OpenConnect (OCSERV) connects but split tunneling doesn't work

I have been searching for a solution in this forum but couldn't find one, which is why I am posting here.

So my network is a bit odd. I have an Archer C7 v2 running OpenWrt 18.06 in the LAN (10.0.0.100); it acts as an AP and connects to my firewall. The default gateway is configured as the firewall. I have then set up OCserv (OpenConnect Server) on my OpenWrt router and set up the VPN with split tunneling. I can connect to the VPN but split tunneling doesn't work. For example, I have my LAN subnet in 10.0.0.0/24 and I have configured 10.0.20.0/24 as the OpenConnect subnet. In the OpenConnect routing table I have added 10.0.0.0/24, which is used for split tunneling. I have then added routes for the OpenConnect subnet in the firewall.

When I connect to the VPN, I get assigned an IP address from the 10.0.20.0/24 subnet, but I am unable to access anything in the 10.0.0.0/24 subnet except the OpenWrt router (10.0.0.100) and 10.0.20.1 (which is the same OpenWrt router, the IP used as the VPN gateway). It doesn't seem like traffic is hitting the br-lan interface from the vpns0 interface in the router. I tried capturing using tcpdump: I can see ping packets on the vpns0 interface but not on the br-lan interface. I am thinking this is something related to the OpenWrt firewall. When I checked the OpenWrt firewall config, I wasn't able to find any firewall rules for the virtual VPN interface. The traffic doesn't go past the VPN interface and so I am unable to access anything in the LAN network.

Any idea what could be causing the issue?

Thanks in advance.

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

uci export network; uci export wireless; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
iptables-save -c; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix '***********::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth1.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.1.100'
        option delegate '0'
        option gateway '192.168.1.254'
        option dns '192.168.1.50'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dynamic'
        option type 'bridge'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0t 1 2t 5t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option vid '2'
        option ports '0t 2t 3 5t'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option vid '3'
        option ports '0t 2t 4 5t'

config switch_vlan
        option device 'switch0'
        option vlan '4'
        option vid '4'
        option ports '0t 2t 5t'

config interface 'lan4'
        option proto 'static'
        option ifname 'eth1.4'
        option delegate '0'
        option ipaddr '192.168.5.100'
        option netmask '255.255.255.0'
        option gateway '192.168.8.1'

package wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option channel '36'
        option hwmode '11a'
        option path 'pci0000:01/0000:01:00.0'
        option htmode 'VHT80'
        option country 'JP'
        option legacy_rates '1'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option mode 'ap'
        option ssid ' - 5G'
        option network 'lan'
        option encryption 'psk2+tkip+ccmp'
        option key '********'

config wifi-device 'radio1'
        option type 'mac80211'
        option hwmode '11g'
        option path 'platform/qca955x_wmac'
        option txpower '20'
        option country 'IN'
        option htmode 'HT20'
        option disabled '0'
        option channel '11'
        option legacy_rates '1'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option mode 'ap'
        option ssid ' - 2.4G'
        option network 'lan'
        option encryption 'psk-mixed+tkip+ccmp'
        option key '********'

config wifi-iface
        option device 'radio1'
        option mode 'ap'
        option key '********'
        option ssid '_Wifi_Management'
        option network 'lan'
        option disassoc_low_ack '0'
        option encryption 'psk-mixed+tkip+ccmp'

config wifi-iface
        option device 'radio0'
        option mode 'ap'
        option ssid '_5G_Management'
        option network 'lan'
        option key '********'
        option encryption 'psk-mixed+tkip+ccmp'

package dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '0'
        option enable_tftp '1'
        option tftp_root '/'

config dhcp 'lan'
        option interface 'lan'
        option ignore '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

package firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        option network 'lan _WAN _wan wwan_1 lan4'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6 Jio wwan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
# Generated by iptables-save v1.6.2 on Fri May 22 06:43:30 2020
*nat
:PREROUTING ACCEPT [199368:63178666]
:INPUT ACCEPT [3782:326536]
:OUTPUT ACCEPT [496:40403]
:POSTROUTING ACCEPT [291:19482]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[199368:63178666] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[189983:62453542] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[0:0] -A PREROUTING -i eth1.4 -m comment --comment "!fw3" -j zone_lan_prerouting
[0:0] -A PREROUTING -i br-wan -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[1172:90786] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[881:71304] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[0:0] -A POSTROUTING -o eth1.4 -m comment --comment "!fw3" -j zone_lan_postrouting
[0:0] -A POSTROUTING -o br-wan -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[881:71304] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[881:71304] -A zone_lan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[189983:62453542] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[0:0] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[0:0] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[0:0] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Fri May 22 06:43:30 2020
# Generated by iptables-save v1.6.2 on Fri May 22 06:43:30 2020
*mangle
:PREROUTING ACCEPT [309113:73846753]
:INPUT ACCEPT [108791:10421934]
:FORWARD ACCEPT [14645:1262695]
:OUTPUT ACCEPT [103876:18308189]
:POSTROUTING ACCEPT [109022:18914153]
[0:0] -A FORWARD -o br-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Fri May 22 06:43:30 2020
# Generated by iptables-save v1.6.2 on Fri May 22 06:43:30 2020
*filter
:INPUT ACCEPT [694:53174]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [848:71232]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[2514:261813] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[106283:10160521] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[89768:8784012] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[15832:1323907] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[0:0] -A INPUT -i eth1.4 -m comment --comment "!fw3" -j zone_lan_input
[0:0] -A INPUT -i br-wan -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[14645:1262695] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[1151:256294] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[4577:386970] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth1.4 -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i br-wan -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[9389:645863] -A FORWARD -m comment --comment "!fw3" -j reject
[2514:261813] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[101269:18037068] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[100046:17938081] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[375:27755] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[0:0] -A OUTPUT -o eth1.4 -m comment --comment "!fw3" -j zone_lan_output
[0:0] -A OUTPUT -o br-wan -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
[156:7908] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[9233:637955] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[13:520] -A zone_lan_dest_ACCEPT -o br-lan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[4467:387773] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_dest_ACCEPT -o eth1.4 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_lan_dest_ACCEPT -o eth1.4 -m comment --comment "!fw3" -j ACCEPT
[4577:386970] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[4577:386970] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[4577:386970] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[15832:1323907] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[15832:1323907] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[375:27755] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[375:27755] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[15821:1323335] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_src_ACCEPT -i eth1.4 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o br-wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_wan_dest_ACCEPT -o br-wan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o br-wan -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[0:0] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[0:0] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[0:0] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wan_src_REJECT -i br-wan -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Fri May 22 06:43:30 2020
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.100/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
10: eth1.4@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.5.100/24 brd 192.168.5.255 scope global eth1.4
       valid_lft forever preferred_lft forever
34: vpns0: <POINTOPOINT,UP,LOWER_UP> mtu 1434 qdisc fq_codel state UNKNOWN qlen 500
    inet 192.168.1.249 peer 192.168.1.250/32 scope global vpns0
       valid_lft forever preferred_lft forever
default via 192.168.1.254 dev br-lan
192.168.1.0/24 dev br-lan scope link  src 192.168.1.100
192.168.1.250 dev vpns0 scope link  src 192.168.1.249
192.168.5.0/24 dev eth1.4 scope link  src 192.168.5.100
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
broadcast 192.168.1.0 dev br-lan table local scope link  src 192.168.1.100
local 192.168.1.100 dev br-lan table local scope host  src 192.168.1.100
local 192.168.1.249 dev vpns0 table local scope host  src 192.168.1.249
broadcast 192.168.1.255 dev br-lan table local scope link  src 192.168.1.100
broadcast 192.168.5.0 dev eth1.4 table local scope link  src 192.168.5.100
local 192.168.5.100 dev eth1.4 table local scope host  src 192.168.5.100
broadcast 192.168.5.255 dev eth1.4 table local scope link  src 192.168.5.100
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

Does this help?
I have changed the VPN subnet to 192.168.1.248/29 with proxy arp checked for testing but the result is the same.

Remove this from interface lan4.

lan firewall zone has a lot of weird interfaces, like _WAN _wan wwan_1. Do a cleanup.
Why is there masquerade enabled on lan interface?
In which zone is vpns0 assigned?
Remove the bridge from wan interface.
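
As an added example (not from the thread and not OpenWrt/fw3 code), the check behind "In which zone is vpns0 assigned?" can be mechanised against the `iptables-save -c` output posted above. fw3 dispatches packets into its per-zone chains purely through `-i`/`-o` rules in INPUT, FORWARD and OUTPUT; an interface that belongs to no zone gets no such rule and falls through to whatever the root chain does last, which in the posted dump is the ACCEPT policy for INPUT and the trailing `-j reject` for FORWARD. That is consistent with what was observed: the router itself answers on vpns0 (INPUT), while anything that must be forwarded towards br-lan is rejected before it reaches the bridge. The script parses the filter table and reports, per root chain, the zone chain handling a given interface or the verdict it falls through to. The embedded dump is a constructed excerpt of the one posted above; negated matches (`! -i`) and wildcard device names (`vpns+`) are not handled.

```python
import shlex

# Constructed excerpt of the `iptables-save -c` filter table posted above
# (other tables and the zone-internal chains are omitted for brevity).
SAMPLE = """\
*filter
:INPUT ACCEPT [694:53174]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [848:71232]
:forwarding_rule - [0:0]
:input_rule - [0:0]
:output_rule - [0:0]
:reject - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_wan_forward - [0:0]
[2514:261813] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[106283:10160521] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[89768:8784012] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[15832:1323907] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[14645:1262695] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[1151:256294] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[4577:386970] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[9389:645863] -A FORWARD -m comment --comment "!fw3" -j reject
[101269:18037068] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[375:27755] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[156:7908] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[9233:637955] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def parse_filter(dump):
    """Return (policies, rules) for the *filter table of an iptables-save dump.
    rules[chain] is an ordered list of dicts (in/out/target/conditional);
    'conditional' marks any match other than -i/-o (conntrack, -p, ports...)."""
    policies, rules, table = {}, {}, None
    for line in dump.splitlines():
        if line.startswith("*"):
            table = line[1:].strip()
            continue
        if table != "filter" or not line or line[0] == "#" or line == "COMMIT":
            continue
        if line.startswith(":"):
            chain, policy = line[1:].split()[:2]   # ':FORWARD DROP [0:0]'
            policies[chain] = policy               # '-' for user-defined chains
            rules.setdefault(chain, [])
            continue
        toks = shlex.split(line)
        rule = {"in": None, "out": None, "target": None, "conditional": False}
        chain, i = None, 0
        while i < len(toks):
            t = toks[i]
            if t.startswith("["):                  # packet:byte counters from -c
                i += 1
            elif t == "-A":
                chain, i = toks[i + 1], i + 2
            elif t == "-i":
                rule["in"], i = toks[i + 1], i + 2
            elif t == "-o":
                rule["out"], i = toks[i + 1], i + 2
            elif t == "-m" and toks[i + 1] == "comment":
                i += 4                             # -m comment --comment "text": matches everything
            elif t == "-j":
                rule["target"] = toks[i + 1]       # anything after -j is target options
                break
            else:
                rule["conditional"], i = True, i + 1
        if chain and rule["target"]:
            rules.setdefault(chain, []).append(rule)
    return policies, rules


def fallthrough(chain, policies, rules, depth=0):
    """Verdict for a packet matching none of the chain's conditional rules: the
    first unconditional terminating rule (following jumps into user chains such
    as fw3's `reject`), else the chain policy; None when a user chain returns."""
    for r in rules.get(chain, []):
        if r["conditional"] or r["in"] or r["out"]:
            continue
        if r["target"] in TERMINAL:
            return r["target"]
        if r["target"] == "RETURN":
            break
        if depth < 8:
            sub = fallthrough(r["target"], policies, rules, depth + 1)
            if sub is not None:
                return sub
    policy = policies.get(chain, "-")
    return None if policy == "-" else policy


def dispatch_for(dump, iface):
    """Map INPUT/FORWARD/OUTPUT to the fw3 zone chain handling `iface` (fw3 keys
    on -i for INPUT/FORWARD and -o for OUTPUT), or to the fall-through verdict
    when no zone rule names the interface at all."""
    policies, rules = parse_filter(dump)
    result = {}
    for chain, key in (("INPUT", "in"), ("FORWARD", "in"), ("OUTPUT", "out")):
        zone = next((r["target"] for r in rules.get(chain, [])
                     if r[key] == iface and r["target"].startswith("zone_")), None)
        result[chain] = zone or fallthrough(chain, policies, rules)
    return result


if __name__ == "__main__":
    for dev in ("br-lan", "eth0.2", "vpns0"):
        print(dev, dispatch_for(SAMPLE, dev))
```

Replace SAMPLE with the full `iptables-save -c` output and query the interface ocserv created. A result with no `zone_*` name and REJECT for FORWARD means the interface is in no fw3 zone, which points at /etc/config/firewall rather than at ocserv's route configuration.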

Actually the issue is not with the WAN or LAN interfaces or bridging, and my OpenWrt router is not even exposed to the internet except for the OCSERV (OpenConnect) VPN service (which is port forwarded through my firewall). It doesn't have a WAN interface right now and it's only used as a switch and AP, and the WAN interface is bridged with LAN. The only thing I am trying to do now is set up OCSERV (OpenConnect Server) on my OpenWrt router. I was able to do that successfully, and that's why you are seeing the vpns0 interface in the output I sent; it doesn't show up in the GUI and so cannot be managed through the GUI. It only comes up when a tunnel is built.

My problem here is with the split tunneling setup in OCSERV. Once connected to the OC VPN, the only host I can connect to is the OpenWrt router, even if I specify the split tunnel in the OCSERV configuration. I think the iptables firewall is blocking traffic between the vpns0 and br-lan interfaces, but I couldn't identify any such rule from the config, as I don't see anything related to vpns0 in it.

Any idea where it's getting dropped? I tried a tcpdump capture of ICMP traffic on both vpns0 and br-lan; I see traffic exiting the vpns0 interface but not reaching the br-lan interface.

Thank you for taking a look.

Bob

That is not the case with your configuration. Lan is a bridge with eth1.1 interface and wan is another bridge with eth0.2 interface. Furthermore they belong to different firewall zones.

Anyway, since you didn't answer my questions I'll leave the guide here, so you can have a look. It covers the firewall settings, as well as the fact that the ocserv network will be part of the lan.

Basically there is no WAN in the OpenWrt router; only LAN is currently configured, and OCSERV is also terminating on the LAN and not on the WAN. The outside traffic will be hitting the inside/LAN interface of the OpenWrt router directly, as the traffic is coming through another firewall and the OpenWrt is on the inside; there is a port forward configured to forward the SSL traffic.