OpenVPN client working, need access to SMB on LAN side

DonJuane · February 2, 2026, 4:07pm

I have an OpenWRT router in my home serving a fiber connection. The network is 192.168.8.x

In one of the LAN ports I have another OpenWRT router that boots a OpenVPN client to a remote VPN service. This network is 192.168.9.x. On the dedicated OpenVPN router, I would like to add a CIFS mount to 192.168.8.88 NAS server on the WAN side of the dedicated OpenVPN client router. The software running on the OpenVPN client would not be able to route via the WAN gateway other than to this Samba share. (Having the entire 192.168.8.x subnet on the WAN side of the OpenVPN dedicated router would be acceptibel as long as at least Samba share could be CIFS mounted. Is this possible?

I can access the gateway router control panel of 192.168.8.1 on the OpenVPN-routed network but I can’t reach any other device on the 192.168.8.x network (WAN gateway connection of the 192.168.9.1 dedicated OpenVPN client).

Adding the following to the firewall just halted OpenVPN from working:

config rule
option name 'Allow-NetBIOS-UDP-WAN'
option src 'wan'
option dest 'lan'
option proto 'udp'
option dest_port '137 138'
option target 'ACCEPT'

config rule
option name 'Allow-NetBIOS-TCP-WAN'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option dest_port '139'
option target 'ACCEPT'

egc · February 2, 2026, 4:12pm

It can help if you show us your configs. Please connect to your OpenWRT device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button

Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have but do not redact private RFC 1918 IP addresses as that is not needed:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
ip route show
ip -6 route show

DonJuane · February 2, 2026, 4:42pm

root@OpenWrt:~# ubus call system board
{
"kernel": "6.6.119",
"hostname": "OpenWrt",
"system": "ARMv7 Processor rev 1 (v7l)",
"model": "Linksys WRT1200AC",
"board_name": "linksys,wrt1200ac",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "24.10.5",
"revision": "r29087-d9c5716d1d",
"target": "mvebu/cortexa9",
"description": "OpenWrt 24.10.5 r29087-d9c5716d1d",
"builddate": "1766005702"
}
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'

config globals 'globals'
option ula_prefix 'fd00:6d1a:(redacted)::/48'
option packet_steering '1'

config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'

config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.9.1'
option netmask '255.255.255.0'
option ip6assign '60'

config device
option name 'wan'


config interface 'wan'
option device 'wan'
option proto 'dhcp'
option peerdns '0'

user add:

    list dns '103.86.96.100'
    list dns '103.86.99.100'

config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'

config interface 'ovpn'
option proto 'none'
option device 'tun0'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'

config include
option path '/etc/firewall.user'

config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'

config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'

config forwarding
option src 'lan'
option dest 'wan'

config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'

config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'

config zone 'ovpnfw'
option forward 'REJECT'
option network 'ovpn'
option output 'ACCEPT'
option name 'ovpnfw'
option masq '1'
option mtu_fix '1'
option input 'REJECT'

config forwarding
option dest 'ovpnfw'
option src 'lan'

root@OpenWrt:~# ip route show
0.0.0.0/1 via 10.100.0.1 dev tun0
default via 192.168.8.1 dev wan proto static src 192.168.8.107
10.100.0.0/16 dev tun0 proto kernel scope link src 10.100.0.2
128.0.0.0/1 via 10.100.0.1 dev tun0
192.154.(redacted).(redacted) via 192.168.8.1 dev wan
192.168.8.0/24 dev wan proto kernel scope link src 192.168.8.107
192.168.9.0/24 dev br-lan proto kernel scope link src 192.168.9.1

root@OpenWrt:~# ip -6 route show
fd00:6d1a:(redacted)::/64 dev br-lan proto static metric 1024 pref medium
unreachable fd00:6d1a:(redacted)::/48 dev lo proto static metric 2147483647 pref medium
fd69:5a34:(redacted)::/48 from fd69:5a34:(redacted)::710 via fe80::9683:c4ff:fec4:(redacted) dev wan proto static metric 512 pref medium
fd69:5a34:(redacted)::/48 from fd69:5a34:(redacted)::/64 via fe80::9683:c4ff:fec4:(redacted) dev wan proto static metric 512 pref medium
fd69:5a34:(redacted)::/48 from fd69:5a34:(redacted):4::/62 via fe80::9683:c4ff:fec4:(redacted) dev wan proto static metric 512 pref medium
fd69:5a34:(redacted)::/64 dev wan proto static metric 256 pref medium
unreachable fd69:5a34:(redacted)::/64 dev lo proto static metric 2147483647 pref medium
fd69:5a34:(redacted):4::/64 dev br-lan proto static metric 1024 pref medium
unreachable fd69:5a34:(redacted):4::/62 dev lo proto static metric 2147483647 pref medium
fd69:5a34:(redacted):8::/64 from fd69:5a34:(redacted)::710 via fe80::1c68:7690:de88:(redacted) dev wan proto static metric 512 pref medium
fd69:5a34:(redacted):8::/64 from fd69:5a34:(redacted)::/64 via fe80::1c68:7690:de88:(redacted) dev wan proto static metric 512 pref medium
fd69:5a34:(redacted):8::/64 from fd69:5a34:(redacted):4::/62 via fe80::1c68:7690:de88:(redacted) dev wan proto static metric 512 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev wan proto kernel metric 256 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
root@OpenWrt:~#

egc · February 2, 2026, 4:56pm

DonJuane:

config rule
option name 'Allow-NetBIOS-UDP-WAN'
option src 'wan'
option dest 'lan'
option proto 'udp'
option dest_port '137 138'
option target 'ACCEPT'

config rule
option name 'Allow-NetBIOS-TCP-WAN'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option dest_port '139'
option target 'ACCEPT'

switch src and dest

You already have a route to 192.168.8.0/24 so opening up the firewall to allow traffic should suffice.
If that does not help for testing just add:

config rule
	option src 'lan'
	option dest 'wan'
	option name 'allow-to-8'
	list proto 'all'
	list dest_ip '192.168.8.0/24'
	option target 'ACCEPT'

That should allow all traffic from lan zone to 192.168.8.0/24

DonJuane · February 2, 2026, 7:06pm

That works well - THANKS!

Another question, would I be guaranteed that a software package such as transmission daemon would be communicating strictly over the active client tunnel to the commercial VPN offering I am attached to? I can’t read these but can you decipher? Thanks in advance.

root@OpenWrt:~# ip route show
0.0.0.0/1 via 10.100.0.1 dev tun0
default via 192.168.8.1 dev wan proto static src 192.168.8.107
10.100.0.0/16 dev tun0 proto kernel scope link src 10.100.0.2
128.0.0.0/1 via 10.100.0.1 dev tun0
192.154.(red).(red) via 192.168.8.1 dev wan
192.168.8.0/24 dev wan proto kernel scope link src 192.168.8.107
192.168.9.0/24 dev br-lan proto kernel scope link src 192.168.9.1

root@OpenWrt:~# ip -6 route show
fd00:6d1a:5d0c::/64 dev br-lan proto static metric 1024 pref medium
unreachable fd00:6d1a:5d0c::/48 dev lo proto static metric 2147483647 pref medium
fd69:5a34:(red)::/48 from fd69:5a34:(red)::710 via fe80::9683:c4ff:fec4:(red) dev wan proto static metric 512 pref medium
fd69:5a34:(red)::/48 from fd69:5a34:(red)::/64 via fe80::9683:c4ff:fec4:(red) dev wan proto static metric 512 pref medium
fd69:5a34:(red)::/48 from fd69:5a34:(red):4::/62 via fe80::9683:c4ff:fec4:(red) dev wan proto static metric 512 pref medium
fd69:5a34:(red)::/64 dev wan proto static metric 256 pref medium
unreachable fd69:5a34:(red)::/64 dev lo proto static metric 2147483647 pref medium
fd69:5a34:(red):4::/64 dev br-lan proto static metric 1024 pref medium
unreachable fd69:5a34:(red):4::/62 dev lo proto static metric 2147483647 pref medium
fd69:5a34:(red):8::/64 from fd69:5a34:(red)::710 via fe80::1c68:7690:de88:(red) dev wan proto static metric 512 pref medium
fd69:5a34:(red):8::/64 from fd69:5a34:(red)::/64 via fe80::1c68:7690:de88:(red) dev wan proto static metric 512 pref medium
fd69:5a34:(red):8::/64 from fd69:5a34:(red):4::/62 via fe80::1c68:7690:de88:(red) dev wan proto static metric 512 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev wan proto kernel metric 256 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
root@OpenWrt:~#

(red) = redacted info

egc · February 2, 2026, 7:16pm

If you run transmission on the router that is not guaranteed as the router itself has access via the wan. Transmission usually uses defined ports and you can make traffic rules to block those ports going out via the wan

If you run transmission on one of your lan clients then you should be good as lan clients can only have access via the VPN or to 192.168.8.X

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks!