LAN zones 'not talking ' after VPN up

Hello,

I have several zones, each one with it's own subnet and VLAN and everyone can talk.

Recently installed OpenVPN to use with a single zone, everything is working as supposed, but, if possible, i'd like to have local zones to be able to continue to talk.

192.168.4.x -> VPN
192.168.2.x -> WAN

Extra info:
Guest 192.168.5.x -> WAN
iot 192.168.3.x No extrernal access
iotwan 192.168.4.x iot devices with VPN access
kids 192.168.6.x > WAN + some firewall rules
lan -> 192.168.2.x -> WAN

Untitled1203×699 38.6 KB

/etc/config/network:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix 'fdd9:4989:7c9b::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'm5.99'
        list ports 'm24.99'
        list ports 'mg5.5'
        list ports 'miot5.3'
        list ports 'miot24.3'
        list ports 'miotwan5.4'
        list ports 'miotwan24.4'
        list ports 'mkids5.6'
        list ports 'mkids24.6'

config interface 'lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.1.1'
        option device 'br-lan.99'
        option delegate '0'
        option ipaddr '192.168.2.1'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option delegate '0'
        list dns '8.8.8.8'
        list dns '8.8.4.4'
        option peerdns '0'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'
        option auto '0'
        option reqaddress 'try'
        option reqprefix 'auto'
        option peerdns '0'

config interface 'modem'
        option proto 'static'
        option ipaddr '192.168.1.2'
        option netmask '255.255.255.0'
        option device 'wan'
        option gateway '192.168.1.1'

config interface 'guest'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.5.1'
        option device 'br-lan.5'
        option delegate '0'
        option gateway '192.168.2.1'

config interface 'iot'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.3.1'
        option device 'br-lan.3'
        option delegate '0'
        option gateway '192.168.2.1'

config device
        option type 'bridge'
        option name 'br-iot'
        list ports 'br-lan.3'
        list ports 'miot5.3'
        list ports 'miot24.3'

config device
        option type 'bridge'
        option name 'br-guest'
        list ports 'br-lan.5'
        list ports 'mg5.5'

config interface 'iotwan'
        option proto 'static'
        option ipaddr '192.168.4.1'
        option netmask '255.255.255.0'
        option device 'br-lan.4'
        option delegate '0'
        option gateway '192.168.2.1'

config device
        option type 'bridge'
        option name 'br-iotwan'
        list ports 'br-lan.4'
        list ports 'miotwan5.4'
        list ports 'miotwan24.4'

config bridge-vlan
        option device 'br-lan'
        option vlan '3'
        list ports 'lan3:t'
        list ports 'miot5.3:u*'
        list ports 'miot24.3:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '4'
        list ports 'lan3:t'
        list ports 'miotwan5.4:u*'
        list ports 'miotwan24.4:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '5'
        list ports 'lan3:t'
        list ports 'mg5.5:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '6'
        list ports 'lan3:t'
        list ports 'mkids5.6:u*'
        list ports 'mkids24.6:u*'

config device
        option type '8021q'
        option ifname 'm5'
        option vid '99'
        option name 'm5.99'

config device
        option type '8021q'
        option ifname 'm24'
        option vid '99'
        option name 'm24.99'

config device
        option type '8021q'
        option ifname 'miot5'
        option vid '3'
        option name 'miot5.3'

config device
        option type '8021q'
        option ifname 'miot24'
        option vid '3'
        option name 'miot24.3'

config device
        option type '8021q'
        option ifname 'miotwan5'
        option vid '4'
        option name 'miotwan5.4'

config device
        option type '8021q'
        option ifname 'mg5'
        option vid '5'
        option name 'mg5.5'

config device
        option type '8021q'
        option ifname 'miotwan24'
        option vid '4'
        option name 'miotwan24.4'

config interface 'kids'
        option device 'br-lan.6'
        option proto 'static'
        option ipaddr '192.168.6.1'
        option netmask '255.255.255.0'
        option gateway '192.168.2.1'

config device
        option type 'bridge'
        option name 'br-kids'
        list ports 'br-lan.6'
        list ports 'mkids5.6'
        list ports 'mkids24.6'

config bridge-vlan
        option device 'br-lan'
        option vlan '99'
        list ports 'lan1:u*'
        list ports 'lan2:u*'
        list ports 'lan3:t'
        list ports 'm5.99:u*'
        list ports 'm24.99:u*'

config device
        option type '8021q'
        option ifname 'mkids5'
        option vid '6'
        option name 'mkids5.6'

config device
        option type '8021q'
        option ifname 'mkids24'
        option vid '6'
        option name 'mkids24.6'

config interface 'vpn'
        option proto 'none'
        option device 'tun0'

/etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option forward 'REJECT'

config zone 'wan'
        option name 'wan'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option input 'REJECT'
        option forward 'REJECT'
        list network 'wan'
        list network 'wan6'

config zone
        option name 'modem'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'modem'

config zone
        option name 'vpn'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        list device 'tun+'
        option input 'REJECT'
        option forward 'ACCEPT'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'iotwan'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option input 'ACCEPT'
        list network 'iotwan'

config forwarding 'lan_wan'
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'iot'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'iot'
        option input 'ACCEPT'

config zone
        option name 'kids'
        option output 'ACCEPT'
        list network 'kids'
        option input 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'guest'
        option output 'ACCEPT'
        list network 'guest'
        option forward 'ACCEPT'
        option input 'ACCEPT'

config forwarding
        option src 'lan'
        option dest 'iot'

config forwarding
        option src 'guest'
        option dest 'wan'

config rule
        option name 'Guest DNS & DHCP'
        option src 'guest'
        option dest_port '53 67 68'
        option target 'ACCEPT'
        option enabled '0'

config include 'bcp38'
        option type 'script'
        option path '/usr/lib/bcp38/run.sh'

config forwarding
        option src 'iot'
        option dest 'lan'

config rule
        option name 'Kids DNS & DHCP'
        option src_port '53 67 68'
        option dest_port '53 67 68'
        option target 'ACCEPT'
        option src 'kids'
        option enabled '0'

config forwarding
        option src 'iotwan'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'iotwan'

config forwarding
        option src 'iot'
        option dest 'iotwan'

config forwarding
        option src 'iotwan'
        option dest 'iot'

config forwarding
        option src 'kids'
        option dest 'wan'

config rule
        option name 'Parental Semana'
        option src 'kids'
        option target 'REJECT'
        option weekdays 'Sun Mon Tue Wed Thu'
        option start_time '23:00:00'
        option stop_time '06:00:00'

config rule
        option src 'iot'
        option target 'REJECT'
        option src_port '53'
        option dest_port '53'
        option name 'IOT no DNS'

config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/pbr.firewall.include'

config forwarding
        option src 'iotwan'
        option dest 'wan'

config forwarding
        option src 'iotwan'
        option dest 'vpn'

/etc/openvpn/configfile

client
dev tun
proto udp
remote XXXXX XXXX
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server

auth-user-pass /etc/openvpn/XXXXX
compress
verb 1
reneg-sec 0
<crl-verify>
-----BEGIN X509 CRL-----

-----END X509 CRL-----
</crl-verify>

<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>

disable-occ
route-up /etc/openvpn/route-up.sh
script-security 2

/etc/openvpn/route-up.sh

#!/bin/sh
echo "$dev : $ifconfig_local -> $ifconfig_remote gw: $route_vpn_gateway"
# Remove default routes pushed by VPN server
# (we don't want to route # all network traffic through the VPN gateway)
/sbin/ip route del 128.0.0.0/1 via ${route_vpn_gateway}
/sbin/ip route del 0.0.0.0/1 via ${route_vpn_gateway}

# Search route for traffic coming from 192.168.0.4/24 in table 'vpn'
# (unicast: This rule type simple causes the kernel to refer to the
# specified routing table in the search for a route.)
/sbin/ip rule add from 192.168.4.0/24 table vpn

# Search route for traffic going to 192.168.0.4/24 in table 'vpn'
/sbin/ip rule add to 192.168.4.0/24 table vpn

# Use 'vpn' table as default for tun0
/sbin/ip route add table vpn default dev ${dev}

# Route traffic from/to 192.168.4.0/24 on br-lan2 using the 'vpn'.
# table. (192.168.4.1 is the source address for outgoing packets)
/sbin/ip route add 192.168.4.0/24 dev br-lan.4 src 192.168.4.1 table vpn

Is this possible? If so, how should i proceed?

Thanks in advance!
L

Have you checked that route-up is working in your OpenWRT Version?

Some versions (23.05 and Main) have a bug which prevents this from working

Logs don't show any error upon turning the VPN off and on.

If you want to reach other subnets I would also add all the local routes to the vpn table e.g.:
/sbin/ip route add 192.168.6.0/24 dev br-lan.6 src table vpn
etc.
I usually just add all local routes to my vpn table, lazy as I am, with:

/sbin/ip route show | grep -Ev '^default |^0.0.0.0/1 |^128.0.0.0/1 ' | while read route; do
	/sbin/ip route add $route table vpn
done

check with:
ip ro
ip ro show table all
ip ru

This looks very wrong to me... you seem to be bridging all the VLANs in a very strange, and very incorrect way. Bridging this way defeats the purpose of setting up VLANs, and will cause problems. In addition, you have some "ports" that are used in multiple bridges.

I I think your best path forward is to reset to defaults and start over. You should work on one additional network at a time to come up with the right recipe (which you can then apply to the other networks). If you describe the desired subnets and how they physically map (to ethernet ports and/or radios), we can help you build the correct configuration.

Thanks for the feedbak.

Gonna review all my settings before trying to use vpn.

Marked post as closed.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.