OpenWrt 21.02.1 - Multiple VPN with multiple SSID

Hello, I would like to have 2 VPN clients associated with 2 SSIDs, with a network killswitch enabled.
I created 2 networks, lan and lan1, and activated 2 SSIDs.
I started the 2 VPNs.
Whichever SSID I connect to, I always go out through VPN client vpnB, which is the last one started.

My configuration is:

VPN Client:
1. vpnA
2. vpnB


Interfaces:
1. lan
protocol: static address
device: br-lsn
ipv4 address: 192.168.2.1
ipv4 netmask: 255.255.255.0
firewall setting - Create / Assign firewall-zone: lan
DHCP Server start: 100
limit 150

2. lan1
protocol: static address
device: br-lsn
ipv4 address: 192.168.2.200
ipv4 netmask: 255.255.255.0
firewall setting - Create / Assign firewall-zone: lan1
DHCP Server start: 210
limit 10

Devices SSID:
1. wifi
network: lan

2. wifi1
network: lan1


The Firewall Zone rules:
1. lan => openvpn
input: accept
output: accept
forward: accept
Masquerading: disable
covered networks: lan
Allow forward to destination zones: openvpn
Covered devices: unspecified

2. lan1 => openvpn
input: accept
output: accept
forward: accept
Masquerading: disable
covered networks: lan1
Allow forward to destination zones: openvpn
Covered devices: unspecified

3. openvpn => reject
input: reject
output: accept
forward: reject
Masquerading: enable
MSS clamping: enable
Covered networks: unspecified
Allow forward to destination zones: unspecified
Allow forward from source zones: lan lan1
Covered devices: tun+

4. wan => reject
input: reject
output: accept
forward: reject
Masquerading: enable
MSS clamping: enable
Covered networks: wan wan6
Allow forward to destination zones: unspecified
Allow forward from source zones: unspecified
Covered devices: tun0 tun1

My big problem is that unfortunately I don't understand much about networks (but on Oracle databases I am a DBA manager :grin:).

thanks in advance for the help

You need to do Policy Based Routing and you have 3 options:

  1. mwan3 package
  2. pbr package
  3. a set of rules/routes for each internet connection.

One remark regarding your configuration is that you still have one network, 192.168.2.0/24, which spans from .2.0 to .2.255.
Therefore the additional interface and firewall zone have no use there.
If you really want to separate them, you'll have to have lan on 192.168.2.1/24 and lan1 on 192.168.3.1/24.


Thanks for looking at my lan configuration; sadly, as I wrote, I understand very little about it. I will immediately make the change.
I looked at the 3 solutions you sent me and I panicked because it is very complicated for me. Perhaps solution 2 (pbr) looks the least bad, but I get the impression that it is too difficult for my skills.
Reading the document https://docs.openwrt.melmac.net/vpn-policy-routing/ I seem to understand
that I need to install the following packages:

opkg install vpn-policy-routing luci-app-vpn-policy-routing
opkg install ipset resolveip ip-full kmod-ipt-ipset iptables

Then is it sufficient to configure everything as reported in the Screenshots (luci-app-vpn-policy-routing) section?
Can I do all the configuration through LuCI?

Thanks in advance

The easiest would be #3. However #2 is a good choice if you wish to add more complicated policies.

Not all of them are necessary. For your use case the pbr and luci-pbr are enough. If you wish to create policies based on ipsets, then you would need extra packages too.

I think yes in 21.02.

I changed lan1 to 192.168.3.1/24 as you rightly suggested and tried to connect to the wifi1 SSID, which in theory I configured on lan1, but I am always assigned an IP address from lan 192.168.2.1/24.
I will follow your advice to use point '3 a set of rules / routes 1 for each internet connection' for my setup;
however, I think first of all I have to solve this problem between lan and SSID. Where did I go wrong with the configuration?

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; uci export wireless; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru

Maybe I solved the SSID and lan association problem by changing the lan1 device from br-lsn to wlan1,
where wlan1 = Wireless Network: Master wifi1 (lan1).
The change is as follows:

2. lan1
protocol: static address
device: wlan1
ipv4 address: 192.168.2.200
ipv4 netmask: 255.255.255.0
firewall setting - Create / Assign firewall-zone: lan1
DHCP Server start: 210
limit 10

Now if I connect to wifi I have a network address 192.168.2.0/24 while if I connect to wifi1 I have a network address 192.168.3.0/24

I am attaching the log of the command you asked me to execute, after the modification described above:
(In the chat, wifi = wifi1816vpn in the log and wifi1 = wifi1826vpn1)

root@xxxxxxxx:~# ubus call system board; \
> uci export network; uci export wireless; \
> uci export dhcp; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
{
	"kernel": "5.4.154",
	"hostname": "xxxxxxxx",
	"system": "ARMv7 Processor rev 1 (v7l)",
	"model": "Linksys WRT3200ACM",
	"board_name": "linksys,wrt3200acm",
	"release": {
		"distribution": "OpenWrt",
		"version": "21.02.1",
		"revision": "r16325-88151b8303",
		"target": "mvebu/cortexa9",
		"description": "OpenWrt 21.02.1 r16325-88151b8303"
	}
}
package network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'xxxxxxxxxxxxxx/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.2.1'

config device
	option name 'wan'
	option macaddr 'xxxxxxxxxxxxx'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config interface 'LAN1'
	option proto 'static'
	option auto '0'
	option netmask '255.255.255.0'
	option ipaddr '192.168.3.1'
	option device 'wlan1'

package wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path 'soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0'
	option htmode 'VHT80'
	option cell_density '0'
	option country 'IT'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option macaddr 'xxxxxxxxxxxxxxxxx'
	option encryption 'psk2'
	option ssid 'wifi1826vpn'
	option key 'xxxxxxxxxxxxxxxxxxxxxxxx'

config wifi-device 'radio1'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option path 'soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
	option htmode 'HT20'
	option country 'IT'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option mode 'ap'
	option macaddr 'xxxxxxxxxxxxxxxx'
	option ssid 'wifi1826vpn1'
	option encryption 'psk2'
	option key 'xxxxxxxxxxxxxxxxxxxxxxxxx'
	option network 'LAN1'

config wifi-device 'radio2'
	option type 'mac80211'
	option channel '34'
	option hwmode '11a'
	option path 'platform/soc/soc:internal-regs/f10d8000.sdhci/mmc_host/mmc0/mmc0:0001/mmc0:0001:1'
	option htmode 'VHT80'
	option disabled '1'

config wifi-iface 'default_radio2'
	option device 'radio2'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

package dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'LAN1'
	option interface 'LAN1'
	option leasetime '12h'
	option start '100'
	option limit '150'
	list ra_flags 'none'

package firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'lan1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'LAN1'

config zone
	option name 'OpenVPN'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list device 'tun+'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list device 'tun0'
	list device 'tun1'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

config include
	option path '/etc/firewall.user'

config forwarding
	option src 'lan'
	option dest 'OpenVPN'

config forwarding
	option src 'lan1'
	option dest 'OpenVPN'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
7: wan@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.119/24 brd 192.168.1.255 scope global wan
       valid_lft forever preferred_lft forever
11: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.2.1/24 brd 192.168.2.255 scope global br-lan
       valid_lft forever preferred_lft forever
60: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 500
    inet 10.28.0.6/16 scope global tun0
       valid_lft forever preferred_lft forever
61: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 500
    inet 10.27.0.4/16 scope global tun1
       valid_lft forever preferred_lft forever
69: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    inet 192.168.3.1/24 brd 192.168.3.255 scope global wlan1
       valid_lft forever preferred_lft forever
0.0.0.0/1 via 10.27.0.1 dev tun1 
default via 192.168.1.1 dev wan  src 192.168.1.119 
10.27.0.0/16 dev tun1 scope link  src 10.27.0.4 
10.28.0.0/16 dev tun0 scope link  src 10.28.0.6 
128.0.0.0/1 via 10.27.0.1 dev tun1 
xxx.xxx.xxx.xxx via 192.168.1.1 dev wan 
xxx.xxx.xxx.xxx via 192.168.1.1 dev wan 
192.168.1.0/24 dev wan scope link  src 192.168.1.119 
192.168.2.0/24 dev br-lan scope link  src 192.168.2.1 
192.168.3.0/24 dev wlan1 scope link  src 192.168.3.1 
broadcast 10.27.0.0 dev tun1 table local scope link  src 10.27.0.4 
local 10.27.0.4 dev tun1 table local scope host  src 10.27.0.4 
broadcast 10.27.255.255 dev tun1 table local scope link  src 10.27.0.4 
broadcast 10.28.0.0 dev tun0 table local scope link  src 10.28.0.6 
local 10.28.0.6 dev tun0 table local scope host  src 10.28.0.6 
broadcast 10.28.255.255 dev tun0 table local scope link  src 10.28.0.6 
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1 
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1 
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1 
broadcast 192.168.1.0 dev wan table local scope link  src 192.168.1.119 
local 192.168.1.119 dev wan table local scope host  src 192.168.1.119 
broadcast 192.168.1.255 dev wan table local scope link  src 192.168.1.119 
broadcast 192.168.2.0 dev br-lan table local scope link  src 192.168.2.1 
local 192.168.2.1 dev br-lan table local scope host  src 192.168.2.1 
broadcast 192.168.2.255 dev br-lan table local scope link  src 192.168.2.1 
broadcast 192.168.3.0 dev wlan1 table local scope link  src 192.168.3.1 
local 192.168.3.1 dev wlan1 table local scope host  src 192.168.3.1 
broadcast 192.168.3.255 dev wlan1 table local scope link  src 192.168.3.1 
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default 

A few remarks here. Better use lower-case letters. OpenWrt is case sensitive and LAN1 is different from lan1. Avoid using the

in LAN1 interface. It is better to use the

in the SSID configuration, as you already have.

Remove tun0 and tun1 from the wan zone.
Add 2 new unmanaged interfaces covering tun0 (vpn1) and tun1 (vpn2).
In the lan interface go to Advanced settings and for "Override IPv4 routing table" type 100 and press Enter at the custom entry. Do the same for LAN1, with a different number though, say 200.
Go to Network/Static Routes and add 2 new static routes.
Target and netmask are 0.0.0.0 for both. The first will use interface vpn1 and route table 100, the second will use vpn2 and route table 200.


I tried to follow your instructions but I must have done something wrong, because I can no longer surf the web. I redid the procedure 2 times but I don't understand where I'm wrong.
I send you the log:

root@xxxxxxx:~# ubus call system board; \
> uci export network; uci export wireless; \
> uci export dhcp; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
{
	"kernel": "5.4.154",
	"hostname": "xxxxxxxxxxx",
	"system": "ARMv7 Processor rev 1 (v7l)",
	"model": "Linksys WRT3200ACM",
	"board_name": "linksys,wrt3200acm",
	"release": {
		"distribution": "OpenWrt",
		"version": "21.02.1",
		"revision": "r16325-88151b8303",
		"target": "mvebu/cortexa9",
		"description": "OpenWrt 21.02.1 r16325-88151b8303"
	}
}
package network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'xxxxxxxxxxxxxxxx::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.2.1'
	option ip4table '100'

config device
	option name 'wan'
	option macaddr 'xxxxxxxxxxxxxxxxx'
	
config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config interface 'LAN1'
	option proto 'static'
	option auto '0'
	option netmask '255.255.255.0'
	option ipaddr '192.168.3.1'
	option device 'wlan1'
	option ip4table '200'

config interface 'vpn0'
	option proto 'dhcp'
	option device 'tun0'

config interface 'vpn1'
	option proto 'dhcp'
	option device 'tun1'

config route
	option interface 'vpn0'
	option target '0.0.0.0'
	option netmask '0.0.0.0'

config route
	option interface 'vpn1'
	option target '0.0.0.0'
	option netmask '0.0.0.0'

package wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path 'soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0'
	option htmode 'VHT80'
	option cell_density '0'
	option country 'IT'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option macaddr 'xxxxxxxxxxxxxxxxxx'
	option encryption 'psk2'
	option ssid 'wifi1826vpn'
	option key 'xxxxxxxxxxxxxx'

config wifi-device 'radio1'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option path 'soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
	option htmode 'HT20'
	option country 'IT'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option mode 'ap'
	option macaddr 'xxxxxxxxxxxxxxx'
	option ssid 'wifi1826vpn1'
	option encryption 'psk2'
	option key 'xxxxxxxxxxxxxxxxxxxxxxxxx'
	option network 'LAN1'

config wifi-device 'radio2'
	option type 'mac80211'
	option channel '34'
	option hwmode '11a'
	option path 'platform/soc/soc:internal-regs/f10d8000.sdhci/mmc_host/mmc0/mmc0:0001/mmc0:0001:1'
	option htmode 'VHT80'
	option disabled '1'

config wifi-iface 'default_radio2'
	option device 'radio2'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

package dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'LAN1'
	option interface 'LAN1'
	option leasetime '12h'
	option start '100'
	option limit '150'
	list ra_flags 'none'

package firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'lan1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'LAN1'

config zone
	option name 'OpenVPN'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list device 'tun+'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list device 'vpn1'
	list device 'vpn0'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

config include
	option path '/etc/firewall.user'

config forwarding
	option src 'lan'
	option dest 'OpenVPN'

config forwarding
	option src 'lan1'
	option dest 'OpenVPN'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
7: wan@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.119/24 brd 192.168.1.255 scope global wan
       valid_lft forever preferred_lft forever
11: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.2.1/24 brd 192.168.2.255 scope global br-lan
       valid_lft forever preferred_lft forever
71: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    inet 192.168.3.1/24 brd 192.168.3.255 scope global wlan1
       valid_lft forever preferred_lft forever
192.168.2.0/24 dev br-lan table 100 scope link 
192.168.3.0/24 dev wlan1 table 200 scope link 
default via 192.168.1.1 dev wan  src 192.168.1.119 
xxxxxxxxxxx via 192.168.1.1 dev wan 
xxxxxxxxxxx via 192.168.1.1 dev wan 
192.168.1.0/24 dev wan scope link  src 192.168.1.119 
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1 
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1 
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1 
broadcast 192.168.1.0 dev wan table local scope link  src 192.168.1.119 
local 192.168.1.119 dev wan table local scope host  src 192.168.1.119 
broadcast 192.168.1.255 dev wan table local scope link  src 192.168.1.119 
broadcast 192.168.2.0 dev br-lan table local scope link  src 192.168.2.1 
local 192.168.2.1 dev br-lan table local scope host  src 192.168.2.1 
broadcast 192.168.2.255 dev br-lan table local scope link  src 192.168.2.1 
broadcast 192.168.3.0 dev wlan1 table local scope link  src 192.168.3.1 
local 192.168.3.1 dev wlan1 table local scope host  src 192.168.3.1 
broadcast 192.168.3.255 dev wlan1 table local scope link  src 192.168.3.1 
0:	from all lookup local 
10000:	from 192.168.2.1 lookup 100 
10000:	from 192.168.3.1 lookup 200 
20000:	from all to 192.168.2.1/24 lookup 100 
20000:	from all to 192.168.3.1/24 lookup 200 
32766:	from all lookup main 
32767:	from all lookup default 
90011:	from all iif lo lookup 100 
90071:	from all iif lo lookup 200 

No need for DHCP on VPN interfaces.
Also you didn't add the routing table numbers in the 2 routes.

I changed the VPN interfaces to no DHCP, but when,
in Network/Static Routes/vpn0 and vpn1, I change Route Table from 'main (254)' to 'unspecified', after saving the value comes back to 'main (254)'.

...I still can't surf the web...

root@xxxxxxxxxxxxxx:~# ubus call system board; \
> uci export network; uci export wireless; \
> uci export dhcp; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
{
	"kernel": "5.4.154",
	"hostname": "xxxxxxxxxxxx",
	"system": "ARMv7 Processor rev 1 (v7l)",
	"model": "Linksys WRT3200ACM",
	"board_name": "linksys,wrt3200acm",
	"release": {
		"distribution": "OpenWrt",
		"version": "21.02.1",
		"revision": "r16325-88151b8303",
		"target": "mvebu/cortexa9",
		"description": "OpenWrt 21.02.1 r16325-88151b8303"
	}
}
package network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'xxxxxxxxxxxx::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.2.1'
	option ip4table '100'

config device
	option name 'wan'
	option macaddr 'xxxxxxxxxxxxx'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config interface 'vlan1'
	option device 'radio1.network1'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	option ip4table '200'

config interface 'vpn0'
	option proto 'none'
	option device 'tun0'

config interface 'vpn1'
	option proto 'none'
	option device 'tun1'

config route
	option interface 'vpn0'
	option target '0.0.0.0'
	option netmask '0.0.0.0'

config route
	option interface 'vpn1'
	option target '0.0.0.0'
	option netmask '0.0.0.0'

package wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path 'soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0'
	option htmode 'VHT80'
	option cell_density '0'
	option country 'IT'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option macaddr 'xxxxxxxxxxxxx'
	option encryption 'psk2'
	option ssid 'wifi1826vpn'
	option key 'xxxxxxxxxxxxxxxxxxxxxx'

config wifi-device 'radio1'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option path 'soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
	option htmode 'HT20'
	option country 'IT'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option mode 'ap'
	option macaddr 'xxxxxxxxxxxxxxxxxxx'
	option ssid 'wifi1826vpn1'
	option encryption 'psk2'
	option key 'xxxxxxxxxxxxxxxxx'
	option network 'vlan1'

config wifi-device 'radio2'
	option type 'mac80211'
	option channel '34'
	option hwmode '11a'
	option path 'platform/soc/soc:internal-regs/f10d8000.sdhci/mmc_host/mmc0/mmc0:0001/mmc0:0001:1'
	option htmode 'VHT80'
	option disabled '1'

config wifi-iface 'default_radio2'
	option device 'radio2'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

package dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'vlan1'
	option interface 'vlan1'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list ra_flags 'none'

package firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'vlan1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'vlan1'

config zone
	option name 'OpenVPN'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list device 'tun+'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option input 'REJECT'
	list network 'wan'
	list network 'wan6'
	list device 'tun0'
	list device 'tun1'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

config include
	option path '/etc/firewall.user'

config forwarding
	option src 'lan'
	option dest 'OpenVPN'

config forwarding
	option src 'vlan1'
	option dest 'OpenVPN'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
7: wan@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.119/24 brd 192.168.1.255 scope global wan
       valid_lft forever preferred_lft forever
78: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.2.1/24 brd 192.168.2.255 scope global br-lan
       valid_lft forever preferred_lft forever
84: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    inet 192.168.3.1/24 brd 192.168.3.255 scope global wlan1
       valid_lft forever preferred_lft forever
192.168.2.0/24 dev br-lan table 100 scope link 
192.168.3.0/24 dev wlan1 table 200 scope link 
default dev tun1 scope link 
xxxxxxxxxxxxxx via 192.168.1.1 dev wan 
xxxxxxxxxxxxxx via 192.168.1.1 dev wan 
192.168.1.0/24 dev wan scope link  src 192.168.1.119 
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1 
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1 
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1 
broadcast 192.168.1.0 dev wan table local scope link  src 192.168.1.119 
local 192.168.1.119 dev wan table local scope host  src 192.168.1.119 
broadcast 192.168.1.255 dev wan table local scope link  src 192.168.1.119 
broadcast 192.168.2.0 dev br-lan table local scope link  src 192.168.2.1 
local 192.168.2.1 dev br-lan table local scope host  src 192.168.2.1 
broadcast 192.168.2.255 dev br-lan table local scope link  src 192.168.2.1 
broadcast 192.168.3.0 dev wlan1 table local scope link  src 192.168.3.1 
local 192.168.3.1 dev wlan1 table local scope host  src 192.168.3.1 
broadcast 192.168.3.255 dev wlan1 table local scope link  src 192.168.3.1 
0:	from all lookup local 
10000:	from 192.168.2.1 lookup 100 
10000:	from 192.168.3.1 lookup 200 
20000:	from all to 192.168.2.1/24 lookup 100 
20000:	from all to 192.168.3.1/24 lookup 200 
32766:	from all lookup main 
32767:	from all lookup default 
90011:	from all iif lo lookup 100 
90078:	from all iif lo lookup 100 
90084:	from all iif lo lookup 200 

I took your suggestion and changed LAN1 to vlan1

First, remove the radio1 device from vlan1. It is properly declared in the wireless configuration already.
I see some leftovers from rules there. I'll try to clean it up and enter the correct ones.

uci del network.lan.ip4table
uci del network.vlan1.ip4table

Delete the 2 routes completely; use the LuCI web interface for that.
Also delete the tun interfaces from the wan firewall zone. You have them already in the OpenVPN zone.
uci del firewall.wan.device

Add the default route for vpn0 and vpn1 to the respective tables.

uci add network route
uci set network.@route[-1].target='0.0.0.0'
uci set network.@route[-1].table='100'
uci set network.@route[-1].netmask='0.0.0.0'
uci set network.@route[-1].interface='vpn0'
uci add network route
uci set network.@route[-1].target='0.0.0.0'
uci set network.@route[-1].table='200'
uci set network.@route[-1].netmask='0.0.0.0'
uci set network.@route[-1].interface='vpn1'
uci add network rule
uci set network.@rule[-1].in='lan'
uci set network.@rule[-1].lookup='100'
uci add network rule
uci set network.@rule[-1].in='vlan1'
uci set network.@rule[-1].lookup='200'
uci commit network
uci commit firewall
/etc/init.d/network restart
1 Like
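An added example, not part of this thread or of OpenWrt: a small POSIX sh checker for the state the commands above are meant to produce. It assumes the device names and table numbers from the dumps in this thread (br-lan and wlan1 as the Linux names of lan and vlan1, tun0 and tun1 for vpn0 and vpn1, tables 100 and 200); the sample `ip -4 ro li tab all`, `ip -4 ru` and firewall output embedded below is constructed from those dumps. It checks two things a "killswitch" setup depends on: that each table has exactly one default route and it leaves through the right tunnel, and that no `config forwarding` block lets the zone reach wan directly, so traffic cannot fall through to the main table if a tunnel drops.

```shell
#!/bin/sh
# Added example (not from the thread): validate a per-SSID policy-routing
# setup. Device names and table numbers are taken from the thread's dumps.

# Expected mapping: Linux interface -> routing table -> tunnel device.
PBR_MAP="br-lan:100:tun0
wlan1:200:tun1"

# Constructed sample, modelled on the thread's dump after the fix.
SAMPLE_ROUTES_AFTER='default dev tun0 table 100 scope link
default dev tun1 table 200 scope link
default via 192.168.1.1 dev wan  src 192.168.1.119
192.168.1.0/24 dev wan scope link  src 192.168.1.119
192.168.2.0/24 dev br-lan scope link  src 192.168.2.1
192.168.3.0/24 dev wlan1 scope link  src 192.168.3.1'
SAMPLE_RULES_AFTER='0: from all lookup local
1: from all iif br-lan lookup 100
2: from all iif wlan1 lookup 200
32766: from all lookup main
32767: from all lookup default'

# Constructed sample, modelled on the thread's dump before the fix:
# tables 100/200 hold only link routes, the tunnel default sits in main.
SAMPLE_ROUTES_BEFORE='192.168.2.0/24 dev br-lan table 100 scope link
192.168.3.0/24 dev wlan1 table 200 scope link
default dev tun1 scope link
192.168.1.0/24 dev wan scope link  src 192.168.1.119'
SAMPLE_RULES_BEFORE='0: from all lookup local
10000: from 192.168.2.1 lookup 100
20000: from all to 192.168.2.1/24 lookup 100
32766: from all lookup main
32767: from all lookup default'

# Constructed firewall excerpts (uci export format): the thread's forwardings,
# and a hypothetical leaky variant that also allows lan -> wan.
SAMPLE_FW_OK="config forwarding
	option src 'lan'
	option dest 'OpenVPN'

config forwarding
	option src 'vlan1'
	option dest 'OpenVPN'"
SAMPLE_FW_LEAK="$SAMPLE_FW_OK

config forwarding
	option src 'lan'
	option dest 'wan'"

# check_table ROUTES TABLE DEV: 0 if TABLE's default route leaves via DEV and
# no other default route exists in that table.
check_table() {
    routes=$1; table=$2; dev=$3
    printf '%s\n' "$routes" | grep -q "^default dev $dev table $table " || return 1
    # Any second default route in the same table would be a bypass path.
    printf '%s\n' "$routes" | grep "^default " | grep " table $table " \
        | grep -qv "dev $dev " && return 1
    return 0
}

# check_rule RULES IFACE TABLE: 0 if traffic entering IFACE is sent to TABLE.
check_rule() {
    rules=$1; iface=$2; table=$3
    printf '%s\n' "$rules" | grep -q "from all iif $iface lookup $table"
}

# check_pbr ROUTES RULES: verify every PBR_MAP entry; exit status is the
# number of broken entries (0 means the policy routing is complete).
check_pbr() {
    routes=$1; rules=$2; failures=0
    for entry in $PBR_MAP; do
        iface=${entry%%:*}; rest=${entry#*:}; table=${rest%%:*}; dev=${rest#*:}
        if check_table "$routes" "$table" "$dev" && check_rule "$rules" "$iface" "$table"; then
            echo "OK   $iface -> table $table -> $dev"
        else
            echo "FAIL $iface -> table $table -> $dev"
            failures=$((failures + 1))
        fi
    done
    return $failures
}

# check_killswitch FIREWALL ZONE: 0 if no "config forwarding" block allows
# ZONE -> wan, i.e. a dropped tunnel cannot let that zone leave via wan.
check_killswitch() {
    printf '%s\n' "$1" | awk -v zone="$2" '
        /^config forwarding/ { inblk = 1; src = ""; dest = ""; next }
        /^config /           { inblk = 0 }
        inblk && $2 == "src"  { gsub(/[^A-Za-z0-9_]/, "", $3); src = $3 }
        inblk && $2 == "dest" { gsub(/[^A-Za-z0-9_]/, "", $3); dest = $3 }
        { if (inblk && src == zone && dest == "wan") leak = 1 }
        END { exit (leak ? 1 : 0) }'
}

echo "== routing before the fix =="
check_pbr "$SAMPLE_ROUTES_BEFORE" "$SAMPLE_RULES_BEFORE" || echo "$? table(s) broken"
echo "== routing after the fix =="
check_pbr "$SAMPLE_ROUTES_AFTER" "$SAMPLE_RULES_AFTER" || echo "$? table(s) broken"
check_killswitch "$SAMPLE_FW_OK" lan && echo "lan: no forwarding to wan"
check_killswitch "$SAMPLE_FW_LEAK" lan || echo "lan: forwarding to wan found (leak path)"
```

On a live router the same functions can be fed real output, e.g. `check_pbr "$(ip -4 ro li tab all)" "$(ip -4 ru)"` and `check_killswitch "$(uci export firewall)" lan`; the "before" sample reproduces the symptom from the first dump, where the tunnel default route lives in the main table and both per-SSID tables fail the check.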

Here it is night; if you can wait for me, I will make the changes immediately and give you immediate feedback.

Okay, I'll wait for 10-15'.

I executed it step by step

root@xxxxxx:~# uci del network.lan.ip4table
root@xxxxxx:~# uci del network.vlan1.ip4table
root@xxxxxx:~# uci del firewall.wan.device
uci: Entry not found                                    <-----------
root@xxxxxx:~# uci add network route
cfg0bc8b4
root@xxxxxx:~# uci set network.@route[-1].target='0.0.0.0'
root@xxxxxx:~# uci set network.@route[-1].table='100'
root@xxxxxx:~# uci set network.@route[-1].netmask='0.0.0.0'
root@xxxxxx:~# uci set network.@route[-1].interface='vpn0'
root@xxxxxx:~# uci add network route
cfg0cc8b4
root@xxxxxx:~# uci set network.@route[-1].target='0.0.0.0'
root@xxxxxx:~# uci set network.@route[-1].table='200'
root@xxxxxx:~# uci set network.@route[-1].netmask='0.0.0.0'
root@xxxxxx:~# uci set network.@route[-1].interface='vpn1'
root@xxxxxx:~# uci add network rule
cfg0d92bd
root@xxxxxx:~# uci set network.@rule[-1].in='lan'
root@xxxxxx:~# uci set network.@rule[-1].lookup='100'
root@xxxxxx:~# uci add network rule
cfg0e92bd
root@xxxxxx:~# uci set network.@rule[-1].in='vlan1'
root@xxxxxx:~# uci set network.@rule[-1].lookup='200'
root@xxxxxx:~# uci commit network
root@xxxxxx:~# uci commit firewall
root@xxxxxx:~# /etc/init.d/network restart
'radio2' is disabled
root@xxxxxx:~# /etc/init.d/network restart
'radio2' is disabled

New config after commands:

root@xxxxxx:~# ubus call system board; \
> > uci export network; uci export wireless; \
> > uci export dhcp; uci export firewall; \
> > head -n -0 /etc/firewall.user; \
> > ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
{
	"kernel": "5.4.154",
	"hostname": "xxxxxx",
	"system": "ARMv7 Processor rev 1 (v7l)",
	"model": "Linksys WRT3200ACM",
	"board_name": "linksys,wrt3200acm",
	"release": {
		"distribution": "OpenWrt",
		"version": "21.02.1",
		"revision": "r16325-88151b8303",
		"target": "mvebu/cortexa9",
		"description": "OpenWrt 21.02.1 r16325-88151b8303"
	}
}
package wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path 'soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0'
	option htmode 'VHT80'
	option cell_density '0'
	option country 'IT'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option macaddr 'xxxxxx'
	option encryption 'psk2'
	option ssid 'wifi1826vpn'
	option key 'xxxxxx'

config wifi-device 'radio1'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option path 'soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
	option htmode 'HT20'
	option country 'IT'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option mode 'ap'
	option macaddr 'xxxxxx'
	option ssid 'wifi1826vpn1'
	option encryption 'psk2'
	option key 'xxxxxx'
	option network 'vlan1'

config wifi-device 'radio2'
	option type 'mac80211'
	option channel '34'
	option hwmode '11a'
	option path 'platform/soc/soc:internal-regs/f10d8000.sdhci/mmc_host/mmc0/mmc0:0001/mmc0:0001:1'
	option htmode 'VHT80'
	option disabled '1'

config wifi-iface 'default_radio2'
	option device 'radio2'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

package firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'vpn0'

config zone
	option name 'vlan1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'vlan1'
	list network 'vpn1'

config zone
	option name 'OpenVPN'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list device 'tun+'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option input 'REJECT'
	list network 'wan'
	list network 'wan6'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

config include
	option path '/etc/firewall.user'

config forwarding
	option src 'lan'
	option dest 'OpenVPN'

config forwarding
	option src 'vlan1'
	option dest 'OpenVPN'

-ash: -n: not found
-ash: -4: not found
default dev tun0 table 100 scope link 
default dev tun1 table 200 scope link 
default via 192.168.1.1 dev wan  src 192.168.1.119 
192.168.1.0/24 dev wan scope link  src 192.168.1.119 
192.168.2.0/24 dev br-lan scope link  src 192.168.2.1 
192.168.3.0/24 dev wlan1 scope link  src 192.168.3.1 
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1 
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1 
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1 
broadcast 192.168.1.0 dev wan table local scope link  src 192.168.1.119 
local 192.168.1.119 dev wan table local scope host  src 192.168.1.119 
broadcast 192.168.1.255 dev wan table local scope link  src 192.168.1.119 
broadcast 192.168.2.0 dev br-lan table local scope link  src 192.168.2.1 
local 192.168.2.1 dev br-lan table local scope host  src 192.168.2.1 
broadcast 192.168.2.255 dev br-lan table local scope link  src 192.168.2.1 
broadcast 192.168.3.0 dev wlan1 table local scope link  src 192.168.3.1 
local 192.168.3.1 dev wlan1 table local scope host  src 192.168.3.1 
broadcast 192.168.3.255 dev wlan1 table local scope link  src 192.168.3.1 
0:	from all lookup local 
1:	from all iif br-lan lookup 100 
2:	from all iif wlan1 lookup 200 
32766:	from all lookup main 
32767:	from all lookup default 

...I still can't surf the web...

I'm going to sleep now, we'll catch up tomorrow. Thanks

Network configuration is not there. Try to print it like this: cat /etc/config/network

It seems that the vlan1 interface was renamed to wlan1.

root@WRT3200ACM:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd7c:a833:0eeb::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.2.1'

config device
	option name 'wan'
	option macaddr 'xxxxxxxxx'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config interface 'vlan1'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'

config interface 'vpn0'
	option proto 'none'
	option device 'tun0'

config interface 'vpn1'
	option proto 'none'
	option device 'tun1'

config route
	option target '0.0.0.0'
	option table '100'
	option netmask '0.0.0.0'
	option interface 'vpn0'

config route
	option target '0.0.0.0'
	option table '200'
	option netmask '0.0.0.0'
	option interface 'vpn1'

config rule
	option in 'lan'
	option lookup '100'

config rule
	option in 'vlan1'
	option lookup '200'

I don't see any mistake. Try to restart the router. If this doesn't help we'll check it tomorrow.

1 Like

Hi Panagiotis, I have rebooted and all works fine!
I don't know how to thank you for all the help you have given me and the patience you have had with me!!!
You are a great and cool man!!!
Thank you, thank you very much!!!
Cristiano

PS
For me the thread can be closed.

1 Like

Lovely, you are very welcome!