Multiple Wifi Interface with L2TP Client

Hello,

I installed L2TP on my router. I have two interfaces now, LAN and WAN.
So I decided to set up a VPN on my router. I created a new interface and connected to my L2TP VPN server. After connecting L2TP my public IP changed to the VPN server's IP.

So, right now my whole network (LAN, WiFi) is within the VPN network. Then I found an issue: I get some packet loss in the VPN network.

Please explain or give me a solution to my cases below:

  1. What I want is for some of my devices to be connected to my VPN network, and the rest to remain on the direct network to the ISP.

  2. Let's just say I have two VPN servers in different locations and I'd like to connect to them by L2TP, and also make two WiFi networks, so that any device connecting to a given WiFi will be connected to that VPN network, while the LAN will still be connected to the ISP network.

  3. Let's assume I'm able to make case No. 2 work. Now I have four LAN ports. I'd like to assign LAN-1 and LAN-2 to the direct ISP network, LAN-3 to the VPN-1 network and LAN-4 to the VPN-2 network.

Thanks in Advance.

Personally, I'd approach this with VLANs and Policy-Based Routing.

For example, create VLAN 10 in subnet 192.168.10.1/24 and then VLAN 20 in 192.168.20.1/24. Use policy-based routing to route, say, VLAN 20 through your VPN connection, whilst VLAN 10 goes through your ISP.

Tag LAN-3 and LAN-4 with VLAN 20, and LAN-1 and LAN-2 with VLAN 10. Bridge your WLAN interface with LAN-1 and LAN-2.

Is there any LuCI application available with which I can do that? I'm confused about which answer you gave.

Luckily for you there is.

I saw that, but how can I add this in the SDK? I'd like to build firmware.

Is there any other way to make it possible?

See: https://github.com/stangri/openwrt-repo/blob/master/README.md

That one is not working, that's why I asked.

If you're happy using the Image Builder, then adding vpn-policy-routing works fine as described in the README in that repo.

That aside, I'd suggest installing the extra packages you need using opkg first, configuring your router to work as you'd like it to (as described in your original post), and then - only once it's all working - trying to build your own image.

I'm able to build it, but still not able to do anything. A guide would be helpful.

Please post your /etc/config/network and /etc/config/dhcp configs.

/etc/config/network
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd46:03de:bf64::/48'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.2.1'
	option dns '1.1.1.1 1.0.0.1'
	option ifname 'eth0.1'

config device 'lan_dev'
	option name 'eth0.1'
	option macaddr '**************'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'
	option delegate '0'
	option peerdns '0'
	option dns '1.1.1.1 1.0.0.1'

config device 'wan_dev'
	option name 'eth0.2'
	option macaddr '**************'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6t'

# 'lantwo' is not a kernel device name, so this bridge only gets a member
# when a wifi-iface sets option network 'lantwo' (or when a real port/VLAN
# device such as eth0.3 is listed here instead).
config interface 'lantwo'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	option type 'bridge'
	option ifname 'lantwo'

config interface 'vpntwo'
	option proto 'l2tp'
	option server 'vpn.example.com'
	option username 'zbt'
	option password 'password'
	option ipv6 'auto'
	option defaultroute '0'


/etc/config/dhcp


config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'

config dhcp 'lan'
	option interface 'lan'
	option leasetime '6h'
	option start '101'
	option limit '120'
	list dhcp_option '6,1.0.0.1,1.1.1.1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

# 'SEVPN' is not defined in the /etc/config/network above; this pool has
# no effect until an interface with that name exists.
config dhcp 'SEVPN'
	option interface 'SEVPN'
	option start '101'
	option limit '110'
	option leasetime '6h'
	list dhcp_option '6,1.0.0.1,1.1.1.1'

config dhcp 'lantwo'
	option start '100'
	option leasetime '12h'
	option limit '150'
	option interface 'lantwo'
	list dhcp_option '6,1.0.0.1,1.1.1.1'


ok, so assuming you want traffic from your lan interface to go over your ISP, and traffic from lantwo to go over your VPN, you'll need to create the appropriate rule using the vpn-policy-routing package.

e.g.

config policy
        option local_addresses '192.168.3.1/24'
        option interface 'vpntwo'
        option comment 'my_vpn'

Once you've got that working, then you can start looking at tasks 2 and 3 on your original post.

1 Like
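For anyone who wants to see what that policy section actually installs on the box, here is the underlying source-based policy routing done by hand with ip rule / ip route, plus the check that proves a client's packets really leave via the tunnel. This is an added example, not the thread's own commands and not the vpn-policy-routing package's code. Assumptions not taken from the thread: the tunnel device is l2tp-vpntwo (OpenWrt names proto 'l2tp' devices l2tp-<interface>; confirm with `ifstatus vpntwo | jsonfilter -e '@.l3_device'`), routing table 100 is unused, the subnet behind lantwo is 192.168.3.0/24 and the ISP-side LAN is 192.168.2.0/24.

```shell
#!/bin/sh
# Source-based policy routing by hand: the ip-rule/ip-route mechanism that
# vpn-policy-routing automates. Added example; the device name l2tp-vpntwo,
# table 100 and the subnets are assumptions, not taken from the thread.

# Print the commands for: traffic from SRC_CIDR leaves via VPN_DEV; traffic
# to SRC_CIDR itself and to any listed LOCAL_NET still uses the main table;
# and when the tunnel goes down the clients fail closed instead of leaking
# out through the ISP.
#   usage: pbr_commands SRC_CIDR VPN_DEV TABLE [LOCAL_NET ...]
pbr_commands() {
    src_cidr="$1"; vpn_dev="$2"; table="$3"; shift 3
    # Point-to-point tunnel: the default route needs a device, not a gateway.
    echo "ip route add default dev $vpn_dev table $table metric 10"
    # Fail closed. If pppd drops the tunnel the route above disappears; this
    # lower-priority entry then answers the lookup with 'unreachable' instead
    # of letting it fall through to the main table and the ISP default route.
    echo "ip route add unreachable default table $table metric 1000"
    # The router's own replies to lantwo clients are sourced from 192.168.3.1
    # and would match the 'from' rule below, so local destinations must hit
    # the main table first (its connected routes are not copied into $table).
    echo "ip rule add to $src_cidr lookup main priority 1000"
    for net in "$@"; do
        echo "ip rule add to $net lookup main priority 1000"
    done
    echo "ip rule add from $src_cidr lookup $table priority 1010"
}

# Run the commands, or only show them when DRY_RUN is set.
pbr_apply() {
    pbr_commands "$@" | while IFS= read -r cmd; do
        if [ -n "$DRY_RUN" ]; then echo "$cmd"; else $cmd; fi
    done
}

# Ask the kernel which way a client packet would go, without sending one.
#   pbr_check 192.168.3.50 br-lantwo 1.1.1.1   -> must name the tunnel device
pbr_check() {
    ip route get "$3" from "$1" iif "$2"
}

# Remove everything pbr_apply installed (safe to run repeatedly).
#   usage: pbr_flush SRC_CIDR TABLE [LOCAL_NET ...]
pbr_flush() {
    src_cidr="$1"; table="$2"; shift 2
    while ip rule del from "$src_cidr" lookup "$table" 2>/dev/null; do :; done
    for net in "$src_cidr" "$@"; do
        while ip rule del to "$net" lookup main 2>/dev/null; do :; done
    done
    ip route flush table "$table"
}
```

Run `DRY_RUN=1 pbr_apply 192.168.3.0/24 l2tp-vpntwo 100 192.168.2.0/24` first to review, then without DRY_RUN as root. Two things the rules do not cover: the tunnel interface still needs to sit in a firewall zone with masquerading (as the vpn-policy-routing README also requires), and with 'defaultroute 0' on vpntwo the main table keeps the ISP default, which is exactly why the 'unreachable' entry matters. If `pbr_check` ever prints the WAN device for a lantwo source, the policy is not in effect.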

Oh god!!! It worked!

I have created two more VPN and LAN networks. But the question is, do I need to create a NEW LAN and VPN firewall zone for each network, or can I add them to the existing firewall network that I added before?

New Networks are,
192.168.9.1/24 - vpnthree
192.168.10.1/24 - vpnfour

Can you tell me how I can do cases 2 and 3? How can I separate the LANs and tag them?

And I'm getting this error since I installed this app.

Firewall: entirely up to you. It depends on how much separation/granular control you'd like.

For 2:

Create the wireless networks in LuCI, and then bridge them to the appropriate interface (Network > Interfaces); either your lan interface, or one of your vpn interfaces. Some screenshots that may help can be found here:

For 3:

You need to create VLANs and configure your switch. You said you wanted LAN1 and LAN2 to route over your ISP connection; LAN3 over one VPN connection; LAN4 over the other. There are plenty of forum posts that cover this topic (e.g. Replicating a VLANs scenario - #2 by lleachii), but (very) roughly you'll need to do something like this:

  • Assign one VPN to VLAN3 and the other to VLAN4.

Then, for your switch config:

  • Create VLANs 3 & 4
  • VLAN1: turn off LAN3 and LAN4
  • VLAN2: turn off LAN3 and LAN4
  • VLAN3: CPU must be tagged; LAN1 off, LAN2 off, LAN3 untagged, LAN4 off
  • VLAN4: CPU must be tagged; LAN1 off, LAN2 off, LAN3 off, LAN4 untagged
1 Like
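The VLAN-plus-policy-routing approach from the first reply and the switch/wireless steps for cases 2 and 3 just above, as one uci batch. This is an added example, not the poster's configuration and not the package's own code. Assumptions not taken from the thread: switch ports 0..3 are LAN1..LAN4 in order and port 6 is the CPU (the posted switch_vlan sections use '0 1 2 3 6t' and '4 6t'), the first switch_vlan section is VLAN 1, the two L2TP interfaces are vpnthree and vpnfour with 'defaultroute 0' as elsewhere in the thread, the subnets behind LAN3/LAN4 are 192.168.9.0/24 and 192.168.10.0/24 as listed above, the radio is radio0, and the SSIDs and WPA2 keys are placeholders. The firewall part is the security point: each VPN-bound network may only forward into its own tunnel zone, so if that tunnel is down its clients have no path to 'wan' and fail closed instead of leaking out through the ISP.

```shell
#!/bin/sh
# Cases 2 and 3 as a uci batch: VLANs 3 and 4 on the switch, one bridge per
# VPN-bound network with its own WiFi and DHCP pool, firewall zones that only
# forward into the matching tunnel, and a vpn-policy-routing policy each.
# Added example; port order, radio0, interface names and subnets are
# assumptions (see the text above), and the WiFi keys are placeholders.

# One VPN-bound network. The zone name for the tunnel is passed separately
# because fw3 keeps zone names short (they become iptables chain names).
#   usage: vpn_net_batch NAME VLAN PORT NET_PREFIX VPN_IFACE VPN_ZONE SSID
vpn_net_batch() {
    name="$1"; vlan="$2"; port="$3"; net="$4"; vpn="$5"; zone="$6"; ssid="$7"
    cat <<EOF
add network switch_vlan
set network.@switch_vlan[-1].device='switch0'
set network.@switch_vlan[-1].vlan='$vlan'
set network.@switch_vlan[-1].ports='$port 6t'
set network.$name=interface
set network.$name.type='bridge'
set network.$name.proto='static'
set network.$name.ifname='eth0.$vlan'
set network.$name.ipaddr='$net.1'
set network.$name.netmask='255.255.255.0'
set wireless.wifi_$name=wifi-iface
set wireless.wifi_$name.device='radio0'
set wireless.wifi_$name.mode='ap'
set wireless.wifi_$name.network='$name'
set wireless.wifi_$name.ssid='$ssid'
set wireless.wifi_$name.encryption='psk2'
set wireless.wifi_$name.key='CHANGE-ME-$ssid'
set dhcp.$name=dhcp
set dhcp.$name.interface='$name'
set dhcp.$name.start='100'
set dhcp.$name.limit='150'
set dhcp.$name.leasetime='12h'
add firewall zone
set firewall.@zone[-1].name='$name'
set firewall.@zone[-1].network='$name'
set firewall.@zone[-1].input='ACCEPT'
set firewall.@zone[-1].output='ACCEPT'
set firewall.@zone[-1].forward='REJECT'
add firewall zone
set firewall.@zone[-1].name='$zone'
set firewall.@zone[-1].network='$vpn'
set firewall.@zone[-1].input='REJECT'
set firewall.@zone[-1].output='ACCEPT'
set firewall.@zone[-1].forward='REJECT'
set firewall.@zone[-1].masq='1'
set firewall.@zone[-1].mtu_fix='1'
add firewall forwarding
set firewall.@forwarding[-1].src='$name'
set firewall.@forwarding[-1].dest='$zone'
add vpn-policy-routing policy
set vpn-policy-routing.@policy[-1].local_addresses='$net.0/24'
set vpn-policy-routing.@policy[-1].interface='$vpn'
set vpn-policy-routing.@policy[-1].comment='$name and $ssid via $vpn'
EOF
}

# The whole batch: pull LAN3/LAN4 out of VLAN 1, add both networks, commit.
vlan_uci_batch() {
    echo "set network.@switch_vlan[0].ports='0 1 6t'"
    vpn_net_batch lan3 3 2 192.168.9  vpnthree vpn3 VPN-1
    vpn_net_batch lan4 4 3 192.168.10 vpnfour  vpn4 VPN-2
    for cfg in network wireless dhcp firewall vpn-policy-routing; do
        echo "commit $cfg"
    done
}

# Apply on the router (needs uci); off the router it only complains.
vlan_uci_apply() {
    if ! command -v uci >/dev/null 2>&1; then
        echo "uci not found; review the batch with: vlan_uci_batch" >&2
        return 1
    fi
    vlan_uci_batch | uci batch || return 1
    /etc/init.d/network restart
    /etc/init.d/dnsmasq restart
    /etc/init.d/firewall restart
    /etc/init.d/vpn-policy-routing restart
}
```

Review with `vlan_uci_batch` before running `vlan_uci_apply`, and do it from the LAN1/LAN2 side, since the switch change drops LAN3 and LAN4 out of the untagged VLAN 1. The existing 'lan' zone keeps its forwarding to 'wan' untouched, so LAN1, LAN2 and the original WiFi still go straight to the ISP.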

Let's talk this later.

I found some issues.
I created 3 LANs, 3 WiFi networks, and 3 L2TP clients.
The 1st L2TP client is able to connect to the VPN. [It only connects when I restart the router, not instantly, I don't know why. Each time I have to reboot the router to connect the VPN.]

VPN policy was enabled, and it was working. So I disabled it, to test other settings.

Then I put the 2nd VPN server info in the 2nd VPN interface. Then I restarted the router, as it only connects if I restart. But the problem is that when I put in the 2nd VPN server the router stops responding; it's like the LAN is connected to the router for 5 to 10 seconds, then it keeps connecting and disconnecting. So I had to reset again and again to boot it back.

I think two L2TP VPNs cannot connect at the same time. I'd like to mention that I disabled "Use default gateway" for each VPN so that it does not affect the LAN.

No problem. For what it's worth, I'd try and get it all working first with 1 LAN, 1 L2TP client and 2 WiFi nets, and a couple of VLANs. Once that's sorted, then you can look at additional L2TP clients.

Good luck!

Yeah, that's what I'm trying, but if I try the 2nd VPN client my router stops responding, more like a connect and disconnect loop on the LAN. That is what I was trying to say above.

Any fix?

Does that mean you've got it all working as you would like with 1 VPN client, with the VLANs configured on your switch and a separate WiFi network?

Post your configs and logs here, and we'll take a look. Though this is a slightly different subject to the original thread, so it might be worth starting a new topic; others will be better placed to assist than me.
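Since the posted config already carried an L2TP password in clear text, here is an added helper for gathering exactly what that reply asks for (configs, tunnel state, routing tables, and the xl2tpd/pppd log lines behind "only connects after a reboot") with the secrets scrubbed before any of it goes into a public thread. It is not from the thread; it assumes a stock OpenWrt box (uci, ifstatus, logread present) and L2TP interfaces named vpntwo, vpnthree and vpnfour as in the posts above.

```shell
#!/bin/sh
# Collect configs and logs for a forum post, with secrets scrubbed.
# Added example, not from the thread. Assumes stock OpenWrt tools and the
# interface names vpntwo/vpnthree/vpnfour used in the thread.

# Blank the value of any UCI option that carries a secret: the L2TP/PPP
# password, WiFi keys, and (as the OP did) MAC addresses. Every other line
# is passed through unchanged so the config stays diagnosable.
redact_secrets() {
    sed -E "s/^([[:space:]]*option[[:space:]]+(password|key|macaddr)[[:space:]]+')[^']*'/\1REDACTED'/"
}

# Gather interface state, policy-routing tables/rules and the relevant log
# lines into one file. Prints the file name.
#   usage: collect_diag [OUTFILE]
collect_diag() {
    out="${1:-/tmp/diag.txt}"
    {
        echo "### uci export network";  uci export network  | redact_secrets
        echo "### uci export wireless"; uci export wireless | redact_secrets
        echo "### uci export dhcp";     uci export dhcp
        echo "### uci export firewall"; uci export firewall
        echo "### uci export vpn-policy-routing"; uci export vpn-policy-routing
        for i in vpntwo vpnthree vpnfour; do
            echo "### ifstatus $i"; ifstatus "$i"
        done
        echo "### ip rule"; ip rule
        echo "### ip route show table all"; ip route show table all
        echo "### logread (xl2tpd/pppd/netifd)"
        # ubox logread supports -e; fall back to grep on older builds.
        logread -e 'xl2tpd|pppd|netifd' 2>/dev/null \
            || logread | grep -E 'xl2tpd|pppd|netifd'
    } > "$out" 2>&1
    echo "$out"
}
```

Usage on the router: `. ./diag.sh; collect_diag` and attach /tmp/diag.txt. The ifstatus output of the second client together with the pppd lines around its start is what will show whether the two tunnels are fighting over the same PPP unit, the same peer address, or the same route.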