root@OpenWrt:~# ip ro; ip ru
0.0.0.0/1 via 10.5.0.1 dev tun0
default via 192.168.24.1 dev wlan0 src 192.168.24.173
10.5.0.0/16 dev tun0 scope link src 10.5.0.11
128.0.0.0/1 via 10.5.0.1 dev tun0
216.52.64.164 via 192.168.24.1 dev wlan0
192.168.12.0/24 dev br-lan scope link src 192.168.12.1
192.168.24.0/24 dev wlan0 scope link src 192.168.24.173
0: from all lookup local
1: from all iif br-lan lookup 100
32766: from all lookup main
32767: from all lookup default
lan is also broken (not connecting to anything)
the router my router is connected to, 192.168.24.1
I can start from 0 and use policy routing; I may have messed things up by now.
You didn't ask for clarification though.
Create a new wifi SSID captive, assign it to network captive, then go to captive interface and remove the bridge and the br-lan interface. You'll be connecting to the captive interface only by wifi.
Don't connect to the router from captive interface, or create a captive2 interface without wired port, bind it with the captive ssid, and use it to connect to the router and delete the captive interface.
OK, with this change it is close to my idea.
my idea is:
in "captive" AP, the client can connect only to my router
my router can connect to the other router (hotel)
in normal AP, all through the vpn
in captive, my device will tunnel through the router to connect to the captive portal and no leaks are possible because my PC cannot connect directly to wwan
with your changes
root@OpenWrt:~# ip -4 ro list table all
default dev wlan0 table 100 proto static scope link metric 200
default dev tun0 table 101 proto static scope link metric 200
0.0.0.0/1 via 10.5.0.1 dev tun0
default via 192.168.24.1 dev wlan0 proto static src 192.168.24.173
10.5.0.0/16 dev tun0 proto kernel scope link src 10.5.0.6
10.5.0.0/16 dev tun1 proto kernel scope link src 10.5.0.13
128.0.0.0/1 via 10.5.0.1 dev tun0
185.65.134.135 via 192.168.24.1 dev wlan0
185.65.134.137 via 192.168.24.1 dev wlan0
192.168.12.0/24 dev br-lan proto kernel scope link src 192.168.12.1
192.168.24.0/24 dev wlan0 proto kernel scope link src 192.168.24.173
broadcast 10.5.0.0 dev tun0 table local proto kernel scope link src 10.5.0.6
broadcast 10.5.0.0 dev tun1 table local proto kernel scope link src 10.5.0.13
local 10.5.0.6 dev tun0 table local proto kernel scope host src 10.5.0.6
local 10.5.0.13 dev tun1 table local proto kernel scope host src 10.5.0.13
broadcast 10.5.255.255 dev tun0 table local proto kernel scope link src 10.5.0.6
broadcast 10.5.255.255 dev tun1 table local proto kernel scope link src 10.5.0.13
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.12.0 dev br-lan table local proto kernel scope link src 192.168.12.1
local 192.168.12.1 dev br-lan table local proto kernel scope host src 192.168.12.1
broadcast 192.168.12.255 dev br-lan table local proto kernel scope link src 192.168.12.1
broadcast 192.168.24.0 dev wlan0 table local proto kernel scope link src 192.168.24.173
local 192.168.24.173 dev wlan0 table local proto kernel scope host src 192.168.24.173
broadcast 192.168.24.255 dev wlan0 table local proto kernel scope link src 192.168.24.173
root@OpenWrt:~# cat /etc/config/network
...
config rule
	option in 'lan'
	option lookup '101'

config route
	option interface 'vpntun'
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option metric '200'
	option table '101'

config rule
	option in 'captive'
	option lookup '100'

config route
	option interface 'wwan'
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option metric '200'
	option table '100'
Can you help me with table 100?
I need: "all traffic inside captive can reach only openwrt and openwrt can reach wwan"
The first section directs traffic from the LAN to use a different (non-standard) routing table. The choice of 101 is an arbitrary number.
The second part actually builds table 101. There is only one entry needed: the default route is the VPN.
Meanwhile the 'captive' zone continues to use the standard default table, where the default route is directly to the WAN, that is, directly to the upstream hotel network, not through the VPN.
This is the part I do not understand. Does it mean: "every packet from lan goes through this route with table 101; table 101 does: every packet that matches 0.0.0.0/0 goes to vpntun"?
The second part I do not understand well.
Routing is based on the destination IP in the packet. 0.0.0.0 is the default route, which means IP ranges unknown to the router, so by default they are assumed to be places on the Internet. These are forwarded to the Internet provider, which does have routes to the whole world. When you have a VPN service open, there are now two Internet providers, either direct or through the VPN.
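The explanation above (rule selects a table, the table matches on the destination, 0.0.0.0/0 catches everything not known, and the VPN becomes a second "provider") can be checked with a small model of the Linux lookup. The following is an added example written for this page, not code from the thread or from OpenWrt. The routes are copied from the `ip -4 ro list table all` output posted above; the interface name of the captive AP is not in the thread, so `wlan1` is an assumption. It also shows the one caveat the explanation leaves out: when tun0 disappears, the kernel removes every route on it, table 101 becomes empty, and the lookup falls through to main, which by then has a plain default via wlan0, so LAN traffic leaks to the hotel network. The `unreachable default metric 1000` route in table 101 is a common kill-switch addition (not something the thread configured) that keeps the table matching and blocks the fall-through.

```python
"""Model of Linux policy routing, loaded with the route tables from this thread.

Added example, not from the original post. Rules are walked in priority order;
the first table that contains a matching route decides. Within a table the
longest prefix wins, ties broken by the lowest metric. A table with no match
does NOT end the lookup: the kernel continues with the next rule.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: str                 # destination prefix, "0.0.0.0/0" is the default route
    dev: Optional[str]          # outgoing interface, None for an unreachable route
    via: Optional[str] = None   # gateway, None for link-scope routes
    metric: int = 0
    unreachable: bool = False   # "unreachable" route type: match, then drop with ICMP


@dataclass(frozen=True)
class Rule:
    prio: int
    table: str
    iif: Optional[str] = None   # None means "from all" (also matches the router itself)


def lookup_table(table: list[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match on the destination; None when the table has no match."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in ipaddress.ip_network(r.prefix)]
    if not matches:
        return None
    return max(matches, key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen, -r.metric))


def route_packet(rules: list[Rule], tables: dict[str, list[Route]], dst: str,
                 iif: Optional[str] = None) -> tuple[Optional[str], Optional[Route]]:
    """Return (table name, chosen route), or (None, None) if every rule fell through."""
    for rule in sorted(rules, key=lambda r: r.prio):
        if rule.iif is not None and rule.iif != iif:
            continue
        hit = lookup_table(tables.get(rule.table, []), dst)
        if hit is not None:
            return rule.table, hit
    return None, None


# Table main, as posted: OpenVPN's two /1 routes override the /0 default for
# everything except the VPN servers themselves (the two /32 host routes).
MAIN = [
    Route("0.0.0.0/1", "tun0", via="10.5.0.1"),
    Route("0.0.0.0/0", "wlan0", via="192.168.24.1"),
    Route("10.5.0.0/16", "tun0"),
    Route("128.0.0.0/1", "tun0", via="10.5.0.1"),
    Route("185.65.134.135/32", "wlan0", via="192.168.24.1"),
    Route("185.65.134.137/32", "wlan0", via="192.168.24.1"),
    Route("192.168.12.0/24", "br-lan"),
    Route("192.168.24.0/24", "wlan0"),
]
TABLE_101 = [Route("0.0.0.0/0", "tun0", metric=200)]    # LAN: everything into the VPN
TABLE_100 = [Route("0.0.0.0/0", "wlan0", metric=200)]   # captive: everything to the hotel
TABLES = {"main": MAIN, "101": TABLE_101, "100": TABLE_100}

CAPTIVE_IIF = "wlan1"   # ASSUMPTION: the captive AP's device name is not given in the thread
RULES = [Rule(1, "101", iif="br-lan"), Rule(2, "100", iif=CAPTIVE_IIF), Rule(32766, "main")]


def vpn_down_tables(kill_switch: bool) -> dict[str, list[Route]]:
    """Tables after tun0 goes away: the kernel deletes every route on that device.

    With kill_switch=True, table 101 also holds 'unreachable default metric 1000'
    (an addition, not in the thread's config); it is not tied to tun0, so it
    survives and keeps the table matching instead of falling through to main.
    """
    t101 = [Route("0.0.0.0/0", None, metric=1000, unreachable=True)] if kill_switch else []
    return {"main": [r for r in MAIN if r.dev != "tun0"], "101": t101, "100": TABLE_100}


if __name__ == "__main__":
    for label, tables, dst, iif in [
        ("LAN client to Internet (VPN up)", TABLES, "8.8.8.8", "br-lan"),
        ("captive client to Internet", TABLES, "8.8.8.8", CAPTIVE_IIF),
        ("router itself to Internet", TABLES, "8.8.8.8", None),
        ("router to its VPN server", TABLES, "185.65.134.135", None),
        ("LAN client, VPN down, no kill switch", vpn_down_tables(False), "8.8.8.8", "br-lan"),
        ("LAN client, VPN down, kill switch", vpn_down_tables(True), "8.8.8.8", "br-lan"),
    ]:
        print(f"{label}: {route_packet(RULES, tables, dst, iif)}")
```

Reading the results: the router's own traffic has no incoming interface, so it skips the `iif` rules and hits main, where `0.0.0.0/1` beats `0.0.0.0/0` by prefix length and goes into tun0; only the VPN servers' /32 routes leave via wlan0. A LAN client hits table 101 first and never consults main. Once tun0 is gone, that same LAN client falls through to main and exits via wlan0 unless table 101 still has a route that matches.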