I am wondering if the following is possible. I have two OpenWRT routers, two ISPs, and (due to structural limitations) the ability to connect the routers only via a single Ethernet cable (no secondary cable, no viable WiFi extension). I would like both routers to serve SSID-1 whose external traffic gets routed exclusively via ISP-1 and SSID-2 whose external traffic gets routed exclusively via ISP-2. My attempt at a picture:
I have read what I can about setting up a second wan (with and without mwan3) as well as the DSA Mini Tutorial, but I'm still unclear whether the above is possible and how to do it.
My assumption is that I have to use a single bridge and handle internal routing via VLANs because of the single cable constraint. But what I don't know is how to route one VLAN's traffic via one WAN and another VLAN's traffic via another.
To complicate matters, I am hoping to be able to set up an OpenVPN client with PBR to handle exceptions exclusively with ISP-1. (No client VPN with ISP-2, and I'll figure out a DNS strategy for ROUTER-1 later.)
Any thoughts on how I can get this to work? If VLANs are the solution, I know how to set those up such that SSID-1 maps to a first tagged VLAN and SSID-2 maps to a second tagged VLAN thanks to the above mentioned tutorial and MarcOneFifty's excellent OpenWRT videos. I think my problem is setting up (and isolating?) the WANs.
What I'm assuming is that I don't need separate routers in each location, but I'm prepared to retreat to that, if necessary.
Helpful guidance is appreciated.
Other solutions that would work for me:
Alternative 1 (EDIT: No longer an option without a mwan3 replacement, since its development appears to have been abandoned regarding support for nft/domain policies.)
Fast-but-evil ISP-1 (primary, OpenVPN client w/ PBR domain routing for exceptions that detect/block VPNs)
Slow-but-benign ISP-2 (fail-over, no OpenVPN client, no PBR)
All SSIDs/VLANs routing external traffic through one of the above as managed (by something like mwan3?)
Alternative 2 (EDIT: No longer an option for reasons similar to Alternative 1.)
Fast-but-evil ISP-1 (primary, OpenVPN client)
Slow-but-benign ISP-2 (fail-over for ISP-1 but primary for exceptions that detect/block VPNs, no OpenVPN client, no PBR)
As I mentioned, I know how to do all this already. I've done so.
How? uci commands or config examples are needed, especially those that will work with OpenVPN/PBR used with ISP-1. As I mentioned, this is the part I'm getting hung up on.
It's difficult to provide specifics without the configuration, but you can use IP routes and IP rules to specify one SRC network to egress, for example, ISP_2 - and the other network will work as normal (i.e., egress via ISP_1). You can also use other methods to specify the traffic (e.g., by inbound interface, DST IPs, etc.).
I looked at those docs you referenced, but that just led to more questions. I don't understand what a table ID is or how to select a good one, nor do I understand what a "mark" is or how to select one of those.
Let's say I limit SSID-1 to 192.168.3.0/24 with VLAN ID 3/br-lan.3 and SSID-2 to 192.168.4.0/24 with VLAN ID 4/br-lan.4. ISP-1 (network name wan) with OpenVPN (network name vpn) has a dynamic address (ISP-1 via DHCP, OpenVPN via its own mechanism) with PBR-managed exceptions to circumvent the VPN, and ISP-2 (network name wan2) has a dynamic address (via DHCP). Is that sufficient detail to land on a minimal working example? Does wan2 need to be part of the default wan firewall zone? How do I route from a network to a particular OpenVPN-managed network (where that VPN connection may go down)?
Not really, your /etc/config/network would have been easier.
Not needed.
You lost me, you pick any number not in use.
You confused me.
Anyways, I only see 2 subnets, so for this example, I will pick a subnet to use ISP_2.
So you want some traffic to traverse a VPN and not the ISP_1 or ISP_2?
Yes, you can do that. (BTW, making major edits in a post is confusing - I happened to notice before finishing my draft)
My example will assume you want the 192.168.4.0/24 network to use ISP_2.
config route
	option interface 'wan2'              # required by UCI: the logical interface this route belongs to
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option gateway '<gateway_IP_of_WAN_2>'
	option table '1'                     # <--- we will use table No 1 in this example

config rule
	option dest '0.0.0.0/0'
	option lookup '1'                    # <--- Table No to use
	option priority '1'                  # <--- order of rule
	option in 'lan2'                     # <--- you never provided names of the VLAN interfaces
You made a lot of edits that mentioned a VPN, if you can't glean from the example, feel free to ask more questions. It's not clear if you want clients in the subnets to use the VPN, or if you want to control with ISP the VPN establishes a connection.
To use the VPN instead of ISP_2
config route
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option table '1'
	option interface 'vpn'               # no gateway: the route is bound to the tunnel interface itself
	# and use the same config rule above
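Editor's added example, not code from either participant: the route/rule layout above, filled in with the names the OP gave (192.168.3.0/24 on br-lan.3 for SSID-1 via ISP-1 and the OpenVPN tunnel, 192.168.4.0/24 on br-lan.4 for SSID-2 via ISP-2, networks wan, wan2 and vpn) and emitted as a UCI batch. The logical interface names lan3 and lan4, the table ids 2 and 3, and a stock firewall where firewall.@zone[1] is the wan zone are my assumptions. It also covers the two open questions in the thread: the dynamic ISP-2 gateway is handled by the interface's ip4table option, which makes netifd install the routes wan2 learns from DHCP into that table itself, and the "VPN may go down" case is handled with a fail-closed rule so SSID-1 traffic is rejected rather than leaked out of wan when the tunnel drops.

```shell
#!/bin/sh
# Editor's added example, not code from either participant.  Prints a UCI
# batch for the route/rule layout discussed above, using the names the OP
# gave: 192.168.3.0/24 on br-lan.3 (SSID-1 -> ISP-1 + OpenVPN) and
# 192.168.4.0/24 on br-lan.4 (SSID-2 -> ISP-2); networks wan, wan2, vpn.
# Assumed (not in the thread): logical interface names lan3 and lan4,
# routing table ids 2 and 3 (any unused id 1..252 works), and a stock
# firewall where firewall.@zone[1] is the 'wan' zone.  Review the output
# before applying it.

WAN2_TABLE=2
VPN_TABLE=3

gen_pbr_uci() {
    cat <<EOF
# ISP-2: have netifd put the routes wan2 learns from DHCP (including the
# default route) into table $WAN2_TABLE, so no gateway is hard-coded
set network.wan2.ip4table='$WAN2_TABLE'

# VPN: an interface-bound default route, no gateway needed on a layer-3 tun.
# netifd only keeps it while 'vpn' is up, which rule 3 below relies on
set network.vpn_default=route
set network.vpn_default.interface='vpn'
set network.vpn_default.target='0.0.0.0/0'
set network.vpn_default.table='$VPN_TABLE'

# rule 1: router-local and inter-VLAN destinations stay on the main table
# (254); otherwise lan4 -> lan3 packets would match table $WAN2_TABLE's
# default route and leave via ISP-2
set network.pbr_local=rule
set network.pbr_local.dest='192.168.0.0/16'
set network.pbr_local.lookup='254'
set network.pbr_local.priority='100'

# rule 2: everything else from SSID-2 / lan4 -> ISP-2
set network.pbr_lan4_wan2=rule
set network.pbr_lan4_wan2.in='lan4'
set network.pbr_lan4_wan2.lookup='$WAN2_TABLE'
set network.pbr_lan4_wan2.priority='200'

# rule 3: SSID-1 / lan3 -> VPN.  When the tunnel is down table $VPN_TABLE is
# empty, the lookup falls through to rule 4 and the packet is rejected
# instead of silently leaking out of wan
set network.pbr_lan3_vpn=rule
set network.pbr_lan3_vpn.in='lan3'
set network.pbr_lan3_vpn.lookup='$VPN_TABLE'
set network.pbr_lan3_vpn.priority='300'
set network.pbr_lan3_kill=rule
set network.pbr_lan3_kill.in='lan3'
set network.pbr_lan3_kill.action='unreachable'
set network.pbr_lan3_kill.priority='310'

# wan2 must belong to a zone; the stock 'wan' zone gives it the same
# masquerade/input policy as ISP-1
add_list firewall.@zone[1].network='wan2'
commit network
commit firewall
EOF
}

# strip the comment and blank lines before feeding uci batch
uci_commands() {
    gen_pbr_uci | sed -e '/^[[:space:]]*#/d' -e '/^[[:space:]]*$/d'
}

# `./pbr-uci.sh apply` on the router applies it; anywhere else it prints
if [ "$1" = "apply" ] && command -v uci >/dev/null 2>&1; then
    uci_commands | uci batch && reload_config
else
    uci_commands
fi
```

After applying, check the result with `ip rule show`, `ip route show table 2` and `ip route show table 3`, and test from a lan3 client with the tunnel deliberately down: it should get "destination unreachable", not a reply via ISP-1. The pbr package for the domain exceptions installs its own rules; its priorities must sort before the 310 fail-closed rule, or the exceptions will never reach ISP-1, so re-check `ip rule show` after enabling it.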
You can't make a Layer 3 (IP) route on a Layer 2 (Ethernet) network without knowing the Layer 3 address of the Internet gateway. You could make a script to create the route after you've connected and know your gateway.
Regarding your VPN - it is possible to create a route without gateway on e.g. a Layer 3-based OpenVPN tunnel
You must add the interface to some firewall zone
You can add it to WAN, another zone, or you can create one (I merely assumed you want/need similar rules as any other Internet connection)
I merely suggested you add wan2 to the WAN zone for ease and simplicity
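Editor's added example, not code from either participant: the "create the route once you know the gateway" approach mentioned above, written as a netifd hotplug handler for wan2. The route-building part is a pure function that only prints the ip(8) commands, so it can be checked without root or a live wan2; the handler then runs them. The name wan2, routing table 2 and rule priority 150 are my assumptions, as is the source-address rule, which makes replies to connections that arrived on wan2's own address leave via ISP-2 instead of the main table's ISP-1 default.

```shell
#!/bin/sh
# Editor's added example, not code from either participant: the "create the
# route once the DHCP gateway is known" approach from the reply above, as a
# netifd hotplug handler.  Install as /etc/hotplug.d/iface/50-wan2-table;
# netifd sources it with ACTION=ifup|ifdown and INTERFACE=<logical name>.
# Assumed: the network is called wan2, table 2 and rule priority 150 are free.

WAN_IFACE=wan2
TABLE=2
RULE_PRIO=150

# Pure function: print the ip(8) commands for one event so they can be
# checked without root or a live wan2.
#   $1 = ifup|ifdown   $2 = gateway   $3 = device   $4 = our wan2 address
wan_table_cmds() {
    case "$1" in
    ifup)
        # default route for the table, plus a source rule so that replies to
        # inbound connections on wan2's own address also leave through ISP-2
        echo "ip route replace default via $2 dev $3 table $TABLE"
        echo "ip rule add from $4/32 lookup $TABLE priority $RULE_PRIO"
        ;;
    ifdown)
        # tear down in reverse; the rule is matched by priority because the
        # old address is no longer known at ifdown time
        echo "ip rule del priority $RULE_PRIO"
        echo "ip route flush table $TABLE"
        ;;
    esac
}

handle_event() {
    [ "$INTERFACE" = "$WAN_IFACE" ] || return 0
    . /lib/functions/network.sh          # network_get_* helpers shipped with netifd
    network_flush_cache
    gw=""; dev=""; addr=""
    network_get_gateway gw "$WAN_IFACE"
    network_get_device  dev "$WAN_IFACE"
    network_get_ipaddr  addr "$WAN_IFACE"
    if [ "$ACTION" = ifup ] && [ -z "$gw" ]; then
        logger -t wan2-table "ifup but no gateway for $WAN_IFACE, nothing done"
        return 0
    fi
    wan_table_cmds "$ACTION" "$gw" "$dev" "$addr" | while read -r cmd; do
        $cmd || logger -t wan2-table "failed: $cmd"
    done
}

# only act when invoked by hotplug on a box that has the netifd helpers;
# run by hand it just prints what an ifup would do
if [ -n "$ACTION" ] && [ -r /lib/functions/network.sh ]; then
    handle_event
else
    wan_table_cmds ifup '<gateway_IP_of_WAN_2>' eth1 '<wan2_address>'
fi
```

Pair it with a `config rule` that sends the chosen VLAN to table 2 (as in the reply above); the hotplug script only maintains the table and the source rule. Check with `logread -e wan2-table` after an `ifup wan2` that nothing failed, and with `ip rule show` that the priority-150 rule is present exactly once.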