[Solved] Two IP Addresses in the same net

Hi,

I want to create two interfaces with different IP addresses in the same net. I want to use both as gateways for my LAN, but apply different firewall rules and routings to them. I created a second interface like the text in LuCI said: Custom Interface eth0.1. It is only visible within the router and not outside. I have put it in the same firewall zone as br-lan.

Yesterday I locked myself out, so I had to reset the router. Now I'm testing all configs on a LEDE VM first.

Thanks

Peter

Hi, I'm surprised the system let you configure this and bring the interfaces up. It's highly inadvisable to have two interfaces (even when one is a sub-interface, as your eth0.1 is) on a single TCP/IP stack in the same subnet. Which interface should it use to send replies to hosts on 192.168.178.0/24? There are two interfaces on the same subnet! Worse still, both interfaces, with different IPs, have the same MAC address; this will break ARP.

(FYI: historically, older workstations like those from Sun Microsystems had a single MAC address for the whole system that interfaces inherited when they started up. This was on the understanding that you would never have two interfaces from the same machine connected to the same broadcast network. This is an ethernet (layer 2) implementation thing, rather than TCP/IP (layer 3)).

Let us know exactly what you're trying to achieve here and we may be able to come up with a better solution...it's probably gonna involve VLANs and/or different subnets.

Hm, on the internet there are a lot of hints on how to add a second IP to an interface:
ip addr add 192.168... dev eth0
It works, I can reach the router through both IPs. I thought I could put both IP addresses on different interfaces and forward them differently. But I'm not an expert on the IP protocol.

I want to setup a wlan router with a second wifi for guests. The guest wlan should be routed through a vpn tunnel. And additionally I want to make the vpn tunnel available on the lan. I thought to setup two gateways within the same net, one for normal traffic, one to route through the vpn tunnel. So that on my PC I only have to switch the default gateway.

These two things are mutually exclusive, you cannot do both of them at the same time. Perhaps I'm confused; but I think you could do this differently, especially if your router only has one real WAN connection:

  • Since you want all devices to remain on the same LAN, you could simply redo the default firewall rules of LAN to better suit your needs.

Yes and no, you will see that Linux is not well-suited to 2 IPs that possess different gateways. This has to be accomplished using policy-based routing.

  • You would create a second OpenWrt interface for the guest network.
  • You would add a VLAN so wired clients could use it (e.g. VLAN 3 would be eth0.3)
  • You give this network a unique numbering scheme (e.g. 192.168.4.0/24)
  • If your wireless chip permits multiple SSIDs, you then create another Guest SSID and add it to the guest network
  • You would configure the guest network to use a second routing table and create a default route via the VPN tunnel.
  • You make IP rules for 192.168.4.0/24 to use the VPN routing table
  • For individual IPs in LAN (e.g. 192.168.1.11/32), you make IP rules to use the VPN tunnel (be advised that those devices will not be able to talk to other networks on your LAN while this rule is in place)
  • Firewall as desired

There are many threads on this site that show how to make these routes and rules.


Can we use two IP address in the same net?

Yes but make sure to use the same ifname in the interface with the second IP address. Use the name of the bridge if it's a bridged interface such as br-lan.

Refer to https://wiki.openwrt.org/doc/uci/network#aliasesthe_new_way

(BTW it won't solve the problem of the original poster since it won't be able to distinguish between packets routed via these two IP addresses.)

Hi lleachii,

it was a hard way to setup the VPN channel for guest with a second routing table and source routing, but it worked. Thanks a lot :slight_smile:

Peter


@peterfarge

You wrote:

A while ago this Problem was unsolved in another Thread: https://forum.openwrt.org/t/multiple-wifi-interface-while-running-openvpn/4858/11?u=nobeard

It would be very kind of you if you gave all details of how you have done this!

You just linked that thread to this one.

It's the same solution if you want to set up a VPN only for a certain VLAN or certain IPs. There are many threads on this forum describing how to do so (I'm aware of having assisted 2 others myself).

There's also a thread linked on that discussion called: VPN Policy-Based Routing + Web UI -- Discussion

Hope this helps.

Today I tested the backup+factory reset functionality with the mtdbk.sh script. Link

I created the backup and thought I could put it back through Luci, but it does not work. :frowning:

Additionally, the factory reset doesn't work either: 'umount /overlay && firstboot && reboot'
After a reboot, all settings are gone. I could log in again and make some changes, but after the next reboot, no changes were left. With the help of a guy from the IRC, we found out that the overlayfs was mounted on temp.
So I had to flash my TP-Link 1043nd again.
Benefit: I could write this manual.

#######################
VPN Guest Wifi with VPN
#######################

  1. Test the .ovpn file and create the tunnel interface in LuCI
    -- Install 'openvpn-openssl' with LuCI
    -- We put the clientconfig.ovpn from the VPN provider in the /etc/openvpn/ folder.
    Make sure the file has the Linux LF newline format.
    -- Additionally we add the password file. Put the VPN login in the first line and the VPN password in the second line.
    We open the .ovpn file and write the name of this password file behind 'auth-user-pass', e.g.
    auth-user-pass /etc/openvpn/my_vpn_login.txt

-- We test the file with this command:
openvpn --config nether.ovpn
Now the last message in the shell should be 'Initialization Sequence Completed'.
Now the tunnel should be up.
In another shell you should be able to see the tunnel interface in 'ifconfig'.
You should be able to ping through the tunnel with 'ping -I tun0 www.google.com'.
Proceed only if this works.
Sometimes the certificates are not included in the .ovpn file and must be copied separately.
Or the VPN server in the 'remote' line in the .ovpn file is down, etc.

While openvpn is running the tun0 interface is up.
-- Create an interface for the VPN tunnel
Add a new LuCI->Network->Interface based on the tun0 interface, name it 'vpnif'
Protocol of the new interface: Unmanaged
Bring up on boot [x]
After submitting, press edit on the vpnif interface and place the interface in a new firewall zone called 'vpnzone'

-- Now the VPN tunnel can be closed with Ctrl+C

  2. Create a second wifi
    -- Add a second wifi in LuCI->Network->Wireless
    ESSID and security as you like, but for the network create the 'guestwifi' interface.
    -- Go to the LuCI->Network->Interface section
    Put the guestwifi into another net. Static address 192.168.77.1, netmask 255.255.255.0
    Additionally, place the guestwifi in a newly created firewall zone 'guestzone'.
    We add DHCP support and write '6,8.8.8.8,8.8.4.4' into the DHCP option field in the advanced settings.
    This will deliver the Google nameservers to the client config, because most internet providers (like mine) don't allow access to their DNS server from outside their net, and if the DNS traffic is routed through the tunnel, it comes from outside. (If ping on numbers is working, but not on names, this is the problem.)

-- In /etc/config/wireless you can change the MAC address of guestwifi if you want, otherwise the relationship between guest and main wifi will be obvious:
Look for the section with your guest wifi SSID and add:
option macaddr '11:22:33:44:55:66'

  3. Configure the firewall
    -- Set the default rules for new connections in LuCI->Network->Firewall:
    For the vpnzone we take the same settings as for the wan zone: by default we reject (or drop) Input and Forward but we allow Output, plus Masquerading + MSS clamping + allow
    For the guestzone we take similar settings as for the lan zone: by default we reject (or drop) Input and Forward but we allow Output.
    Save+Apply

-- Then we edit the guestzone and allow forwarding from source:guestzone to dest:vpnzone
Save+Apply

-- Add a firewall traffic rule (Open ports on router) for DNS port tcp+udp 53
and set the source zone to guestzone and the dest zone to Device (input). Otherwise URL resolving does not work.
-- In the same way add a rule for DHCP port udp 67-67.
Now new clients on the guest wifi can obtain IP addresses from the DHCP server.

  4. Now we must set up the routes
    What we need is advanced routing, because we want to route traffic based on the origin and not only on the destination.
    The routing has to be set up by openvpn every time the tunnel comes up.
    -- We add a second routing table in /etc/iproute2/rt_tables. For example:
    echo "10 vpn_table" >> /etc/iproute2/rt_tables

We open the .ovpn file and add the following options (semicolon lines are comments):
#####################
; Retrieve routing info and place it in shell variables, but don't apply it to the client:
route-noexec
; Allow calling a user script:
script-security 2
; Call a user script when the tunnel is up:
up /etc/openvpn/vpn_ready_up.sh
; Call a user script when the tunnel goes down:
down /etc/openvpn/vpn_ready_down.sh
######################

Next we create a script that writes the routing info to the second routing table.
vi /etc/openvpn/vpn_ready_up.sh
######################################
#!/bin/sh

# For testing purposes we could uncomment this line. It writes the device, addresses and gateway to the file /etc/openvpn/vpnup.txt
#/bin/echo -e " dev: $dev\n ifconfig_local: $ifconfig_local\n ifconfig_remote: $ifconfig_remote\n route_vpn_gateway:$route_vpn_gateway" > /etc/openvpn/vpnup.txt

# Write a default route into routing table 'vpn_table'. OpenVPN exports $route_vpn_gateway and $dev to the up script.
ip route add default via "$route_vpn_gateway" dev "$dev" table vpn_table
# Let's handle all traffic that comes from this net with routing table 'vpn_table'.
# The net must be the guest wifi subnet configured in step 2 (192.168.77.0/24 if you followed it as written).
ip rule add from 192.168.44.0/24 priority 30 table vpn_table

exit 0
#######################################

vi /etc/openvpn/vpn_ready_down.sh
######################################
#!/bin/sh

# For testing purposes we could uncomment this line. It writes the device, addresses and gateway to the file /etc/openvpn/vpndown.txt
#/bin/echo -e " dev: $dev\n ifconfig_local: $ifconfig_local\n ifconfig_remote: $ifconfig_remote\n route_vpn_gateway:$route_vpn_gateway" > /etc/openvpn/vpndown.txt

# Delete the default gateway and the rule again. The net must be the same as in the up script.
ip route del default via "$route_vpn_gateway" dev "$dev" table vpn_table
ip rule del from 192.168.44.0/24 priority 30 table vpn_table

exit 0
#######################################

-- Make both scripts executable:
chmod +x /etc/openvpn/vpn_ready_up.sh /etc/openvpn/vpn_ready_down.sh

  5. We configure openvpn
    -- Open /etc/config/openvpn and set in the section 'config openvpn custom_config':
    option enabled 1
    option config /etc/openvpn/nether.ovpn

This will enable openvpn in client mode and use the config from the .ovpn file directly; no translation between .ovpn and .conf is needed. The openvpn server mode further down in the file is not needed and can be deleted.

-- Make sure that LuCI starts openvpn automatically
LuCI->System->Startup->Openvpn Enabled

  6. Checking and other things
    -- Take a look at the second routing table:
    ip route show table vpn_table

-- Take a look at the rules:
ip rule show

-- Connect a client and test the IP:
Firefox: www.myip.com

-- Trace the hops
linux: > traceroute 8.8.8.8
windows: > tracert 8.8.8.8

-- Error messages on the router
dmesg
logread

-- At last we could add some firewall rules:
e.g. allow only ports 80 and 443 in guestwifi

-- Traffic shaping with Wshaper
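Added example (not code from this thread or from the OpenWrt project): one hook script that does the job of both vpn_ready_up.sh and vpn_ready_down.sh from the manual above, and of the routing-table and ip-rule bullets in the earlier answer, by switching on the $script_type variable that OpenVPN exports to hook scripts together with $dev and $route_vpn_gateway. It assumes 'vpn_table' is registered in /etc/iproute2/rt_tables and that the guest subnet is 192.168.77.0/24 as in step 2 (the thread's own scripts used 192.168.44.0/24); point both the 'up' and the 'down' line of the .ovpn file at this one file.

```shell
#!/bin/sh
# Added example, not from the thread: a single OpenVPN hook serving as both
# 'up' and 'down' script via $script_type. Assumes 'vpn_table' exists in
# /etc/iproute2/rt_tables and GUEST_NET is the guest wifi subnet from step 2.
GUEST_NET="${GUEST_NET:-192.168.77.0/24}"
TABLE="${TABLE:-vpn_table}"
PRIO="${PRIO:-30}"

# Build the ip(8) commands for one event and print them, one per line, without
# executing anything, so the plan can be reviewed or tested without root.
# 'replace' and 'del before add' make a repeated 'up' (reconnect) idempotent,
# so duplicate rules never stack up.
pbr_commands() {
    event="$1"; tun_dev="$2"; tun_gw="$3"
    case "$event" in
        up)
            printf '%s\n' \
                "ip route replace default via $tun_gw dev $tun_dev table $TABLE" \
                "ip rule del from $GUEST_NET priority $PRIO table $TABLE 2>/dev/null || true" \
                "ip rule add from $GUEST_NET priority $PRIO table $TABLE" \
                "ip route flush cache"
            ;;
        down)
            # Empty the whole table instead of deleting one specific route, so a
            # stale gateway from an earlier session cannot linger. The firewall
            # (guestzone may only forward to vpnzone) keeps guest traffic from
            # falling back to WAN while the tunnel is down.
            printf '%s\n' \
                "ip rule del from $GUEST_NET priority $PRIO table $TABLE 2>/dev/null || true" \
                "ip route flush table $TABLE" \
                "ip route flush cache"
            ;;
        *)
            echo "unknown event: $event" >&2
            return 1
            ;;
    esac
}

# Execute the plan for the event OpenVPN invoked us for.
pbr_apply() {
    pbr_commands "$script_type" "$dev" "$route_vpn_gateway" | sh -e
}

# Only act when OpenVPN called us (it sets script_type); sourcing the file
# for inspection or testing leaves the routing untouched.
if [ -n "$script_type" ]; then
    pbr_apply
fi
```

Run 'ip rule show' and 'ip route show table vpn_table' after a reconnect to confirm that exactly one rule and one default route exist.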
