Multiple Wifi Interface with L2TP Client

Network Config


# /etc/config/network (UCI). Stock loopback definition.
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

# IPv6 ULA prefix for the local networks.
config globals 'globals'
	option ula_prefix 'fd46:03de:bf64::/48'

# Main LAN: bridge over VLAN 1 (eth0.1), static 192.168.2.1/24.
# Upstream resolvers are pinned to 1.1.1.1 / 1.0.0.1 here and again on 'wan'.
config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.2.1'
	option dns '1.1.1.1 1.0.0.1'
	option ifname 'eth0.1'

# NOTE(review): 'xx:yy:zz:aa:tt:kk' contains non-hex characters, so it is a
# redaction placeholder, not a usable MAC; a live config needs a valid 6-byte
# hex address here (same for 'wan_dev' below) or the option should be dropped.
config device 'lan_dev'
	option name 'eth0.1'
	option macaddr 'xx:yy:zz:aa:tt:kk'

# WAN: DHCP client on VLAN 2 (eth0.2).
# peerdns '0' ignores the ISP-supplied resolvers in favour of the 'dns' list;
# delegate '0' keeps this interface's IPv6 prefixes from being delegated
# downstream (per OpenWrt's interface options — confirm intent).
config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'
	option delegate '0'
	option peerdns '0'
	option dns '1.1.1.1 1.0.0.1'

config device 'wan_dev'
	option name 'eth0.2'
	option macaddr 'xx:yy:zz:aa:tt:ll'

# Switch: VLAN 1 = ports 0-3 plus port 6 tagged (LAN side);
# VLAN 2 = port 4 plus port 6 tagged (WAN side). Port 6 is presumably the
# CPU port — verify against the board's switch layout.
config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6t'

# Three separate guest/VPN LANs, one per tunnel: 192.168.11.0/24,
# 192.168.12.0/24 and 192.168.13.0/24. Each is a bridge whose 'ifname' is
# just its own section name — no device called 'xeonbd', 'doindia' or
# 'spectrumusny' is defined anywhere in the posted config, so the only
# bridge members are the wifi-iface sections that reference these networks
# in the wireless config (option network 'xeonbd' etc.).
# Each of these networks also has its own DHCP pool and a VPN policy entry
# steering its whole /24 through the matching vpn_* tunnel.
config interface 'xeonbd'
	option type 'bridge'
	option proto 'static'
	option ifname 'xeonbd'
	option ipaddr '192.168.11.1'
	option netmask '255.255.255.0'
	option dns '1.0.0.1'

config interface 'doindia'
	option proto 'static'
	option ifname 'doindia'
	option ipaddr '192.168.12.1'
	option netmask '255.255.255.0'
	option dns '1.0.0.1'
	option type 'bridge'

config interface 'spectrumusny'
	option proto 'static'
	option ifname 'spectrumusny'
	option ipaddr '192.168.13.1'
	option netmask '255.255.255.0'
	option dns '1.0.0.1'
	option type 'bridge'

# Three L2TP client tunnels (OpenWrt proto 'l2tp' = xl2tpd, L2TPv2 over
# UDP/1701 with PPP inside). Nothing in this config sets up IPsec around
# them, so unless the servers require it the tunnel payload is protected by
# PPP authentication only, not encrypted — worth confirming with each provider.
# Credentials are stored in clear text in UCI (the file is root-readable on
# the router); 'password' here is presumably a placeholder for posting, and
# the same username 'zbt' is reused for all three servers.
# defaultroute '0': the tunnel does not replace the WAN default route;
# per-subnet steering is left to vpn-policy-routing.
config interface 'vpn_xeonbd'
	option proto 'l2tp'
	option server 'bd.example.com'
	option username 'zbt'
	option password 'password'
	option ipv6 'auto'
	option defaultroute '0'

# auto '0': not brought up at boot; must be started explicitly (ifup).
# Only 'vpn_xeonbd' above lacks this and therefore starts at boot.
config interface 'vpn_doindia'
	option proto 'l2tp'
	option server 'rg.example.com'
	option username 'zbt'
	option password 'password'
	option ipv6 'auto'
	option defaultroute '0'
	option auto '0'

# Differs from the other two in having no 'ipv6' option — presumably an
# oversight rather than intentional; confirm.
config interface 'vpn_spcusny'
	option proto 'l2tp'
	option server 'vpn732907837.softether.net'
	option username 'zbt'
	option password 'password'
	option defaultroute '0'
	option auto '0'


DHCP


# /etc/config/dhcp (UCI). dnsmasq settings are the OpenWrt defaults plus a
# custom domain: rebind_protection '1' drops upstream answers that resolve
# to private ranges, localservice '1' only answers clients on local subnets.
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option nonwildcard '1'
	option localservice '1'
	option domain 'WE1326-BKC'

# LAN pool: start 101 + limit 120 = 192.168.2.101-220, 6h leases.
# dhcp_option '6,...' hands clients 1.1.1.1/1.0.0.1 as their DNS servers
# directly, so client lookups bypass dnsmasq on the router. NOTE(review):
# that also means the rebind protection above and the dnsmasq-based hooks of
# vpn-policy-routing (dnsmasq_enabled '1') never see client queries — confirm
# this is intended.
config dhcp 'lan'
	option interface 'lan'
	option leasetime '6h'
	option start '101'
	option limit '120'
	list dhcp_option '6,1.1.1.1,1.0.0.1'

# No DHCP server on the WAN side.
config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

# odhcpd handles DHCPv6/RA only (maindhcp '0' leaves IPv4 to dnsmasq).
config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'


# One pool per guest/VPN LAN, same shape as the 'lan' pool:
# .101-.220 of each /24, 6h leases, clients pointed at 1.1.1.1/1.0.0.1.
config dhcp 'xeonbd'
	option start '101'
	option limit '120'
	option leasetime '6h'
	option interface 'xeonbd'
	list dhcp_option '6,1.1.1.1,1.0.0.1'

config dhcp 'doindia'
	option start '101'
	option limit '120'
	option leasetime '6h'
	option interface 'doindia'
	list dhcp_option '6,1.1.1.1,1.0.0.1'

config dhcp 'spectrumusny'
	option start '101'
	option limit '120'
	option leasetime '6h'
	option interface 'spectrumusny'
	list dhcp_option '6,1.1.1.1,1.0.0.1'


VPN Policy


# /etc/config/vpn-policy-routing (UCI).
# NOTE(review): enabled '0' — as posted, the service is switched off, so none
# of the policies below take effect and the guest LANs fall back to the main
# routing table (i.e. the WAN default route) rather than their tunnels.
# strict_enforcement '1' is meant to keep policy traffic from leaking via the
# default route while its tunnel is down — confirm against the package docs.
# The '<interface>_dscp' options map a DSCP mark to an interface; 'SEClient'
# matches no interface in the network config, so that entry appears to be a
# leftover (and 'SC' is not a numeric DSCP value like the others).
config vpn-policy-routing 'config'
	option verbosity '2'
	option strict_enforcement '1'
	option boot_timeout '30'
	option SEClient_dscp 'SC'
	option vpn_xeonbd_dscp '11'
	option vpn_doindia_dscp '12'
	option vpn_spcusny_dscp '13'
	option dnsmasq_enabled '1'
	option ipv6_enabled '0'
	option enabled '0'

# One policy per guest LAN: the whole /24 is steered through its own tunnel.
config policy
	option local_address '192.168.11.1/24'
	option interface 'vpn_xeonbd'
	option comment 'vpn_xeonbd'

config policy
	option local_address '192.168.12.1/24'
	option interface 'vpn_doindia'
	option comment 'vpn_doindia'

config policy
	option local_address '192.168.13.1/24'
	option interface 'vpn_spcusny'
	option comment 'vpn_spcusny'


Wireless


# /etc/config/wireless (UCI).
# radio0: 2.4 GHz (hwmode 11g), HT20 on channel 9, regulatory domain BD.
# legacy_rates '1' keeps the 802.11b rates enabled.
config wifi-device 'radio0'
	option type 'mac80211'
	option hwmode '11g'
	option path 'pci0000:00/0000:00:01.0/0000:02:00.0'
	option htmode 'HT20'
	option channel '9'
	option country 'BD'
	option legacy_rates '1'

# Main AP on the 'lan' bridge. 'psk2+tkip+ccmp' is WPA2-PSK offering both
# TKIP and CCMP; TKIP is deprecated, so 'psk2+ccmp' is the stronger choice
# unless a legacy client still needs it. 'password' is presumably a
# placeholder for posting.
config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'SysOps'
	option key 'password'
	option encryption 'psk2+tkip+ccmp'
	option network 'lan'

# radio1: 5 GHz (hwmode 11a), VHT80 on channel 153, regulatory domain BD.
config wifi-device 'radio1'
	option type 'mac80211'
	option hwmode '11a'
	option path 'pci0000:00/0000:00:00.0/0000:01:00.0'
	option htmode 'VHT80'
	option country 'BD'
	option legacy_rates '1'
	option channel '153'

# Three APs on radio1, each bridged to its own guest/VPN LAN (the 'network'
# option is what actually puts the wireless interface into the bridge).
# 'psk-mixed+tkip+ccmp' is WPA/WPA2 mixed mode with TKIP allowed — the
# weakest PSK mode offered here; 'psk2+ccmp' (WPA2/AES only) is preferable
# unless a legacy client requires otherwise. Keys are presumably placeholders.
config wifi-iface 'default_radio1'
	option device 'radio1'
	option mode 'ap'
	option key 'password'
	option network 'xeonbd'
	option ssid 'XeonBD'
	option encryption 'psk-mixed+tkip+ccmp'

# The next two sections are anonymous; UCI assigns them generated names, so
# they can only be addressed by position when edited from the shell.
config wifi-iface
	option device 'radio1'
	option mode 'ap'
	option ssid 'DoIndia'
	option network 'doindia'
	option encryption 'psk-mixed+tkip+ccmp'
	option key 'password'

config wifi-iface
	option device 'radio1'
	option mode 'ap'
	option ssid 'Spectrum US NY'
	option network 'spectrumusny'
	option encryption 'psk-mixed+tkip+ccmp'
	option key 'password'


Firewall


# /etc/config/firewall (UCI) — original version.
# 'defaults' is the stock OpenWrt policy; it governs traffic on interfaces
# that belong to no zone (input ACCEPT, forward REJECT).
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Stock lan zone: trusted, forwarding allowed between its networks.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

# Stock wan zone: unsolicited input rejected, NAT (masq) and MSS clamping
# (mtu_fix) on the way out.
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan'

# Only lan -> wan is forwarded; the guest LANs have no path to 'wan' here.
config forwarding
	option src 'lan'
	option dest 'wan'

# The rules below are OpenWrt's stock default set: DHCP/DHCPv6 renewals,
# ping, IGMP/MLD, the ICMPv6 types needed for IPv6 to work, and IPsec
# (ESP + ISAKMP/UDP 500) from wan into lan. All are scoped to src 'wan'.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# IPsec passthrough into the main LAN only; not relevant to the L2TP
# tunnels, which run as clients from the router itself.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Custom iptables rules hook (stock include).
config include
	option path '/etc/firewall.user'

# UPnP (miniupnpd) firewall hook: lets any LAN host request port forwards
# from the wan side on its own. Keep only if a LAN device actually needs it.
config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

# Custom zones for the guest LANs and their tunnels.
# virlan: all three guest bridges in one zone with forward ACCEPT, so the
# three networks can also reach each other; set forward 'REJECT' (and keep
# the virlan -> virwan forwarding) if they are meant to be isolated.
# input ACCEPT means guest clients can reach services on the router itself
# (LuCI, ssh, DNS); tighten with rules if that is not wanted.
config zone
	option name 'virlan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'xeonbd doindia spectrumusny'

# virwan: the three L2TP tunnels, NATed like wan. NOTE(review): unlike the
# 'wan' zone this one has no mtu_fix; L2TP/PPP encapsulation lowers the
# usable MTU, so MSS clamping is normally wanted on a tunnel zone too.
config zone
	option name 'virwan'
	option forward 'REJECT'
	option output 'ACCEPT'
	option masq '1'
	option input 'REJECT'
	option network 'vpn_xeonbd vpn_doindia vpn_spcusny'

# Guest LANs may only leave via the tunnels — there is no virlan -> wan
# forwarding, so with a tunnel down its LAN has no exit at all.
config forwarding
	option dest 'virwan'
	option src 'virlan'


The last three stanzas in your firewall config look suspect to me, but I may be misinterpreting. Perhaps somebody else can offer some advice?

I can remove the interfaces from the firewall and let you know.

Try putting vpn_xeonbd, vpn_doindia, and vpn_spcusny in your wan firewall zone. Delete zone virlan and ditch the forwarding rule virlan to virwan.

I attached all 3 VPNs to the WAN zone and deleted all the firewall entries I had created. Now which zone should I assign the 3 LANs to?


# /etc/config/firewall (UCI) — revised version after the advice above.
# NOTE(review): the three guest networks (xeonbd, doindia, spectrumusny) are
# no longer listed in any zone, so they fall under these defaults: input
# ACCEPT (router reachable from them) but forward REJECT (no traffic to the
# tunnels, to wan, or to each other). They need a zone plus a forwarding
# entry before policy routing can move their traffic anywhere.
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

# The three L2TP tunnels now share the wan zone, so they inherit its NAT
# and mtu_fix (MSS clamping) settings.
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan vpn_doindia vpn_spcusny vpn_xeonbd'

# Still only lan -> wan; nothing forwards the guest LANs.
config forwarding
	option src 'lan'
	option dest 'wan'

# Unchanged stock OpenWrt rule set (same as the first firewall listing).
# Note that with the tunnels in the wan zone these src 'wan' rules now also
# apply to traffic arriving through the L2TP tunnels.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# IPsec passthrough into the main LAN (stock rules).
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Custom iptables rules hook (stock include).
config include
	option path '/etc/firewall.user'

# UPnP (miniupnpd) hook, unchanged: LAN hosts can still open wan-side port
# forwards on their own. Disable if no device needs it.
config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'


Update: Still the same issue; the router stops responding after connecting two L2TP tunnels.

Any update to fix this problem?

sorry, no: had a busy end of week and trying to get some family time, too.

What do you mean by "stops responding"? Can you load the LuCI login page? Can you get ssh access? Do you get an IP address from the DHCP pool when you connect?

Yeah, I can't get any IP from DHCP. It gets one the first time, then disconnects after 5 to 7 seconds and never connects again.

You've got three L2TP connections defined. Can you pin the issue down to any one of them in particular? Do they each work by themselves, and is it only when you run them concurrently that you see problems?

Each of them works fine on its own, but they do not work when they run together.

One more thing I noticed: without the virlan and virwan firewall zones, VPN Policy Routing doesn't work.

I'm running out of ideas here, but perhaps you're hitting a hardware limitation?

I tried on two devices; both throw the same error.