Routing conflict between vlan and openvpn routing

Hi!

I am trying to set up my router (Netgear R7800) to isolate trusted devices, guest devices, and IoT devices. Trusted devices go through the classic internet connection, whereas guest and IoT device traffic goes through a VPN. The problem is that when the VPN connection is UP, I cannot ping a device on one VLAN from the other. When the VPN connection is down, the problem disappears.

From what I understand, the problem comes from the script that changes the route when the VPN connection goes up, but I cannot work out how to change it so that it doesn't impact inter-VLAN routing.

Any help would be very appreciated, thanks!

Here is my configuration:

/etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd0d:ade1:08ee::/48'

config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ifname 'eth1.1 eth1.21'
        option delegate '0'
        option ipaddr '192.168.21.1'

config interface 'wan'
        option proto 'dhcp'
        option ifname 'eth0.11'
        list dns '1.0.0.1'
        list dns '1.1.1.1'
        option peerdns '0'

config interface 'wan6'
        option proto 'dhcpv6'
        option ifname 'eth0.11'
        option reqaddress 'try'
        option reqprefix 'auto'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '21'
        option ports '0t 1 2 3 4 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option vid '11'
        option ports '0t 5 6t'

config interface 'guest'
        option proto 'static'
        option netmask '255.255.255.0'
        option type 'bridge'
        option ipaddr '192.168.101.1'
        option ifname 'eth1.101'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '0t 6t'
        option vid '101'

config interface 'wan_vpn'
        option ifname 'tun0'
        option proto 'none'
        option delegate '0'

config interface 'iotdevices'
        option proto 'static'
        option type 'bridge'
        option netmask '255.255.255.0'
        option ifname 'eth1.121'
        option ipaddr '192.168.121.1'

config switch_vlan
        option device 'switch0'
        option vlan '4'
        option ports '0t 6t'
        option vid '121'

config interface 'wan_vpn_ch'
        option ifname 'tun1'
        option proto 'none'
        option delegate '0'

/etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option output 'ACCEPT'
        option input 'ACCEPT'
        option log '1'
        option log_limit '10/second'
        option forward 'REJECT'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config zone
        option network 'guest'
        option name 'guest'
        option output 'ACCEPT'
        option input 'ACCEPT'
        option log '1'
        option log_limit '10/second'
        option forward 'REJECT'

config zone
        list network 'iotdevices'
        option output 'ACCEPT'
        option name 'iotdevices'
        option input 'ACCEPT'
        option log '1'
        option log_limit '10/second'
        option forward 'REJECT'

config rule
        option dest_port '67-68'
        option src 'guest'
        option target 'ACCEPT'
        option family 'ipv4'
        option name 'Allow-Guest-DHCPv4-Input'
        option src_port '67-68'
        list proto 'udp'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option log '1'
        option log_limit '10/second'
        option input 'REJECT'
        option forward 'REJECT'

config zone
        option name 'wan_vpn'
        option mtu_fix '1'
        option masq '1'
        option output 'ACCEPT'
        option network 'wan_vpn'
        option log '1'
        option log_limit '10/second'
        option input 'REJECT'
        option forward 'REJECT'

config forwarding
        option dest 'wan_vpn'
        option src 'guest'

config rule
        option src_port '67-68'
        option src 'iotdevices'
        option name 'Allow-Iotdevices-DHCPv4-Input'
        option target 'ACCEPT'
        option family 'ipv4'
        list proto 'udp'

config zone
        option name 'wan_vpn_ch'
        option mtu_fix '1'
        option masq '1'
        option output 'ACCEPT'
        list network 'wan_vpn_ch'
        option log '1'
        option log_limit '10/second'
        option input 'REJECT'
        option forward 'REJECT'

config forwarding
        option dest 'wan_vpn_ch'
        option src 'iotdevices'

config rule
        option src_port '80'
        option name 'HomeKit-Allow-Trusted-To-IOT-80'
        option target 'ACCEPT'
        option family 'ipv4'
        option dest_port '80'
        option dest 'iotdevices'
        list proto 'tcp'

config rule
        option src_port '443'
        option name 'HomeKit-Allow-Trusted-To-IOT-443'
        option dest 'iotdevices'
        option target 'ACCEPT'
        option dest_port '443'
        list proto 'tcp'
        option family 'ipv4'

config rule
        option dest_port '5353'
        list proto 'udp'
        option name 'HomeKit-Allow-MDNS'
        option dest '*'
        list dest_ip '224.0.0.251'
        option target 'ACCEPT'
        option family 'ipv4'
        option src '*'

config forwarding
        option dest 'iotdevices'
        option src 'lan'

I have 2 openvpn configurations. One for FR vpn, another for CH vpn.

fr.ovpn

...
route-up /etc/openvpn/routes-guest.sh
route-pre-down /etc/openvpn/routes-guest.sh
...

ch.ovpn

...
route-up /etc/openvpn/routes-iotdevices.sh
route-pre-down /etc/openvpn/routes-iotdevices.sh
...

/etc/openvpn/routes-guest.sh

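#!/usr/bin/env sh
# OpenVPN route hook for the "guest" policy-routing table.
# Called by OpenVPN (route-up / route-pre-down in fr.ovpn) with script_type,
# route_vpn_gateway and dev in the environment; it installs or removes the
# tunnel default route in table $table.
#
# NOTE(review): this table only ever receives the tunnel default route, and the
# "iif br-guest lookup guest" rule is consulted before main, so while the
# tunnel is up any packet arriving on br-guest for another local subnet
# (192.168.21.0/24, 192.168.121.0/24) is also sent into the tunnel instead of
# being routed locally — that looks like the inter-VLAN symptom; verify with
# `ip route get <lan-ip> from <guest-ip> iif br-guest`. Possible remedies are a
# `lookup main suppress_prefixlength 0` rule ahead of the per-interface rules,
# or copying the connected routes into this table — confirm which fits the
# intended zone policy before changing it.

table=guest

# Add or remove the tunnel default route in $table.
# $1 - "add" or "del"
# Globals read: route_vpn_gateway, dev (set by OpenVPN; aborts if missing),
#               table
# Returns: exit status of ip(8)
set_vpn_default() {
  # Values come from the environment OpenVPN builds; quoting keeps them from
  # being word-split or glob-expanded in the command line.
  ip route "$1" default via "${route_vpn_gateway:?}" dev "${dev:?}" \
    table "$table" proto static
}

# POSIX sh: "=" inside [ ] / case, not "==" (a bashism that dash rejects).
# ${script_type:-} keeps the dispatch silent when run outside OpenVPN.
case "${script_type:-}" in
  route-up) set_vpn_default add ;;
  route-pre-down) set_vpn_default del ;;
esac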

/etc/openvpn/routes-iotdevices.sh

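#!/usr/bin/env sh
# OpenVPN route hook for the "iotdevices" policy-routing table.
# Called by OpenVPN (route-up / route-pre-down in ch.ovpn) with script_type,
# route_vpn_gateway and dev in the environment; it installs or removes the
# tunnel default route in table $table.
#
# NOTE(review): this table only ever receives the tunnel default route, and the
# "iif br-iotdevices lookup iotdevices" rule is consulted before main, so while
# the tunnel is up any packet arriving on br-iotdevices for another local
# subnet (192.168.21.0/24, 192.168.101.0/24) is also sent into the tunnel
# instead of being routed locally — that looks like the inter-VLAN symptom;
# verify with `ip route get <lan-ip> from <iot-ip> iif br-iotdevices`. Possible
# remedies are a `lookup main suppress_prefixlength 0` rule ahead of the
# per-interface rules, or copying the connected routes into this table —
# confirm which fits the intended zone policy before changing it.

table=iotdevices

# Add or remove the tunnel default route in $table.
# $1 - "add" or "del"
# Globals read: route_vpn_gateway, dev (set by OpenVPN; aborts if missing),
#               table
# Returns: exit status of ip(8)
set_vpn_default() {
  # Values come from the environment OpenVPN builds; quoting keeps them from
  # being word-split or glob-expanded in the command line.
  ip route "$1" default via "${route_vpn_gateway:?}" dev "${dev:?}" \
    table "$table" proto static
}

# POSIX sh: "=" inside [ ] / case, not "==" (a bashism that dash rejects).
# ${script_type:-} keeps the dispatch silent when run outside OpenVPN.
case "${script_type:-}" in
  route-up) set_vpn_default add ;;
  route-pre-down) set_vpn_default del ;;
esac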

Output of `route` when no VPN is up:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         1.46.201.77.rev 0.0.0.0         UG    0      0        0 eth0.11
77.201.46.0     *               255.255.254.0   U     0      0        0 eth0.11
192.168.21.0    *               255.255.255.0   U     0      0        0 br-lan
192.168.101.0   *               255.255.255.0   U     0      0        0 br-guest
192.168.121.0   *               255.255.255.0   U     0      0        0 br-iotdevices

Output of `route` when the VPNs are up:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         1.46.201.77.rev 0.0.0.0         UG    0      0        0 eth0.11
10.17.0.0       *               255.255.0.0     U     0      0        0 tun1
10.19.0.0       *               255.255.0.0     U     0      0        0 tun0
77.201.46.0     *               255.255.254.0   U     0      0        0 eth0.11
192.168.21.0    *               255.255.255.0   U     0      0        0 br-lan
192.168.101.0   *               255.255.255.0   U     0      0        0 br-guest
192.168.121.0   *               255.255.255.0   U     0      0        0 br-iotdevices

Output of `ip rule` when the VPNs are up:

0:      from all lookup local 
32764:  from all iif br-iotdevices lookup iotdevices 
32765:  from all iif br-guest lookup guest 
32766:  from all lookup main 
32767:  from all lookup default 

Thank you so much!

