I am using 19.07.5 on a GL.iNet X750. I am using a 3g/4g internet connection from the device and have OpenVPN configured and working.
I would like to enable a 'guest' wifi which does not use the VPN.
I added the guest wifi (called No VPN) but of course both wifis are using the VPN.
Any help configuring this is much appreciated! BTW, if I 'stop' my OpenVPN connection, I lose internet connection - and I would like to maintain this behavior (so if OpenVPN stops, I get no internet on the VPN wifi) - of course my No VPN wifi should keep working....
You seem to assume it's self-evident, but it's not. It shows your 'guest' WiFi is really just piggybacking on your normal WiFi. There's no separation between both.
You should split out your guest network. All you have, at present, is just another SSID, but it's still on your LAN, just like all your other clients. It's nothing more than a façade at this point. To start, assign a different subnet to your guest network (so you really isolate it from the remainder of your network).
When you have done that you will have a different zone in your firewall for the guest network, and your LAN -> VPN forwarding rule will only apply to the devices on your LAN, not on your guest SSID - that will have its own isolated network.
Ok, thank you.... So I have set up a true separate guest wifi, with a different subnet. Do I still need mwan3 installed?
Currently, with OpenVPN started, 'My VPN' wifi works, but the 'guest' wifi has no internet connection.
With OpenVPN stopped, neither wifi has internet.
root@OpenWrt:~# uci show vpn-policy-routing; /etc/init.d/vpn-policy-routing support
vpn-policy-routing.config=vpn-policy-routing
vpn-policy-routing.config.verbosity='2'
vpn-policy-routing.config.strict_enforcement='1'
vpn-policy-routing.config.src_ipset='0'
vpn-policy-routing.config.dest_ipset='dnsmasq.ipset'
vpn-policy-routing.config.ipv6_enabled='0'
vpn-policy-routing.config.supported_interface=''
vpn-policy-routing.config.ignored_interface='vpnserver wgserver'
vpn-policy-routing.config.boot_timeout='30'
vpn-policy-routing.config.iptables_rule_option='append'
vpn-policy-routing.config.iprule_enabled='0'
vpn-policy-routing.config.webui_enable_column='0'
vpn-policy-routing.config.webui_protocol_column='0'
vpn-policy-routing.config.webui_chain_column='0'
vpn-policy-routing.config.webui_sorting='1'
vpn-policy-routing.config.webui_supported_protocol='tcp' 'udp' 'tcp udp' 'icmp' 'all'
vpn-policy-routing.config.enabled='1'
vpn-policy-routing.@include[0]=include
vpn-policy-routing.@include[0].path='/etc/vpn-policy-routing.netflix.user'
vpn-policy-routing.@include[0].enabled='0'
vpn-policy-routing.@include[1]=include
vpn-policy-routing.@include[1].path='/etc/vpn-policy-routing.aws.user'
vpn-policy-routing.@include[1].enabled='0'
vpn-policy-routing.wan=policy
vpn-policy-routing.wan.src_addr='192.168.3.0/24'
vpn-policy-routing.wan.interface='wwan'
vpn-policy-routing 0.2.1-13 running on OpenWrt 19.07.5. WAN (IPv4): wwan_4/dev/202.9.116.148.
============================================================
Dnsmasq version 2.80 Copyright (c) 2000-2018 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth nettlehash DNSSEC no-ID loop-detect inotify dumpfile
============================================================
Routes/IP Rules
default 10.8.0.13 128.0.0.0 UG 0 0 0 tun0
default 202.x.xxx.xxx.s 0.0.0.0 UG 0 0 0 wwan0
IPv4 Table 201: 0.0.0.0/1 via 10.8.0.13 dev tun0
unreachable default
10.8.0.9 via 10.8.0.13 dev tun0 metric 1
10.8.0.13 dev tun0 proto kernel scope link src 10.8.0.14
128.0.0.0/1 via 10.8.0.13 dev tun0
173.xxx.xxx.x via 202.x.xxx.xxx dev wwan0
192.168.3.0/24 dev br-guest proto kernel scope link src 192.168.3.1
202.x.xxx.xxx/29 dev wwan0 proto kernel scope link src 202.x.xxx.xxx
IPv4 Table 201 Rules:
32754: from all fwmark 0x10000/0xff0000 lookup 201
IPv4 Table 202: 0.0.0.0/1 via 10.8.0.13 dev tun0
default via 202.9.116.147 dev wwan0
10.8.0.9 via 10.8.0.13 dev tun0 metric 1
10.8.0.13 dev tun0 proto kernel scope link src 10.8.0.14
128.0.0.0/1 via 10.8.0.13 dev tun0
173.xxx.xxx.x via 202.x.xxx.xxx dev wwan0
192.168.3.0/24 dev br-guest proto kernel scope link src 192.168.3.1
202.x.xxx.xxx/29 dev wwan0 proto kernel scope link src 202.x.xxx.xxx
IPv4 Table 202 Rules:
32753: from all fwmark 0x20000/0xff0000 lookup 202
IPv4 Table 203: 0.0.0.0/1 via 10.8.0.13 dev tun0
default via 192.168.3.1 dev br-guest
10.8.0.9 via 10.8.0.13 dev tun0 metric 1
10.8.0.13 dev tun0 proto kernel scope link src 10.8.0.14
128.0.0.0/1 via 10.8.0.13 dev tun0
173.xxx.xxx.x via 202.x.xxx.xxx dev wwan0
192.168.3.0/24 dev br-guest proto kernel scope link src 192.168.3.1
202.x.xxx.xxx/29 dev wwan0 proto kernel scope link src 202.x.xxx.xxx
IPv4 Table 203 Rules:
32761: from all fwmark 0x30000/0xff0000 lookup 203
============================================================
IP Tables PREROUTING
-N VPR_PREROUTING
-A VPR_PREROUTING -m set --match-set wwan dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
IP Tables FORWARD
-N VPR_FORWARD
-A VPR_FORWARD -m set --match-set wwan dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_FORWARD -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
IP Tables INPUT
-N VPR_INPUT
-A VPR_INPUT -m set --match-set wwan dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_INPUT -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
IP Tables OUTPUT
-N VPR_OUTPUT
-A VPR_OUTPUT -m set --match-set wwan dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_OUTPUT -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
Current ipsets
create wan hash:net family inet hashsize 1024 maxelem 65536 comment
create wwan hash:net family inet hashsize 1024 maxelem 65536 comment
create guest hash:net family inet hashsize 1024 maxelem 65536 comment
============================================================
Your support details have been logged to '/var/vpn-policy-routing-support'. [✓]
root@OpenWrt:~#
Thank you, I have applied those changes... VPN wifi working, guest wifi no internet.....
root@OpenWrt:~# uci set vpn-policy-routing.wan.dest_addr="!192.168.0.0/22"
root@OpenWrt:~# uci commit vpn-policy-routing
root@OpenWrt:~# /etc/init.d/vpn-policy-routing restart
Creating table 'wan/eth1/0.0.0.0' [✓]
Creating table 'wwan/wwan0/202.x.xxx.xxx' [✓]
Creating table 'vpn/tun0/10.8.0.14' [✓]
Routing 'blank' via wwan [✗]
vpn-policy-routing 0.2.1-13 started with gateways:
wan/eth1/0.0.0.0
wwan/wwan0/202.x.xxx.xxx
vpn/tun0/10.8.0.14 [✓]
ERROR: Unknown protocol 'dhcp' in policy 'blank'##
vpn-policy-routing 0.2.1-13 monitoring interfaces: wan wwan vpn .
root@OpenWrt:~# /etc/init.d/vpn-policy-routing support
vpn-policy-routing 0.2.1-13 running on OpenWrt 19.07.5. WAN (IPv4): wwan_4/dev/202.x.xxx.xxx.
============================================================
Dnsmasq version 2.80 Copyright (c) 2000-2018 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth nettlehash DNSSEC no-ID loop-detect inotify dumpfile
============================================================
Routes/IP Rules
default 10.8.0.13 128.0.0.0 UG 0 0 0 tun0
default 202.x.xxx.xxx.s 0.0.0.0 UG 0 0 0 wwan0
IPv4 Table 201: unreachable default
173.xxx.xxx.x via 202.9.116.148 dev wwan0
192.168.3.0/24 dev br-guest proto kernel scope link src 192.168.3.1
202.x.xxx.xxx/29 dev wwan0 proto kernel scope link src 202.x.xxx.xxx
IPv4 Table 201 Rules:
32753: from all fwmark 0x10000/0xff0000 lookup 201
IPv4 Table 202: default via 202.x.xxx.xxx dev wwan0
173.xxx.xxx.x via 202.x.xxx.xxx dev wwan0
192.168.3.0/24 dev br-guest proto kernel scope link src 192.168.3.1
202.x.xxx.xxx/29 dev wwan0 proto kernel scope link src 202.x.xxx.xxx
IPv4 Table 202 Rules:
32752: from all fwmark 0x20000/0xff0000 lookup 202
IPv4 Table 203: default via 10.8.0.14 dev tun0
173.xxx.xxx.x via 202.x.xxx.xxx dev wwan0
192.168.3.0/24 dev br-guest proto kernel scope link src 192.168.3.1
202.x.xxx.xxx/29 dev wwan0 proto kernel scope link src 202.x.xxx.xxx
IPv4 Table 203 Rules:
32751: from all fwmark 0x30000/0xff0000 lookup 203
============================================================
IP Tables PREROUTING
-N VPR_PREROUTING
-A VPR_PREROUTING -m set --match-set vpn dst -c 0 0 -j MARK --set-xmark 0x30000/0xff0000
-A VPR_PREROUTING -m set --match-set wwan dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
IP Tables FORWARD
-N VPR_FORWARD
-A VPR_FORWARD -m set --match-set vpn dst -c 0 0 -j MARK --set-xmark 0x30000/0xff0000
-A VPR_FORWARD -m set --match-set wwan dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_FORWARD -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
IP Tables INPUT
-N VPR_INPUT
-A VPR_INPUT -m set --match-set vpn dst -c 0 0 -j MARK --set-xmark 0x30000/0xff0000
-A VPR_INPUT -m set --match-set wwan dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_INPUT -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
IP Tables OUTPUT
-N VPR_OUTPUT
-A VPR_OUTPUT -m set --match-set vpn dst -c 0 0 -j MARK --set-xmark 0x30000/0xff0000
-A VPR_OUTPUT -m set --match-set wwan dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_OUTPUT -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
Current ipsets
create wan hash:net family inet hashsize 1024 maxelem 65536 comment
create wwan hash:net family inet hashsize 1024 maxelem 65536 comment
create vpn hash:net family inet hashsize 1024 maxelem 65536 comment
============================================================
Your support details have been logged to '/var/vpn-policy-routing-support'. [✓]
root@OpenWrt:~#
Thanks for all your help.... sorry we are not quite there yet....
Ping from guest network:
C:\Users\Andrew>ping 8.8.8.8
Pinging 8.8.8.8 with 32 bytes of data:
Reply from 192.168.3.1: Destination port unreachable.
Reply from 192.168.3.1: Destination port unreachable.
Reply from 192.168.3.1: Destination port unreachable.
Reply from 192.168.3.1: Destination port unreachable.
Ping statistics for 8.8.8.8:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
C:\Users\Andrew>ping openwrt.org
Pinging openwrt.org [139.59.209.225] with 32 bytes of data:
Reply from 192.168.3.1: Destination port unreachable.
Reply from 192.168.3.1: Destination port unreachable.
Reply from 192.168.3.1: Destination port unreachable.
Reply from 192.168.3.1: Destination port unreachable.
Ping statistics for 139.59.209.225:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
C:\Users\Andrew>
root@OpenWrt:~# /etc/init.d/vpn-policy-routing support
vpn-policy-routing 0.2.1-13 running on OpenWrt 19.07.5. WAN (IPv4): wwan_4/dev/202.9.116.148.
============================================================
Dnsmasq version 2.80 Copyright (c) 2000-2018 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth nettlehash DNSSEC no-ID loop-detect inotify dumpfile
============================================================
Routes/IP Rules
default 10.8.0.13 128.0.0.0 UG 0 0 0 tun0
default 202.x.xxx.xxx.s 0.0.0.0 UG 0 0 0 wwan0
IPv4 Table 201: unreachable default
173.xxx.xxx.x via 202.x.xxx.xxx dev wwan0
192.168.3.0/24 dev br-guest proto kernel scope link src 192.168.3.1
202.x.xxx.xxx/29 dev wwan0 proto kernel scope link src 202.x.xxx.xxx
IPv4 Table 201 Rules:
32756: from all fwmark 0x10000/0xff0000 lookup 201
IPv4 Table 202: default via 202.9.116.147 dev wwan0
173.xxx.xxx.x via 202.x.xxx.xxx dev wwan0
192.168.3.0/24 dev br-guest proto kernel scope link src 192.168.3.1
202.x.xxx.xxx/29 dev wwan0 proto kernel scope link src 202.x.xxx.xxx
IPv4 Table 202 Rules:
32755: from all fwmark 0x20000/0xff0000 lookup 202
IPv4 Table 203: default via 10.8.0.14 dev tun0
173.xxx.xxx.x via 202.x.xxx.xxx dev wwan0
192.168.3.0/24 dev br-guest proto kernel scope link src 192.168.3.1
202.x.xxx.xxx/29 dev wwan0 proto kernel scope link src 202.x.xxx.xxx
IPv4 Table 203 Rules:
32754: from all fwmark 0x30000/0xff0000 lookup 203
============================================================
IP Tables PREROUTING
-N VPR_PREROUTING
-A VPR_PREROUTING -s 192.168.3.0/24 ! -d 192.168.0.0/22 -m comment --comment blank -c 1561 98421 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set vpn dst -c 0 0 -j MARK --set-xmark 0x30000/0xff0000
-A VPR_PREROUTING -m set --match-set wwan dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
IP Tables FORWARD
-N VPR_FORWARD
-A VPR_FORWARD -m set --match-set vpn dst -c 0 0 -j MARK --set-xmark 0x30000/0xff0000
-A VPR_FORWARD -m set --match-set wwan dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_FORWARD -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
IP Tables INPUT
-N VPR_INPUT
-A VPR_INPUT -m set --match-set vpn dst -c 0 0 -j MARK --set-xmark 0x30000/0xff0000
-A VPR_INPUT -m set --match-set wwan dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_INPUT -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
IP Tables OUTPUT
-N VPR_OUTPUT
-A VPR_OUTPUT -m set --match-set vpn dst -c 0 0 -j MARK --set-xmark 0x30000/0xff0000
-A VPR_OUTPUT -m set --match-set wwan dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_OUTPUT -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
Current ipsets
create wan hash:net family inet hashsize 1024 maxelem 65536 comment
create wwan hash:net family inet hashsize 1024 maxelem 65536 comment
create vpn hash:net family inet hashsize 1024 maxelem 65536 comment
============================================================
Your support details have been logged to '/var/vpn-policy-routing-support'. [✓]
root@OpenWrt:~#
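
Added example (not part of the original thread): a small Python tracer that reads lines taken from the last support dump above and reports which fwmark, routing table and egress device a forwarded packet gets. The function name `trace`, the client addresses and the redacted gateway are assumptions; ipset-based rules are skipped because every ipset in the dump is empty.

```python
import ipaddress
import re

# Lines taken from the last support dump in the thread (gateway kept redacted).
SUPPORT_DUMP = """\
IPv4 Table 201: unreachable default
IPv4 Table 201 Rules:
32756: from all fwmark 0x10000/0xff0000 lookup 201
IPv4 Table 202: default via 202.x.xxx.xxx dev wwan0
IPv4 Table 202 Rules:
32755: from all fwmark 0x20000/0xff0000 lookup 202
IPv4 Table 203: default via 10.8.0.14 dev tun0
IPv4 Table 203 Rules:
32754: from all fwmark 0x30000/0xff0000 lookup 203
-A VPR_PREROUTING -s 192.168.3.0/24 ! -d 192.168.0.0/22 -m comment --comment blank -c 1561 98421 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set vpn dst -c 0 0 -j MARK --set-xmark 0x30000/0xff0000
"""


def trace(src, dst, dump=SUPPORT_DUMP):
    """Return (fwmark, table, egress) for a forwarded packet src -> dst."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    mark = None
    for line in dump.splitlines():
        # Skip ipset-based rules: the ipsets listed in the dump have no members.
        if not line.startswith("-A VPR_PREROUTING") or "--match-set" in line:
            continue
        s = re.search(r"(?<!\S)-s (\S+)", line)
        d = re.search(r"(! )?(?<!\S)-d (\S+)", line)
        if s and src_ip not in ipaddress.ip_network(s.group(1)):
            continue
        if d:
            inside = dst_ip in ipaddress.ip_network(d.group(2))
            if inside == bool(d.group(1)):  # "! -d" matches only outside the net
                continue
        # MARK does not end chain traversal, so the last matching rule wins.
        mark = re.search(r"--set-xmark (0x[0-9a-f]+)/", line).group(1)
    if mark is None:
        return (None, "main", None)  # unmarked packets use the main table
    rule = re.search(rf"fwmark {mark}/\S+ lookup (\d+)", dump)
    if rule is None:
        return (mark, None, None)  # marked, but no ip rule selects a table
    table = rule.group(1)
    route = re.search(rf"^IPv4 Table {table}: (.*)$", dump, re.M).group(1)
    dev = re.search(r"dev (\S+)", route)
    return (mark, table, dev.group(1) if dev else route)


if __name__ == "__main__":
    print(trace("192.168.3.50", "8.8.8.8"))       # constructed guest client
    print(trace("192.168.3.50", "192.168.1.10"))  # excluded by "! -d"
```

For a guest client reaching 8.8.8.8 the trace ends at wwan0, so the policy itself steers guest traffic around tun0; the firewall zone forwarding for the guest network is evaluated separately from this marking.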