[Solved] OpenVPN client on LAN2 kills connection on LAN

Solved, solution at the bottom

TP-LINK Archer C7 v5 running 18.06.1

I read all posts I could find and the solution seems to be routing policies. However I'm having trouble understanding them.

What I want:

  • br-lan (192.168.1.0/24) => normal ISP connection
  • br-lan2 (192.168.10.0/24) => OpenVPN client
  • Both LANs can communicate to each other (done with by forwarding LANs to each other) No longer works with the solution I found.

What happens

OpenVPN down:

  • br-lan (192.168.1.0/24) => ISP
  • br-lan2 (192.168.10.0/24) => ISP

OpenVPN up:

  • br-lan => no connection (can't ping 8.8.8.8, so I don't think it's a DNS problem)
  • br-lan2 => connects to VPN

What's been done

From what I understood when the OpenVPN is up everything goes through tun0.

According to the wiki I need to use via <ip_of_the_far_end_of_your_tunnel>, but I don't understand what that means. Is the gateway for the br-lan? Or the default gateway from the ISP?

I tried the following (no change noticed):

ip route add default via 192.168.1.1 dev br-lan table lan
ip route flush cache
ip rule add from 192.168.1.0/24 table lan

I also tried (lost connection to the router and had to reboot it):

ip route add default via 100.64.192.1 dev eth0.2 table lan
ip route flush cache
ip rule add from 192.168.1.0/24 table lan

Question

How I make it so:

  • 192.168.1.0/24 => ISP
  • 192.168.10.0/24 => VPN
  • LANs can ping/communicate with eachother

Configs

etc/config/network
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd32:c7d2:6fa8::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 3 4 5 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 0t'

config interface 'vpn'
	option proto 'none'
	option ifname 'tun0'

config interface 'lan2'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'
	option dns '10.21.0.1'
	option ip6assign '60'
etc/config/firewall
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option input 'ACCEPT'
	option output 'ACCEPT'
	option name 'lan2'
	option forward 'ACCEPT'
	option network 'lan2'

config forwarding
	option dest 'wan'
	option src 'lan2'

config zone
	option name 'vpnclient'
	option network 'vpn'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan2'
	option dest 'vpn'

config forwarding
	option src 'lan2'
	option dest 'vpnclient'

config forwarding
	option dest 'wan'
	option src 'lan'
VPN Down

ip route (VPN down)

default via xxx.xx.192.1 dev eth0.2 proto static src xxx.xx.196.32 
100.64.192.0/18 dev eth0.2 proto kernel scope link src xxx.xx.196.32 
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1 
192.168.10.0/24 dev br-lan2 proto kernel scope link src 192.168.10.1 

route (VPN down)

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         xxx.xx.192.1    0.0.0.0         UG    0      0        0 eth0.2
xxx.xx.192.0    *               255.255.192.0   U     0      0        0 eth0.2
192.168.1.0     *               255.255.255.0   U     0      0        0 br-lan
192.168.10.0    *               255.255.255.0   U     0      0        0 br-lan2
VPN up

ip route (VPN up)

0.0.0.0/1 via xx.xx.0.102 dev tun0 
default via xxx.xx.192.1 dev eth0.2 proto static src xxx.xx.196.32 
xx.xx.0.1 via xx.xx.0.102 dev tun0 
xx.xx.0.102 dev tun0 proto kernel scope link src xx.xx.0.101 
xx.xxx.143.250 via 100.64.192.1 dev eth0.2 
xxx.xx.192.0/18 dev eth0.2 proto kernel scope link src xxx.xx.196.32 
128.0.0.0/1 via 10.21.0.102 dev tun0 
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1 
192.168.10.0/24 dev br-lan2 proto kernel scope link src 192.168.10.1

route (VPN up)

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         xx.xx.0.102     128.0.0.0       UG    0      0        0 tun0
default         xxx.xx.192.1    0.0.0.0         UG    0      0        0 eth0.2
xx.xx.0.1       xx.xx.0.102     255.255.255.255 UGH   0      0        0 tun0
xx.xx.0.102     *               255.255.255.255 UH    0      0        0 tun0
xx.xxx.143.250  xxx.xx.192.1    255.255.255.255 UGH   0      0        0 eth0.2
xxx.xx.192.0    *               255.255.192.0   U     0      0        0 eth0.2
128.0.0.0       xx.xx.0.102     128.0.0.0       UG    0      0        0 tun0
192.168.1.0     *               255.255.255.0   U     0      0        0 br-lan
192.168.10.0    *               255.255.255.0   U     0      0        0 br-lan2

Some Related Questions

Links

SOLVED: 2 VLAN's and no internet on 1 VLAN
https://serverfault.com/questions/775865/openvpn-on-openwrt-routing-a-specific-subnet-through-a-vpn-tunnel
https://serverfault.com/questions/894412/lede-two-vlans-when-one-connects-to-openvpn-the-other-has-no-internet-connec
https://superuser.com/questions/1309236/configure-vpn-tunnel-just-for-one-vlan
Use WireGuard interface for specific devices only

Edit: typo/formatting

I'm perplexed by this -- you've got the same subnet on two different interfaces.

Typically, a single subnet has a single interface associated with it on any specific host. Is that a typo?

Going with the assumption that it is, I'll use a 192.168.100.0/24 and 192.168.200.0/24 for clarity, with the router's IP on each of them being the .1 address.

In that case:

  • br-lan-isp

    • 192.168.100.1/24
    • DHCP supplies IP addresses from 192.168.100.0/24 and advertises
      • 192.168.100.1 as the default gateway
      • Some DNS server on 192.168.100.0/24 (or 192.168.200.0/24, as you're routing them)
  • br-lan-vpn

    • 192.168.200.1/24
    • DHCP supplies IP addresses from 192.168.200.0/24 and advertises
      • 192.168.200.1 as the default gateway
      • Some DNS server on 192.168.200.0/24 (or 192.168.100.0/24, as you're routing them)

Firewall needs to allow FORWARD from br-lan-isp to/from br-lan-vpn (as well as the "standard" traffic rules related to access to services and forwarding to remote destinations with appropriate NAT).

Your router then needs to route over the ISP link vs. the VPN link either based on the source IP or the source interface. Personally, I favor the source interface as it reflects connectivity, not configuration of the host. I don't know enough about how Linux handles source-based routing to know if use of the interface is significantly harder than source IP.

When routing is set up properly, it is "very unusual" to have two default routes in the same routing table. There certainly are applications for it, but I suspect that you'll end up with two routing tables; a "general" one and one that is specific to the packets identified as those that should leave via your VPN.

Edit: You can probably have a single default gateway for both subnets as they are routed to each other. For me, that's a complication that doesn't seem to add any advantages, at least at this level of exploration. For me, clarity helps understanding of current topologies, as well as future maintenance. ("What was I thinking two years ago when I set this up??")

Thanks for the quick reply!
Yeah, it was a typo, just fixed it.
Apologies.

Allow forward: lan_isp <=> lan_vpn

So, to do that I should:

uci add firewall forwarding
uci set firewall.@forwarding[-1].src="lan"
uci set firewall.@forwarding[-1].dest="lan2"

uci add firewall forwarding
uci set firewall.@forwarding[-1].src="lan2"
uci set firewall.@forwarding[-1].dest="lan"

uci commit firewall && service firewall restart

Route ISP link vs VPN link

That's what I trying to achieve with the ip route add default comands (I think)
In your example, 192.168.100.0/24 needs to be routed to br-lan-isp?

ip route add default via 192.168.100.1 dev br-lan-isp table lan
ip route flush cache
ip rule add from 192.168.100.0/24 table lan

That's pretty much what I tried. I sure I'm missing something here.

About the two default routes, I think that the "general" one is the VPN, because that's working at the moment. And the specific route would be to bypass/avoid the VPN.
But how do I do that?

I'm going to have to defer on implementation of source-based routing to someone more familiar with its implementation on Linux. I know @lleachii has posted a couple suggestions from time to time, one that came up in search was

Conceptually, it seems like the packets from the hosts attached to the br-lan-vpn network (and possibly those originating on your router) want their default route to be via the VPN gateway, with the remainder having a default route via the ISP's gateway.

ip route add default via 192.168.100.1 [...] doesn't look right to me, as that seems to be an interface on the router itself, rather than a next-hop destination.

Thank you both for you confidence.

@jeff is correct. It seems policy-based routing is necessary here.

Make special configs for VPN connection. In /etc/config/network -

config route
	option interface 'vpn'
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option table '2'

config rule                                           
        option in 'lan2'          
        option dest '0.0.0.0/0'  
        option priority '2'                                            
        option lookup '2'

config rule                                    
	option src '192.168.10.0/24'
	option priority '3'
	option lookup '2'
  • Config 1 makes the route on a separate routing table
  • Config 2 tells all traffic that enters via lan2 to use the route
  • Config 3 tells all traffic with the SRC network 192.168.10.0/24 to use the route (covers IPs you may assign to the router, etc.)
1 Like

Shouldn't that be on /etc/config/firewall?
I tried on both but it still doesn't work.
I noticed no difference in behaviour although the rules were applied.
(route output at the bottom)

To check if I understood this, the forward is for outgoing traffic:

config forwarding
	option src 'lan2'
	option dest 'vpn'

And Config 2 is for incoming traffic?
So if I understand this right, lan2 <=> vpn <=> 0.0.0.0
I believe that's what already happens because when VPN is up, devices on lan2 connect to the web through the VPN.

Every device on lan2 is 192.168.10.0/24, so is Config 3 redundant?


Maybe you meant lan on Config 2?
And then 192.168.1.0/24 on Config 3?
But then what should I use on Config 1?


/etc/config/network (VPN down)

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         xxx.xx.192.1    0.0.0.0         UG    0      0        0 eth0.2
xxx.xx.192.0    *               255.255.192.0   U     0      0        0 eth0.2
192.168.1.0     *               255.255.255.0   U     0      0        0 br-lan
192.168.10.0    *               255.255.255.0   U     0      0        0 br-lan2

/etc/config/network (VPN up)

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         xx.xx.0.102     128.0.0.0       UG    0      0        0 tun0
default         xxx.xx.xxx.1    0.0.0.0         UG    0      0        0 eth0.2
xx.xx.0.1       xx.xx.0.102     255.255.255.255 UGH   0      0        0 tun0
xx.xx.0.102     *               255.255.255.255 UH    0      0        0 tun0
xx.xxx.143.250  xxx.xx.192.1    255.255.255.255 UGH   0      0        0 eth0.2
xxx.xx.192.0    *               255.255.192.0   U     0      0        0 eth0.2
128.0.0.0       xx.xx.0.102     128.0.0.0       UG    0      0        0 tun0
192.168.1.0     *               255.255.255.0   U     0      0        0 br-lan
192.168.10.0    *               255.255.255.0   U     0      0        0 br-lan2

I meant what I said: /etc/config/network

No it isn't. As I said:

I didn't give you any firewall configs. You obviously must permit traffic from lan2 to vpn. You can do that in the web GUI.


The routing table at the bottom of your post is wrong. It seems as if you omitted the option lookup portions of the configs I gave you or aren't showing table 2. The proper command is ip route show table 2 - to ensure the route rules exist: ip rule show

Then I don't understand your problem. As you said:

I have that in /etc/config/firewall, I was just trying to understand the difference between that and the routing you suggested.

It seems as if you omitted the option lookup portions of the configs I gave you or aren't showing table 2 . The proper command is ip route show table 2 - to ensure the route rules exist: ip rule show

Just checked, it has the option lookup. But ip route show table 2 returns nothing.
I even rebooted to make sure /etc/config/network is actually loaded with the changes.
Let me know if there is any other info that may help.

ip route (VPN up)

0.0.0.0/1 via xx.xx.0.102 dev tun0 
default via xxx.xx.192.1 dev eth0.2 proto static src xxx.xx.196.32 
xx.xx.0.1 via xx.xx.0.102 dev tun0 
xx.xx.0.102 dev tun0 proto kernel scope link src xx.xx.0.101 
xx.xxx.143.250 via xxx.xx.192.1 dev eth0.2 
xxx.xx.192.0/18 dev eth0.2 proto kernel scope link src xxx.xx.196.32 
128.0.0.0/1 via 10.21.0.102 dev tun0 
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1 
192.168.10.0/24 dev br-lan2 proto kernel scope link src 192.168.10.1 

ip route (VPN down)

default via xxx.xx.192.1 dev eth0.2 proto static src xxx.xx.196.32 
xxx.xx.192.0/18 dev eth0.2 proto kernel scope link src xxx.xx.196.32 
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1 
192.168.10.0/24 dev br-lan2 proto kernel scope link src 192.168.10.1 

ip rule

0:	from all lookup local 
2:	from all iif br-lan2 lookup 2 
3:	from 192.168.10.0/24 lookup 2 
32766:	from all lookup main 
32767:	from all lookup default 

Then I don't understand your problem

VPN up

LAN Wanted Before Configs 1/2/3 After Configs 1/2/3
br-lan (192.168.1.0/24) normal ISP No connection No connection
br-lan2 (192.168.10.0/24) VPN client VPN client VPN client

VPN down

LAN Wanted Before Configs 1/2/3 After Configs 1/2/3
br-lan (192.168.1.0/24) normal ISP normal ISP normal ISP
br-lan2 (192.168.10.0/24) don't care normal ISP normal ISP

That's why I thought that maybe the route/rules had to be with lan instead of lan2

OK, let's start from scratch on your part, and do a little more explaining on mine.

Assumptions:

  • That you are able to get normal ISP on your LAN.
  • Let's establish this (normal operation on LAN) first
  • Then all added routing rules only apply to LAN2

A question on my part:

  • Is OpenVPN automatically creating some routes?

You have a lot of routes being created on "VPN up"

Perhaps we need to make LAN2 your ISP network instead?

If so, please respond and we'll proceed.

I do have ISP working on LAN, it only goes down when VPN goes up.
I edited my last reply to make it more clear.

Here's what I did:

  • Installed OpenWrt and got LAN working with ISP
  • Configured VPN on LAN to test/learn.
  • Undid the configurations of the VPN on LAN
  • Created LAN2
  • LAN and LAN2 working with ISP
  • Configured VPN on LAN2
  • Behaviour according to my last reply

You have a lot of routes being created on "VPN up"

I just followed the wiki.
Only extra is the configs you suggested.
In my first post you can see the configs and routing with your suggestions.

Perhaps we need to make LAN2 your ISP network instead?

Doesn't make much of a difference to me.
Only reason I used LAN2 for VPN was because I want cable ports on the ISP and that was already working with LAN, so I only had to create one wifi and set it to LAN2.
It seemed easier than changing the ports to LAN2.

If so, please respond and we'll proceed.

Just let me know what you want me to do.

I understand that. That's the issue. To be honest, I'm not familiar with how OpenVPN creates routes; but since they're created on LAN (using the main routing table), I'm now advising that you setup LAN2 as the network that stays ISP-only (i.e. no VPN), using routing table No. 2.

:+1: OK, cool.

You will now change the /etc/config/network rules above to change LAN2 to regular WAN:

config route
	option interface 'wan'
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option gateway '100.64.192.1'
	option table '2'

config rule                                           
        option in 'lan2'          
        option dest '0.0.0.0/0'  
        option priority '2'                                            
        option lookup '2'

config rule                                    
	option src '192.168.10.0/24'
	option priority '3'
	option lookup '2'
  • In /etc/config/firewall change rule to:
config forwarding
	option src 'lan2'
	option dest 'wan'

Hope this works.


Add this so LAN2 can reach LAN (as LAN2 now uses routing table No. 2.), you would still need to make a firewall rule to permit it:

config rule                                    
	option src '192.168.10.0/24'
	option dest '192.168.1.0/24'
	option priority '4'
	option lookup 'main'

All done!
It's working (kinda off).
Browsing is really slow, I can't even use speedtest.net, I get a "latency error".
That is happening because connections on LAN2 (ISP) are using LAN (VPN) DNS, I tried manually setting the DNS on LAN2 but DNS leak test (on LAN2) still shows my VPN IP.
Edit: Added what happens to DNS in the table below

I switched the subnets, so:

LAN Subnet Connection DNS
br-lan 192.168.10.0/24 VPN VPN
br-lan2 192.168.1.0/24 ISP VPN (should be ISP)

For some weird reason I can't ping 192.168.1.1 when on br-lan2, I have to access to router using 192.168.10.1
Is it because of these?

config rule                                    
	option src '192.168.1.0/24'
	option dest '192.168.10.0/24'

Since I switched the subnets, I also switched src/dest.


route
Kernel IP routing table

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         xx.xx.0.102     128.0.0.0       UG    0      0        0 tun0
default         xxx.xx.192.1    0.0.0.0         UG    0      0        0 eth0.2
xx.xx.0.1       xx.xx.0.102     255.255.255.255 UGH   0      0        0 tun0
xx.xx.0.102     *               255.255.255.255 UH    0      0        0 tun0
xx.xxx.143.250  xxx.xx.192.1    255.255.255.255 UGH   0      0        0 eth0.2
xxx.xx.192.0    *               255.255.192.0   U     0      0        0 eth0.2
128.0.0.0       xx.xx.0.102     128.0.0.0       UG    0      0        0 tun0
192.168.1.0     *               255.255.255.0   U     0      0        0 br-lan2
192.168.10.0    *               255.255.255.0   U     0      0        0 br-lan
ip route
0.0.0.0/1 via xx.xx.0.102 dev tun0 
default via xxx.xx.192.1 dev eth0.2 proto static src xxx.xx.196.32 
xx.xx.0.1 via xx.xx.0.102 dev tun0 
xx.xx.0.102 dev tun0 proto kernel scope link src xx.xx.0.101 
xx.xxx.xxx.250 via xxx.xx.192.1 dev eth0.2 
xxx.xx.192.0/18 dev eth0.2 proto kernel scope link src xxx.xx.196.32 
128.0.0.0/1 via 10.21.0.102 dev tun0 
192.168.1.0/24 dev br-lan2 proto kernel scope link src 192.168.1.1 
192.168.10.0/24 dev br-lan proto kernel scope link src 192.168.10.1 
ip rule
0:	from all lookup local 
2:	from all iif br-lan2 lookup 2 
3:	from 192.168.1.0/24 lookup 2 
32766:	from all lookup main 
32767:	from all lookup default 
etc/config/network
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd32:c7d2:6fa8::/48'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'
	option dns '10.21.0.1'
	option ip6assign '60'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 3 4 5 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 0t'

config interface 'vpn'
	option proto 'none'
	option ifname 'tun0'

config interface 'lan2'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option dns '201.31.0.19 201.31.0.20'

config route
	option interface 'wan'
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option gateway '100.64.192.1'
	option table '2'

config rule
	option in 'lan2'
	option dest '0.0.0.0/0'
	option priority '2'
	option lookup '2'

config rule
	option src '192.168.1.0/24'
	option priority '3'
	option lookup '2'

/etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option input 'ACCEPT'
	option output 'ACCEPT'
	option name 'lan2'
	option forward 'ACCEPT'
	option network 'lan2'

config forwarding
	option dest 'wan'
	option src 'lan2'

config zone
	option name 'vpnclient'
	option network 'vpn'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'vpnclient'

config forwarding
	option dest 'wan'
	option src 'lan'

config forwarding
	option src 'lan'
	option dest 'lan2'

config forwarding
	option src 'lan2'
	option dest 'lan'

config rule                                    
	option src '192.168.1.0/24'
	option dest '192.168.10.0/24'
	option priority '4'
	option lookup 'main'

OK, I understand you have 2 issues:

  • That shouldn't cause a speedtest delay, just lookup in the hostname of the server. Try: dslreports.com/speedtest
  • Question: I'm assuming you configure it this way (or the VPN did it)?
  • You can force your DNS by adding this to LAN2 DHCP config:

Screenshot%20from%202018-09-26%2010-48-36

No, that should permit the traffic - ALSO, YOU PASTED AN INCOMPLETE RULE, IT DOESN'T APPEAR ON THE ROUTING RULES!. Also, did you follow my instructions:

(this is if they are not in the same firewall zone, if they are you must allow forwarding in the same zone)

Here is the complete rule again:

config rule                                    
	option src '192.168.10.0/24'
	option dest '192.168.1.0/24'
	option priority '4'
	option lookup 'main'

You're confusing me. You'll have to figure out the correct src/dest yourself, then.

  • src should be the network using table 2
  • dest should be network using table main

EDIT: also show results of ip route show table 2

image
Different error than speedtest.net but still... Anyway, maybe that will be fixed with proper DNS/rules.

I set it under Network > Interfaces > LAN > Common Configuration > General Setup > Use custom DNS servers

image

config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'
        option dns '10.21.0.1'
        option ip6assign '60'

And for LAN2 (hoping to avoid using the VPN DNS)
image

config interface 'lan2'          
        option type 'bridge'   
        option ifname 'eth0.1' 
        option proto 'static'  
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option dns '201.31.0.19 201.31.0.20'
        option ip6assign '60'         

Just tried setting under DHCP-Options, ping: google.com: Temporary failure in name resolution
I tried leaving the DNS in both places and just on DHCP-Options, same result ^
Also tried setting only on LAN2, DHCP-Options and/or Custom DNS, same result ^

New info
I noticed that when the VPN is down LAN2 DNS is according to the Custom DNS rule.
When the VPN is up, LAN2 uses de same DNS than the Custom DNS set in LAN (if any). I'm sure of it because the countries are different (VPN/ISP), so it shows easily in the DNS leak test.

Yeah, it was incomplete, I thought it would be enough for you to know what rule I was talking about, sorry.
At the bottom of /etc/config/firewall (pasted in the previous reply) you can see the full rule, just like you told me to add it.

I have forwards betwen LAN and LAN2 in /etc/config/firewall. Is it something else?

config forwarding
	option src 'lan'
	option dest 'lan2'

config forwarding
	option src 'lan2'
	option dest 'lan'
LAN2 is using table 2
config route            
        option interface 'wan'                 
        option target '0.0.0.0'
        option netmask '0.0.0.0'
        option gateway '100.64.192.1'
        option table '2'     
                                    
config rule                           
        option in 'lan2'      
        option dest '0.0.0.0/0'
        option priority '2'
        option lookup '2'
                              
config rule                
        option src '192.168.1.0/24'
        option priority '3'
        option lookup '2'     

So, LAN2 > table 2 > 192.168.1.0/24 > src

config rule            
        option src '192.168.1.0/24'
        option dest '192.168.10.0/24'
        option priority '4'
        option lookup 'main'

ip route show table 2

default via 100.64.192.1 dev eth0.2 proto static
ip route show table main
0.0.0.0/1 via xx.xx.0.102 dev tun0 
default via xxx.xx.192.1 dev eth0.2 proto static src xxx.xx.196.32 
xx.xx.0.1 via xx.xx.0.102 dev tun0 
xx.xx.0.102 dev tun0 proto kernel scope link src xx.xx.0.101 
xx.xxx.143.250 via xxx.xx.192.1 dev eth0.2 
xxx.xx.192.0/18 dev eth0.2 proto kernel scope link src xxx.xx.196.32 
128.0.0.0/1 via 10.21.0.102 dev tun0 
192.168.1.0/24 dev br-lan2 proto kernel scope link src 192.168.1.1 
192.168.10.0/24 dev br-lan proto kernel scope link src 192.168.10.1 
/{etc,tmp}/resolv.conf
search lan
nameserver 127.0.0.1
/tmp/resolv.conf.auto
# Interface lan
nameserver 10.21.0.1
# Interface lan2
nameserver 201.31.0.19
nameserver 201.31.0.20
# Interface wan
nameserver 201.21.192.112
nameserver 201.21.192.117

Oh, and happy new years eve! :fireworks:
(If you follow the Gregorian calendar)

Again, I'm not sure why you're showing me the speedtest pages. None mention DNS.

You again didn't do what I showed you. I even gave you a picture. The picture you showed me is not the one I showed you.

It's hard to help someone when they are doing something different. Your config is for the router, not the clients.

Please follow my full instructions.

Does your ISP permit use of other DNS servers???

I never gave you a firewall rule!!! I told you to make it! All "config rule" and "config routes" above are to go in /etc/config/network.

WHY DO YOU KEEP PUTTING ROUTING RULES I GIVE TO YOU IN THE FIREWALL!?!?

I'm assisting you with routing, not firewalling.

  • When you have properly added it, the command ip rule should have a rule no. 4 listed.
  • THEN you make a firewall rule to permit traffic.

How I didn't do what you showed me? I did and the result was no DNS at all.
You even quoted me on this...


Yes, like I already said, when the VPN is down LAN2 (ISP) DNS is whatever I set in Custom DNS


Moved to /etc/config/network

0:	from all lookup local 
2:	from all iif br-lan2 lookup 2 
3:	from 192.168.1.0/24 lookup 2 
4:	from 192.168.10.0/24 to 192.168.1.0/24 lookup main 
32766:	from all lookup main 
32767:	from all lookup default 

OK, can you ping now?

Nope.

From LAN2 (192.168.1.3) I can't ping 192.168.1.1

DNS still the same thing, when VPN is up on LAN, LAN2 uses the same DNS.

However I only have this firewall rule... Maybe I need to add something else?

config forwarding
	option src 'lan'
	option dest 'lan2'

config forwarding
	option src 'lan2'
	option dest 'lan'

Also, in this other thread the guy had the exact same issue (VPN killed other VLAN, which we now have solved) and when he was trying to fix it, he had "DNS issues":

Do you use a hostname to reach your VPN provider, or the IP?