Hey all, my current setup is a NanoPi R4S with a Ubiquiti access point (AC PRO). I have several clients connected via Ethernet and a mix of IoT devices and other users on the wireless AP.
I want to segment the clients so that by default all of them route through the WireGuard VPN, and I can use DHCP static leases to make selected clients route through the WAN without the VPN service (work doesn't like me using that service, and some IoT devices don't like it either).
The main reason for using the VPN service is that my ISP (Vexus) decided to hijack all DNS requests with their own service; they also deny any wrongdoing (punks).
The problem: I cannot get any of my clients to switch to the other LAN network. I can set up a different radio SSID with a VLAN tag and get them to switch over that way, but that doesn't cover all of my Ethernet-connected devices (I also don't have a managed switch).
{
"kernel": "6.1.55",
"hostname": "FriendlyWrt",
"system": "ARMv8 Processor rev 4",
"model": "FriendlyElec NanoPi R4S",
"board_name": "friendlyelec,nanopi-r4s",
"release": {
"distribution": "OpenWrt",
"version": "23.05.5",
"revision": "r24106-10cc5fcd00",
"target": "rockchip/armv8",
"description": "OpenWrt 23.05.5 r24106-10cc5fcd00"
}
}
# Loopback interface and the IPv6 ULA prefix; both look like stock OpenWrt defaults.
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd00:ab:cd::/48'
# eth0 is the upstream (WAN) port.
config device
option name 'eth0'
option macaddr 'fe:e4:5b:cc:cc:11'
# WAN via DHCP. metric '30' is higher than wg0's '20' (see the wg0 interface),
# so while the tunnel is up the default route prefers wg0; when it is down the
# plain WAN route takes over again.
# peerdns '0' ignores the ISP-supplied resolvers and the two servers listed
# here are used instead. NOTE(review): these are plain port-53 resolvers, so
# any query the router sends out eth0 rather than through wg0 is still exposed
# to the DNS interception described in the post — confirm that upstream
# queries actually leave via the tunnel (and how they behave when it is down).
config interface 'wan'
option device 'eth0'
option proto 'dhcp'
option metric '30'
option peerdns '0'
list dns '162.252.172.57'
list dns '149.154.159.92'
option delegate '0'
# IPv6 WAN is fully switched off (disabled '1', auto '0').
config interface 'wan6'
option device 'eth0'
option proto 'dhcpv6'
option reqaddress 'none'
option reqprefix 'auto'
option peerdns '0'
list dns '162.252.172.57'
list dns '149.154.159.92'
option disabled '1'
option auto '0'
# br-lan has exactly one member port, eth1. Every wired device (and, presumably,
# the AP's uplink with its untagged SSIDs — confirm) therefore lands in this
# single broadcast domain and gets an address from the 'lan' pool.
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth1'
config device
option name 'eth1'
option macaddr 'fe:e4:5b:cc:cc:12'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
# WireGuard client interface. Keys and the endpoint host are blanked in this paste.
# metric '20' beats wan's '30', and route_allowed_ips '1' together with
# allowed_ips 0.0.0.0/0 installs a default route through the tunnel. Routing is
# by destination only, so the kernel sends *every* forwarded flow into wg0 no
# matter which LAN it came from; the firewall zones can only allow or reject
# that, they cannot steer a client back out of eth0.
# NOTE(review): a per-client bypass therefore needs policy-based routing keyed
# on source address (e.g. route_allowed_ips '0' with the tunnel's default route
# placed in its own table and rules selecting that table per source) — a zone
# plus a DHCP reservation on its own will not do it. TODO confirm on this build.
config interface 'wg0'
option proto 'wireguard'
option private_key ''
list dns '162.252.172.57'
list dns '149.154.159.92'
option metric '20'
list addresses '10.14.0.2/16'
config wireguard_wg0
option description 'Imported peer configuration'
option public_key ''
list allowed_ips '0.0.0.0/0'
option endpoint_host ''
option endpoint_port '51820'
option private_key ''
option route_allowed_ips '1'
# The intended bypass network.
# NOTE(review): BR-noVPN has no member ports at all — bridge_empty '1' merely
# lets the bridge exist without any. No wired or wireless client can be
# attached to it in this state, which is the concrete reason a DHCP reservation
# cannot move a device off br-lan and onto 192.168.10.0/24.
config device
option type 'bridge'
option name 'BR-noVPN'
option bridge_empty '1'
config interface 'noVPN'
option proto 'static'
option device 'BR-noVPN'
option ipaddr '192.168.10.1'
option netmask '255.255.255.0'
# Single dnsmasq instance (DNS forwarder + DHCPv4). The protective settings are:
# rebind_protection '1' drops upstream answers that point at private ranges, and
# localservice '1' answers DNS only for clients on directly attached subnets.
# Upstream resolvers are read from resolvfile, which is filled from the
# interfaces' 'list dns' entries. logdhcp '1' logs every DHCP transaction, which
# is the quickest way to see which pool a client was actually served from.
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option localservice '1'
option ednspacket_max '1232'
option confdir '/tmp/dnsmasq.d'
option sequential_ip '1'
option logdhcp '1'
# DHCPv4 pool for lan: 192.168.1.100-249, 12h leases. force '1' keeps serving
# even if another DHCP server is detected on the segment.
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option force '1'
# Never serve DHCP towards the ISP side.
config dhcp 'wan'
option interface 'wan'
option ignore '1'
# odhcpd handles IPv6 only; maindhcp '0' leaves DHCPv4 to dnsmasq.
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
# Static leases inside the lan subnet; these are plain reservations and do not
# affect routing.
config host
option name 'reefpi'
option ip '192.168.1.183'
option mac 'DC:A6:32:C3:2D:0F'
config host
option name 'LP-PF3ZC10D'
option ip '192.168.1.107'
option mac '9C:2D:CD:0C:03:50'
# DHCPv4 pool for noVPN: 192.168.10.100-249.
config dhcp 'noVPN'
option interface 'noVPN'
option start '100'
option limit '150'
option leasetime '12h'
# Reservation in the noVPN subnet for the Chromecast.
# NOTE(review): dnsmasq only uses a reserved address that belongs to the subnet
# of the interface the request arrived on, so a client that sends its DISCOVER
# on br-lan will not be offered 192.168.10.150 and falls back to the lan pool.
# This entry only takes effect once the client is actually a member of
# BR-noVPN — the DHCP log (logdhcp '1') will show which pool was used.
config host
list mac 'F4:F5:D8:AE:71:CC'
option ip '192.168.10.150'
option leasetime '12h'
option instance 'cfg01411c'
option broadcast '1'
option name 'Chromecast-Ultra'
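# Policies for traffic on interfaces that belong to no zone. Stock OpenWrt ships
# input and forward as REJECT; with ACCEPT here, any interface added later
# without a zone would be open to the router itself and forwarded freely.
# Every interface in this config is assigned to a zone, so tightening these two
# changes nothing for working clients.
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'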
# lan zone: clients may reach the router and each other freely.
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option mtu_fix '1'
list network 'lan'
# wan zone: unsolicited inbound is rejected, outbound is masqueraded.
# NOTE(review): fullcone4/fullcone6 are not stock OpenWrt options (presumably a
# FriendlyWrt addition). Full-cone NAT keeps a mapping reachable from any
# external host once a client has opened it, which is looser than the default
# endpoint-dependent behaviour — keep it only if a specific application needs it.
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option fullcone4 '1'
option fullcone6 '1'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
# lan is allowed straight out to wan as well as to vpn (see the vpn zone), so
# nothing in the firewall forces lan traffic through the tunnel.
config forwarding
option src 'lan'
option dest 'wan'
# Stock OpenWrt input rules for the wan side; nothing here looks modified.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# Default IPsec pass-through rules; harmless while nothing on lan listens for
# ESP/ISAKMP, but they can be disabled if no IPsec client is in use.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# Present but switched off (enabled '0'); wan6 is disabled at the network level anyway.
config rule
option name 'Reject-IPv6'
option family 'ipv6'
option src 'wan'
option dest '*'
option target 'REJECT'
option enabled '0'
# vpn zone around the tunnel: no unsolicited inbound, masquerade outbound so
# lan sources appear as the tunnel address.
config zone
option name 'vpn'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
list network 'wg0'
# NOTE(review): lan -> vpn and lan -> wan (earlier in this file) are both
# permitted. Which one a packet takes is decided purely by the routing table,
# so if the tunnel drops the default route falls back to wan (metric 30) and
# lan traffic silently leaves unencrypted — there is no kill switch here. Either
# remove the lan -> wan forwarding or restrict it if that is not acceptable.
config forwarding
option src 'lan'
option dest 'vpn'
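# Zone for the bypass network. Intra-zone forward ACCEPT is fine for a LAN-style
# zone; what matters is that there is deliberately no forwarding from noVPN to
# vpn, so anything from this zone that the kernel routes into wg0 is rejected
# by the vpn zone's forward policy.
# NOTE(review): while the tunnel is up the routing table sends all forwarded
# traffic to wg0 (wg0 metric 20 < wan metric 30, route_allowed_ips '1'), so
# noVPN clients would currently reach nothing at all — the noVPN -> wan
# forwarding below only permits packets the routing table already sends to
# eth0. The bypass needs source-based routing on the network side as well.
config zone
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'noVPN'
option name 'noVPN'
# Three 'config forwarding' sections that carried only "option dest 'wan'" and
# no 'option src' were removed: without a source zone fw4 cannot build a rule
# from them and, as far as I can tell, only emits warnings at start-up.
config forwarding
option src 'noVPN'
option dest 'wan'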