Let traffic goes to a client inside a segregated network

I found this tutorial online https://kiljan.org/2020/03/27/vpn-as-wan-for-guest-network-on-openwrt/ which was pretty much what I needed.
It clearly explains how to separate two internal networks, and how to force traffic from one of the networks to only go through VPN.
My use case is the following: I am running a home assistant server and I put the server and all the third-party managed/untrusted devices on a network in which they don't communicate with my personal devices and don't access the internet outside of VPN tunnel, guest network being the untrusted and lan being the trusted. This works greats.
For the sake of convenience, I would like to access my server (fixed IP in the guest network) from any host in the LAN network. But I am having hard time to figure out what is the simplest way to achieve this.
Do you guys have any tips? I am quite new in doing network stuff and openwrt

Some relevant files:
/etc/config/networks https://pastebin.com/zs6v1Xas
/etc/config/firewall https://pastebin.com/ncKBNdFj
/etc/hotplug.d/iface/99-guest https://pastebin.com/SeeBxbYX

I could also move my server to LAN, but in this case I would like to force the server to not communicate with wan and only communicate with the vpn interface. I tried to achieve this by implementing https://openwrt.org/docs/guide-user/firewall/firewall_configuration#redirects but I failed.

I am not keen on a particular way of solving this, what I basically would like is

  • Keep untrusted devices segregated and not connecting directly to the internet
  • Keep my personal devices isolated from the untrusted ones (I am opened to ignore this point)
  • On the untrusted networks never reach wan directly, always using vpn tunnel.
  • Easy access to the server from my lan (I don't want put my server on the internet)

You need to do Policy Based Routing and you have 3 options:

  1. mwan3 package
  2. pbr package
  3. a set of rules/routes for each internet connection.

I would suggest option #2


Hey @trendy thanks so much for help, I tried using pbr. But it's not working. I'm no network expert, but I have the feeling that the reason why it's not working is because according to the tutorial I followed I am running a script that implements policy-based routing whenever the guest network goes up or down.

#!/usr/bin/env sh



if2dev() {
  dev=$(uci get network.$1.ifname)
  [ $(echo $dev | wc -w) -gt 1 ] && dev=br-$1
  echo $dev

if [ "$INTERFACE" == "$if" ]; then
  if [ "$ACTION" == "ifup" ]; then
    ip rule add iif $dev lookup $table
  elif [ "$ACTION" == "ifdown" ]; then
    # Workaround for missing $DEVICE when interface is going down
    dev=$(if2dev $if)
    ip rule del iif $dev lookup $table

and once the vpn is up/down I add the default route to this routing table:

#!/usr/bin/env sh


if [ "$script_type" == "route-up" ]; then
  ip route add default via $route_vpn_gateway dev $dev table $table proto static
elif [ "$script_type" == "route-pre-down" ]; then
  ip route del default via $route_vpn_gateway dev $dev table $table proto static

With my little knowledge on the subject, I think that what I have to do is to modify the first script to:
Whenever guest interface is up I also let the all traffic coming from to reach my server (

According to the tutorial

When the guest interface is started this script adds a new routing rule which will state that all packets from this interface must use a separate routing table. By default new routing rules are made with a higher priority. Therefore the guest interface will be unable to use the main routing table. When the interface is stopped the script also cleans up the rule.

So I believe that pbr is changing the main routing table, but given this self-made policy based routing, my guest network is using a different routing table.
Does that make sense? If so what could be the command to let all traffic go to my home server?


The VPN-PBR is creating additional routing tables according to each available gateway and assigns the hosts to these tables depending on the rules.
You should not run any other policy routing scripts, as they will conflict with each other.

1 Like

What are the symptoms?

When I set PBR to a specific client the client no longer can access internet, which probably means that WAN is correctly blocked but something is wrong with the routing. One note on that is on the network that all clients are routed to VPN (which the scripts I sent above) they'll have access to internet (through vpn of course).

I always send my clients craft brew, and the internet keeps going... so it's clear the answer is avoid cheap beer!


1 Like

That was what I thought. Given my scenario is actually simpler, don't you think that editing the routing table would be enough? Or there's something that using PBR package will do that the simple script won't be able to do it?

I am reading the docs on how to use ip rule but so far I couldn't graps. something like
ip rule add from priority 41 table guest I am not sure if this is correct though.

BUt thanks guys, you're great.

There are two issues to this, you need the LAN network to route to the guest network for the network, and then you need a firewall rule that allows forwarding from LAN to in the guest network. (actually 3, you need the guest network to route to the LAN network for return packets)

1 Like

Feel free to use the script. However I cannot support it.
If you use one of the supported options we can discuss them.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.