Multiple Wifi Interface with L2TP Client

Please post your /etc/config/network and /etc/config/dhcp configs.


config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd46:03de:bf64::/48'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.2.1'
	option dns '1.1.1.1 1.0.0.1'
	option ifname 'eth0.1'

config device 'lan_dev'
	option name 'eth0.1'
	option macaddr '**************'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'
	option delegate '0'
	option peerdns '0'
	option dns '1.1.1.1 1.0.0.1'

config device 'wan_dev'
	option name 'eth0.2'
	option macaddr '**************'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6t'

config interface 'lantwo'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	option type 'bridge'
	option ifname 'lantwo'

config interface 'vpntwo'
	option proto 'l2tp'
	option server 'vpn.example.com'
	option username 'zbt'
	option password 'password'
	option ipv6 'auto'
	option defaultroute '0'


DHCP


config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'

config dhcp 'lan'
	option interface 'lan'
	option leasetime '6h'
	option start '101'
	option limit '120'
	list dhcp_option '6,1.0.0.1,1.1.1.1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'SEVPN'
	option interface 'SEVPN'
	option start '101'
	option limit '110'
	option leasetime '6h'
	list dhcp_option '6,1.0.0.1,1.1.1.1'

config dhcp 'lantwo'
	option start '100'
	option leasetime '12h'
	option limit '150'
	option interface 'lantwo'
	list dhcp_option '6,1.0.0.1,1.1.1.1'


OK, so assuming you want traffic from your lan interface to go over your ISP, and traffic from lantwo to go over your VPN, you'll need to create the appropriate rule using the vpn-policy-routing package.

e.g.

config policy
	option local_address '192.168.3.1/24'
	option interface 'vpntwo'
	option comment 'my_vpn'

Once you've got that working, then you can start looking at tasks 2 and 3 on your original post.


Oh god!!! It worked!

I have created two more VPN and LAN networks. But the question is, do I need to create a NEW LAN and VPN firewall for each network, or can I add them to the existing firewall network that I added before?

The new networks are:
192.168.9.1/24 - vpnthree
192.168.10.1/24 - vpnfour

Can you tell me how I can do cases 2 and 3? How can I separate LANs and tag them?

And I'm getting this error since I installed this app.

Firewall: entirely up to you. It depends on how much separation/granular control you'd like.

For 2:

Create the wireless networks in LuCI, and then bridge them to the appropriate interface (Network > Interfaces); either your lan interface, or one of your vpn interfaces. Some screenshots that may help can be found here:

For 3:

You need to create VLANs and configure your switch. You said you wanted LAN1 and LAN2 to route over your ISP connection; LAN3 over one VPN connection; LAN4 over the other. There are plenty of forum posts that cover this topic (e.g. Replicating a VLANs scenario - #2 by lleachii), but (very) roughly you'll need to do something like this:

  • Assign one VPN to VLAN3 and the other to VLAN4.

Then, for your switch config:

  • Create VLANs 3 & 4
  • VLAN1: turn off LAN3 and LAN4
  • VLAN2: turn off LAN3 and LAN4
  • VLAN3: CPU must be tagged; LAN1 off, LAN2 off, LAN3 untagged, LAN4 off
  • VLAN4: CPU must be tagged; LAN1 off, LAN2 off, LAN3 off, LAN4 untagged

Let's talk this later.

I found some issues.
I created 3 LANs, 3 WiFi networks, and 3 L2TP clients.
The 1st L2TP client is able to connect to the VPN. [It only connects when I restart the router, not instantly; I don't know why. Each time I have to reboot the router to connect the VPN.]

VPN Policy was enabled, and it was working, so I disabled it to test other settings.

Then I put the 2nd VPN server info in the 2nd VPN interface. Then I restarted the router, as it only connects if I restart. But the problem is, when I put in the 2nd VPN server, the router stops responding; it's like the LAN is connected to the router for 5 to 10 seconds, then keeps connecting and disconnecting. So I had to reset again and again to boot it back.

I think two L2TP VPNs cannot connect at the same time. I'd like to mention that I disabled "Use default gateway" for each VPN so that it does not affect the LAN.

No problem. For what it's worth, I'd try and get it all working first with 1 LAN, 1 L2TP client and 2 WiFi nets, and a couple of VLANs. Once that's sorted, then you can look at additional L2TP clients.

Good luck!

Yeah, that's what I'm trying, but if I try a 2nd VPN client my router stops responding, more like a connect and disconnect loop on the LAN. That is what I'm trying to say above.

Any fix?

Does that mean you've got it all working as you would like with 1 VPN Client; with the VLANs configured on your switch and separate WiFi network?

Post configs and logs here, and we'll take a look. Though this is a slightly different subject to the original thread, so it might be worth starting a new topic; others will be better placed to assist than me.

Network Config


config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd46:03de:bf64::/48'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.2.1'
	option dns '1.1.1.1 1.0.0.1'
	option ifname 'eth0.1'

config device 'lan_dev'
	option name 'eth0.1'
	option macaddr 'xx:yy:zz:aa:tt:kk'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'
	option delegate '0'
	option peerdns '0'
	option dns '1.1.1.1 1.0.0.1'

config device 'wan_dev'
	option name 'eth0.2'
	option macaddr 'xx:yy:zz:aa:tt:ll'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6t'

config interface 'xeonbd'
	option type 'bridge'
	option proto 'static'
	option ifname 'xeonbd'
	option ipaddr '192.168.11.1'
	option netmask '255.255.255.0'
	option dns '1.0.0.1'

config interface 'doindia'
	option proto 'static'
	option ifname 'doindia'
	option ipaddr '192.168.12.1'
	option netmask '255.255.255.0'
	option dns '1.0.0.1'
	option type 'bridge'

config interface 'spectrumusny'
	option proto 'static'
	option ifname 'spectrumusny'
	option ipaddr '192.168.13.1'
	option netmask '255.255.255.0'
	option dns '1.0.0.1'
	option type 'bridge'

config interface 'vpn_xeonbd'
	option proto 'l2tp'
	option server 'bd.example.com'
	option username 'zbt'
	option password 'password'
	option ipv6 'auto'
	option defaultroute '0'

config interface 'vpn_doindia'
	option proto 'l2tp'
	option server 'rg.example.com'
	option username 'zbt'
	option password 'password'
	option ipv6 'auto'
	option defaultroute '0'
	option auto '0'

config interface 'vpn_spcusny'
	option proto 'l2tp'
	option server 'vpn732907837.softether.net'
	option username 'zbt'
	option password 'password'
	option defaultroute '0'
	option auto '0'


DHCP


config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option nonwildcard '1'
	option localservice '1'
	option domain 'WE1326-BKC'

config dhcp 'lan'
	option interface 'lan'
	option leasetime '6h'
	option start '101'
	option limit '120'
	list dhcp_option '6,1.1.1.1,1.0.0.1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'


config dhcp 'xeonbd'
	option start '101'
	option limit '120'
	option leasetime '6h'
	option interface 'xeonbd'
	list dhcp_option '6,1.1.1.1,1.0.0.1'

config dhcp 'doindia'
	option start '101'
	option limit '120'
	option leasetime '6h'
	option interface 'doindia'
	list dhcp_option '6,1.1.1.1,1.0.0.1'

config dhcp 'spectrumusny'
	option start '101'
	option limit '120'
	option leasetime '6h'
	option interface 'spectrumusny'
	list dhcp_option '6,1.1.1.1,1.0.0.1'


VPN Policy


config vpn-policy-routing 'config'
	option verbosity '2'
	option strict_enforcement '1'
	option boot_timeout '30'
	option SEClient_dscp 'SC'
	option vpn_xeonbd_dscp '11'
	option vpn_doindia_dscp '12'
	option vpn_spcusny_dscp '13'
	option dnsmasq_enabled '1'
	option ipv6_enabled '0'
	option enabled '0'

config policy
	option local_address '192.168.11.1/24'
	option interface 'vpn_xeonbd'
	option comment 'vpn_xeonbd'

config policy
	option local_address '192.168.12.1/24'
	option interface 'vpn_doindia'
	option comment 'vpn_doindia'

config policy
	option local_address '192.168.13.1/24'
	option interface 'vpn_spcusny'
	option comment 'vpn_spcusny'


Wireless


config wifi-device 'radio0'
	option type 'mac80211'
	option hwmode '11g'
	option path 'pci0000:00/0000:00:01.0/0000:02:00.0'
	option htmode 'HT20'
	option channel '9'
	option country 'BD'
	option legacy_rates '1'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'SysOps'
	option key 'password'
	option encryption 'psk2+tkip+ccmp'
	option network 'lan'

config wifi-device 'radio1'
	option type 'mac80211'
	option hwmode '11a'
	option path 'pci0000:00/0000:00:00.0/0000:01:00.0'
	option htmode 'VHT80'
	option country 'BD'
	option legacy_rates '1'
	option channel '153'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option mode 'ap'
	option key 'password'
	option network 'xeonbd'
	option ssid 'XeonBD'
	option encryption 'psk-mixed+tkip+ccmp'

config wifi-iface
	option device 'radio1'
	option mode 'ap'
	option ssid 'DoIndia'
	option network 'doindia'
	option encryption 'psk-mixed+tkip+ccmp'
	option key 'password'

config wifi-iface
	option device 'radio1'
	option mode 'ap'
	option ssid 'Spectrum US NY'
	option network 'spectrumusny'
	option encryption 'psk-mixed+tkip+ccmp'
	option key 'password'


Firewall


config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

config zone
	option name 'virlan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'xeonbd doindia spectrumusny'

config zone
	option name 'virwan'
	option forward 'REJECT'
	option output 'ACCEPT'
	option masq '1'
	option input 'REJECT'
	option network 'vpn_xeonbd vpn_doindia vpn_spcusny'

config forwarding
	option dest 'virwan'
	option src 'virlan'


The last three stanzas in your firewall config look suspect to me, but I may be misinterpreting. Perhaps somebody else can offer some advice?

I can remove interface from firewall and let you know.

Try putting vpn_xeonbd, vpn_doindia, and vpn_spcusny in your wan firewall zone. Delete zone virlan and ditch the forwarding rule virlan to virwan.
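As an added example that is not part of this thread (and not the vpn-policy-routing package's own code), here is a small Python checker that reads UCI files in the format posted above and mechanically verifies the three pieces of advice given in this thread: the policy-routing rule (a `local_address` subnet that matches a static LAN, pointing at a defined L2TP interface), the VLAN switch layout (CPU port tagged in every VLAN, each access port untagged in only one VLAN), and the zone layout (L2TP interfaces in a masquerading zone, every LAN in some zone). The sample configs inside it are constructed: abridged from the posted configs with the VLAN advice applied and one deliberate mistake left in (ports not removed from VLAN 1). The CPU port number 6 is taken from the posted `6t`, and repeated `list` entries are kept only as their last value, which is enough for these checks.

```python
import ipaddress
import shlex

# Constructed samples, abridged from the thread; ports 2 and 3 were deliberately
# left in VLAN 1 after VLAN 3 was added (the mistake check_switch catches).
NETWORK = """
config interface 'xeonbd'
	option proto 'static'
	option ipaddr '192.168.11.1'
	option netmask '255.255.255.0'
config interface 'vpn_xeonbd'
	option proto 'l2tp'
config interface 'vpn_doindia'
	option proto 'l2tp'
	option auto '0'
config switch_vlan
	option vlan '1'
	option ports '0 1 2 3 6t'
config switch_vlan
	option vlan '3'
	option ports '2 6t'
"""
FIREWALL = """
config zone
	option name 'wan'
	option masq '1'
	option network 'wan vpn_xeonbd vpn_doindia'
"""
POLICIES = """
config policy
	option local_addresses '192.168.3.1/24'
	option interface 'vpntwo'
config policy
	option local_address '192.168.11.1/24'
	option interface 'vpn_xeonbd'
config policy
	option local_address '192.168.12.1/24'
	option interface 'vpn_doindia'
"""

def parse_uci(text):
    """Parse UCI text into [{type, name, opts}]; a repeated 'list' key keeps its last value."""
    sections = []
    for line in text.splitlines():
        words = shlex.split(line, comments=True)
        if not words:
            continue
        if words[0] == "config":
            sections.append({"type": words[1], "opts": {}, "name": words[2] if len(words) > 2 else None})
        elif words[0] in ("option", "list"):
            sections[-1]["opts"][words[1]] = words[2] if len(words) > 2 else ""
    return sections

def by_type(sections, kind):
    return [s for s in sections if s["type"] == kind]

def check_routing(net, fw, vpr):
    """Policy routing: 'local_address' must be a subnet a static interface owns; the egress
    interface must exist, start at boot (auto != 0) and be in a masquerading zone; and every
    static LAN must be in some zone or the firewall's default forward REJECT drops its traffic."""
    ifaces = {s["name"]: s["opts"] for s in by_type(net, "interface")}
    owned = {ipaddress.ip_network(f"{o['ipaddr']}/{o.get('netmask', '32')}", strict=False)
             for o in ifaces.values() if o.get("proto") == "static"}
    zone_of = {n: z["opts"] for z in by_type(fw, "zone")
               for n in z["opts"].get("network", "").split()}
    out = [f"{n}: not in any firewall zone" for n, o in ifaces.items()
           if o.get("proto") == "static" and n != "loopback" and n not in zone_of]
    for p in by_type(vpr, "policy"):
        o, via = p["opts"], p["opts"].get("interface")
        if "local_addresses" in o:
            out.append(f"policy via {via}: 'local_addresses' is not an option, use 'local_address'")
        src = o.get("local_address")
        if src and ipaddress.ip_network(src, strict=False) not in owned:
            out.append(f"policy via {via}: {src} is not a configured LAN subnet")
        if via not in ifaces:
            out.append(f"policy via {via}: interface is not defined in /etc/config/network")
        elif ifaces[via].get("auto", "1") == "0":
            out.append(f"policy via {via}: auto '0', so the interface is not started at boot")
        elif zone_of.get(via, {}).get("masq") != "1":
            out.append(f"policy via {via}: egress zone does not masquerade")
    return out

def check_switch(net, cpu_port="6"):
    """swconfig VLANs: CPU port tagged in every VLAN; an access port untagged in one VLAN only."""
    out, owner = [], {}
    for v in by_type(net, "switch_vlan"):
        vid, ports = v["opts"]["vlan"], v["opts"]["ports"].split()
        if f"{cpu_port}t" not in ports:
            out.append(f"vlan {vid}: CPU port {cpu_port} is not tagged")
        for p in (p for p in ports if not p.endswith("t")):
            if p in owner:
                out.append(f"port {p}: untagged in vlan {owner[p]} and vlan {vid}, set it off in one")
            owner.setdefault(p, vid)
    return out

def run_all():
    net = parse_uci(NETWORK)
    return check_routing(net, parse_uci(FIREWALL), parse_uci(POLICIES)) + check_switch(net)
```

Against a real router, feed it the files directly, e.g. `parse_uci(open('/etc/config/network').read())`, `parse_uci(open('/etc/config/firewall').read())` and `parse_uci(open('/etc/config/vpn-policy-routing').read())`; an empty list means no finding. On the constructed sample it reports the unzoned LAN, the misspelled option and undefined interface from the first policy, the unknown subnet and `auto '0'` on the third, and port 2 sitting untagged in two VLANs. These are configuration-consistency checks only; they do not explain why two L2TP tunnels fail to coexist.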

I attached all 3 VPNs to the WAN zone, and deleted all the firewall zones that I created. Now what zone should I assign the 3 LANs to?


config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan vpn_doindia vpn_spcusny vpn_xeonbd'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'


Update: Still the same issue, the router stops responding after connecting two L2TP clients.

Any update to fix this problem?

Sorry, no: I had a busy end of the week and am trying to get some family time, too.

What do you mean by "stops responding"? Can you load the LuCI login page? Can you get ssh access? Do you get an IP address from the DHCP pool when you connect?

Yeah, I can't get any IP from DHCP; it gets one the first time and disconnects after 5 to 7 sec. Then it never connects.

You've got three L2TP connections defined. Can you pin the issue down to any one of them in particular? Do they each work by themselves, and it's only when you start running them concurrently that you see problems?

Each of them works fine, but they do not work if they run together.