LAN through VPN and guest through WAN: why does it work only for a while and then stop working?

I have prepared a simplified config version and restated the question, as it seems to have nothing to do with VLANs or PPPoE.
Later in this thread is a simplified test environment.
The goal is to redirect LAN traffic to ProtonVPN and guest traffic directly to the WAN.
It works at first, but after restarting interfaces (no changes in config) it stops working.

I have configured in my router a VLAN (11) and a WLAN that are connected to a guest LAN that should access the internet directly through the WAN interface and not be able to connect to the LAN or other internal LANs.

I can connect to the WLAN and to port 3, which is assigned to guest VLAN 11, and I get my IP address correctly.
I can ping the router on the guest port (192.168.0.1) but cannot ping out (for example to 1.1.1.1).

I have read the OpenWrt manual about configuring VLANs and other threads.

I have looked at the firewall config and activated the DHCP and DNS rules, but it is still not working.
I cannot find where the error is.

This is the firewall config:

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option flow_offloading '1'
	option flow_offloading_hw '1'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option mtu_fix '1'
	list network 'lan'
	list network 'wgVPN'

config zone 'wan'
	option name 'wan'
	option output 'ACCEPT'
	option forward 'REJECT'
	option input 'REJECT'
	option masq '1'
	list network 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	list icmp_type 'bad-header'
	list icmp_type 'destination-unreachable'
	list icmp_type 'echo-reply'
	list icmp_type 'echo-request'
	list icmp_type 'neighbour-advertisement'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'packet-too-big'
	list icmp_type 'router-advertisement'
	list icmp_type 'router-solicitation'
	list icmp_type 'time-exceeded'
	list icmp_type 'unknown-header-type'
	option dest 'lan'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config zone
	option name 'iot'
	option output 'ACCEPT'
	option forward 'REJECT'
	option input 'ACCEPT'
	list network 'iot'

config forwarding
	option src 'iot'
	option dest 'lan'

config forwarding
	option src 'lan'
	option dest 'iot'

config redirect
	option target 'DNAT'
	option name 'https al servidor'
	list proto 'tcp'
	option src 'wan'
	option src_dport '443'
	option dest 'lan'
	option dest_ip '10.100.101.1'
	option dest_port '443'

config redirect
	option target 'DNAT'
	option name 'QBelt al servidor'
	list proto 'udp'
	option src 'wan'
	option src_dport '443'
	option dest 'lan'
	option dest_ip '10.100.101.1'
	option dest_port '443'

config rule 'wg'
	option name 'Allow-WireGuard'
	option proto 'udp'
	option target 'ACCEPT'
	option dest_port '51820'
	option src 'wan'

config zone
	option name 'guest'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'guest'

config forwarding
	option src 'guest'
	option dest 'wan'

config rule
	option dest_port '53'
	option src 'guest'
	option name 'Allow DNS guest'
	option target 'ACCEPT'
	list proto 'tcp'
	list proto 'udp'

config rule
	option target 'ACCEPT'
	option proto 'udp'
	option src 'guest'
	option dest_port '67'
	option family 'ipv4'
	option name 'Allow DHCP guest'

config forwarding
	option src 'lan'

config zone
	option name 'protonVPN'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	list network 'protonVPNES'

config forwarding
	option src 'lan'
	option dest 'protonVPN'

config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/firewall.include'

config zone
	option name 'isplan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'isplan'
	option masq '1'

config forwarding
	option src 'lan'
	option dest 'isplan'

And this is my network config (there is another IoT VLAN, a ProtonVPN interface to connect the LAN to the outside via VPN, and a WireGuard interface wgVPN accepting connections from the WAN to get access to the LAN from outside).


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fd84:a45b:0c21::/48'

config interface 'lan'
	option proto 'static'
	option device 'br-lan.1'
	option delegate '0'
	list ip6class 'local'
	option ip6assign '48'
	option ip6ifaceid '::1'
	list ipaddr '10.100.100.1/22'

config interface 'wan'
	option device 'wan'
	option proto 'pppoe'
	option username 'xxxxxxxx'
	option password 'xxxxxx'
	option ipv6 'auto'
	option peerdns '0'
	list dns '10.2.0.1'

config device
	option type 'bridge'
	option name 'br-lan'
	option igmp_snooping '1'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan4'

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan4:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '11'
	list ports 'lan3'
	list ports 'lan4:t'

config interface 'iot'
	option proto 'static'
	option device 'br-lan.10'
	option ipaddr '10.200.200.1'
	option netmask '255.255.252.0'

config interface 'guest'
	option proto 'static'
	option device 'br-lan.11'
	option ipaddr '192.168.0.1'
	option netmask '255.255.255.0'
	option type 'bridge'
	list dns '1.1.1.1'
	list dns '8.8.8.8'

config interface 'wgVPN'
	option proto 'wireguard'
	option listen_port '51820'
	option private_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX='
	list addresses '192.168.21.1/24'
	option peerdns '0'
	list dns '10.100.100.1'

config wireguard_wgVPN 'wgclient'
	option description 'movilFernando'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	option public_key 'XXXXXXXXXXXXXXXXX='
	option private_key 'XXXXXXXXXXXXXXXXXXXX='
	list allowed_ips '192.168.21.3/32'

config interface 'protonVPNES'
	option proto 'wireguard'
	option private_key 'XXXXXXXXXXXXXXXXXXXX='
	list addresses '10.2.0.2/32'
	list dns '10.2.0.1'

config wireguard_protonVPNES
	option description 'Configuración del par importada'
	option public_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXX='
	list allowed_ips '0.0.0.0/0'
	option endpoint_host '130.195.255.68'
	option endpoint_port '51820'
	option route_allowed_ips '1'

config interface 'isplan'
	option proto 'static'
	option device 'wan'
	option ipaddr '192.168.1.2'
	option netmask '255.255.255.0'

config device
	option type '8021q'
	option ifname 'wan'
	option vid '3'
	option name 'wan.3'

config interface 'voIP'
	option proto 'dhcp'
	option device 'wan.3'

Not sure if this is the problem, but remove option type 'bridge', reboot and test again.


Thank you for your response.
I have removed it and rebooted.

But it is still not working, neither from the VLAN nor from the WLAN.

I see a bunch of potential issues and odd items in the configs, but I suspect the problem is that you have a commercial VPN connection which causes all traffic to be routed via the tunnel. Your guest network doesn't have a forwarding allowance to the VPN in the firewall.

Add this to the firewall:

config forwarding
	option src 'guest'
	option dest 'protonVPN'

Reboot and test.

Thanks.
Well, that was my intention: to direct guest traffic directly to the internet through the WAN interface and not get access to LAN resources or traffic.

The LAN traffic is directed through a VPN, ProtonVPN. The protonVPN interface is a WireGuard tunnel through the WAN interface to the internet.
All LAN outgoing traffic is directed through protonVPN.
So LAN traffic is forwarded to protonVPN.

But the idea is to direct guest traffic to the WAN directly, not through the VPN, hence the forwarding rule from the guest to wan zones (you can see the rule in the config).

But I will try to change it to protonVPN and see if I can get access through the VPN.

You will need policy-based routing if you don't want the guest network using the VPN.


Thank you.

I have tried forwarding guest outgoing traffic to protonVPN and it works correctly.

But I did not want to direct guest traffic through the VPN.

I did not understand why sending it directly to the WAN did not work, until I realized that the wan interface is a PPPoE interface, a tcp one. I am not sure, but that might be the problem.

I had created another interface (isplan) to be able to expose and access the ISP router from my LAN without having to unplug my computer and connect it directly to the ISP router.

It exposes the ISP router's local network, so I tried to forward outgoing traffic from guest to isplan to send it directly to the ISP router.

I thought of forwarding from guest to isplan as it can access the ISP local interface, but it does not work (I think the router config does not send traffic to the internet from there, as it is configured with PPPoE).

How should I do it?

Well I have been investigating a bit more about this.

The problem seems not to be in the zone configuration; it was OK, although for isolating guest from LAN resources it was not properly configured.

If I forward guest and LAN traffic through protonVPN it works OK, like this:

If I forward LAN and guest traffic through the WAN and stop the protonVPN interface, it works correctly too:

But as soon as I activate the protonVPN interface nothing works, even if I haven't changed the zones to forward traffic to protonVPN.

Then I have tried the intended scenario, where LAN traffic should be forwarded through protonVPN and guest traffic directed to protonVPN.

With the configuration that ProtonVPN recommends, now LAN traffic is correctly forwarded and can access the internet, but guest does not.

I have revised the WireGuard configuration of the protonVPN interface, and I think I have found the offending parameter.

In the peer config to which the router connects, ProtonVPN says you have to activate "route allowed IPs".

If I deactivate that option, then the guest network works correctly, but the LAN does not.

I don't know exactly what that option does, but it seems that it creates some rule to redirect traffic to the endpoint in the tunnel, and it somehow affects the routes created by the firewall.

So it seems the problem is not misconfigured zones in the firewall, but that these interfere with the tunnel routes.

The problem does not have anything to do with WLANs or VLANs, as I thought at the beginning, either.

How to correct this?

Perhaps I should create a new thread with a more explicit title that explains the problem better.
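As an added example (not code from the thread, OpenWrt or the pbr package), a small Python lint that parses the UCI syntax used in the configs above, cross-checks firewall zones and forwardings against the interfaces defined in the network config, and flags a WireGuard peer whose allowed_ips 0.0.0.0/0 combined with route_allowed_ips '1' installs a default route through the tunnel, which is the behaviour this post describes. The NETWORK and FIREWALL strings are constructed, shortened versions of the poster's files; the undefined wgVPN interface and the placeholder key are deliberate.

```python
import re
# Constructed, shortened versions of the poster's /etc/config/network and /etc/config/firewall;
# 'wgVPN' is deliberately left undefined and the WireGuard public key is a placeholder.
NETWORK = """
config interface 'lan'
config interface 'wan'
config interface 'guest'
config interface 'protonVPNES'
config wireguard_protonVPNES
	option public_key 'PLACEHOLDER_PUBLIC_KEY='
	list allowed_ips '0.0.0.0/0'
	option route_allowed_ips '1'
"""
FIREWALL = """
config zone
	option name 'lan'
	option input 'ACCEPT'
	list network 'lan'
	list network 'wgVPN'
config zone
	option name 'wan'
	list network 'wan'
config zone
	option name 'guest'
	option input 'ACCEPT'
	list network 'guest'
config zone
	option name 'protonVPN'
	list network 'protonVPNES'
config forwarding
	option src 'guest'
	option dest 'wan'
config forwarding
	option src 'lan'
"""
TOKEN = re.compile(r"'[^']*'|\"[^\"]*\"|\S+")  # quoted UCI values may contain spaces

def parse_uci(text):
    """UCI text -> [{'type', 'name', 'opts': {key: [values]}}]; option and list both become lists."""
    sections = []
    for line in text.splitlines():
        parts = [t.strip("'\"") for t in TOKEN.findall(line)]
        if parts and parts[0] == 'config':
            sections.append({'type': parts[1], 'name': parts[2] if len(parts) > 2 else None, 'opts': {}})
        elif parts and parts[0] in ('option', 'list') and sections:
            sections[-1]['opts'].setdefault(parts[1], []).append(parts[2] if len(parts) > 2 else '')
    return sections

def lint(network_text, firewall_text):
    """Cross-check zones/forwardings against interfaces and flag a catch-all WireGuard peer; returns (kind, detail) tuples."""
    net, fw, out = parse_uci(network_text), parse_uci(firewall_text), []
    ifaces = {s['name'] for s in net if s['type'] == 'interface'}
    zname = lambda s: s['opts'].get('name', ['?'])[0]
    zones = {zname(s) for s in fw if s['type'] == 'zone'}
    for s in fw:
        o = s['opts']
        if s['type'] == 'zone':
            out += [('undefined-network', f"zone {zname(s)} lists {n}") for n in o.get('network', []) if n not in ifaces]
            if o.get('input', ['REJECT'])[0] == 'ACCEPT' and zname(s) != 'lan':  # guest-style zones
                out.append(('open-input', f"zone {zname(s)}: every router service reachable; prefer REJECT plus DHCP/DNS rules"))
        elif s['type'] == 'forwarding':
            src, dest = o.get('src', [None])[0], o.get('dest', [None])[0]
            if not (src in zones and dest in zones):
                out.append(('bad-forwarding', f"{src} -> {dest}"))
    # allowed_ips 0.0.0.0/0 plus route_allowed_ips=1 installs a default route via the tunnel: every zone egresses through the VPN unless PBR overrides it
    out += [('tunnel-default-route', f"{s['type'][10:]}: all zones egress via the tunnel without PBR")
            for s in net if s['type'].startswith('wireguard_')
            and '0.0.0.0/0' in s['opts'].get('allowed_ips', []) and s['opts'].get('route_allowed_ips', ['0'])[0] == '1']
    return out
```

Run lint(NETWORK, FIREWALL) against your own files by reading /etc/config/network and /etc/config/firewall; the zone name check treats only the zone named 'lan' as a trusted zone.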

As I explained, PBR is the best way to do what you want. You can set routes manually, but PBR makes it much easier.

https://openwrt.org/docs/guide-user/network/routing/pbr

Thank you.

I have PBR installed, as it was needed to get isplan working (I was recommended to install it and it made the magic, creating the appropriate routes).

But I don't know how to use PBR.

I suppose that to have the offending routes corrected (the ones that seem to be created by the WireGuard interface) I should first know which is the incorrect one.

Could you develop a bit more on how I can solve it with PBR?

Thanks in advance.

The idea is that you will set two policies...

  1. normal lan routes through the VPN
  2. guest network routes through the regular wan/pppoe.

That's it.


Thanks a lot again.

I had thought it was going to be something more complicated.
But it was quite straightforward.

Just added a policy with source IP addresses from guest and directed it to the wan interface.

And another with source IP addresses from the LAN to protonVPN.

And it worked: I can access the internet from guest too, and it does so through normal access, no VPN.

But a problem remains when I use some tool that requires connecting back.

For example speedtest (speedtest.net) gives an error informing that it cannot open a socket and a firewall may be blocking connections.

I am missing some points.
I am from the era when you just configured some gateway address, some routes and some rules and it was up and running.
But now with tunnels, dynamic addresses, etc., everything is more complicated.

I don't understand well how firewall, rules and policies (pbr) relate to each other and how they work.

Could you recommend some pages about it?

Of course there is the user guide and the help pages about the packages, but I need a more general view of the scenario.

Thank you.

Well, I have tried to follow your guidance and create routes using pbr.
I have added the default route to wan in the network config file, as it was missing and it seems that sometimes the default route in the system was lost.

I have begun from scratch and simplified the config a bit in order to have fewer things to control.

I have a partial success.
I had it working using the wan connection to the internet through a DHCP client and the ISP router.

It worked: the LAN connects through the VPN interface and guest through the WAN.

This is the network config:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdc0:3751:429e::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan.100'
	option proto 'static'
	option ip6assign '60'
	list ipaddr '10.101.100.1/22'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config bridge-vlan
	option device 'br-lan'
	option vlan '100'
	list ports 'lan1'
	list ports 'lan3'
	list ports 'lan4'

config bridge-vlan
	option device 'br-lan'
	option vlan '101'
	list ports 'lan4:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '102'
	list ports 'lan2'
	list ports 'lan4:t'

config interface 'guest'
	option proto 'static'
	option device 'br-lan.102'
	list ipaddr '192.168.0.1/24'
	list dns '1.1.1.1'

config interface 'protonVPN'
	option proto 'wireguard'
	option private_key 'XXXXXXXXXXXXXX='
	list addresses '10.2.0.2/32'
	list dns '10.2.0.1'

config wireguard_protonVPN
	option description 'proton VPN routerES84-ES-84.conf'
	option public_key 'XXXXXXXXXXXX='
	list allowed_ips '0.0.0.0/0'
	option endpoint_host '195.181.167.193'
	option endpoint_port '51820'

# static default route via wan: the netifd section type for a route is 'route', not 'rule'
config route
	option interface 'wan'
	option target '0.0.0.0'
	option netmask '0.0.0.0'

This is the firewall config:

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option flow_offloading '1'
	option flow_offloading_hw '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone 'guest'
	option name 'guest'
	option network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding 'guest_wan'
	option src 'guest'
	option dest 'wan'

config rule 'guest_dns'
	option name 'Allow-DNS-Guest'
	option src 'guest'
	option dest_port '53'
	option proto 'tcp udp'
	option target 'ACCEPT'

config rule 'guest_dhcp'
	option name 'Allow-DHCP-Guest'
	option src 'guest'
	option dest_port '67'
	option proto 'udp'
	option family 'ipv4'
	option target 'ACCEPT'

config zone
	option name 'protonVPN'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'protonVPN'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'protonVPN'

config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/firewall.include'

And this is the pbr config:

config pbr 'config'
	option enabled '1'
	option verbosity '2'
	option strict_enforcement '1'
	option resolver_set 'none'
	list resolver_instance '*'
	option ipv6_enabled '0'
	list ignored_interface 'vpnserver'
	option boot_timeout '30'
	option rule_create_option 'add'
	option procd_reload_delay '1'
	option webui_show_ignore_target '0'
	option nft_rule_counter '0'
	option nft_set_auto_merge '1'
	option nft_set_counter '0'
	option nft_set_flags_interval '1'
	option nft_set_flags_timeout '0'
	option nft_set_policy 'performance'
	list webui_supported_protocol 'all'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'

config include
	option path '/usr/share/pbr/pbr.user.aws'
	option enabled '0'

config include
	option path '/usr/share/pbr/pbr.user.netflix'
	option enabled '0'

config dns_policy
	option name 'Redirect Local IP DNS'
	option src_addr '192.168.0.1'
	option dest_dns '1.1.1.1'

config policy
	option name 'Ignore Local Requests'
	option interface 'ignore'
	option dest_addr '10.0.0.0/24 10.0.1.0/24 192.168.100.0/24 192.168.1.0/24'
	option enabled '0'

config policy
	option name 'Plex/Emby Local Server'
	option interface 'wan'
	option src_port '8096 8920 32400'
	option enabled '0'

config policy
	option name 'Plex/Emby Remote Servers'
	option interface 'wan'
	option dest_addr 'plex.tv my.plexapp.com emby.media app.emby.media tv.emby.media'
	option enabled '0'

config policy
	option name 'Interface salida de LAN'
	option src_addr '10.101.100.0/22'
	option interface 'protonVPN'

config policy
	option name 'interface salida de GUEST'
	option src_addr '192.168.0.0/24'
	option interface 'wan'

config policy
	option name 'acceso a router del ISP'
	option dest_addr '192.168.2.1'
	option interface 'wan'

The routes generated, and that are working, are:

root@router:/etc/config# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         router.casa     0.0.0.0         UG    0      0        0 wan
10.100.0.0      *               255.255.0.0     U     0      0        0 wan
10.101.100.0    *               255.255.252.0   U     0      0        0 br-lan.100
192.168.0.0     *               255.255.255.0   U     0      0        0 br-lan.102
195.181.167.193 router.casa     255.255.255.255 UGH   0      0        0 wan

After stopping and restarting interfaces I have no access to the internet, even when I restart the network with service network restart.

I have changed nothing, just restarted interfaces (after restarting they are correctly connected).

I don't understand what is going on.

Routes seem not to have changed.

If I reload the config from a backup it works again.

I have restored from that config and tried again.
And changed the wan interface to work with PPPoE.

I don't know why, because the config is essentially the same, but this time it seems to work.

I have restarted the interfaces several times and it works; it did not lose the connection.

Now it works as expected, with the LAN directed to the VPN and guest with direct access to the internet.

So it seems the problem has been solved, but my problem is that I don't understand why.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.