Router connected, pc can't access the internet

root@OpenWrt:~# ip ro; ip ru
0.0.0.0/1 via 10.5.0.1 dev tun0 
default via 192.168.24.1 dev wlan0  src 192.168.24.173 
10.5.0.0/16 dev tun0 scope link  src 10.5.0.11 
128.0.0.0/1 via 10.5.0.1 dev tun0 
216.52.64.164 via 192.168.24.1 dev wlan0 
192.168.12.0/24 dev br-lan scope link  src 192.168.12.1 
192.168.24.0/24 dev wlan0 scope link  src 192.168.24.173 
0:	from all lookup local 
1:	from all iif br-lan lookup 100 
32766:	from all lookup main 
32767:	from all lookup default 

lan is also broken (not connecting to anything)

the router my router is connected to, 192.168.24.1

I can start from 0 and use policy routing, I may have messed things up now

That is because you still didn't fix it when I told you to use it as wifi only

As long as you have a clear plan to follow.

sorry I do not know what it means in the other comment :sob:

You didn't ask for clarification though.
Create a new wifi SSID captive, assign it to network captive, then go to captive interface and remove the bridge and the br-lan interface. You'll be connecting to the captive interface only by wifi.

if captive is changed from:

  • br-lan device to unspecified

or

  • br-lan device to unspecified and static address to unmanaged

it always reverts
do I misunderstand?
on captive wifi and on lan it always reverts

Don't connect to the router from captive interface, or create a captive2 interface without wired port, bind it with the captive ssid, and use it to connect to the router and delete the captive interface.

ok with this change it is close to my idea
my idea is:

  • in "captive" AP, the client can connect only to my router
  • my router can connect to the other router (hotel)
  • in normal AP, all through the vpn

in captive, my device will tunnel through the router to connect to the captive portal and no leaks are possible because my pc can not connect directly to wwan

with your changes

root@OpenWrt:~# ip -4 ro list table all
default dev wlan0 table 100 proto static scope link metric 200 
default dev tun0 table 101 proto static scope link metric 200 
0.0.0.0/1 via 10.5.0.1 dev tun0 
default via 192.168.24.1 dev wlan0 proto static src 192.168.24.173 
10.5.0.0/16 dev tun0 proto kernel scope link src 10.5.0.6 
10.5.0.0/16 dev tun1 proto kernel scope link src 10.5.0.13 
128.0.0.0/1 via 10.5.0.1 dev tun0 
185.65.134.135 via 192.168.24.1 dev wlan0 
185.65.134.137 via 192.168.24.1 dev wlan0 
192.168.12.0/24 dev br-lan proto kernel scope link src 192.168.12.1 
192.168.24.0/24 dev wlan0 proto kernel scope link src 192.168.24.173 
broadcast 10.5.0.0 dev tun0 table local proto kernel scope link src 10.5.0.6 
broadcast 10.5.0.0 dev tun1 table local proto kernel scope link src 10.5.0.13 
local 10.5.0.6 dev tun0 table local proto kernel scope host src 10.5.0.6 
local 10.5.0.13 dev tun1 table local proto kernel scope host src 10.5.0.13 
broadcast 10.5.255.255 dev tun0 table local proto kernel scope link src 10.5.0.6 
broadcast 10.5.255.255 dev tun1 table local proto kernel scope link src 10.5.0.13 
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
broadcast 192.168.12.0 dev br-lan table local proto kernel scope link src 192.168.12.1 
local 192.168.12.1 dev br-lan table local proto kernel scope host src 192.168.12.1 
broadcast 192.168.12.255 dev br-lan table local proto kernel scope link src 192.168.12.1 
broadcast 192.168.24.0 dev wlan0 table local proto kernel scope link src 192.168.24.173 
local 192.168.24.173 dev wlan0 table local proto kernel scope host src 192.168.24.173 
broadcast 192.168.24.255 dev wlan0 table local proto kernel scope link src 192.168.24.173 
root@OpenWrt:~# cat /etc/config/network
...
config rule
	option in 'lan'
	option lookup '101'

config route
	option interface 'vpntun'
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option metric '200'
	option table '101'

config rule
	option in 'captive'
	option lookup '100'

config route
	option interface 'wwan'
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option metric '200'
	option table '100'

can you help me with the table 100?
I need: "all traffic inside captive can reach only openwrt and openwrt can reach wwan"

ok it works now!
I do not understand what this does still

config rule
	option in 'lan'
	option lookup '101'

config route
	option interface 'vpntun'
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option metric '200'
	option table '101'

please can you help me understand exactly what this does, I can not understand from the wiki page
it works but I want to understand

The first section directs traffic from the LAN to use a different (non-standard) routing table. The choice of 101 is an arbitrary number.

The second part actually builds table 101. There is only one entry needed-- the default route is the VPN.

Meanwhile the 'captive' zone continues to use the standard default table, where the default route is directly to the WAN-- directly to the upstream hotel network, not through the VPN.

3 Likes

this is the part I do not understand. does it mean: "every packet from lan goes through this route with table 101; table 101 does: every packet that matches 0.0.0.0/0 goes to vpntun"?
the second part I do not understand well

Routing is based on the destination IP in the packet. 0.0.0.0 is the default route, which means IP ranges unknown to the router, so by default they are assumed to be places on the Internet. These are forwarded to the Internet provider, which does have routes to the whole world. When you have a VPN service open, there are now two Internet providers, either direct or through the VPN.

1 Like
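
Added example (not posted by anyone in this thread): a small Python model of the rule-then-table lookup explained above, run over route lines copied from the `ip -4 ro list table all` output earlier in the thread. The rule list is constructed from the uci `config rule` sections, and `wlan1` as the device of the captive network is an assumption, since the thread does not show it.

```python
import ipaddress

# Route lines copied from the thread's `ip -4 ro list table all` output.
ROUTES = """\
default dev wlan0 table 100 proto static scope link metric 200
default dev tun0 table 101 proto static scope link metric 200
0.0.0.0/1 via 10.5.0.1 dev tun0
default via 192.168.24.1 dev wlan0 proto static src 192.168.24.173
128.0.0.0/1 via 10.5.0.1 dev tun0
192.168.12.0/24 dev br-lan proto kernel scope link src 192.168.12.1
192.168.24.0/24 dev wlan0 proto kernel scope link src 192.168.24.173
"""
# Constructed from the uci rules: (priority, incoming device, table).
# "wlan1" for the captive network is an assumed name; None means "from all".
RULES = [(1, "br-lan", "101"), (2, "wlan1", "100"), (32766, None, "main")]

def parse_routes(text):
    """Group routes by table as (network, device) pairs."""
    tables = {}
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] in ("local", "broadcast"):
            continue
        dst = "0.0.0.0/0" if f[0] == "default" else f[0]
        net = ipaddress.ip_network(dst, strict=False)
        table = f[f.index("table") + 1] if "table" in f else "main"
        tables.setdefault(table, []).append((net, f[f.index("dev") + 1]))
    return tables

def egress(tables, rules, iif, dst, down=()):
    """Return (table, device) used for a packet that entered on iif."""
    addr = ipaddress.ip_address(dst)
    for _prio, rule_iif, table in sorted(rules):
        if rule_iif not in (None, iif):
            continue
        # Longest prefix wins inside one table (metrics are ignored here).
        hits = [(n.prefixlen, d) for n, d in tables.get(table, [])
                if addr in n and d not in down]
        if hits:
            return table, max(hits)[1]
        # No usable route in this table: the lookup moves on to the next rule.
    return None, None

TABLES = parse_routes(ROUTES)
print("lan     ->", egress(TABLES, RULES, "br-lan", "1.1.1.1"))
print("captive ->", egress(TABLES, RULES, "wlan1", "1.1.1.1"))
print("lan, tun0 gone ->", egress(TABLES, RULES, "br-lan", "1.1.1.1", down=("tun0",)))
```

The third call shows that when table 101 has no usable route the lookup falls through to `main`, so it is the firewall forwarding rules, not the routing tables alone, that decide whether LAN traffic can leave via wlan0 while tun0 is absent.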