[SOLVED] Routing Between 2 VLANS

What is the output if you ssh into the router and type 'route'?

I see this in my config:

root@LEDE:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.0.1.1        0.0.0.0         UG    0      0        0 eth0.1
10.0.1.0        *               255.255.255.0   U     0      0        0 eth0.1
10.0.1.1        *               255.255.255.255 UH    0      0        0 eth0.1
192.168.1.0     *               255.255.255.0   U     0      0        0 br-lan
192.168.2.0     *               255.255.255.0   U     0      0        0 eth0.3

I have not configured any static routes (not sure if the one I mentioned in my previous post counts as one).
Here is the output of route from ssh:

root@LEDE:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.8.0.1        128.0.0.0       UG    0      0        0 tun0
default         192.168.0.1     0.0.0.0         UG    0      0        0 eth1.2
10.8.0.0        *               255.255.0.0     U     0      0        0 tun0
89.34.98.194    192.168.0.1     255.255.255.255 UGH   0      0        0 eth1.2
128.0.0.0       10.8.0.1        128.0.0.0       UG    0      0        0 tun0
192.168.0.0     *               255.255.255.0   U     0      0        0 eth1.2
192.168.0.1     *               255.255.255.255 UH    0      0        0 eth1.2
192.168.5.0     *               255.255.255.0   U     0      0        0 br-VLAN5
192.168.10.0    *               255.255.255.0   U     0      0        0 br-VLAN10 
root@LEDE:~#

All of the above is either default as part of creating the VLANs and enabling DHCP, or from the OpenVPN setup.

I'm not sure, but it is possible that the 2 default gateways could be causing the problem. Is one of them your VPN tunnel and the other the uplink (WAN)? And is this all behind another router relative to the internet (internet > router > LEDE router)?

Other thoughts -- if you have the OpenVPN option 'redirect gateway def1' defined (either explicitly in the client config file or specified by the options pushed by the server upon connection), it might be messing up the ability to route outside the tunnel.

So a few options...

  1. if you have the time/flexibility to start over from scratch, that might be a good idea to help ensure that every configuration option you set is known and you can test each step along the way. If you do that, start just by creating 2 VLANs, no VPN. Make sure that each VLAN can connect to the internet via the WAN and that you can 'break' one of them by removing the forwarding from that specific LAN > WAN. Then setup the VPN and allow forwarding from that same LAN > VPN (but don't reinstate that LAN's forwarding to WAN). This should force the LAN traffic through the tunnel. If the other VLAN breaks in the process, it is a routing issue caused by the OpenVPN tunnel (possibly that redirect directive).

  2. Check out this [VPN policy based routing package](https://forum.openwrt.org/t/openvpn-wireguard-policy-based-routing-web-ui/1422/50) -- I haven't tried it, but it might do what you need.

Yes, you are correct: one is for the VPN and one is for VLAN5 to get internet.
And yes, you are again correct, another router is behind the LEDE router; the router behind the LEDE router connects to the internet.

I have already tried the start-again approach, and the results were:
the VPN breaks the other VLAN's connection to the internet, but pings are possible.
If I add the second default gateway for VLAN5, it gives VLAN5 internet but breaks inter-VLAN connectivity.

I had already checked out the VPN policy based routing, but I couldn't get it to do what I needed, so at this point I wiped the router clean and started again.

I think I might reinstall this again and give it another try.

Thank you for all your help.

Sounds to me like the VPN becomes the default/mandatory route out of the router... likely related to a redirect gateway def1 directive. If you can override this (remove it from the client or override in your local config), you may be able to get this to work. Check this article for some possible methods of doing just that (I haven't tried this, though).

So now, from the article link you provided, I first tried:

route-nopull

This got the non-VPN VLAN working but stopped the VPN VLAN working.

So then I tried:

route 0.0.0.0 192.0.0.0 net_gateway
route 64.0.0.0 192.0.0.0 net_gateway
route 128.0.0.0 192.0.0.0 net_gateway
route 192.0.0.0 192.0.0.0 net_gateway

Again with the same results as above. I even changed the 64.0.0.0 to 10.0.0.0 to reflect my VPN IP range and still no luck, though I think this last one could be the one. I just need to somehow get it to redirect VLAN5 to WAN and VLAN10 to VPN; the question is how.
With both of the above methods I could ping across VLANs.

Well, I guess the good news is that this confirms that the OpenVPN route is what was causing problems with the non-VPN VLAN (the good part being that there is nothing wrong with the basic LEDE VLAN config). Hopefully this is the last hurdle.

I will have to think about this for a bit, but my guess is that you'll want to allow the route to be established (the push/pull), but then modify the routing table once the new route is established such that the routes are properly set for the individual VLANs rather than globally.

Since you are actually behind another router, there are two brute-force methods of handling this process:

  1. Just use the 'outer' router (the one attached to your internet service) as the non-VPN network.
  2. Use a third router (i.e. a second one connected to your main WAN router) to serve the non-VPN network. You could actually set it up as a VLAN and merge them together into a single device or trunk line, if it is needed.

Just for anyone who is interested, I managed to get a fix to my issue of routing between the 2 VLANs from another forum.

I simply had to add the following rule for my environment:
ip route add 192.168.10.0/24 dev br-VLAN10 table 10

This fixed the routing between VLANs and I can now ping either way from each VLAN.

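The two mechanisms this thread runs into, the redirect-gateway def1 split default that pulls every VLAN into the tunnel (the two 128.0.0.0 routes in the route output above) and the per-source routing table that silently swallows inter-VLAN traffic until it holds its own connected routes, can be traced through with a small simulation of the Linux route lookup. The block below is an added example, not code from this thread or from OpenWrt/LEDE: its tables are constructed from the posted route output, the rule set (from 192.168.10.0/24 lookup 10) is an assumption because the thread never shows the poster's ip rule, and it generalises the poster's fix by copying the connected route of every locally attached VLAN into table 10, not just VLAN10's.

```python
"""Simulate Linux destination + policy route lookup to see why redirect-gateway
def1 captures every VLAN and why a per-VLAN table needs its connected routes.
Added example; tables are constructed from the thread's `route` output."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    dst: str                 # prefix in CIDR form, e.g. "128.0.0.0/1"
    gateway: Optional[str]   # None models the "*" (directly connected) gateway
    iface: str
    metric: int = 0


@dataclass(frozen=True)
class Rule:
    priority: int
    src: Optional[str]       # source prefix the packet must match; None = "from all"
    table: str


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match within one table; ties go to the lowest metric.
    This is what lets def1's two /1 routes beat the real /0 default."""
    dst_ip = ipaddress.ip_address(dst)
    best: Optional[Tuple[Tuple[int, int], Route]] = None
    for route in table:
        net = ipaddress.ip_network(route.dst, strict=False)
        if dst_ip in net:
            key = (net.prefixlen, -route.metric)
            if best is None or key > best[0]:
                best = (key, route)
    return best[1] if best else None


def policy_lookup(rules: List[Rule], tables: Dict[str, List[Route]],
                  src: str, dst: str) -> Optional[Tuple[str, Route]]:
    """Walk ip rules by priority; the first table holding a matching route wins.
    A table with no match falls through to the next rule (the kernel's `local`
    table at priority 0 is omitted since only forwarded traffic is modelled)."""
    src_ip = ipaddress.ip_address(src)
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.src is not None and src_ip not in ipaddress.ip_network(rule.src, strict=False):
            continue
        route = lookup(tables.get(rule.table, []), dst)
        if route is not None:
            return rule.table, route
    return None


# Constructed from the thread's second `route` listing.
WAN_DEFAULT = Route("0.0.0.0/0", "192.168.0.1", "eth1.2")
DEF1_ROUTES = [Route("0.0.0.0/1", "10.8.0.1", "tun0"),      # "default ... 128.0.0.0" line
               Route("128.0.0.0/1", "10.8.0.1", "tun0")]    # "128.0.0.0 ... 128.0.0.0" line
CONNECTED = [Route("10.8.0.0/16", None, "tun0"),
             Route("192.168.0.0/24", None, "eth1.2"),
             Route("192.168.5.0/24", None, "br-VLAN5"),
             Route("192.168.10.0/24", None, "br-VLAN10")]
INTERNET_HOST = "203.0.113.10"   # constructed, TEST-NET-3 documentation range
VLAN5_HOST = "192.168.5.20"      # constructed
VLAN10_HOST = "192.168.10.20"    # constructed


def egress_with_def1() -> str:
    """Main table as posted: every VLAN's internet traffic lands in the tunnel."""
    return lookup(CONNECTED + [WAN_DEFAULT] + DEF1_ROUTES, INTERNET_HOST).iface


def egress_without_def1() -> str:
    """Same table after route-nopull drops the two /1 routes: WAN is used again."""
    return lookup(CONNECTED + [WAN_DEFAULT], INTERNET_HOST).iface


def build_policy(table10_extra: List[Route]) -> Tuple[List[Rule], Dict[str, List[Route]]]:
    """Assumed rule set: VLAN10 sources consult table 10, everything else main."""
    rules = [Rule(100, "192.168.10.0/24", "10"), Rule(32766, None, "main")]
    tables = {"main": CONNECTED + [WAN_DEFAULT],
              "10": [Route("0.0.0.0/0", "10.8.0.1", "tun0")] + list(table10_extra)}
    return rules, tables


def egress(rules, tables, src: str, dst: str) -> Optional[str]:
    hit = policy_lookup(rules, tables, src, dst)
    return hit[1].iface if hit else None


def scenarios() -> Tuple[Dict[str, Optional[str]], Dict[str, Optional[str]]]:
    """Return (broken, fixed) egress maps: table 10 with only a tunnel default
    versus table 10 that also carries the VLANs' connected routes."""
    paths = {"vlan10->internet": (VLAN10_HOST, INTERNET_HOST),
             "vlan5->internet": (VLAN5_HOST, INTERNET_HOST),
             "vlan10->vlan5": (VLAN10_HOST, VLAN5_HOST),
             "vlan5->vlan10": (VLAN5_HOST, VLAN10_HOST)}
    rules, tables = build_policy([])
    broken = {k: egress(rules, tables, *v) for k, v in paths.items()}
    rules, tables = build_policy([Route("192.168.10.0/24", None, "br-VLAN10"),
                                  Route("192.168.5.0/24", None, "br-VLAN5")])
    fixed = {k: egress(rules, tables, *v) for k, v in paths.items()}
    return broken, fixed


if __name__ == "__main__":
    print("def1 present:", egress_with_def1(), "| def1 removed:", egress_without_def1())
    for label, result in zip(("table 10 bare", "table 10 + connected"), scenarios()):
        print(label, result)
```

In the bare table-10 case the VLAN10 to VLAN5 path resolves to tun0, which is exactly the "breaks inter-VLAN connectivity" symptom: the rule sends the packet to table 10, the only match there is the tunnel default, and the kernel never falls back to main because a match was found. On a real LEDE/OpenWrt box the same check is `ip rule show` followed by `ip route get 192.168.5.20 from 192.168.10.20 iif br-VLAN10`, which reports the table and interface the kernel actually picks.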

Don't know if you mean another LEDE forum here, or another site.

However, if you post the same question on a different site, you should post a link to the thread here on the other site, and the other site's thread here.

Helps to eliminate confusion, and keeps everyone informed on what's going on.

Thanks.


Hi, it was another site; the link to the site is:

Server Fault site

I had a lot of help from this forum, so I felt I owed it to post the solution I found on this site in case it may help anyone else in the future.


Hi, I have a question. How did you make only the .10.1 network go through the VPN?
