https://openwrt.org/docs/guide-user/network/wifi/guestwifi/configuration_webinterface
This is a good guide to make a parallel interface that works, originally it is for a wireless guest network but you can use it for basic guidelines.
https://openwrt.org/docs/guide-user/network/vlan/switch_configuration
And here are some info on the VLAN setup for the switch.
Yes I noticed that later and have changed it to off. Still no connection.
Sorry this is my error of semantics. The first network defaulted to lan, the second I named differently as lan_fr.
Sorry again. I should have used the correct notation. VLAN 1 = lan. VLAN 2 = WAN. VLAN 3 = lan_fr.
VLAN 3 is tagged to eth0 and port 4 (the same that VLAN 1 is tagged to). WAN is now set to off.
Thanks for all your input flygarn12. I will look at these files and see if I can see anything and will post if I cannot work it out myself.
Also for the links although I have read through all the documentation already. I will review it again as I am slowly beginning to understand how this works but I am finding the concept of tagging and bridging (an routers in general!) a bit confusing.
Geoff
As mentioned before in this forum in many treads.
We can’t usually read minds. If you want help it will be a lot easier if you provide actual true information.
And information that is current throughout the system.
You need to do Policy Based Routing and you have 3 options:
That is because you want to route packets based on the source address and not on the destination.
When you tag packets on an external port (lan4), the device at the other end of the cable needs to be able to understand tagged packets. So that is typically done only for router to router "trunk cable" interconnections.
What you should do instead is turn lan4 off in vlan 1 and make it untagged in vlan 3. Now eth0.3 can link to an ordinary endpoint device such as a laptop plugged into the lan4 port. The other three lan ports will continue to work as before and connect to the first lan network on eth0.1.
Also undo what you did in wan, you don't have to change anything about the wan.
Wow. Did that and lost connection with everything. I think my fiddling with the firewall was the prime candidate!
Despite all my efforts I could not get the system to work again so have reset the router and started again from fresh. I also want to do a diagram to go with my description to help clarify what I am trying to achieve but this will take a little time. I will get back here eventually.
A quick question though to help my rebuild. Is it possible to run two separate network LAN schemes (10.0.0.0 and 10.0.10.0) through a single router port where one is directed to the WAN directly and the other is directed to the WAN via and OpenVPN server? Or is it better to run a single network scheme and manage access to the OpenVPN server by managing the IP addressing in the one LAN (I have not even tried to look at this yet but noticed a solution similar to mine on the forum.
My problem is that I only have one mesh network to distribute the wifi signal around the house. Any more technological items on the kitchen shelf will definitely lead to a divorce!
If both will work, what is the easiest to set up and manage?
Appreciate your continued help.
G
Easy, go to IKEA and buy a book shelf wide enough to fit a 19” rack mount inside and remember to buy a door also for the book shelf. Your wife will never know what you have inside the book shelf.
Billy book shelf works with 10” racks!
Ikea LACK FTW, no door though.
trendy, I have installed mwan3 but have not been able to find an example of setting up policy based routes. Is there a link you can share with me to read through?
G
pbr might have been easier to use.
You need to create a rule to use the vpn interface when the source address belongs to the second lan.
OK. I will look at pbr as well. Thank you.
G
UPDATE
Thanks Trendy.
Took some time to realise that pbr was not the software package name! Have now installed luci-app-vpn-policy-routing and vpn-policy-routing. I then installed my VPN (which is private on my own server) but could not get the PBR to work by following the changes to the config files recommended in the README file. So I removed them all and went back to my original setting and rebooted the router and suddenly it was working. With one or two issues.
I left the default gateway as the VPN. Then on my MacBookAir (connected over wifi) set a PBR rule for its IP to go direct to WAN and it worked. I can switch from interface WAN to interface VPN and see the external IP of the machine change from my ISP to my private server and back. However, when I am on the WAN, I can contact to whatsmyip.org but when I swap to VPN I cannot get a response. It just refuses the connection. I assume this is a VPN setting issue? Interestingly if I use whatismyip.com, I get responses from both WAN and VPN which is why I can see the IP changing. Is there a reason for this behaviour with whatsmyip.org that I can change?
I then disabled the gateway forwarding by adding "--pull-filter ignore redirect-gateway" to my VPN client configuration (in the VPN settings of LUCI) and after stopping and starting the VPN, and restarting the PBR service, the gateway changed to the WAN. I was able to set the interface on the MacBookAir to either WAN or VPN and see the external IP address change.
I then added the IP addresses I want to go over the VPN and all was working as I wanted. Then I rebooted and something must have been lost in the reboot because now the PBR appears to be stopping access over the VPN. I have had to comment out the gateway override in the client configuration to get the VPN working again.
I suspect it is something in the config files so back to reviewing them to see if I can find it. It must also be what is preventing me accessing whatsmyip.org. If I cannot work it out, I will post the relevant files here for help.
G
Verify that the nameserver you are using when connected via VPN can resolve the correct IP. Might be the also the case that the IP of your VPS is blacklisted.
Post also the uci export vpn-policy-routing; /etc/init.d/vpn-policy-routing status
Hi Trendy and thanks for the response.
[NB:- In working through your request for information it seems the system has settled down and is now working properly. I have added the data you wanted just in case but I think it is wasting your time to review it now. I have on occasions had ISP issues requiring a reboot of the ISP router (as mentioned below) and this may have been the cause of the problem. Also please note my comment on status v support option for the second part of your command.]
Not blacklisted (regularly checked through MXToolbox service).
Not sure how to verify the Nameserver can resolve the IP. Is this a dig command? Can you give me a format to use?
VPN SETUP
Router rebooted and services checked. In this setting, I can swap the machine from VPN to WAN and back. In WAN whatsmyip.org works. In VPN whatsmyip.org works.
uci export vpn-policy-routing; /etc/init.d/vpn-policy-routing XstatusX support
***(status would not run so I assumed you wanted the support option)***
root@OCD:~# uci export vpn-policy-routing; /etc/init.d/vpn-policy-routing support
package vpn-policy-routing
config vpn-policy-routing 'config'
option verbosity '2'
option strict_enforcement '1'
option src_ipset '0'
option dest_ipset '0'
option resolver_ipset 'dnsmasq.ipset'
option ipv6_enabled '0'
list ignored_interface 'vpnserver wgserver'
option boot_timeout '30'
option iptables_rule_option 'append'
option procd_reload_delay '1'
option webui_protocol_column '0'
option webui_show_ignore_target '0'
option webui_sorting '1'
list webui_supported_protocol 'tcp'
list webui_supported_protocol 'udp'
list webui_supported_protocol 'tcp udp'
list webui_supported_protocol 'icmp'
list webui_supported_protocol 'all'
option enabled '1'
option webui_enable_column '1'
option webui_chain_column '1'
config include
option path '/etc/vpn-policy-routing.netflix.user'
option enabled '0'
config include
option path '/etc/vpn-policy-routing.aws.user'
option enabled '0'
config policy
option name 'JCP'
option src_addr '10.0.0.50'
option interface 'KodiVPN'
vpn-policy-routing 0.3.2-20 running on OpenWrt 19.07.7.
============================================================
Dnsmasq version 2.80 Copyright (c) 2000-2018 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-auth no-nettlehash no-DNSSEC no-ID loop-detect inotify dumpfile
============================================================
Routes/IP Rules
default 10.8.0.1 128.0.0.0 UG 0 0 0 tun0
default 192.168.1.1 0.0.0.0 UG 0 0 0 eth0.2
IPv4 Table 201: default via 192.168.1.1 dev eth0.2
10.0.0.0/24 dev br-lan proto kernel scope link src 10.0.0.1
IPv4 Table 201 Rules:
1000: from all fwmark 0x10000/0xff0000 lookup wan
IPv4 Table 202: default via 10.8.0.2 dev tun0
10.0.0.0/24 dev br-lan proto kernel scope link src 10.0.0.1
IPv4 Table 202 Rules:
999: from all fwmark 0x20000/0xff0000 lookup KodiVPN
IPv4 Table 203:
IPv4 Table 203 Rules:
IPv4 Table 204:
IPv4 Table 204 Rules:
IPv4 Table 205:
**IPv4 Table 205 Rules:**
**============================================================**
**Mangle IP Table: PREROUTING**
**-N VPR_PREROUTING**
**-A VPR_PREROUTING -s 10.0.0.50/32 -m comment --comment JCP -c 1210 214286 -g VPR_MARK0x020000**
**============================================================**
**Mangle IP Table MARK Chain: VPR_MARK0x010000**
**-N VPR_MARK0x010000**
**-A VPR_MARK0x010000 -c 0 0 -j MARK --set-xmark 0x10000/0xff0000**
**-A VPR_MARK0x010000 -c 0 0 -j RETURN**
**============================================================**
**Mangle IP Table MARK Chain: VPR_MARK0x020000**
**-N VPR_MARK0x020000**
**-A VPR_MARK0x020000 -c 1226 216475 -j MARK --set-xmark 0x20000/0xff0000**
**-A VPR_MARK0x020000 -c 1226 216475 -j RETURN**
**============================================================**
**Current ipsets**
**create mwan3_connected_v4 hash:net family inet hashsize 1024 maxelem 65536**
**add mwan3_connected_v4 10.8.0.0/24**
**add mwan3_connected_v4 128.0.0.0/1**
**add mwan3_connected_v4 224.0.0.0/3**
**add mwan3_connected_v4 10.0.0.0/24**
**add mwan3_connected_v4 192.168.1.0/24**
**add mwan3_connected_v4 127.0.0.0/8**
**add mwan3_connected_v4 0.0.0.0/1**
**create mwan3_connected_v6 hash:net family inet6 hashsize 1024 maxelem 65536**
**add mwan3_connected_v6 fe80::/64**
**add mwan3_connected_v6 fd8b:8839:917f::/64**
**create mwan3_source_v6 hash:net family inet6 hashsize 1024 maxelem 65536**
**add mwan3_source_v6 fd8b:8839:917f::1**
**create mwan3_dynamic_v4 hash:net family inet hashsize 1024 maxelem 65536**
**create mwan3_dynamic_v6 hash:net family inet6 hashsize 1024 maxelem 65536**
**create mwan3_custom_v4 hash:net family inet hashsize 1024 maxelem 65536**
**create mwan3_custom_v6 hash:net family inet6 hashsize 1024 maxelem 65536**
**create mwan3_sticky_v4_https hash:ip,mark family inet markmask 0x00003f00 hashsize 1024 maxelem 65536 timeout 600**
**add mwan3_sticky_v4_https 10.0.0.50,0x00000100 timeout 470**
**add mwan3_sticky_v4_https 10.0.0.40,0x00000100 timeout 470**
**create mwan3_sticky_v6_https hash:ip,mark family inet6 markmask 0x00003f00 hashsize 1024 maxelem 65536 timeout 600**
**create mwan3_connected list:set size 8**
**add mwan3_connected mwan3_connected_v4**
**add mwan3_connected mwan3_connected_v6**
**add mwan3_connected mwan3_dynamic_v4**
**add mwan3_connected mwan3_dynamic_v6**
**add mwan3_connected mwan3_custom_v4**
**add mwan3_connected mwan3_custom_v6**
**create mwan3_sticky_https list:set size 8**
**add mwan3_sticky_https mwan3_sticky_v4_https**
**add mwan3_sticky_https mwan3_sticky_v6_https**
**============================================================**
**Your support details have been logged to '/var/vpn-policy-routing-support'. [✓]**
**root@OCD:~#**
WAN SETUP ("--pull-filter ignore redirect-gateway" uncommented to ignore VPN)
Router rebooted and services checked. In this configuration, the VPN service does not start automatically and I have to manually start it. For some reason today I can swap the machine from VPN to WAN without any problems. In WAN whatsmyip.org works. In VPN whatsmyip.org works. Perhaps it was a temporary issue on the network (I sometimes get ISP issues and have to reboot the ISP router so that is a possibility).
uci export vpn-policy-routing; /etc/init.d/vpn-policy-routing support
root@OCD:~# uci export vpn-policy-routing; /etc/init.d/vpn-policy-routing support
package vpn-policy-routing
config vpn-policy-routing 'config'
option verbosity '2'
option strict_enforcement '1'
option src_ipset '0'
option dest_ipset '0'
option resolver_ipset 'dnsmasq.ipset'
option ipv6_enabled '0'
list ignored_interface 'vpnserver wgserver'
option boot_timeout '30'
option iptables_rule_option 'append'
option procd_reload_delay '1'
option webui_protocol_column '0'
option webui_show_ignore_target '0'
option webui_sorting '1'
list webui_supported_protocol 'tcp'
list webui_supported_protocol 'udp'
list webui_supported_protocol 'tcp udp'
list webui_supported_protocol 'icmp'
list webui_supported_protocol 'all'
option enabled '1'
option webui_enable_column '1'
option webui_chain_column '1'
config include
option path '/etc/vpn-policy-routing.netflix.user'
option enabled '0'
config include
option path '/etc/vpn-policy-routing.aws.user'
option enabled '0'
config policy
option name 'JCP'
option src_addr '10.0.0.50'
option interface 'KodiVPN'
vpn-policy-routing 0.3.2-20 running on OpenWrt 19.07.7.
============================================================
Dnsmasq version 2.80 Copyright (c) 2000-2018 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-auth no-nettlehash no-DNSSEC no-ID loop-detect inotify dumpfile
============================================================
Routes/IP Rules
default 192.168.1.1 0.0.0.0 UG 0 0 0 eth0.2
IPv4 Table 201: default via 192.168.1.1 dev eth0.2
10.0.0.0/24 dev br-lan proto kernel scope link src 10.0.0.1
IPv4 Table 201 Rules:
992: from all fwmark 0x10000/0xff0000 lookup wan
IPv4 Table 202: default via 10.8.0.2 dev tun0
10.0.0.0/24 dev br-lan proto kernel scope link src 10.0.0.1
IPv4 Table 202 Rules:
991: from all fwmark 0x20000/0xff0000 lookup KodiVPN
IPv4 Table 203:
IPv4 Table 203 Rules:
IPv4 Table 204:
IPv4 Table 204 Rules:
IPv4 Table 205:
IPv4 Table 205 Rules:
============================================================
Mangle IP Table: PREROUTING
-N VPR_PREROUTING
-A VPR_PREROUTING -s 10.0.0.50/32 -m comment --comment JCP -c 490 64970 -g VPR_MARK0x020000
============================================================
Mangle IP Table MARK Chain: VPR_MARK0x010000
-N VPR_MARK0x010000
-A VPR_MARK0x010000 -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_MARK0x010000 -c 0 0 -j RETURN
============================================================
Mangle IP Table MARK Chain: VPR_MARK0x020000
-N VPR_MARK0x020000
-A VPR_MARK0x020000 -c 490 64970 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_MARK0x020000 -c 490 64970 -j RETURN
============================================================
Current ipsets
create mwan3_connected_v4 hash:net family inet hashsize 1024 maxelem 65536
add mwan3_connected_v4 10.8.0.0/24
add mwan3_connected_v4 127.0.0.0/8
add mwan3_connected_v4 192.168.1.0/24
add mwan3_connected_v4 10.0.0.0/24
add mwan3_connected_v4 224.0.0.0/3
create mwan3_connected_v6 hash:net family inet6 hashsize 1024 maxelem 65536
add mwan3_connected_v6 fd8b:8839:917f::/64
add mwan3_connected_v6 fe80::/64
create mwan3_source_v6 hash:net family inet6 hashsize 1024 maxelem 65536
add mwan3_source_v6 fd8b:8839:917f::1
create mwan3_dynamic_v4 hash:net family inet hashsize 1024 maxelem 65536
create mwan3_dynamic_v6 hash:net family inet6 hashsize 1024 maxelem 65536
create mwan3_custom_v4 hash:net family inet hashsize 1024 maxelem 65536
create mwan3_custom_v6 hash:net family inet6 hashsize 1024 maxelem 65536
create mwan3_sticky_v4_https hash:ip,mark family inet markmask 0x00003f00 hashsize 1024 maxelem 65536 timeout 600
add mwan3_sticky_v4_https 10.0.0.14,0x00000100 timeout 352
add mwan3_sticky_v4_https 10.0.0.15,0x00000100 timeout 369
add mwan3_sticky_v4_https 10.0.0.50,0x00000100 timeout 591
add mwan3_sticky_v4_https 10.0.0.45,0x00000100 timeout 558
add mwan3_sticky_v4_https 10.8.0.2,0x00000100 timeout 598
add mwan3_sticky_v4_https 10.0.0.95,0x00000100 timeout 487
add mwan3_sticky_v4_https 10.0.0.40,0x00000100 timeout 599
add mwan3_sticky_v4_https 192.168.1.10,0x00000100 timeout 598
add mwan3_sticky_v4_https 10.0.0.12,0x00000100 timeout 376
create mwan3_sticky_v6_https hash:ip,mark family inet6 markmask 0x00003f00 hashsize 1024 maxelem 65536 timeout 600
create mwan3_connected list:set size 8
add mwan3_connected mwan3_connected_v4
add mwan3_connected mwan3_connected_v6
add mwan3_connected mwan3_dynamic_v4
add mwan3_connected mwan3_dynamic_v6
add mwan3_connected mwan3_custom_v4
add mwan3_connected mwan3_custom_v6
create mwan3_sticky_https list:set size 8
add mwan3_sticky_https mwan3_sticky_v4_https
add mwan3_sticky_https mwan3_sticky_v6_https
============================================================
Your support details have been logged to '/var/vpn-policy-routing-support'. [✓]
root@OCD:~#
It seems all is now working fine and I am sorry if I have wasted your time on this. My thanks again for your help and support.
One further question, I assume I can uninstall mwan3 without affecting the PBR?
G
dig, host, nslookup, they'll all resolve.
Pay attention on which link is the default gateway. If there is no policy in vpn-pbr, traffic will default there.
You should not run them together, as they do the same thing and their functions can collide. At least disable one of them if not uninstall it.
Thanks.
I will uninstall it.
I want the default gateway to be the WAN connection and to assign one or two machines to the VPN through PBR so as it is I am happy.
Enjoy the rest of your weekend.
G