OpenVPN on OpenWrt on router behind ISP router

UPDATE

I now have worked through the VPN guide and have the router using my VPN, and all items connected to it now go over the VPN. So Q3 is now also closed. However, it leads me to:

Q4. How do I set up policy based routing so only the specified machines use the VPN?

I have searched through the guides but cannot find anything on this subject. Are there any links you can give me to read up on? I am also going back through my older posts to see if the information is in there.

G

Pleased to report that I have found some guides, followed them and got the network working as I want. Connections now default to the Wan interface and I have set policy routing for the items that need it to go via Tun0 to my VPN.

Thanks for the help offered.

Geoff

I'm glad you got it all working. Regarding Q2, I didn't realize you had it in bridging mode. However, when you have bridging mode the hosts connected to the OpenWrt will have the ISP router as gateway, as advertised by DHCP, and it will be a problem to statically assign OpenWrt as gateway for the VPN to work.

Back to Q2. When I am normally connected to my wireless LAN I can see both 10.0.0.1 and 192.168.1.1.

As soon as I open the VPN connection, I am restricted to 10.0.0.1. So it is the VPN connection causing the issue.

How do I add a link so that even with the VPN on I can still see the two LANs?

Geoff

Did you add a rule in policy routing to send packets to 192.168.1.0/24 via wan interface?

Hi Trendy,

Sorry for the delay in responding but we have been pretty occupied on other issues. Where do I add the rules for the routing? Under Network Static Routes?

Also, just posted another issue on combining two 4G routers via mwan3 and cannot get the second to work, and I suspect it is for the same reason. I need the LAN and router to be able to see the two routers and at the moment it is only seeing one of them. They are set to 192.168.1.0/24 and 192.168.0.0/24 and at the moment I can only access the 192.168.1.0/24 network router.

Is it a similar solution or something more complex I need to do? The other post is here:

Appreciate any input you can give.

Geoff

If you run mwan3 then it creates rules for all internal networks.
If not, you need to add them yourself. I am not sure which version you are running and if rules are available in LuCI. If not, you can add them manually.

Thanks Trendy.

I have now got it to work.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.

Unfortunately, I thought it was solved but it is not. Recap of my system: two 4G SIM card routers on 192.168.0.1 and 192.168.1.1 feeding into an OpenWrt router managing DHCP for the LAN on 10.0.0.1. Everything connected over wifi.

Without OpenVPN running my LAN machines can access 10.0.0.1 and 192.168.1.1 but not 192.168.0.1.

With OpenVPN running (either locally on the machine or through policy setting on the OpenWrt router)
my LAN machines can only access 10.0.0.1 and not 192.168.1.1 or 192.168.0.1.

So there are two issues. Accessing the 192.168.0.1 network under any circumstances and then accessing both under OpenVPN.

I am sure this is not hard to fix but I am not confident on what needs to be done or how to do it.

I assume it is all in static routing AND firewall policies but not sure how to start.

I am reading through previous posts but they tend to be specific and not generic solutions.

Geoff

Have read up and tried lots of options for routing but cannot get through to the 192.168.0.0/24 network. It is also on a router that cannot have static routes added to it. Should I invest in a second private 4G router or can I achieve it without adding routes to the 4G network side?

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; uci export wireless; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru

Thanks Trendy, a very merry xmas to you.

I have removed passwords and MAC numbers. Also removed a listing of static routes I tried but have disabled as they are irrelevant (I assume).

root@OpenWrt:~# ubus call system board; \
> uci export network; uci export wireless; \
> uci export dhcp; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
{
	"kernel": "5.4.179",
	"hostname": "OpenWrt",
	"system": "MediaTek MT7621 ver:1 eco:3",
	"model": "Newifi-D2",
	"board_name": "d-team,newifi-d2",
	"release": {
		"distribution": "OpenWrt",
		"version": "21.02.2",
		"revision": "r16495-bf0c965af0",
		"target": "ramips/mt7621",
		"description": "OpenWrt 21.02.2 r16495-bf0c965af0"
	}
}
package network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fd33:1ec6:00a8::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '10.0.0.1'
	list dns '192.168.1.1'
	list dns '8.8.8.8'
	list dns '8.8.4.4'
	list dns '10.0.0.1'
	list dns '192.168.0.1'
	list dns_search 'mbd'
	list dns_search 'lan'

config interface 'tun0'
	option proto 'none'
	option device 'tun0'

config device
	option type '8021q'
	option ifname 'lan4'
	option vid '1'
	option name 'lan4.1'
	option mtu '1500'

config interface 'wan_free'
	option proto 'static'
	option device 'wan'
	option ipaddr '192.168.1.20'
	option netmask '255.255.255.0'
	option gateway '192.168.1.1'
	option metric '10'

config interface 'wan_sfr'
	option proto 'static'
	option device 'lan4'
	option ipaddr '192.168.0.20'
	option netmask '255.255.255.0'
	option gateway '192.168.0.1'
	option metric '20'

package wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option encryption 'psk2'
	option key 'xxxxxxxxxxxxxxx'
	option ssid 'MBD'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
	option channel '36'
	option band '5g'
	option htmode 'VHT80'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option encryption 'psk2'
	option key 'xxxxxxxxxx'
	option ssid 'MBD'

package dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	option domain 'mbd'

config dhcp 'lan'
	option interface 'lan'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option start '151'
	option limit '49'
	option leasetime '12h'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config host
	option name 'GJJ-iMac24'
	option mac 'XX:XX:XX:XX:XX:XX'
	option ip '10.0.0.40'

config host
	option name 'JCP-Air'
	option dns '1'
	option mac 'XX:XX:XX:XX:XX:XX'
	option ip '10.0.0.45'

config host
	option name 'GJJ-AIR'
	option dns '1'
	option mac 'XX:XX:XX:XX:XX:XX'
	option ip '10.0.0.50'

config host
	option name 'HiSenseTV'
	option dns '1'
	option mac 'XX:XX:XX:XX:XX:XX'
	option ip '10.0.0.80'

config host
	option name 'Humax'
	option dns '1'
	option mac 'XX:XX:XX:XX:XX:XX'
	option ip '10.0.0.85'

config host
	option name 'SonosOne-L'
	option dns '1'
	option mac 'XX:XX:XX:XX:XX:XX'
	option ip '10.0.0.201'

config host
	option name 'SonosOne-R'
	option dns '1'
	option mac 'XX:XX:XX:XX:XX:XX'
	option ip '10.0.0.202'

config host
	option name 'SonosOneTV-Bar'
	option dns '1'
	option ip '10.0.0.203'

config host
	option name 'SonosOneTVBass'
	option dns '1'
	option ip '10.0.0.204'

config host
	option name 'SonosOneTV-L'
	option dns '1'
	option ip '10.0.0.205'

config host
	option name 'SonosOneTV-R'
	option dns '1'
	option ip '10.0.0.206'

config host
	option name 'Play1-L'
	option dns '1'
	option mac 'XX:XX:XX:XX:XX:XX'
	option ip '10.0.0.207'

config host
	option dns '1'
	option mac 'XX:XX:XX:XX:XX:XX'
	option name 'Play1-R'
	option ip '10.0.0.208'

config domain
	option name 'GJJ-iMac24'
	option ip '10.0.0.40'

config domain
	option name 'Humax'
	option ip '10.0.0.85'

config domain
	option name 'GJJ-Air'
	option ip '10.0.0.50'

config domain
	option name 'HiSenseTV'
	option ip '10.0.0.80'

config domain
	option name 'JCP-Air'
	option ip '10.0.0.45'

package firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list device 'tun0'
	list network 'tun0'
	list network 'wan_free'
	list network 'wan_sfr'
	option input 'REJECT'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

config include
	option path '/etc/firewall.user'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: lan4@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.0.20/24 brd 192.168.0.255 scope global lan4
       valid_lft forever preferred_lft forever
7: wan@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.20/24 brd 192.168.1.255 scope global wan
       valid_lft forever preferred_lft forever
10: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 10.0.0.1/24 brd 10.0.0.255 scope global br-lan
       valid_lft forever preferred_lft forever
14: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    inet 10.8.0.6/24 scope global tun0
       valid_lft forever preferred_lft forever
default via 192.168.1.1 dev wan table 1 proto static metric 10 
10.0.0.0/24 dev br-lan table 1 proto kernel scope link src 10.0.0.1 
10.8.0.0/24 dev tun0 table 1 proto kernel scope link src 10.8.0.6 
192.168.1.0/24 dev wan table 1 proto static scope link metric 10 
default via 192.168.0.1 dev lan4 table 2 proto static metric 20 
10.0.0.0/24 dev br-lan table 2 proto kernel scope link src 10.0.0.1 
10.8.0.0/24 dev tun0 table 2 proto kernel scope link src 10.8.0.6 
192.168.0.0/24 dev lan4 table 2 proto static scope link metric 20 
default via 10.8.0.6 dev tun0 table tun0 
default via 192.168.1.1 dev wan table wan_free 
default via 192.168.0.1 dev lan4 table wan_sfr 
default via 192.168.1.1 dev wan proto static metric 10 
default via 192.168.0.1 dev lan4 proto static metric 20 
10.0.0.0/24 dev br-lan proto kernel scope link src 10.0.0.1 
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6 
192.168.0.0/24 dev lan4 proto static scope link metric 20 
192.168.1.0/24 dev wan proto static scope link metric 10 
broadcast 10.0.0.0 dev br-lan table local proto kernel scope link src 10.0.0.1 
local 10.0.0.1 dev br-lan table local proto kernel scope host src 10.0.0.1 
broadcast 10.0.0.255 dev br-lan table local proto kernel scope link src 10.0.0.1 
broadcast 10.8.0.0 dev tun0 table local proto kernel scope link src 10.8.0.6 
local 10.8.0.6 dev tun0 table local proto kernel scope host src 10.8.0.6 
broadcast 10.8.0.255 dev tun0 table local proto kernel scope link src 10.8.0.6 
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
broadcast 192.168.0.0 dev lan4 table local proto kernel scope link src 192.168.0.20 
local 192.168.0.20 dev lan4 table local proto kernel scope host src 192.168.0.20 
broadcast 192.168.0.255 dev lan4 table local proto kernel scope link src 192.168.0.20 
broadcast 192.168.1.0 dev wan table local proto kernel scope link src 192.168.1.20 
local 192.168.1.20 dev wan table local proto kernel scope host src 192.168.1.20 
broadcast 192.168.1.255 dev wan table local proto kernel scope link src 192.168.1.20 
0:	from all lookup local
980:	from all fwmark 0x30000/0xff0000 lookup wan_sfr
981:	from all fwmark 0x20000/0xff0000 lookup wan_free
982:	from all fwmark 0x10000/0xff0000 lookup tun0
1001:	from all iif wan lookup 1
1002:	from all iif lan4 lookup 2
2001:	from all fwmark 0x100/0x3f00 lookup 1
2002:	from all fwmark 0x200/0x3f00 lookup 2
2061:	from all fwmark 0x3d00/0x3f00 blackhole
2062:	from all fwmark 0x3e00/0x3f00 unreachable
3001:	from all fwmark 0x100/0x3f00 unreachable
3002:	from all fwmark 0x200/0x3f00 unreachable
32766:	from all lookup main
32767:	from all lookup default
root@OpenWrt:~# 

Also, I misled you earlier. Everything on the LAN is wireless, but there are wired connections between the 4G routers and the OpenWrt router. I also have an IP phone that avoids the OpenWrt router on 192.168.1.65.

Also, you might like to know why I want to do this. Nothing fancy, I just want to be able to access the admin pages 192.168.1.1, 192.168.0.1 and 10.0.0.1 all from my LAN devices to control the network and reboot when problems occur. Currently I have to leave the WiFi on and change from the OpenWrt wireless to connect to the SFR wireless to access that router's admin page.

I would also like to be able to do this management whether or not the VPN is connected on the machine I am using.

Geoff
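To see why LAN hosts lose sight of 192.168.1.1 and 192.168.0.1 once their traffic is policy-routed to the VPN, and why a destination rule for those subnets (as suggested earlier in the thread) restores it, here is an added Python model of the kernel's rule/route lookup fed with a trimmed copy of the `ip -4 ru` and `ip -4 ro li tab all` output above. It is example code written for this page, not something from the thread or from OpenWrt; the policy list, `classify()`, the `egress()` helper and the mark-to-table mapping read off the rule lines are assumptions of the example, and mwan3's own 0x100/0x200 marks are left out.

```python
import ipaddress

# Constructed sample, trimmed from the `ip -4 ru` and `ip -4 ro li tab all`
# output posted above (local/broadcast routes and mwan3's own rules omitted).
RULES_TEXT = """\
980: from all fwmark 0x30000/0xff0000 lookup wan_sfr
981: from all fwmark 0x20000/0xff0000 lookup wan_free
982: from all fwmark 0x10000/0xff0000 lookup tun0
1001: from all iif wan lookup 1
1002: from all iif lan4 lookup 2
32766: from all lookup main
"""
ROUTES_TEXT = """\
default via 192.168.1.1 dev wan table 1 proto static metric 10
192.168.1.0/24 dev wan table 1 proto static scope link metric 10
default via 192.168.0.1 dev lan4 table 2 proto static metric 20
192.168.0.0/24 dev lan4 table 2 proto static scope link metric 20
default via 10.8.0.6 dev tun0 table tun0
default via 192.168.1.1 dev wan table wan_free
default via 192.168.0.1 dev lan4 table wan_sfr
default via 192.168.1.1 dev wan proto static metric 10
default via 192.168.0.1 dev lan4 proto static metric 20
10.0.0.0/24 dev br-lan proto kernel scope link src 10.0.0.1
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.0.0/24 dev lan4 proto static scope link metric 20
192.168.1.0/24 dev wan proto static scope link metric 10
"""
# fwmark that selects each policy table, read off the rule lines above (assumed mapping)
MARKS = {"tun0": 0x10000, "wan_free": 0x20000, "wan_sfr": 0x30000}


def parse_rules(text):
    """Parse `ip -4 ru` lines into (prio, iif, (mark, mask), table).
    Every rule on the page is 'from all', so source selectors are not modelled."""
    rules = []
    for line in text.splitlines():
        prio, _, rest = line.partition(":")
        tok = rest.split()
        iif = tok[tok.index("iif") + 1] if "iif" in tok else None
        mark = None
        if "fwmark" in tok:
            value, _, mask = tok[tok.index("fwmark") + 1].partition("/")
            mark = (int(value, 16), int(mask or "ffffffff", 16))
        rules.append((int(prio), iif, mark, tok[tok.index("lookup") + 1]))
    return sorted(rules, key=lambda r: r[0])


def parse_routes(text):
    """Group `ip -4 ro li tab all` lines by table; lines without 'table' are main."""
    tables = {}
    for line in text.splitlines():
        tok = line.split()
        dst = ipaddress.ip_network("0.0.0.0/0" if tok[0] == "default" else tok[0])
        opt = dict(zip(tok[1:], tok[2:]))  # 'via'/'dev'/'table'/'metric' word pairs
        route = (dst, opt["dev"], int(opt.get("metric", 0)))
        tables.setdefault(opt.get("table", "main"), []).append(route)
    return tables


def lookup(tables, table, dst):
    """Longest-prefix match, then lowest metric; None when the table has no route."""
    hits = [r for r in tables.get(table, []) if dst in r[0]]
    return min(hits, key=lambda r: (-r[0].prefixlen, r[2]))[1] if hits else None


def route_packet(rules, tables, dst, iif, fwmark=0):
    """Walk rules by priority as the kernel does: a matching rule whose table
    has no route for dst is skipped and the search continues with the next one."""
    dst = ipaddress.ip_address(dst)
    for _, rule_iif, mark, table in rules:
        if rule_iif is not None and rule_iif != iif:
            continue
        if mark is not None and (fwmark & mark[1]) != mark[0]:
            continue
        dev = lookup(tables, table, dst)
        if dev is not None:
            return table, dev
    return None, None


def classify(policies, src, dst):
    """Hypothetical policy matcher: first matching policy picks the fwmark.
    It stands in for whatever marks packets on the router; it does not claim
    to reproduce the ordering semantics of any particular package."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if "src" in p and src not in ipaddress.ip_network(p["src"]):
            continue
        if "dst" in p and dst not in ipaddress.ip_network(p["dst"]):
            continue
        return MARKS[p["iface"]]
    return 0


def egress(policies, src, dst):
    """Interface a packet arriving from br-lan leaves on under the given policies."""
    rules, tables = parse_rules(RULES_TEXT), parse_routes(ROUTES_TEXT)
    _, dev = route_packet(rules, tables, dst, iif="br-lan", fwmark=classify(policies, src, dst))
    return dev


VPN_ONLY = [{"src": "10.0.0.40/32", "iface": "tun0"}]  # one host forced through the VPN
WITH_LAN_RULES = [{"dst": "192.168.1.0/24", "iface": "wan_free"},  # router LANs via their own WAN
                  {"dst": "192.168.0.0/24", "iface": "wan_sfr"}] + VPN_ONLY

if __name__ == "__main__":
    for pol, name in ((VPN_ONLY, "vpn-only"), (WITH_LAN_RULES, "with lan rules")):
        for dst in ("192.168.1.1", "192.168.0.1", "1.1.1.1"):
            print(f"{name:15} 10.0.0.40 -> {dst:12} leaves via {egress(pol, '10.0.0.40', dst)}")
```

With only the VPN policy, the marked host's packets hit rule 982 and table tun0, whose single default route swallows the 192.168.x.x destinations; an unmarked host falls through to main and reaches both routers. Putting destination policies for the two router subnets ahead of the VPN policy sends those packets to the wan_free/wan_sfr tables instead, while everything else from the same host still leaves via tun0.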

Merry Christmas and a happy new year to you as well!

From the lan interface remove the DNS entries which are not reachable on this interface, like the Google DNS. Also remove the 10.0.0.1, as it is its own address.
Assign a metric to tun0 interface as well, say 30.
Also post the uci export pbr

root@OpenWrt:~#  uci export pbr
uci: Entry not found
root@OpenWrt:~# 

I do not think pbr is installed. I am on 21.02.2.

Do you want me to rerun the previous commands?

Geoff

My mistake, it should be uci export mwan3

Hi Trendy,

Below is the output you requested.

I am a little confused as I have had problems with my network since I made the DNS changes you suggested. For some reason the IPv4 gateway had disappeared from the LAN settings and I tried to reinstate it as 10.0.0.1, being the default for the router that manages the LAN and the gateway I use on every machine that is added to the network. However OpenWrt would not accept it and I have had to change it to 192.168.1.1 (not sure, but I assume I could have also used 192.168.0.1?).

However, this is where I am confused, as I am trying to load balance the two WANs and if I send the LAN packets via 192.168.1.1 how does it then balance and use (share) the 192.168.0.1 gateway? Are the packets somehow redirected through the mwan3 policies before finally going out to the internet?

Sorry to ask such basic stuff.

Still cannot see 192.168.0.1 from the LAN 10.0.0.0/24.

Geoff


root@OpenWrt:~# uci export mwan3
package mwan3

config globals 'globals'
	option mmx_mask '0x3F00'

config rule 'https'
	option sticky '1'
	option dest_port '443'
	option proto 'tcp'
	option use_policy 'load_bal_gjj'

config rule 'default_rule_v4'
	option dest_ip '0.0.0.0/0'
	option family 'ipv4'
	option proto 'all'
	option sticky '0'
	option use_policy 'load_bal_gjj'

config rule 'default_rule_v6'
	option dest_ip '::/0'
	option family 'ipv6'
	option proto 'all'
	option sticky '0'
	option use_policy 'load_bal_gjj'

config interface 'wan_free'
	option enabled '1'
	option initial_state 'online'
	option family 'ipv4'
	list track_ip '8.8.8.8'
	list track_ip '8.8.4.4'
	list track_ip '1.1.1.1'
	option track_method 'ping'
	option reliability '1'
	option count '1'
	option size '56'
	option max_ttl '60'
	option check_quality '0'
	option timeout '4'
	option failure_interval '5'
	option recovery_interval '5'
	option interval '5'
	option down '3'
	option up '3'

config interface 'wan_sfr'
	option enabled '1'
	option initial_state 'online'
	option family 'ipv4'
	list track_ip '8.8.8.8'
	list track_ip '8.8.4.4'
	list track_ip '1.1.1.1'
	option track_method 'ping'
	option reliability '1'
	option count '1'
	option size '56'
	option max_ttl '60'
	option check_quality '0'
	option timeout '4'
	option interval '5'
	option failure_interval '5'
	option recovery_interval '5'
	option down '3'
	option up '3'

config member 'wan_sfr_m1_w1'
	option interface 'wan_sfr'
	option metric '1'
	option weight '1'

config member 'wan_free_m1_w1'
	option interface 'wan_free'
	option metric '1'
	option weight '1'

config policy 'load_bal_gjj'
	option last_resort 'default'
	list use_member 'wan_sfr_m1_w1'
	list use_member 'wan_free_m1_w1'

root@OpenWrt:~# 

Hi Trendy,

I have been having all sort of problems since making the changes to the network LAN interface. I have now finally removed all custom DNS entries from the LAN and left the public DNS entries on the two WANs (8.8.8.8 and 8.8.4.4) and that appears to be working again.

However, my policy page on the OpenVPN is now reporting the following Service Error:

Service Gateways

tun0/10.8.0.6
wan_free/wan/192.168.1.1 ✓
wan_sfr/lan4/192.168.0.1

The ✓ indicates default gateway. See the README for details.

Service Errors

Failed to set up 'lan/br-lan/192.168.1.1'

Can you see why this has happened?

Geoff

In the mwan3 configuration the tun0 is missing.
In the next post you are showing some output from vpn-policy-routing?
You should not be using both, as they are doing the same thing and their operations can conflict.