 0 0 tun0
x.x.x.x * 255.255.252.0 U 0 0 0 eth1
192.168.1.0 * 255.255.255.0 U 0 0 0 br-lan
192.168.3.0 * 255.255.255.0 U 0 0 0 br-guest
196.245.9.61 x.x.x.x 255.255.255.255 UGH 0 0 0 eth1
x.x.x.x is my ISP-provided IP address and 196.245.9.61 is the VPN server I am connected to.
Thank you again for your responses; I'd understand if you want to leave the rest as homework for me.
I was able to perform the following:
root@Router:~# ip route add default dev tun0 table guest
root@Router:~# ip route flush cache
However, now neither the lan nor the guest network will work while the VPN interface is running, but both will work with my ISP when I stop the VPN interface.
Results of route command:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default x.x.16.1 0.0.0.0 UG 0 0 0 eth1
x.x.16.0 * 255.255.252.0 U 0 0 0 eth1
192.168.1.0 * 255.255.255.0 U 0 0 0 br-lan
192.168.3.0 * 255.255.255.0 U 0 0 0 br-guest
196.245.9.61 x.x.16.1 255.255.255.255 UGH 0 0 0 eth1
Result of ip route list table local command:
root@Router:~# ip route list table local
local 10.8.8.31 dev tun0 scope host src 10.8.8.31
broadcast x.x.16.0 dev eth1 scope link src x.x.16.36
local x.x.16.36 dev eth1 scope host src x.x.16.36
broadcast x.x.19.255 dev eth1 scope link src x.x.16.36
broadcast 127.0.0.0 dev lo scope link src 127.0.0.1
local 127.0.0.0/8 dev lo scope host src 127.0.0.1
local 127.0.0.1 dev lo scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo scope link src 127.0.0.1
broadcast 192.168.1.0 dev br-lan scope link src 192.168.1.1
local 192.168.1.1 dev br-lan scope host src 192.168.1.1
broadcast 192.168.1.255 dev br-lan scope link src 192.168.1.1
broadcast 192.168.3.0 dev br-guest scope link src 192.168.3.1
local 192.168.3.1 dev br-guest scope host src 192.168.3.1
broadcast 192.168.3.255 dev br-guest scope link src 192.168.3.1
root@xeli:~# cat /etc/iproute2/rt_tables
#
# reserved values
#
250 guest
255 local
254 main
253 default
0 unspec
#
# local
#
#1 inr.ruhep
root@xeli:~# ip rule add from 172.17.18.0/24 table guest
root@xeli:~# ip rule list
0: from all lookup local
32765: from 172.17.18.0/24 lookup guest
32766: from all lookup main
32767: from all lookup default
Can you verify that you followed the correct steps?
I realized I made a silly mistake and did the route command when the NORDVPN interface was not running.
Running this command with the interface up gave me the following:
root@Banshee:~# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 10.8.8.1 128.0.0.0 UG 0 0 0 tun0
default x.x.16.1 0.0.0.0 UG 0 0 0 eth1
10.8.8.0 * 255.255.255.0 U 0 0 0 tun0
x.x.16.0 * 255.255.252.0 U 0 0 0 eth1
128.0.0.0 10.8.8.1 128.0.0.0 UG 0 0 0 tun0
192.168.1.0 * 255.255.255.0 U 0 0 0 br-lan
192.168.3.0 * 255.255.255.0 U 0 0 0 br-guest
196.245.9.61 x.x.16.1 255.255.255.255 UGH 0 0 0 eth1
I used this new gateway with your previous instructions, performing the following:
ip rule add from 192.168.3.0/24 table guest
ip route add default via 10.8.8.1 dev tun0 table guest
After this I checked my updated rule list (I realized that this isn't persistent, so I stopped restarting the router and restarted the interfaces instead):
root@Router:~# ip rule list
0: from all lookup local
32765: from 192.168.3.0/24 lookup guest
32766: from all lookup main
32767: from all lookup default
root@Router:~# ip route list table local
broadcast 10.8.8.0 dev tun0 scope link src 10.8.8.31
local 10.8.8.31 dev tun0 scope host src 10.8.8.31
broadcast 10.8.8.255 dev tun0 scope link src 10.8.8.31
broadcast x.x.16.0 dev eth1 scope link src x.x.16.36
local x.x.16.36 dev eth1 scope host src x.x.16.36
broadcast x.x.19.255 dev eth1 scope link src x.x.16.36
broadcast 127.0.0.0 dev lo scope link src 127.0.0.1
local 127.0.0.0/8 dev lo scope host src 127.0.0.1
local 127.0.0.1 dev lo scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo scope link src 127.0.0.1
broadcast 192.168.1.0 dev br-lan scope link src 192.168.1.1
local 192.168.1.1 dev br-lan scope host src 192.168.1.1
broadcast 192.168.1.255 dev br-lan scope link src 192.168.1.1
broadcast 192.168.3.0 dev br-guest scope link src 192.168.3.1
local 192.168.3.1 dev br-guest scope host src 192.168.3.1
broadcast 192.168.3.255 dev br-guest scope link src 192.168.3.1
root@Router:~# cat /etc/iproute2/rt_tables
#
# reserved values
#
128 prelocal
255 local
254 main
253 default
250 guest
0 unspec
#
# local
#
#1 inr.ruhep
It still seems that I can only have one network working at a time, so I can deduce that they are still sharing a common routing table.
The route command returns only the main routing table. Since you are working with multiple routing tables, you should use the command ip route ls table [main|guest] to differentiate them. So the route you have added should be visible with ip ro ls table guest
The local routing table is not important here, as it shows the local connections only.
Finally, ip route and ip rule are different commands:
With ip rule we specify the network that will use the guest routing table.
With ip route we specify the gateway for the guest routing table.
I forgot to mention that the commands are not persistent, so if you reboot or the vpn interface flaps they will be lost. Only the addition in iproute2/rt_tables is persistent. So run the commands when the tunnel is up and once you have it working, you can add them in an if-up script, so they will be applied automatically when the vpn comes up.
Can you post again the output of the commands I mentioned earlier after you applied the rule/route with the vpn up?
Ah, that makes things a lot more clear. Thank you!
I had to disconnect the VPN interface after doing the testing in order to get internet access to respond to you (haha), but while I was connected these were the results:
root@Router:~# ip rule add from 192.168.3.0/24 table guest
root@Router:~# ip route add default via 10.8.8.1 dev tun0 table guest
root@Router:~# ip route list table guest
default via 10.8.8.1 dev tun0
root@Router:~# ip route
0.0.0.0/1 via 10.8.8.1 dev tun0
default via x.x.16.1 dev eth1 src x.x.16.36
10.8.8.0/24 dev tun0 scope link src 10.8.8.31
x.x.16.0/22 dev eth1 scope link src x.x.16.36
128.0.0.0/1 via 10.8.8.1 dev tun0
192.168.1.0/24 dev br-lan scope link src 192.168.1.1
192.168.3.0/24 dev br-guest scope link src 192.168.3.1
196.245.9.61 via x.x.16.1 dev eth1
root@Router:~# ip rule
0: from all lookup local
32765: from 192.168.3.0/24 lookup guest
32766: from all lookup main
32767: from all lookup default
OK, much clearer now.
When you enable vpn, everything goes through vpn, because the vpn tunnel adds 2 routes for the whole internet:
0.0.0.0/1 via 10.8.8.1 dev tun0
128.0.0.0/1 via 10.8.8.1 dev tun0
These two override the default gateway of your provider because they are more specific routes.
I don't know if there is an option in Nordvpn not to install a default gateway.
If there isn't, you can do the following
In /etc/iproute2/rt_tables add a new table: 240 lan
Then add a rule for lan: ip rule add from 192.168.1.0/24 table lan
And add the gateway for that table: ip route add default via x.x.16.1 table lan
Check if it works now and then we can compile one if-up script for when the vpn connects to apply them automatically.
Thank you for the response. So after performing the ip route add default via x.x.16.1 table lan command, I was disconnected from the router, with no internet access. I did a soft reset to regain access to the router and did it one more time to verify. Same results :o
Try one more thing, if this doesn't work I'll try it myself tonight at home:
#!/bin/sh
ip route add 192.168.1.0/24 dev br-lan table lan
ip route add default via x.x.16.1 src x.x.16.36 table lan
ip route add 192.168.3.0/24 dev br-guest table guest
ip route add default via 10.8.8.1 src 10.8.8.31 table guest
ip rule add from 192.168.3.0/24 to default lookup guest prio 16000
ip rule add from 192.168.1.0/24 to default lookup lan prio 16010
In first two lines we add routes for the lan network and the internet into the lan routing table. This should solve the issue that you got disconnected upon running the commands in your previous post.
In lines 3-4 we do the same for the guest.
The last two lines specify which routing table to use when traffic comes from a specific network.
You can run them directly, or paste them in a file, make it executable (chmod +x filename) and run it (./filename).
If it doesn't work either way, a reboot will revert to the initial state.
Holy crap my dude, you did it! I was so close to giving up on this; Thank you!!!
Now I just need to figure out the if-up script. It looks like this may be a good starting point.
Cool! I am glad it eventually worked.
One more thing: add the router itself to the lan table with ip rule add iif lo to default lookup lan prio 16020
Regarding the ifup script, I cannot help any more. But I'd advise you to search the OpenWrt forum and documentation, as other Linux distributions use different implementations.
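The script in the answer above (two tables, two "from" rules, plus the iif lo rule) and the if-up step the thread leaves open can be combined into one OpenWrt hotplug script. The following is an added example written for this page; it is not code from the thread, from NordVPN or from the OpenWrt documentation. It assumes that tun0 is declared in /etc/config/network as a logical interface named nordvpn (proto none, ifname tun0), which is what makes OpenWrt deliver ifup/ifdown events for it to /etc/hotplug.d/iface/ with ACTION and INTERFACE set; that the entries 240 lan and 250 guest exist in /etc/iproute2/rt_tables; and that the subnets, bridges and devices are the ones shown in the thread. Instead of hard-coding the VPN gateway it reads it from ip route, which is the step the thread spent several posts on. The sample routing table embedded at the bottom is constructed from the thread's output, with 203.0.113.1 and 203.0.113.36 standing in for the masked x.x.16.1 and x.x.16.36. One addition beyond the thread: an unreachable fallback route in the guest table, so that when tun0 drops (and the kernel removes its routes) guest traffic is blocked rather than silently falling through to the main table and out via the ISP.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenWrt docs): a hotplug script,
# e.g. /etc/hotplug.d/iface/90-vpn-policy (assumed name), that rebuilds the
# "lan" and "guest" policy-routing tables each time the VPN tunnel comes up.
# Assumptions: tun0 is the logical interface "nordvpn" in /etc/config/network
# (proto none, ifname tun0); "240 lan" and "250 guest" exist in rt_tables.

LAN_NET=192.168.1.0/24;   LAN_BR=br-lan
GUEST_NET=192.168.3.0/24; GUEST_BR=br-guest
WAN_DEV=eth1
VPN_DEV=tun0
VPN_IFACE=nordvpn         # assumed logical interface name for tun0

# Gateway ("via") for a device, read from `ip route` text on stdin.  The VPN
# installs 0.0.0.0/1 + 128.0.0.0/1 rather than "default", so either counts.
route_gw() {              # $1 = device
    awk -v dev="$1" '
        ($1 == "default" || $1 == "0.0.0.0/1") && $2 == "via" {
            for (i = 4; i < NF; i++) if ($i == "dev" && $(i+1) == dev) { print $3; exit }
        }'
}

# Source address the kernel already uses for a device: the "src" field of
# any route that names the device, read from `ip route` text on stdin.
route_src() {             # $1 = device
    awk -v dev="$1" '{
        hit = 0
        for (i = 1; i < NF; i++) if ($i == "dev" && $(i+1) == dev) hit = 1
        if (hit) for (i = 1; i < NF; i++) if ($i == "src") { print $(i+1); exit }
    }'
}

# Print the commands that build both tables and the rules.  Flushing the
# tables and "del || true" before "add" make this safe to re-run on every ifup.
# The "unreachable" route in the guest table is the kill switch: when tun0 goes
# down the kernel drops its routes, and without this fallback the guest rule
# would hit an empty table and fall through to main, i.e. out via the ISP.
policy_cmds() {           # $1 wan_gw  $2 wan_src  $3 vpn_gw  $4 vpn_src
    cat <<EOF
ip route flush table lan
ip route add $LAN_NET dev $LAN_BR table lan
ip route add default via $1 dev $WAN_DEV src $2 table lan
ip route flush table guest
ip route add $GUEST_NET dev $GUEST_BR table guest
ip route add default via $3 dev $VPN_DEV src $4 table guest
ip route add unreachable default metric 1000 table guest
ip rule del from $GUEST_NET to default lookup guest prio 16000 2>/dev/null || true
ip rule add from $GUEST_NET to default lookup guest prio 16000
ip rule del from $LAN_NET to default lookup lan prio 16010 2>/dev/null || true
ip rule add from $LAN_NET to default lookup lan prio 16010
ip rule del iif lo to default lookup lan prio 16020 2>/dev/null || true
ip rule add iif lo to default lookup lan prio 16020
ip route flush cache
EOF
}

# Derive the four addresses from `ip route` text ($1) and print the commands;
# fails (prints nothing) if any of them is missing, e.g. tunnel not up yet.
build_policy() {
    wan_gw=$(printf '%s\n' "$1" | route_gw "$WAN_DEV")
    wan_src=$(printf '%s\n' "$1" | route_src "$WAN_DEV")
    vpn_gw=$(printf '%s\n' "$1" | route_gw "$VPN_DEV")
    vpn_src=$(printf '%s\n' "$1" | route_src "$VPN_DEV")
    [ -n "$wan_gw" ] && [ -n "$wan_src" ] && [ -n "$vpn_gw" ] && [ -n "$vpn_src" ] || return 1
    policy_cmds "$wan_gw" "$wan_src" "$vpn_gw" "$vpn_src"
}

# Constructed sample mirroring the thread's `ip route` output with the VPN up;
# 203.0.113.1 / 203.0.113.36 stand in for the masked x.x.16.1 / x.x.16.36.
SAMPLE_ROUTES='0.0.0.0/1 via 10.8.8.1 dev tun0
default via 203.0.113.1 dev eth1 src 203.0.113.36
10.8.8.0/24 dev tun0 scope link src 10.8.8.31
203.0.113.0/22 dev eth1 scope link src 203.0.113.36
128.0.0.0/1 via 10.8.8.1 dev tun0
192.168.1.0/24 dev br-lan scope link src 192.168.1.1
192.168.3.0/24 dev br-guest scope link src 192.168.3.1
196.245.9.61 via 203.0.113.1 dev eth1'

case "${ACTION:-}:${INTERFACE:-}" in
    ifup:"$VPN_IFACE")    # hotplug path: derive from the live table and apply
        if cmds=$(build_policy "$(ip route)"); then
            printf '%s\n' "$cmds" | sh -e
        else
            logger -t vpn-policy "gateway lookup failed, policy routing not applied"
        fi ;;
    *)  build_policy "$SAMPLE_ROUTES" ;;   # run by hand: dry run on the sample
esac
```

Run by hand it only prints the commands it would execute against the constructed sample; under hotplug (ACTION=ifup, INTERFACE=nordvpn) it executes them. Nothing is needed on ifdown: the kernel removes the tun0 routes itself and the unreachable fallback stays behind. On the question raised earlier of whether the VPN can be told not to install a default gateway: OpenVPN 2.4 and later accept pull-filter ignore "redirect-gateway" in the client config, which drops the pushed redirect-gateway option and so the 0.0.0.0/1 and 128.0.0.0/1 routes; the policy routing above still separates the two subnets either way, so it is an optional tidy-up rather than a requirement.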