SOLVED: 2 VLANs and no internet on 1 VLAN

Hi All

I have a linksys wrt1900 acs v2 router with LEDE firmware.

My setup is: VLAN1 + VLAN2 - on 2 separate subnets, but both can talk to each other.
VLAN2 goes through VPN and this is all set up and running,
but when this is running I can't connect to the internet through VLAN1?

Any help at all will be appreciated.
If you need more info please let me know, but be gentle, I am new to all this.

Many thanks

Maybe you should post the config files /etc/config/network and /etc/config/firewall.

Hi RJ-45, please see below as requested, hope you can help.

FIREWALL:

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option name 'VLAN5'
	option network 'VLAN5'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

config forwarding
	option dest 'wan'
	option src 'VLAN5'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option proto 'esp'
	option target 'ACCEPT'
	option dest 'VLAN5'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
	option dest 'VLAN5'

config include
	option path '/etc/firewall.user'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

config zone
	option input 'ACCEPT'
	option output 'ACCEPT'
	option name 'VLAN10'
	option network 'VLAN10'
	option forward 'REJECT'

config zone
	option input 'ACCEPT'
	option output 'ACCEPT'
	option name 'VPN'
	option forward 'ACCEPT'
	option masq '1'
	option network 'NordVPN'

config forwarding
	option dest 'VLAN10'
	option src 'VPN'

config forwarding
	option dest 'VPN'
	option src 'VLAN10'

NETWORK:

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd5f:e104:4205::/48'

config interface 'wan'
	option ifname 'eth1.2'
	option proto 'dhcp'

config interface 'wan6'
	option ifname 'eth1.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '2 3 5t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6t'
	option vid '2'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '3'
	option ports '0 1 5t'

config interface 'VLAN5'
	option proto 'static'
	option ifname 'eth0.1'
	option ipaddr '192.168.5.1'
	option netmask '255.255.255.0'
	option gateway '192.168.5.1'
	option type 'bridge'

config interface 'VLAN10'
	option proto 'static'
	option ifname 'eth0.3'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'
	option gateway '192.168.10.1'
	option delegate '0'
	option type 'bridge'

config interface 'NordVPN'
	option proto 'none'
	option ifname 'tun0'

Many thanks

VLAN 10 isn't working, right?
You should add these lines in /etc/config/firewall

config forwarding
	option dest 'wan'
	option src 'VLAN10'

Hi,
thank you for your quick response.
VLAN10 is the VLAN that has internet access via VPN and is working correctly.

I can't get to the internet on VLAN5.

This stuff really confuses me and I really appreciate your help.

thanks so much

There is not a lot of information about the VPN. Using VPN as default gateway for one VLAN and WAN as default gateway for another VLAN means some kind of policy routing is needed.

What's the output of "ip rule" and each routing table referenced in "ip rule"?

Hi mikma,
I am very new to this and appreciate your willingness to help.

Please, if you could let me know how I can get the output for 'ip rule' and each routing table referenced in it, I will post the info.

Below is the contents of 'rt_tables' in /etc/iproute2 if it helps.

#
# reserved values
#
128	prelocal
255	local
254	main
253	default
0	unspec
#
# local
#
#1	inr.ruhep

Thank you so much for helping.

root@LEDE:~# ip route list
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.0.1 dev eth1.2 src 192.168.0.5
10.8.0.0/16 dev tun0 scope link src 10.8.10.140
10.8.0.0/16 dev tun1 scope link src 10.8.10.140
89.34.98.194 via 192.168.0.1 dev eth1.2
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.0.0/24 dev eth1.2 scope link src 192.168.0.5
192.168.0.1 dev eth1.2 scope link src 192.168.0.5
192.168.5.0/24 dev br-VLAN5 scope link src 192.168.5.1
192.168.10.0/24 dev br-VLAN10 scope link src 192.168.10.1
root@LEDE:~#

Finally FIXED!!!

I have a Linksys WRT1900ACS router. My goal was to create 2 VLANs (ports 1+2 = VLAN5, 192.168.5.1, and ports 3+4 = VLAN10, 192.168.10.1 – with WiFi SSIDs for each VLAN) and have normal internet running on VLAN5 and VPN (NordVPN) internet running through VLAN10.

I managed to create the 2 VLANs, assign DHCP and create SSIDs easily enough, and all worked well. Until I tried to set up the VPN, which I had a right game with, but in the end I managed to get it working by downloading the .ovpn file from the VPN provider's site, changing the extension to .conf and copying it into the /etc/openvpn folder, with the secret file containing the username and password. Restarted and the VPN was working great.

With the firewall rules set for VLAN10 traffic to go via VPN it was up and running, VLAN10 was VPN'd, but then I noticed DNS being leaked. This was fixed by adding the VPN provider's DNS server addresses in VLAN10's interface advanced DHCP settings.

With that all sorted, when I had the VPN up on VLAN10 I would get no internet on VLAN5. After days and days of searching the interwebs, I found I needed to set a default IP route by adding the following commands under the startup section, for my setup:
ip route add default via 192.168.0.1 table 10
ip rule add from 192.168.5.2 table 10
Initially I tried "ip rule add from 192.168.5.0/24 table 10", but this would cause DNS issues and I would have to put in Google DNS servers for the internet to work. Another issue I had with 192.168.5.0/24 was that I could no longer ping the 192.168.5.1 subnet. I am sure there is a perfectly reasonable explanation and maybe an easier way to do it, but what I did was simply add a rule for each IP address from 2-50 (my DHCP range), and by doing this and leaving out the address 192.168.5.1 I no longer needed to use the Google DNS and could also ping both VLANs (this is what I wanted).

I also edited the VPN .conf file and removed a command "pull" - whether this did anything or not I am unsure, but it didn't affect the VPN or DNS leak results.

So now I have enabled adblocker and it works great on the non VPN VLAN, but not on the VPN VLAN – but I think I will open a new thread for that issue.

Just thought, for other newbies like me who come across this type of setup/issues, the above may be of help. I must say I don't know much about this all as I am new, and there probably is an easier way to achieve what I needed, but this is all I know and I have only got it to work through persistence and luck. Just putting the above out there to help others, as others helped me and pointed me in the right direction.

Thanks all.

Update: I managed to block ads on the VPN side simply by getting DNS servers from my VPN provider that block ads and prevent DNS leaks - I believe I got lucky on this one.

I am ever so pleased to say that, from not having messed with this stuff before, I have managed to achieve what I set out to do.

1 router running LEDE, split into 2 VLANs with SSIDs for each VLAN, 1 VLAN for VPN and the other for non-VPN - ads blocked on both VLANs. Ruckus AP on the other side of the house, again replicating the 4 SSIDs, so when I am at the far side of the house any device just hops on to the AP seamlessly. Coverage all over the house, no ads on any device, perfect! (The AP is connected via a Netgear smart switch where the uplink and the AP ports are trunks for access to both VLANs, and the other ports just access the non-VPN VLAN.)

Just want to thank all on this forum who helped me get there. I very much appreciate it, and if ever I can help anyone I will most certainly oblige. Just remember I still am no expert at this, but have learnt a lot.
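A policy-routing script for the split described above, as an added example that is not code from the thread. It uses the thread's addresses, interface names and table 10; the host addresses 192.168.5.20 / 192.168.10.20 and the test destination 1.1.1.1 are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: policy routing that sends the whole
# non-VPN VLAN (192.168.5.0/24) to the WAN gateway while VLAN10 keeps the
# tun0 default route. Addresses, table number and interface names are taken
# from the thread's configs; 1.1.1.1 is only an assumed test destination.
# DRY_RUN=1 prints the ip(8) commands instead of executing them.
LAN_NET="192.168.5.0/24"   # VLAN5: must bypass the VPN
LAN_DEV="br-VLAN5"
VPN_LAN_NET="192.168.10.0/24"
VPN_LAN_DEV="br-VLAN10"
WAN_NET="192.168.0.0/24"
WAN_GW="192.168.0.1"
WAN_DEV="eth1.2"
TABLE="10"

run() { if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi; }

# A bare "ip rule add from 192.168.5.0/24 table 10" also matches packets the
# router itself sends from 192.168.5.1 (dnsmasq answers, ping replies).
# If table 10 holds only a default route, those replies are steered towards
# the WAN instead of back onto br-VLAN5, which is the DNS and ping breakage
# the thread ran into. Giving table 10 the connected routes as well fixes
# that and keeps the VLAN-to-VLAN path working, so one /24 rule is enough.
vlan5_bypass_vpn() {
    run ip route replace "$LAN_NET" dev "$LAN_DEV" table "$TABLE"
    run ip route replace "$VPN_LAN_NET" dev "$VPN_LAN_DEV" table "$TABLE"
    run ip route replace "$WAN_NET" dev "$WAN_DEV" table "$TABLE"
    run ip route replace default via "$WAN_GW" dev "$WAN_DEV" table "$TABLE"
    # delete first so re-running the script does not stack duplicate rules
    run ip rule del from "$LAN_NET" lookup "$TABLE" priority 100 2>/dev/null || true
    run ip rule add from "$LAN_NET" lookup "$TABLE" priority 100
}

# Verify the split: a VLAN5 source should resolve via eth1.2 (table 10), a
# VLAN10 source via tun0. Run it after the VPN is up; a VLAN10 line that
# mentions eth1.2 means that VLAN would leak around the tunnel.
show_egress() {
    run ip route get 1.1.1.1 from 192.168.5.20 iif "$LAN_DEV"
    run ip route get 1.1.1.1 from 192.168.10.20 iif "$VPN_LAN_DEV"
}
```

Put the two function calls in /etc/rc.local (the "startup" section in LuCI) so they run at boot, and re-run show_egress whenever the VPN interface comes back up.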

I had the same problem as you!

Also spent some good time researching about it... your solution worked!

I added a rule for the whole VLAN, that is, a rule for the /24, instead of one rule for each IP.

Thank you for the help!
