Router connected, pc can't access the internet

I try to create a setup like:

  • on an access point: only the router can connect to the wan
  • on another access point: everything is routed to a vpn and all devices can connect to the wan through this vpn

the first point is because when I go to a hotel and they have a captive portal I don't want to leak from vpn and I must log in with their interface. I plan on using ssh -L ... to log into the captive portal and switch to the vpn-only AP to browse the internet.

my pc => captive =||
captive => wan
my pc => vpn => wan

alternatively I can switch the zone after enabling the connection through the captive portal

I have these interfaces:

  • captive (DHCP)
  • lan, wan, wan6, wwan (default)
  • vpntun (unmanaged)

I set up these firewall rules:

  • lan => vpnfw (input, output, forward)
  • wan => reject (input, output) masq
  • captivefw => wan (output only)
  • vpnfw => reject (output only) masq

openwrt boots up and connects to the vpn. on ssh I can wget and find that my ip address is the vpn's and I can ping servers. but my pc can't connect to the internet and can't ping anything. both from eth and wifi. the router is connected as a client to another wifi.

how do I troubleshoot this issue?

Been trying to visualize this. Correct me please because although your description makes perfect sense to you, I'm still fuzzy.

This is how I imagine it.

You-wired>>>>wire-openwrt-vpn-routed-transmit-wifi>>>>wifi-other-router-wired-vpn-to>>>>Internet

1 Like

very sorry for the confusion

I use this openwrt router A to connect to another router B

two APs in router A: AP1 and AP2

AP1: (I call it "captive")

  • router has access to the internet
  • clients do not have access to anything but router

AP2: (I call it "vpn")

  • vpn tunnel, clients must go through it

case 1: router B with captive portal (hotel)

  • I want to connect to A on wifi AP1 (or cable)
  • my pc must not have access to the internet
  • the router should have access to the internet
  • my pc: ssh -L 12345:captive.portal:80 root@A
  • my pc: log into the captive portal, the router has access now to the internet and the vpn is connecting

^ the steps above are done if I'm in a hotel with a captive portal (router B)

case 2: captive ok or no captive

  • when the vpn is connected, AP2 will give access to the internet to my pc

I can dump the rules and settings of my openwrt now
if I did not explain well I will draw a diagram

Understanding this as my pc: log into the captive portal of (router B-Hotel)?

Yes please dump rules // Your explanation is great!

1 Like

yes

the idea is to have one ap where I can't leak from the vpn
the other ap can only go through the vpn
no leaks are possible (??)

what command to dump the rules you need?

Let's start with these:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/firewall

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd81:dac4:4744::/48'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'
	option peerdns '0'
	list dns '8.8.8.8'
	list dns '8.8.4.4'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.44.1'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 0t'

config interface 'captive'
	option proto 'dhcp'
	option device 'eth1'

config interface 'wwan'
	option proto 'dhcp'

config interface 'vpntun'
	option proto 'none'
	option device 'tun0'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'pci0000:00/0000:00:00.0'
	option channel '36'
	option band '5g'
	option htmode 'VHT80'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option disabled '1'
	option ssid 'wifi'
	option isolate '1'
	option encryption 'sae-mixed'
	option key 'password'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/ahb/18100000.wmac'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option disabled '1'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'wifi2'
	option isolate '1'
	option encryption 'sae-mixed'
	option key 'password'

config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'sta'
	option network 'wwan'
	option ssid 'hotel'
	option encryption 'psk2'
	option key 'password'
	option disabled '1'

config wifi-iface 'wifinet3'
	option device 'radio0'
	option mode 'sta'
	option network 'wwan'
	option ssid 'myrouter'
	option encryption 'psk2'
	option key 'password'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'wwan'
	option input 'ACCEPT'
	option output 'ACCEPT'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

config include
	option path '/etc/firewall.user'

config zone
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'Captive'
	option name 'captivefw'

config forwarding
	option dest 'wan'
	option src 'captivefw'

config zone
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option input 'REJECT'
	option name 'vpnfw'

config forwarding
	option src 'lan'
	option dest 'vpnfw'


root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option localservice '1'
	option ednspacket_max '1232'
	option noresolv '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'captive'
	option interface 'captive'
	option ignore '1'
	list ra_flags 'none'

With this setup, inside the router (root@OpenWrt:~# wget http://myip) it shows the vpn correctly, but my pc can't connect to the internet. I think I also did not configure the wifi as I want it (AP1, AP2). I'm a bit lost.

I'm struggling with this and hampering our community member here not wrapping this up.

We need more experienced eyes on this so our @kultoyemlu can get back to living.

I've been on the bicycle, our friend is the pedestrian, and we both need the cavalry. @trendy that means you!

2 Likes

First of all, let me introduce you to travelmate.
Second, in cases of multiple uplinks it is often necessary to do policy based routing.
Third, interfaces captive and wan are both dhcp on the same interface, which messes things up. Keep one of them and prefer to use peerdns, as the hotspot might not let you query external resolvers.
Fourth, let's verify the routing:
ip -4 addr; ip -4 ro list table all; ip -4 ru

1 Like

  1. I could not get travelmate to work :frowning: with vpn and some captive portals.
  2. I never heard of policy based routing; I can not say my idea is good because I am learning openwrt, perhaps I make it too simple
  3. how?
  4. ok

root@OpenWrt:~# ip -4 addr; ip -4 ro list table all; ip -4 ru
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.44.1/24 brd 192.168.44.255 scope global br-lan
       valid_lft forever preferred_lft forever
9: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.24.173/24 brd 192.168.24.255 scope global wlan0
       valid_lft forever preferred_lft forever
13: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 500
    inet 10.5.0.2/16 scope global tun0
       valid_lft forever preferred_lft forever
0.0.0.0/1 via 10.5.0.1 dev tun0 
default via 192.168.24.1 dev wlan0  src 192.168.24.173 
10.5.0.0/16 dev tun0 scope link  src 10.5.0.2 
128.0.0.0/1 via 10.5.0.1 dev tun0 
216.52.64.164 via 192.168.24.1 dev wlan0 
192.168.44.0/24 dev br-lan scope link  src 192.168.44.1 
192.168.24.0/24 dev wlan0 scope link  src 192.168.24.173 
broadcast 10.5.0.0 dev tun0 table local scope link  src 10.5.0.2 
local 10.5.0.2 dev tun0 table local scope host  src 10.5.0.2 
broadcast 10.5.255.255 dev tun0 table local scope link  src 10.5.0.2 
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1 
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1 
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1 
broadcast 192.168.44.0 dev br-lan table local scope link  src 192.168.44.1 
local 192.168.44.1 dev br-lan table local scope host  src 192.168.44.1 
broadcast 192.168.44.255 dev br-lan table local scope link  src 192.168.44.1 
broadcast 192.168.24.0 dev wlan0 table local scope link  src 192.168.24.173 
local 192.168.24.173 dev wlan0 table local scope host  src 192.168.24.173 
broadcast 192.168.24.255 dev wlan0 table local scope link  src 192.168.24.173 
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default 

network

cat network 
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'
	option peerdns '0'
	list dns '8.8.4.4'
	list dns '8.8.8.8'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.44.1'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 0t'

config interface 'captive'
	option type 'bridge'
	option proto 'static'
	option device 'br-lan'
	option ipaddr '192.168.44.1'
	option netmask '255.255.255.0'

config interface 'wwan'
	option proto 'dhcp'

config interface 'vpntun'
	option proto 'none'
	option device 'tun0'
	option type 'bridge'

dhcp

cat dhcp 
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option localservice '1'
	option ednspacket_max '1232'
	option noresolv '1'
	list server '8.8.8.8'
	list server '8.8.4.4'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

firewall

cat firewall 
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'captivefw'
	list network 'wan'
	list network 'wan6'
	list network 'wwan'
	option input 'ACCEPT'
	option output 'ACCEPT'

config rule
	option name 'Captive-to-openwrt'
	option src 'captivefw'
	option target 'ACCEPT'
	list dest_ip '192.168.44.1'
	list proto 'all'

config rule
	option name 'Captive-to-outside-block'
	option src 'captivefw'
	option target 'REJECT'
	list proto 'all'
	option dest '*'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config zone
	option name 'captivefw'
	list network 'captive'
	list device 'wlan1-1'
	option input 'REJECT'
	option output 'REJECT'
	option forward 'REJECT'

config zone
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option input 'REJECT'
	option name 'vpnfw'
	list network 'vpntun'

config forwarding
	option src 'lan'
	option dest 'vpnfw'

wireless

cat wireless 
config wifi-device 'radio0'
	option type 'mac80211'
	option path 'pci0000:00/0000:00:00.0'
	option channel '36'
	option band '5g'
	option htmode 'VHT80'
	option cell_density '0'
	option country 'US'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'ap'
	option isolate '1'
	option encryption 'sae-mixed'
	option key 'pwpwpwpw'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/ahb/18100000.wmac'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option cell_density '0'
	option country 'US'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option mode 'ap'
	option ssid 'ap'
	option isolate '1'
	option encryption 'sae-mixed'
	option key 'pwpwpwpw'
	option network 'vpntun'

config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'sta'
	option network 'wwan'
	option ssid 'captive'
	option encryption 'psk2'
	option disabled '1'

config wifi-iface 'wifinet3'
	option device 'radio1'
	option mode 'ap'
	option ssid 'captive'
	option isolate '1'
	option network 'captive'
	option key 'pwpwpwpw'
	option encryption 'psk2'

  1. mwan3 package
  2. pbr package
  3. a set of rules/routes for each internet connection.
    Maybe in your case, a set of rule-route will be enough.

Now captive conflicts with lan. Just make it without ethernet port, only a wifi SSID.

Regarding routing, everything is sent to the tunnel, therefore make a rule that all traffic from the captive interface gets routed to wan.

sorry I must understand this more... you say it because

config interface 'lan'
	option device 'br-lan'
...
config interface 'captive'
	option device 'br-lan'

in luci if I edit captive and set device to "captive" AP, click save & apply, everything is reverted after 90 s :frowning:

with your example

config rule
	option in 'captive'
	option src '192.168.44.1/24'
	option lookup '100'

config route
	option interface 'vpntun'
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option metric '200'
	option table '100'

this redirects all traffic from captive 192.168.44.x to vpntun, correct?
I could use https://openwrt.org/docs/guide-user/network/routing/examples/routing_in_openvpn too

There is no device for captive other than the AP. This means there is no option device line in captive's definition in /etc/config/network, but there is option network captive in the captive AP definition in /etc/config/wireless.

The only way you're going to connect to captive is via wifi. Once you have captive set up (with the firewall allowing input), connect your PC to captive via wifi and do further changes that way. It should not end up locking out and reverting then.

2 Likes

No, in the rule don't use src, it is wrong anyway.
In the route you want to use interface wwan which will take you to the captive portal.
vpntun is used by default, so there is no need for policy routing.

I make changes with my connection over ethernet, why is captive on wifi necessary?
you are correct, also the luci interface errors with "no device"

I possibly need to read some things up. I don't have enough knowledge to understand what to do, can you send me some page? if I do not understand your comments I can not do a lot

ok, like this I can reach the other router, but all other addresses and all interfaces cannot reach any IP address but the router

config rule
	option in 'captive'
	option lookup '100'

config route
	option interface 'wwan'
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option metric '200'
	option table '100'

I must read on interfaces and networks too :slight_smile: I do not know what is happening

Which one is this?

This change affects only traffic from captive interface. The rest is routed as before.
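As an added example (not from the thread and not OpenWrt's own tooling), a small Python checker that replays the `ip -4 ro list table all; ip -4 ru` output posted above and walks the policy rules the way the kernel does, to confirm trendy's last point: lan traffic still exits through tun0 while traffic entering on the captive AP exits through wwan. The table-100 default route, the `iif wlan1-1` rule and the device name wlan1-1 are assumptions about what the final `config rule` / `config route` would produce.

```python
import ipaddress
import re

# Constructed sample: main/local-table lines from the thread's `ip -4 ro list table all`,
# plus one ASSUMED line for the route that `config route ... table '100'` adds
# (wwan is wlan0 in the dump). Local-table entries keep their "local" type prefix.
ROUTES = """\
0.0.0.0/1 via 10.5.0.1 dev tun0
default via 192.168.24.1 dev wlan0 src 192.168.24.173
10.5.0.0/16 dev tun0 scope link src 10.5.0.2
128.0.0.0/1 via 10.5.0.1 dev tun0
216.52.64.164 via 192.168.24.1 dev wlan0
192.168.44.0/24 dev br-lan scope link src 192.168.44.1
192.168.24.0/24 dev wlan0 scope link src 192.168.24.173
local 192.168.44.1 dev br-lan table local scope host src 192.168.44.1
local 192.168.24.173 dev wlan0 table local scope host src 192.168.24.173
default via 192.168.24.1 dev wlan0 table 100 metric 200
"""
# Constructed sample: `ip -4 ru` as posted, plus the ASSUMED rule that
# `option in 'captive'` creates for the captive AP device (assumed to be wlan1-1).
RULES = """\
0:\tfrom all lookup local
1000:\tfrom all iif wlan1-1 lookup 100
32766:\tfrom all lookup main
32767:\tfrom all lookup default
"""

ROUTE_TYPES = {"local", "broadcast", "unreachable", "prohibit", "blackhole"}

def parse_routes(text):
    """Turn `ip route` lines into (network, dev, table, metric) tuples."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] in ROUTE_TYPES:          # drop the route-type word
            tok = tok[1:]
        prefix = "0.0.0.0/0" if tok[0] == "default" else tok[0]
        opts = dict(zip(tok[1::2], tok[2::2]))   # via/dev/table/src/scope/metric pairs
        routes.append((ipaddress.ip_network(prefix), opts.get("dev"),
                       opts.get("table", "main"), int(opts.get("metric", 0))))
    return routes

def parse_rules(text):
    """Turn `ip rule` lines into (prio, iif, table) tuples, lowest prio first."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"(\d+):\s+from (\S+)(?: iif (\S+))? lookup (\S+)", line)
        if m:
            rules.append((int(m.group(1)), m.group(3), m.group(4)))
    return sorted(rules)

def egress_dev(dst, iif, routes, rules):
    """First rule whose table holds a match wins; inside a table longest prefix wins.
    Source-address selectors are ignored (every rule here is `from all`)."""
    dst = ipaddress.ip_address(dst)
    for _prio, rule_iif, table in rules:
        if rule_iif is not None and rule_iif != iif:
            continue
        matches = [r for r in routes if r[2] == table and dst in r[0]]
        if matches:
            best = max(matches, key=lambda r: (r[0].prefixlen, -r[3]))
            return best[1]
    return None

def leak_report(routes, rules, client_ifaces, probe="8.8.8.8"):
    """Exit device each client-facing interface would use for an internet probe."""
    return {i: egress_dev(probe, i, routes, rules) for i in client_ifaces}

if __name__ == "__main__":
    r, ru = parse_routes(ROUTES), parse_rules(RULES)
    for iface, dev in leak_report(r, ru, ["br-lan", "wlan1-1"]).items():
        print(f"{iface:8s} -> {dev}")   # br-lan -> tun0, wlan1-1 -> wlan0
```

Paste the real `ip -4 ro list table all` and `ip -4 ru` output from the router into ROUTES and RULES to check a live configuration instead of the sample.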