Route per VLAN


I'm not sure if what I'm wanting is possible, but, if someone could give me a high level overview it would help with my research.

I've got my router flashed and running.

I've separated the switch ports 1 and 2 to vlan 1 and ports 3 and 4 to vlan 2.

Right now if I patch in to vlan 1, I get a DHCP address from the broadband router and not the LEDE router. If I patch to vlan 2 I get a DHCP address from the LEDE router.

This is exactly what I want.

I'd like to take it further by configuring the OpenVPN client to route just VLAN2 via tun0.

My OpenVPN is currently set up and working perfectly but it's the default route for both vlans (as expected I suppose).

My aim is to plug the LEDE into my existing router and provide two ports of VPN to expressvpn and two ports straight out to my ISP.

Can anyone point me at what I should be researching?



@utterlyforked - I think you should be able to achieve this by setting the appropriate firewall zones and rules, possibly with a few modifications to the current VLAN setup.

I assume that your system will look like this:
[Internet] ---> [(WAN) {broadband router} (LAN)] ---> [(WAN) {LEDE router} (VLAN1 @ LAN ports 1,2) (VLAN2 @ LAN ports 3, 4)] ---> [{hosts/devices not using VPN on VLAN1}], [{hosts/devices using VPN on VLAN2}]

A few questions:

  1. How is the LEDE router WAN port and VLAN1 configured? (can you post your network and firewall files?)
  2. What level of connectivity do devices on VLAN2 need (in all cases, it is implied that VLAN2 should connect to the internet only via the VPN tun)? Example A: Completely isolated from VLAN1. Example B: VLAN2 devices can see and initiate communication with VLAN1, but VLAN1 cannot directly access VLAN2 devices. Example C: VLAN1 and VLAN2 can see and talk to each other as if they were on the same subnet.

If you are trying to achieve Example A, I would recommend simply adding ports LAN1 and LAN2 to the VLAN that currently contains the WAN port. This way the LEDE router acts as a simple switch for everything on this VLAN. The other two ports (3 and 4) will sit on the default VLAN associated with the normal LAN and the standard firewall zones and rules will require minimal modification. Simply remove the forwarding described below. Keep in mind that networks are isolated by means of disallowing forwarding from the LAN to WAN (and all internet traffic goes through the VPN tunnel which is allowed to escape via WAN, but will prevent any interaction between the 2 sides of your network).

Examples B and C would be done a bit differently with independent firewall zones for WAN, VLAN1 and VLAN2. It may be tricky to get mDNS devices to work across the subnets. And, in these cases, if there is an OpenVPN directive redirect-gateway def1, that will probably need to be removed (easy to do if it is a client side directive).

Anyway, back to the firewalls... however this is implemented, VLAN2 will need its own firewall zone. The zone will not allow any forwarding to/from the WAN zone, forcing all internet traffic to go through the VPN. The one you will want to remove may look something like this:

> config forwarding
> 	option src 'vlan2'
> 	option dest 'wan'

The hosts getting IP addresses from your broadband router should be getting the broadband router's address for their gateway and should just switch their way to the broadband router -- they should never hit the actual routing table on the LEDE box, just bridge across the br interfaces. Make sure that is happening... check the gateway addresses assigned to hosts on the direct-to-ISP ports. In other words, the behavior you describe is not "as expected" if your clients really are getting addresses from the broadband router.

Really you wouldn't even need an IP address on the br interface handling the direct broadband traffic, unless you wanted stuff there to route to the other VLAN or the LEDE box itself.

What I'd expect is perhaps some ebtables policy needing to be cleared in the firewall to allow/sanitize that traffic.

Now if you have some reason to, you could instead hand out addresses for both VLANs from the LEDE box. In this case, what you want to look into is "policy based routing", known on Linux as "route tables" and "ip rule". Using those you can define a rule that sends all traffic coming in on one of the vlans to use a different route table than the default one, and then define a default route in that table going direct to the cable modem.
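As an added example (not code from the thread or from any of the posters), here is what the two halves of the reply look like on a LEDE box when it hands out addresses on both VLANs: the per-zone firewall from the "back to the firewalls" paragraph, with VLAN2 forwarded only into a tunnel zone and deliberately no vlan2 -> wan forwarding, plus the "ip rule"/route-table policy routing from the last paragraph so that VLAN1 bypasses the VPN default route. This variant keeps OpenVPN's redirect-gateway in place (the main table keeps pointing at tun0, which is what VLAN2 follows) and moves VLAN1 off the main table instead. Interface names (vlan1, vlan2, vpn, tun0, eth0.2), subnets, the broadband router's address and table number 100 are all assumptions for this box; DRY_RUN defaults to 1 so the script only prints what it would do.

```shell
#!/bin/sh
# Added example, not from the thread. Zones per side of the LEDE box plus
# policy routing for VLAN1. Every value below is an assumption for this box.
VLAN1_NET=${VLAN1_NET:-192.168.1.0/24}   # interface 'vlan1', LAN ports 1,2, straight to ISP
VLAN2_NET=${VLAN2_NET:-192.168.2.0/24}   # interface 'vlan2', LAN ports 3,4, VPN only
WAN_IF=${WAN_IF:-eth0.2}                 # LEDE WAN port facing the broadband router
WAN_GW=${WAN_GW:-192.168.0.1}            # broadband router's LAN address
TABLE=${TABLE:-100}                      # route table reserved for direct-to-ISP traffic
DRY_RUN=${DRY_RUN:-1}                    # 1 = print what would be done, 0 = apply on the router

# uci batch for the zones (LEDE spells the tun0 binding 'ifname'; current
# OpenWrt uses 'device'). Note what is absent: there is no forwarding with
# src=vlan2 dest=wan, so if tun0 goes down VLAN2 is cut off rather than
# quietly leaking to the ISP. Example B semantics: vlan2 may initiate to vlan1,
# vlan1 gets no forwarding into vlan2.
firewall_batch() {
    cat <<'EOF'
set network.vpn=interface
set network.vpn.proto=none
set network.vpn.ifname=tun0
add firewall zone
set firewall.@zone[-1].name=vlan1
set firewall.@zone[-1].network=vlan1
set firewall.@zone[-1].input=ACCEPT
set firewall.@zone[-1].output=ACCEPT
set firewall.@zone[-1].forward=REJECT
add firewall zone
set firewall.@zone[-1].name=vlan2
set firewall.@zone[-1].network=vlan2
set firewall.@zone[-1].input=ACCEPT
set firewall.@zone[-1].output=ACCEPT
set firewall.@zone[-1].forward=REJECT
add firewall zone
set firewall.@zone[-1].name=vpn
set firewall.@zone[-1].network=vpn
set firewall.@zone[-1].input=REJECT
set firewall.@zone[-1].output=ACCEPT
set firewall.@zone[-1].forward=REJECT
set firewall.@zone[-1].masq=1
set firewall.@zone[-1].mtu_fix=1
add firewall forwarding
set firewall.@forwarding[-1].src=vlan1
set firewall.@forwarding[-1].dest=wan
add firewall forwarding
set firewall.@forwarding[-1].src=vlan2
set firewall.@forwarding[-1].dest=vpn
add firewall forwarding
set firewall.@forwarding[-1].src=vlan2
set firewall.@forwarding[-1].dest=vlan1
commit network
commit firewall
EOF
}

# ip(8) commands for the policy routing. Rules are matched in priority order:
# the lower-numbered rule keeps VLAN1 -> VLAN2 traffic on the main table;
# without it that traffic would also be thrown at the ISP gateway and
# inter-VLAN forwarding would silently break.
pbr_commands() {
    echo "ip route replace default via $WAN_GW dev $WAN_IF table $TABLE"
    echo "ip rule add from $VLAN1_NET to $VLAN2_NET lookup main priority 100"
    echo "ip rule add from $VLAN1_NET lookup $TABLE priority 110"
    echo "ip route flush cache"
}

# Exit 0 if the batch forwards zone $1 -> zone $2, 1 otherwise.
# Used to prove the generated config has no VLAN2 -> WAN path.
batch_has_forwarding() {
    firewall_batch | awk -v want_src="$1" -v want_dst="$2" '
        /^add firewall forwarding/ { src = ""; dst = "" }
        /\.src=/  { v = $0; sub(/.*\.src=/, "", v);  src = v }
        /\.dest=/ { v = $0; sub(/.*\.dest=/, "", v); dst = v }
        src == want_src && dst == want_dst { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Priority of the first "ip rule add" whose text contains $1 (to check ordering).
pbr_rule_priority() {
    pbr_commands | awk -v want="$1" '/^ip rule add/ && index($0, want) { print $NF; exit }'
}

apply_all() {
    if [ "$DRY_RUN" = 1 ]; then firewall_batch; pbr_commands; return; fi
    firewall_batch | uci batch && /etc/init.d/firewall restart && pbr_commands | sh -e
}
```

Run it with DRY_RUN=0 on the router after checking the printed batch; the stock lan -> wan forwarding that the reply says to remove must still be deleted by hand, and the vlan1 -> wan forwarding above relies on the stock wan zone's masquerade. `ip rule add` is not idempotent, so for something that survives a reboot put the same rule and route into /etc/config/network as `config rule` and `config route` sections (with `option table`) rather than re-running the script.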