Set up one WiFi network (wlan0) with VPN and another WiFi network (wlan0-1) without

I want my traffic to go through the PPTP VPN when I'm connected to WiFi #1 (SSID="OpenWRT"), and to bypass the VPN when I'm connected to WiFi #2 (SSID="OpenWRT2"). (WiFi #2 is attached to a new static interface named "guest" with a different IP range from the "LAN" and "WAN" interfaces.)

Right now, when I'm connected to WiFi #1 I have a VPN'ed connection, but on WiFi #2 there is no internet access. This is my config:

NETWORK

# /etc/config/network as posted. Credentials and the VPN server are masked as 'XXX'.
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdad:dea9:e9d7::/48'

# Main LAN: a bridge over switch VLAN 1 (eth0.1), addressed 192.168.1.1/24.
# Both 'OpenWrt' wifi-ifaces in the wireless config attach to this network, so
# WiFi #1 clients end up in the firewall's 'lan' zone.
config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

# NOTE(review): a hardware MAC address is posted here in the clear; a later
# reply suggests masking it before sharing configs.
config device 'lan_dev'
	option name 'eth0.1'
	option macaddr '50:64:2b:ab:10:10'

# Upstream on switch VLAN 2 (eth0.2), addressed by DHCP (v4) and DHCPv6.
config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

# VLAN 1 = LAN ports 2 and 3, VLAN 2 = WAN port 1; port 6 is the tagged CPU port.
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 3 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 6t'

# PPTP tunnel. Despite the name, this is the VPN uplink, not the guest WiFi
# network (that is 'Public' below) — a reply calls this naming confusing.
# Security: PPTP's MS-CHAPv2 authentication and MPPE encryption are long
# broken; do not rely on this tunnel for confidentiality.
# NOTE(review): a ppp-based interface normally installs its own default route
# (presumably the 'defaultroute' option, on by default), so once the tunnel is
# up, all forwarded traffic — including 192.168.5.0/24 from 'Public' — likely
# follows it. The firewall forwards PUB -> wan only, not PUB -> VPN_FW, which
# would explain "no internet on OpenWrt2". Steering one subnet past the VPN is
# a routing problem (per-interface 'ip4table' plus a network 'config rule'
# selecting a table by source), not a firewall one — verify on the device.
config interface 'Guest'
	option proto 'pptp'
	option username 'XXX'
	option password 'XXX'
	option keepalive '0'
	option server 'XXX'

# Guest WiFi network, 192.168.5.1/24. No 'ifname' here: the 'OpenWrt2'
# wifi-iface joins it through 'option network Public' in the wireless config.
config interface 'Public'
	option proto 'static'
	option ipaddr '192.168.5.1'
	option netmask '255.255.255.0'

WIRELESS

# /etc/config/wireless as posted.
# 2.4 GHz radio (hwmode 11g, HT20) on channel 11. country '00' is the generic
# "world" regulatory domain rather than a real country code.
config wifi-device 'radio0'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option path 'pci0000:00/0000:00:00.0/0000:01:00.0'
	option htmode 'HT20'
	option country '00'
	option legacy_rates '1'

# WiFi #1: SSID 'OpenWrt' on the 'lan' network.
# Security: 'encryption none' makes this an OPEN network bridged straight into
# the LAN, whose firewall zone accepts input — anyone in radio range gets LAN
# access and can reach the router's management services. Use at least WPA2
# ('option encryption psk2' with an 'option key'); a reply below says the same.
config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

# 5 GHz radio, 'disabled 1', so the 'default_radio1' AP below is not active.
config wifi-device 'radio1'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path 'pci0000:00/0000:00:01.0/0000:02:00.0'
	option htmode 'VHT80'
	option disabled '1'

# Same open 'OpenWrt' SSID on the (disabled) 5 GHz radio, also on 'lan'.
config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

# WiFi #2: SSID 'OpenWrt2' on the 'Public' (guest) network, also open.
# Same concern: protect it with WPA2 at minimum, and consider 'option isolate 1'
# so guest clients cannot reach each other through the AP.
config wifi-iface
	option encryption 'none'
	option device 'radio0'
	option mode 'ap'
	option ssid 'OpenWrt2'
	option network 'Public'

FIREWALL

# /etc/config/firewall as posted. Section order matters: rules are applied in
# the order they appear.
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# LAN zone: input ACCEPT means router services (LuCI, SSH, DNS) are reachable by
# every LAN client — including anyone who joins the open 'OpenWrt' SSID.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

# WAN zone: standard OpenWrt defaults; this is where masquerading (NAT) happens
# for anything forwarded to wan/wan6.
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

# Stock OpenWrt WAN input/forward rules follow (DHCP renew, ping, IGMP, DHCPv6,
# MLD, ICMPv6, IPsec ESP/ISAKMP). Unchanged from the defaults as far as visible.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Custom iptables rules, if any, live in this file; its contents are not shown
# in the thread, so they cannot be reviewed here.
config include
	option path '/etc/firewall.user'

# Zone for the PPTP tunnel interface 'Guest' (the VPN uplink); masquerades LAN
# traffic into the tunnel. The only forwarding out of 'lan' is into this zone —
# there is no lan -> wan forwarding — so the LAN has internet only while the
# tunnel is up (a fail-closed kill switch, whether or not that was intended).
config zone
	option forward 'REJECT'
	option output 'ACCEPT'
	option name 'VPN_FW'
	option input 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'Guest'

config forwarding
	option dest 'VPN_FW'
	option src 'lan'

# Guest WiFi zone for the 'Public' network: no input, no intra-zone forwarding,
# forwarding allowed only to wan (NAT is provided by the wan zone's masq).
# NOTE(review): if the kernel routes 192.168.5.0/24 out the PPTP interface
# rather than eth0.2 (see the network config), there is no PUB -> VPN_FW
# forwarding, so those packets are rejected — consistent with the reported
# symptom. The fix belongs in routing; opening PUB -> VPN_FW would instead put
# guests on the VPN, which is the opposite of what is wanted.
config zone
	option name 'PUB'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'Public'
	option input 'REJECT'

config forwarding
	option dest 'wan'
	option src 'PUB'

# Input rules (no 'dest', so they target the router itself) letting guest
# clients reach only the router's DNS (53) and DHCP (67-68). Note the rules are
# named 'Guest' while the zone is 'PUB' and 'Guest' is the VPN interface.
config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option name 'Guest DNS'
	option src 'PUB'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '67-68'
	option name 'Guest DHCP'
	option src 'PUB'

Do you have DHCP for that WiFi as well?

What is the content of the following file (for example, shown over SSH)?
/etc/config/dhcp

You should have something like

  # Example DHCP pool for the guest network, as suggested in the reply:
  # addresses 192.168.5.50-249 with 1h leases. Indented as posted.
  config dhcp 'Public'
    option interface 'Public'
    option start '50'
    option limit '200'
    option leasetime '1h'

By the way, it's good security practice to mask out your MAC and public IP addresses.


Because I'm NOOB bro. And yes, I enabled DHCP:


# /etc/config/dhcp as posted.
# dnsmasq settings relevant to security: 'rebind_protection' drops upstream DNS
# answers that point at private address ranges (DNS-rebinding defence),
# 'localservice' answers DNS only for hosts on local subnets, and 'boguspriv'
# keeps reverse lookups of private ranges from leaking upstream.
config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'

# LAN pool: 192.168.1.100-249 (start 100, limit 150), 12h leases, plus
# DHCPv6 and router advertisements for the ip6assign prefix.
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'

# No DHCP service offered on the upstream interface.
config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

# NOTE(review): 'Guest' is the PPTP point-to-point interface in the network
# config, not a client segment, so this pool has nothing to serve; presumably a
# leftover of the confusing naming — confirm and consider removing it.
config dhcp 'Guest'
	option start '100'
	option leasetime '12h'
	option limit '150'
	option interface 'Guest'

# Guest WiFi pool on 'Public': 192.168.5.100-249, 12h leases. A later reply
# confirms OpenWrt2 clients do obtain addresses from it.
config dhcp 'Public'
	option start '100'
	option leasetime '12h'
	option limit '150'
	option interface 'Public'

You can replace the photo by the way to mask out the MAC addresses.

To be sure, what router do you have? If you go to Network > Switch in LuCI, do you have only one CPU port (eth0) or two (eth0 and eth1)?

Looks right (although this GUEST interface naming is confusing, to be honest). Can you confirm that devices connected to OpenWrt2 get an IP as expected? Can you ping a public IP such as 8.8.8.8 or 1.1.1.1 from a device connected to that AP?

Xiaomi Mi Router 3G
Just "eth0"
Clients on OpenWRT2 get correct local IP addresses, but have no internet access. No, there is no reply from 8.8.8.8.

I don't have other ideas.

You may want to put a password for your WiFi by the way.