Second LAN will not respond

Hi all,

I have successfully got my Openwrt router working with a first LAN running over an OpenVPN interface. I am now looking to set up a second LAN to run alongside the first that will eventually be the OpenVPN network, leaving the original network to access the internet uninterrupted.

I have read all I can find. I have followed other people's issues and solutions and tried to apply them to my situation, and I have spent many happy hours changing settings on the router and then the network on my Mac, but no matter what I do, I cannot get my second LAN to work. I am clearly doing something wrong but just cannot find out what.

The Openwrt router has a fixed WAN on 192.168.1.10.
The br-LAN (LAN 1) runs a network of 10.0.0.0 with interface set to 10.0.0.1.
The second br-LAN (LAN 2) runs a network of 10.0.5.0 with interface set to 10.0.5.1.
DHCP is enabled on both (although I have also tried with DHCP off on LAN 2).
Firewalls are set up and the switch is set so that LAN 2 is tagged to eth0 and the same port as LAN 1 (see image).

Not sure what else to show you, but every time I change my Mac from 10.0.0.50 to 10.0.5.50 I lose access to all networks.

Can anyone help? I will upload whatever information you need to see.

Thanks,

Geoff

But you have connected LAN4 with WAN in VLAN3? Are you sure about that connection?

You need to see the difference between interface, VLAN and port (LAN/WAN on this device).
You can't have two interfaces called LAN; the 'br-' isn't a part of the interface name but a system addon that shows you have activated bridge mode in the interface.

I can't see this in the picture!? There is no connection at all in the switch as you describe. But with LAN 1 and LAN 2 you must mean VLAN1 and VLAN2, because LANx can't be tagged to eth0?

The config files for network and firewall show a lot of info for this problem.

https://openwrt.org/docs/guide-user/network/wifi/guestwifi/configuration_webinterface
This is a good guide to make a parallel interface that works, originally it is for a wireless guest network but you can use it for basic guidelines.

https://openwrt.org/docs/guide-user/network/vlan/switch_configuration
And here are some info on the VLAN setup for the switch.

Yes I noticed that later and have changed it to off. Still no connection.

Sorry this is my error of semantics. The first network defaulted to lan, the second I named differently as lan_fr.

Sorry again. I should have used the correct notation. VLAN 1 = lan. VLAN 2 = WAN. VLAN 3 = lan_fr.

VLAN 3 is tagged to eth0 and port 4 (the same that VLAN 1 is tagged to). WAN is now set to off.

Thanks for all your input flygarn12. I will look at these files and see if I can see anything and will post if I cannot work it out myself.

Also thanks for the links, although I have read through all the documentation already. I will review it again as I am slowly beginning to understand how this works, but I am finding the concept of tagging and bridging (and routers in general!) a bit confusing.

Geoff

As mentioned before in this forum in many threads:
we can't usually read minds. If you want help it will be a lot easier if you provide actual, true information,
and information that is current throughout the system.

You need to do Policy Based Routing and you have 3 options:

  1. mwan3 package
  2. pbr package
  3. a set of rules/routes for each internet connection.

That is because you want to route packets based on the source address and not on the destination.

When you tag packets on an external port (lan4), the device at the other end of the cable needs to be able to understand tagged packets. So that is typically done only for router to router "trunk cable" interconnections.

What you should do instead is turn lan4 off in vlan 1 and make it untagged in vlan 3. Now eth0.3 can link to an ordinary endpoint device such as a laptop plugged into the lan4 port. The other three lan ports will continue to work as before and connect to the first lan network on eth0.1.

Also undo what you did in wan, you don't have to change anything about the wan.


Wow. Did that and lost connection with everything. I think my fiddling with the firewall was the prime candidate!

Despite all my efforts I could not get the system to work again so have reset the router and started again from fresh. I also want to do a diagram to go with my description to help clarify what I am trying to achieve but this will take a little time. I will get back here eventually.

A quick question though to help my rebuild. Is it possible to run two separate network LAN schemes (10.0.0.0 and 10.0.10.0) through a single router port where one is directed to the WAN directly and the other is directed to the WAN via an OpenVPN server? Or is it better to run a single network scheme and manage access to the OpenVPN server by managing the IP addressing in the one LAN (I have not even tried to look at this yet but noticed a solution similar to mine on the forum)?

My problem is that I only have one mesh network to distribute the wifi signal around the house. Any more technological items on the kitchen shelf will definitely lead to a divorce!

If both will work, what is the easiest to set up and manage?

Appreciate your continued help.

G

Easy, go to IKEA and buy a book shelf wide enough to fit a 19” rack mount inside and remember to buy a door also for the book shelf. Your wife will never know what you have inside the book shelf.

Billy book shelf works with 10” racks!


Ikea LACK FTW, no door though.


trendy, I have installed mwan3 but have not been able to find an example of setting up policy based routes. Is there a link you can share with me to read through?

G

pbr might have been easier to use.
You need to create a rule to use the vpn interface when the source address belongs to the second lan.
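As an added illustration (not code from this thread or from the pbr/vpn-policy-routing package), the Python model below walks through what Trendy describes: the mangle rule marks packets by source address, the fwmark ip rule picks a routing table, and everything unmarked falls back to the main table. The mark values, table names and routes are copied from the support output Geoff posts later in the thread; the 10.0.5.0/24 policy (the "second LAN" rule), the 128.0.0.0/1 half of the redirect-gateway pair and the destination addresses are assumptions.

```python
import ipaddress

# Constructed model of the vpn-policy-routing layout in the support output
# later in the thread. Only the marks, tables and routes come from that output;
# the 10.0.5.0/24 policy is the "second LAN" rule Trendy suggests (assumed).
MARK_MASK = 0xFF0000
POLICIES = [  # VPR_PREROUTING: first matching source sets the fwmark
    (ipaddress.ip_network("10.0.0.50/32"), 0x20000),  # policy 'JCP' -> KodiVPN
    (ipaddress.ip_network("10.0.5.0/24"), 0x20000),   # assumed second-LAN policy
]
IP_RULES = [  # "from all fwmark X/0xff0000 lookup <table>"
    (0x20000, "KodiVPN"),  # priority 999
    (0x10000, "wan"),      # priority 1000
]
TABLES = {  # tables 201 (wan) and 202 (KodiVPN) from the support output
    "wan":     [("0.0.0.0/0", "eth0.2"), ("10.0.0.0/24", "br-lan")],
    "KodiVPN": [("0.0.0.0/0", "tun0"),   ("10.0.0.0/24", "br-lan")],
}
# Main table with OpenVPN's redirect-gateway in effect: the pushed /1 routes
# are more specific than the real default, so unmarked traffic leaves via tun0.
# (The output shows the 0.0.0.0/1 half; 128.0.0.0/1 is its usual twin, assumed.)
MAIN_REDIRECTED = [("0.0.0.0/0", "eth0.2"), ("0.0.0.0/1", "tun0"),
                   ("128.0.0.0/1", "tun0"), ("10.0.0.0/24", "br-lan")]
# Main table after "--pull-filter ignore redirect-gateway": default stays on WAN.
MAIN_PLAIN = [("0.0.0.0/0", "eth0.2"), ("10.0.0.0/24", "br-lan")]


def mark_packet(src):
    """Return the fwmark the mangle PREROUTING chain would set (0 if none)."""
    addr = ipaddress.ip_address(src)
    for net, mark in POLICIES:
        if addr in net:
            return mark
    return 0


def lookup(table, dst):
    """Longest-prefix match in one routing table; returns the egress device."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, dev in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def egress(src, dst, main_table):
    """ip rule walk: a matching fwmark rule selects its table, else main."""
    mark = mark_packet(src)
    for rule_mark, table in IP_RULES:
        if (mark & MARK_MASK) == rule_mark:
            dev = lookup(TABLES[table], dst)
            if dev:  # an empty table would fall through to the next rule
                return dev
    return lookup(main_table, dst)
```

Compare egress("10.0.0.40", "198.51.100.7", MAIN_REDIRECTED) with the same call on MAIN_PLAIN to see why the pull-filter changed the gateway for unmarked hosts while the marked host stayed on tun0.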

OK. I will look at pbr as well. Thank you.

G

UPDATE

Thanks Trendy.

Took some time to realise that pbr was not the software package name! Have now installed luci-app-vpn-policy-routing and vpn-policy-routing. I then installed my VPN (which is private on my own server) but could not get the PBR to work by following the changes to the config files recommended in the README file. So I removed them all and went back to my original setting and rebooted the router and suddenly it was working. With one or two issues.

I left the default gateway as the VPN. Then on my MacBook Air (connected over wifi) I set a PBR rule for its IP to go direct to WAN and it worked. I can switch from interface WAN to interface VPN and see the external IP of the machine change from my ISP to my private server and back. However, when I am on the WAN, I can contact whatsmyip.org, but when I swap to VPN I cannot get a response. It just refuses the connection. I assume this is a VPN setting issue? Interestingly, if I use whatismyip.com, I get responses from both WAN and VPN, which is why I can see the IP changing. Is there a reason for this behaviour with whatsmyip.org that I can change?

I then disabled the gateway forwarding by adding "--pull-filter ignore redirect-gateway" to my VPN client configuration (in the VPN settings of LUCI) and after stopping and starting the VPN, and restarting the PBR service, the gateway changed to the WAN. I was able to set the interface on the MacBookAir to either WAN or VPN and see the external IP address change.

I then added the IP addresses I want to go over the VPN and all was working as I wanted. Then I rebooted and something must have been lost in the reboot because now the PBR appears to be stopping access over the VPN. I have had to comment out the gateway override in the client configuration to get the VPN working again.

I suspect it is something in the config files so back to reviewing them to see if I can find it. It must also be what is preventing me accessing whatsmyip.org. If I cannot work it out, I will post the relevant files here for help.

G

Verify that the nameserver you are using when connected via VPN can resolve the correct IP. It might also be the case that the IP of your VPS is blacklisted.
Post also the uci export vpn-policy-routing; /etc/init.d/vpn-policy-routing status

Hi Trendy and thanks for the response.

[NB:- In working through your request for information it seems the system has settled down and is now working properly. I have added the data you wanted just in case but I think it is wasting your time to review it now. I have on occasions had ISP issues requiring a reboot of the ISP router (as mentioned below) and this may have been the cause of the problem. Also please note my comment on status v support option for the second part of your command.]

Not blacklisted (regularly checked through MXToolbox service).

Not sure how to verify the Nameserver can resolve the IP. Is this a dig command? Can you give me a format to use?

VPN SETUP

Router rebooted and services checked. In this setting, I can swap the machine from VPN to WAN and back. In WAN whatsmyip.org works. In VPN whatsmyip.org works.

uci export vpn-policy-routing; /etc/init.d/vpn-policy-routing XstatusX support
(status would not run so I assumed you wanted the support option)


root@OCD:~# uci export vpn-policy-routing; /etc/init.d/vpn-policy-routing support
package vpn-policy-routing

config vpn-policy-routing 'config'
	option verbosity '2'
	option strict_enforcement '1'
	option src_ipset '0'
	option dest_ipset '0'
	option resolver_ipset 'dnsmasq.ipset'
	option ipv6_enabled '0'
	list ignored_interface 'vpnserver wgserver'
	option boot_timeout '30'
	option iptables_rule_option 'append'
	option procd_reload_delay '1'
	option webui_protocol_column '0'
	option webui_show_ignore_target '0'
	option webui_sorting '1'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'
	list webui_supported_protocol 'all'
	option enabled '1'
	option webui_enable_column '1'
	option webui_chain_column '1'

config include
	option path '/etc/vpn-policy-routing.netflix.user'
	option enabled '0'

config include
	option path '/etc/vpn-policy-routing.aws.user'
	option enabled '0'

config policy
	option name 'JCP'
	option src_addr '10.0.0.50'
	option interface 'KodiVPN'

vpn-policy-routing 0.3.2-20 running on OpenWrt 19.07.7.
============================================================
Dnsmasq version 2.80  Copyright (c) 2000-2018 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-auth no-nettlehash no-DNSSEC no-ID loop-detect inotify dumpfile
============================================================
Routes/IP Rules
default         10.8.0.1        128.0.0.0       UG    0      0        0 tun0
default         192.168.1.1     0.0.0.0         UG    0      0        0 eth0.2

IPv4 Table 201: default via 192.168.1.1 dev eth0.2 
10.0.0.0/24 dev br-lan proto kernel scope link src 10.0.0.1 
IPv4 Table 201 Rules:
1000:	from all fwmark 0x10000/0xff0000 lookup wan 

IPv4 Table 202: default via 10.8.0.2 dev tun0 
10.0.0.0/24 dev br-lan proto kernel scope link src 10.0.0.1 
IPv4 Table 202 Rules:
999:	from all fwmark 0x20000/0xff0000 lookup KodiVPN 

IPv4 Table 203: 
IPv4 Table 203 Rules:

IPv4 Table 204: 
IPv4 Table 204 Rules:

IPv4 Table 205: 
IPv4 Table 205 Rules:
============================================================
Mangle IP Table: PREROUTING
-N VPR_PREROUTING
-A VPR_PREROUTING -s 10.0.0.50/32 -m comment --comment JCP -c 1210 214286 -g VPR_MARK0x020000
============================================================
Mangle IP Table MARK Chain: VPR_MARK0x010000
-N VPR_MARK0x010000
-A VPR_MARK0x010000 -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_MARK0x010000 -c 0 0 -j RETURN
============================================================
Mangle IP Table MARK Chain: VPR_MARK0x020000
-N VPR_MARK0x020000
-A VPR_MARK0x020000 -c 1226 216475 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_MARK0x020000 -c 1226 216475 -j RETURN
============================================================
Current ipsets
create mwan3_connected_v4 hash:net family inet hashsize 1024 maxelem 65536
add mwan3_connected_v4 10.8.0.0/24
add mwan3_connected_v4 128.0.0.0/1
add mwan3_connected_v4 224.0.0.0/3
add mwan3_connected_v4 10.0.0.0/24
add mwan3_connected_v4 192.168.1.0/24
add mwan3_connected_v4 127.0.0.0/8
add mwan3_connected_v4 0.0.0.0/1
create mwan3_connected_v6 hash:net family inet6 hashsize 1024 maxelem 65536
add mwan3_connected_v6 fe80::/64
add mwan3_connected_v6 fd8b:8839:917f::/64
create mwan3_source_v6 hash:net family inet6 hashsize 1024 maxelem 65536
add mwan3_source_v6 fd8b:8839:917f::1
create mwan3_dynamic_v4 hash:net family inet hashsize 1024 maxelem 65536
create mwan3_dynamic_v6 hash:net family inet6 hashsize 1024 maxelem 65536
create mwan3_custom_v4 hash:net family inet hashsize 1024 maxelem 65536
create mwan3_custom_v6 hash:net family inet6 hashsize 1024 maxelem 65536
create mwan3_sticky_v4_https hash:ip,mark family inet markmask 0x00003f00 hashsize 1024 maxelem 65536 timeout 600
add mwan3_sticky_v4_https 10.0.0.50,0x00000100 timeout 470
add mwan3_sticky_v4_https 10.0.0.40,0x00000100 timeout 470
create mwan3_sticky_v6_https hash:ip,mark family inet6 markmask 0x00003f00 hashsize 1024 maxelem 65536 timeout 600
create mwan3_connected list:set size 8
add mwan3_connected mwan3_connected_v4
add mwan3_connected mwan3_connected_v6
add mwan3_connected mwan3_dynamic_v4
add mwan3_connected mwan3_dynamic_v6
add mwan3_connected mwan3_custom_v4
add mwan3_connected mwan3_custom_v6
create mwan3_sticky_https list:set size 8
add mwan3_sticky_https mwan3_sticky_v4_https
add mwan3_sticky_https mwan3_sticky_v6_https
============================================================
Your support details have been logged to '/var/vpn-policy-routing-support'. [✓]
root@OCD:~#

WAN SETUP ("--pull-filter ignore redirect-gateway" uncommented to ignore VPN)

Router rebooted and services checked. In this configuration, the VPN service does not start automatically and I have to start it manually. For some reason today I can swap the machine from VPN to WAN without any problems. In WAN whatsmyip.org works. In VPN whatsmyip.org works. Perhaps it was a temporary issue on the network (I sometimes get ISP issues and have to reboot the ISP router, so that is a possibility).

uci export vpn-policy-routing; /etc/init.d/vpn-policy-routing support


root@OCD:~# uci export vpn-policy-routing; /etc/init.d/vpn-policy-routing support
package vpn-policy-routing

config vpn-policy-routing 'config'
	option verbosity '2'
	option strict_enforcement '1'
	option src_ipset '0'
	option dest_ipset '0'
	option resolver_ipset 'dnsmasq.ipset'
	option ipv6_enabled '0'
	list ignored_interface 'vpnserver wgserver'
	option boot_timeout '30'
	option iptables_rule_option 'append'
	option procd_reload_delay '1'
	option webui_protocol_column '0'
	option webui_show_ignore_target '0'
	option webui_sorting '1'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'
	list webui_supported_protocol 'all'
	option enabled '1'
	option webui_enable_column '1'
	option webui_chain_column '1'

config include
	option path '/etc/vpn-policy-routing.netflix.user'
	option enabled '0'

config include
	option path '/etc/vpn-policy-routing.aws.user'
	option enabled '0'

config policy
	option name 'JCP'
	option src_addr '10.0.0.50'
	option interface 'KodiVPN'

vpn-policy-routing 0.3.2-20 running on OpenWrt 19.07.7.
============================================================
Dnsmasq version 2.80  Copyright (c) 2000-2018 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-auth no-nettlehash no-DNSSEC no-ID loop-detect inotify dumpfile
============================================================
Routes/IP Rules
default         192.168.1.1     0.0.0.0         UG    0      0        0 eth0.2

IPv4 Table 201: default via 192.168.1.1 dev eth0.2 
10.0.0.0/24 dev br-lan proto kernel scope link src 10.0.0.1 
IPv4 Table 201 Rules:
992:	from all fwmark 0x10000/0xff0000 lookup wan 

IPv4 Table 202: default via 10.8.0.2 dev tun0 
10.0.0.0/24 dev br-lan proto kernel scope link src 10.0.0.1 
IPv4 Table 202 Rules:
991:	from all fwmark 0x20000/0xff0000 lookup KodiVPN 

IPv4 Table 203: 
IPv4 Table 203 Rules:

IPv4 Table 204: 
IPv4 Table 204 Rules:

IPv4 Table 205: 
IPv4 Table 205 Rules:
============================================================
Mangle IP Table: PREROUTING
-N VPR_PREROUTING
-A VPR_PREROUTING -s 10.0.0.50/32 -m comment --comment JCP -c 490 64970 -g VPR_MARK0x020000
============================================================
Mangle IP Table MARK Chain: VPR_MARK0x010000
-N VPR_MARK0x010000
-A VPR_MARK0x010000 -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_MARK0x010000 -c 0 0 -j RETURN
============================================================
Mangle IP Table MARK Chain: VPR_MARK0x020000
-N VPR_MARK0x020000
-A VPR_MARK0x020000 -c 490 64970 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_MARK0x020000 -c 490 64970 -j RETURN
============================================================
Current ipsets
create mwan3_connected_v4 hash:net family inet hashsize 1024 maxelem 65536
add mwan3_connected_v4 10.8.0.0/24
add mwan3_connected_v4 127.0.0.0/8
add mwan3_connected_v4 192.168.1.0/24
add mwan3_connected_v4 10.0.0.0/24
add mwan3_connected_v4 224.0.0.0/3
create mwan3_connected_v6 hash:net family inet6 hashsize 1024 maxelem 65536
add mwan3_connected_v6 fd8b:8839:917f::/64
add mwan3_connected_v6 fe80::/64
create mwan3_source_v6 hash:net family inet6 hashsize 1024 maxelem 65536
add mwan3_source_v6 fd8b:8839:917f::1
create mwan3_dynamic_v4 hash:net family inet hashsize 1024 maxelem 65536
create mwan3_dynamic_v6 hash:net family inet6 hashsize 1024 maxelem 65536
create mwan3_custom_v4 hash:net family inet hashsize 1024 maxelem 65536
create mwan3_custom_v6 hash:net family inet6 hashsize 1024 maxelem 65536
create mwan3_sticky_v4_https hash:ip,mark family inet markmask 0x00003f00 hashsize 1024 maxelem 65536 timeout 600
add mwan3_sticky_v4_https 10.0.0.14,0x00000100 timeout 352
add mwan3_sticky_v4_https 10.0.0.15,0x00000100 timeout 369
add mwan3_sticky_v4_https 10.0.0.50,0x00000100 timeout 591
add mwan3_sticky_v4_https 10.0.0.45,0x00000100 timeout 558
add mwan3_sticky_v4_https 10.8.0.2,0x00000100 timeout 598
add mwan3_sticky_v4_https 10.0.0.95,0x00000100 timeout 487
add mwan3_sticky_v4_https 10.0.0.40,0x00000100 timeout 599
add mwan3_sticky_v4_https 192.168.1.10,0x00000100 timeout 598
add mwan3_sticky_v4_https 10.0.0.12,0x00000100 timeout 376
create mwan3_sticky_v6_https hash:ip,mark family inet6 markmask 0x00003f00 hashsize 1024 maxelem 65536 timeout 600
create mwan3_connected list:set size 8
add mwan3_connected mwan3_connected_v4
add mwan3_connected mwan3_connected_v6
add mwan3_connected mwan3_dynamic_v4
add mwan3_connected mwan3_dynamic_v6
add mwan3_connected mwan3_custom_v4
add mwan3_connected mwan3_custom_v6
create mwan3_sticky_https list:set size 8
add mwan3_sticky_https mwan3_sticky_v4_https
add mwan3_sticky_https mwan3_sticky_v6_https
============================================================
Your support details have been logged to '/var/vpn-policy-routing-support'. [✓]
root@OCD:~#

It seems all is now working fine and I am sorry if I have wasted your time on this. My thanks again for your help and support.