root@OpenWrt:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd81:dac4:4744::/48'
config interface 'wan'
option device 'eth1'
option proto 'dhcp'
option peerdns '0'
list dns '8.8.8.8'
list dns '8.8.4.4'
config interface 'wan6'
option device 'eth1'
option proto 'dhcpv6'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0.1'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.44.1'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '1 2 0t'
config interface 'captive'
option proto 'dhcp'
option device 'eth1'
config interface 'wwan'
option proto 'dhcp'
config interface 'vpntun'
option proto 'none'
option device 'tun0'
root@OpenWrt:~# cat /etc/config/wireless
config wifi-device 'radio0'
option type 'mac80211'
option path 'pci0000:00/0000:00:00.0'
option channel '36'
option band '5g'
option htmode 'VHT80'
option cell_density '0'
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option disabled '1'
option ssid 'wifi'
option isolate '1'
option encryption 'sae-mixed'
option key 'password'
config wifi-device 'radio1'
option type 'mac80211'
option path 'platform/ahb/18100000.wmac'
option channel '1'
option band '2g'
option htmode 'HT20'
option disabled '1'
option cell_density '0'
config wifi-iface 'default_radio1'
option device 'radio1'
option network 'lan'
option mode 'ap'
option ssid 'wifi2'
option isolate '1'
option encryption 'sae-mixed'
option key 'password'
config wifi-iface 'wifinet2'
option device 'radio0'
option mode 'sta'
option network 'wwan'
option ssid 'hotel'
option encryption 'psk2'
option key 'password'
option disabled '1'
config wifi-iface 'wifinet3'
option device 'radio0'
option mode 'sta'
option network 'wwan'
option ssid 'myrouter'
option encryption 'psk2'
option key 'password'
root@OpenWrt:~# cat /etc/config/firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wan'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
list network 'wwan'
option input 'ACCEPT'
option output 'ACCEPT'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled 'false'
config include
option path '/etc/firewall.user'
config zone
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'Captive'
option name 'captivefw'
config forwarding
option dest 'wan'
option src 'captivefw'
config zone
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option input 'REJECT'
option name 'vpnfw'
config forwarding
option src 'lan'
option dest 'vpnfw'
root@OpenWrt:~# cat /etc/config/dhcp
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option localservice '1'
option ednspacket_max '1232'
option noresolv '1'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config dhcp 'captive'
option interface 'captive'
option ignore '1'
list ra_flags 'none'
With this setup, from inside the router (`root@OpenWrt:~# wget http://myip`) it shows the VPN address correctly, but my PC can't connect to the internet. I also think I did not configure the wifi the way I want it (AP1, AP2). I'm a bit lost.
I'm struggling with this and hampering our community member here by not wrapping this up.
We need more experienced eyes on this so our @kultoyemlu can get back to living..
I've been on the bicycle, our friend is the pedestrian, and we both need the cavalry. @trendy that means you!
First of all, let me introduce you to travelmate.
Second, in cases of multiple uplinks it is often necessary to do policy based routing.
Third, the interfaces captive and wan are both DHCP clients on the same device (eth1), which messes things up. Keep only one of them, and prefer to use peerdns, as the hotspot might not let you query external resolvers.
Fourth, let's verify the routing:
ip -4 addr; ip -4 ro list table all; ip -4 ru
- I could not get travelmate to work with the VPN and some captive portals.
- I have never heard of policy-based routing; I can't say my idea is good because I am still learning OpenWrt, and perhaps I am making it too simple.
- how?
- ok
root@OpenWrt:~# ip -4 addr; ip -4 ro list table all; ip -4 ru
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
inet 192.168.44.1/24 brd 192.168.44.255 scope global br-lan
valid_lft forever preferred_lft forever
9: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
inet 192.168.24.173/24 brd 192.168.24.255 scope global wlan0
valid_lft forever preferred_lft forever
13: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 500
inet 10.5.0.2/16 scope global tun0
valid_lft forever preferred_lft forever
0.0.0.0/1 via 10.5.0.1 dev tun0
default via 192.168.24.1 dev wlan0 src 192.168.24.173
10.5.0.0/16 dev tun0 scope link src 10.5.0.2
128.0.0.0/1 via 10.5.0.1 dev tun0
216.52.64.164 via 192.168.24.1 dev wlan0
192.168.44.0/24 dev br-lan scope link src 192.168.44.1
192.168.24.0/24 dev wlan0 scope link src 192.168.24.173
broadcast 10.5.0.0 dev tun0 table local scope link src 10.5.0.2
local 10.5.0.2 dev tun0 table local scope host src 10.5.0.2
broadcast 10.5.255.255 dev tun0 table local scope link src 10.5.0.2
broadcast 127.0.0.0 dev lo table local scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host src 127.0.0.1
local 127.0.0.1 dev lo table local scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link src 127.0.0.1
broadcast 192.168.44.0 dev br-lan table local scope link src 192.168.44.1
local 192.168.44.1 dev br-lan table local scope host src 192.168.44.1
broadcast 192.168.44.255 dev br-lan table local scope link src 192.168.44.1
broadcast 192.168.24.0 dev wlan0 table local scope link src 192.168.24.173
local 192.168.24.173 dev wlan0 table local scope host src 192.168.24.173
broadcast 192.168.24.255 dev wlan0 table local scope link src 192.168.24.173
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
network
cat network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config interface 'wan'
option device 'eth1'
option proto 'dhcp'
option peerdns '0'
list dns '8.8.4.4'
list dns '8.8.8.8'
config interface 'wan6'
option device 'eth1'
option proto 'dhcpv6'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0.1'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.44.1'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '1 2 0t'
config interface 'captive'
option type 'bridge'
option proto 'static'
option device 'br-lan'
option ipaddr '192.168.44.1'
option netmask '255.255.255.0'
config interface 'wwan'
option proto 'dhcp'
config interface 'vpntun'
option proto 'none'
option device 'tun0'
option type 'bridge'
dhcp
cat dhcp
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option localservice '1'
option ednspacket_max '1232'
option noresolv '1'
list server '8.8.8.8'
list server '8.8.4.4'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
firewall
cat firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wan'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'captivefw'
list network 'wan'
list network 'wan6'
list network 'wwan'
option input 'ACCEPT'
option output 'ACCEPT'
config rule
option name 'Captive-to-openwrt'
option src 'captivefw'
option target 'ACCEPT'
list dest_ip '192.168.44.1'
list proto 'all'
config rule
option name 'Captive-to-outside-block'
option src 'captivefw'
option target 'REJECT'
list proto 'all'
option dest '*'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled '0'
config include
option path '/etc/firewall.user'
config zone
option name 'captivefw'
list network 'captive'
list device 'wlan1-1'
option input 'REJECT'
option output 'REJECT'
option forward 'REJECT'
config zone
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option input 'REJECT'
option name 'vpnfw'
list network 'vpntun'
config forwarding
option src 'lan'
option dest 'vpnfw'
wireless
cat wireless
config wifi-device 'radio0'
option type 'mac80211'
option path 'pci0000:00/0000:00:00.0'
option channel '36'
option band '5g'
option htmode 'VHT80'
option cell_density '0'
option country 'US'
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option ssid 'ap'
option isolate '1'
option encryption 'sae-mixed'
option key 'pwpwpwpw'
config wifi-device 'radio1'
option type 'mac80211'
option path 'platform/ahb/18100000.wmac'
option channel '1'
option band '2g'
option htmode 'HT20'
option cell_density '0'
option country 'US'
config wifi-iface 'default_radio1'
option device 'radio1'
option mode 'ap'
option ssid 'ap'
option isolate '1'
option encryption 'sae-mixed'
option key 'pwpwpwpw'
option network 'vpntun'
config wifi-iface 'wifinet2'
option device 'radio0'
option mode 'sta'
option network 'wwan'
option ssid 'captive'
option encryption 'psk2'
option disabled '1'
config wifi-iface 'wifinet3'
option device 'radio1'
option mode 'ap'
option ssid 'captive'
option isolate '1'
option network 'captive'
option key 'pwpwpwpw'
option encryption 'psk2'
- mwan3 package
- pbr package
- a set of rules/routes for each internet connection.
Maybe in your case a single rule/route pair will be enough.
Right now captive conflicts with lan: both interfaces are attached to br-lan with the same address 192.168.44.1/24. Just make captive without an ethernet port, as a wifi SSID only.
Regarding routing, everything is currently sent to the tunnel (the 0.0.0.0/1 and 128.0.0.0/1 routes via tun0), so add a rule that routes all traffic from the captive interface to wan.
Sorry, I need to understand this better... you say that because of:
config interface 'lan'
option device 'br-lan'
...
config interface 'captive'
option device 'br-lan'
In LuCI, if I edit captive and set its device to the "captive" AP, then click Save & Apply, everything is reverted after 90 s.
With your example:
config rule
option in 'captive'
option src '192.168.44.1/24'
option lookup '100'
config route
option interface 'vpntun'
option target '0.0.0.0'
option netmask '0.0.0.0'
option metric '200'
option table '100'
This redirects all traffic from captive (192.168.44.x) to vpntun, correct?
I could also use https://openwrt.org/docs/guide-user/network/routing/examples/routing_in_openvpn
There is no device for captive other than the AP. This means there is no `option device` line in captive's definition in /etc/config/network, but there is an `option network 'captive'` line in the captive AP definition in /etc/config/wireless.
The only way you're going to connect to captive is via wifi. Once you have captive set up (with the firewall zone allowing input), connect your PC to captive via wifi and make further changes that way. It should not lock you out and revert then.
No, in the rule don't use `src`; it is wrong anyway.
In the route you want to use interface wwan, which will take you to the captive portal.
vpntun is used by default, so there is no need for policy routing.
I make my changes while connected over ethernet; why is it necessary for captive to be on wifi?
You are correct; the LuCI interface also errors with "no device".
I probably need to read some things up. I don't have enough knowledge to understand what to do; can you point me to a page? If I do not understand your comments, I can't do much.
OK, like this I can reach the other router, but all other addresses are unreachable: on every interface, nothing but the router can be reached.
config rule
option in 'captive'
option lookup '100'
config route
option interface 'wwan'
option target '0.0.0.0'
option netmask '0.0.0.0'
option metric '200'
option table '100'
I must also read up on interfaces and networks; I do not know what is happening.
Which one is this?
This change affects only traffic from the captive interface. The rest is routed as before.
root@OpenWrt:~# ip ro; ip ru
0.0.0.0/1 via 10.5.0.1 dev tun0
default via 192.168.24.1 dev wlan0 src 192.168.24.173
10.5.0.0/16 dev tun0 scope link src 10.5.0.11
128.0.0.0/1 via 10.5.0.1 dev tun0
216.52.64.164 via 192.168.24.1 dev wlan0
192.168.12.0/24 dev br-lan scope link src 192.168.12.1
192.168.24.0/24 dev wlan0 scope link src 192.168.24.173
0: from all lookup local
1: from all iif br-lan lookup 100
32766: from all lookup main
32767: from all lookup default
lan is also broken (not connecting to anything)
The router that my router is connected to is 192.168.24.1.
I can start from zero and use policy routing; I may have messed things up by now.
That is because you still didn't fix it when I told you to make captive wifi-only: captive is still on br-lan, so the rule `from all iif br-lan lookup 100` catches lan's traffic too and sends it through table 100.
As long as you have a clear plan to follow.
Sorry, I do not know what that means in the other comment.
You didn't ask for clarification, though.
Create a new wifi SSID `captive`, assign it to the network `captive`, then go to the captive interface and remove the bridge and the br-lan device. You'll be connecting to the captive interface only by wifi.
If captive is changed from:
- device br-lan to unspecified, or
- device br-lan to unspecified and protocol static to unmanaged,
it always reverts.
Do I misunderstand?
Whether I am on the captive wifi or on lan, it always reverts.
Don't connect to the router from the captive interface. Alternatively, create a captive2 interface without a wired port, bind it to the captive SSID, use it to connect to the router, and delete the captive interface.