Hello,
Actually, I thought this was a simple issue, but...
Problem
I have set up a VPN client, which is working very well for all three VLANs I have. How can I route all traffic of my VLAN 99 (guest) only over the WAN directly to the internet, while the other VLANs stay on the VPN?
I am sure there are solutions around; I just could not identify the right one for my case. A link to a tutorial for this would be great!
By the way: VPN Policy Routing is not an option due to performance issues...
Details - main router
Linksys WRT1900ACS v2 with OpenWrt 22.x.x; config:
- VPN: WireGuard client configured for all VLANs
- VLANs: VLAN 11 IoT, VLAN 33 LAN and VLAN 99 guest
- ports: port 1 VLAN 33 untagged, port 2 VLAN 11 untagged, port 3 VLAN 99 untagged, port 4 all VLANs tagged; WAN connected to the ISP router
- Wi-Fi: IoT for VLAN 11, LAN for VLAN 33, guest for VLAN 99
- DHCP server: each VLAN interface has its own DHCP server
- firewall: configured; the guest VLAN is fully isolated
Config files - dump AP
- network
# OpenWrt /etc/config/network (UCI). Every 'xxxx' value is a redaction made by
# the poster, not literal configuration.
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
# IPv6 ULA prefix (redacted).
config globals 'globals'
option ula_prefix 'xxxx:xxxx:xxxx::/48'
# One bridge over all four LAN ports; per-port VLAN membership is defined in
# the bridge-vlan sections further down.
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
# Main LAN: VLAN 33 on the bridge, 192.168.33.1/24. This is the only interface
# here carrying ip6assign, i.e. the only one that would get a delegated IPv6
# prefix; guest and IoT are IPv4-only in this dump.
config interface 'lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option device 'br-lan.33'
option ipaddr '192.168.33.1'
list dns '1.1.1.1'
list dns '1.0.0.1'
# WAN port with an overridden MAC address (redacted).
config device
option name 'wan'
option macaddr 'xxxx'
# IPv4 uplink obtained by DHCP from the ISP router.
config interface 'wan'
option device 'wan'
option proto 'dhcp'
# IPv6 uplink is defined but not brought up automatically (auto '0').
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
option auto '0'
option reqaddress 'try'
option reqprefix 'auto'
# WireGuard client interface; private key and tunnel address redacted.
config interface 'WGInterface'
option proto 'wireguard'
option private_key 'xxxx'
list addresses 'xxxx/32'
option force_link '1'
# Peer with allowed_ips 0.0.0.0/0 and route_allowed_ips '1': netifd installs a
# default IPv4 route through the tunnel, so traffic from every source interface
# (all three VLANs) leaves via the VPN unless a more specific route or a
# source-based routing rule selects another path. NOTE(review): this is the line
# behind the question in the post — steering only VLAN 99 out via WAN needs a
# separate routing table selected per source interface (netifd `config rule` /
# `ip4table` on the guest interface) plus a guest->wan firewall forwarding;
# confirm the exact option set against the 22.x netifd documentation.
config wireguard_WGInterface
option public_key 'xxxx'
list allowed_ips '0.0.0.0/0'
option route_allowed_ips '1'
option endpoint_host 'xxxx'
option endpoint_port '51820'
# Bridge VLAN filtering: lan1/lan2/lan3 are untagged access ports (PVID) for
# VLAN 33/11/99 respectively; lan4 is a trunk carrying all three tagged.
config bridge-vlan
option device 'br-lan'
option vlan '33'
list ports 'lan1:u*'
list ports 'lan4:t'
config bridge-vlan
option device 'br-lan'
option vlan '11'
list ports 'lan2:u*'
list ports 'lan4:t'
config bridge-vlan
option device 'br-lan'
option vlan '99'
list ports 'lan3:u*'
list ports 'lan4:t'
# Guest network: VLAN 99, 192.168.99.1/24. The network section is named 'guest';
# note that the firewall zone for it references a network named 'Gast' instead.
config interface 'guest'
option proto 'static'
option device 'br-lan.99'
option ipaddr '192.168.99.1'
option netmask '255.255.255.0'
list dns '1.1.1.1'
list dns '1.0.0.1'
# IoT network: VLAN 11, 192.168.11.1/24.
config interface 'IoT'
option proto 'static'
option device 'br-lan.11'
option ipaddr '192.168.11.1'
option netmask '255.255.255.0'
list dns '1.1.1.1'
list dns '1.0.0.1'
- firewall
# OpenWrt /etc/config/firewall (UCI; fw4 on 22.x).
# Global policy: packets addressed to the router are accepted and forwarding is
# dropped unless a zone or forwarding section says otherwise. NOTE(review): the
# input 'ACCEPT' default is what governs any interface that is NOT a member of
# any zone — relevant for the guest zone below.
config defaults
option output 'ACCEPT'
option synflood_protect '1'
option drop_invalid '1'
option input 'ACCEPT'
option forward 'DROP'
# Main LAN zone: full access to the router, forwarding allowed within the zone.
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
# WAN zone: NAT for anything leaving via WAN, unsolicited input/forward dropped;
# the rules below open the usual holes.
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
option input 'DROP'
option forward 'DROP'
# Standard OpenWrt default rules for the WAN side: DHCP renew, ping, IGMP,
# DHCPv6, MLD and rate-limited ICMPv6.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# NOTE(review): the next two rules accept ESP and UDP/500 from WAN into the lan
# zone with no dest_ip restriction. The VPN in this config is an outbound
# WireGuard client (UDP/51820 to a remote endpoint), so nothing here needs
# inbound IPsec; unless an IPsec endpoint on the LAN is intended, these rules
# only widen the exposed surface and can be removed.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# WireGuard zone: NAT on the tunnel side, nothing accepted from the tunnel.
config zone
option name 'wgzone'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
list network 'WGInterface'
option input 'DROP'
option forward 'DROP'
# lan -> tunnel. There is no forwarding from any zone to 'wan' in this file, so
# all internet egress (lan, IoT, guest) is expected to go through the tunnel.
config forwarding
option src 'lan'
option dest 'wgzone'
# Guest zone. NOTE(review): 'list network' refers to 'Gast', but the VLAN 99
# interface in /etc/config/network is named 'guest' (the dhcp config binds to
# 'guest' as well). Unless a network named 'Gast' exists outside this paste,
# br-lan.99 belongs to no zone: the Guest-DHCP / Guest-DNS rules and the
# guest->wgzone forwarding never match it, and it falls under the defaults
# above — input ACCEPT (guest clients can reach every service the router
# listens on, not only DHCP/DNS) and forward DROP. The intended line is most
# likely `list network 'guest'`; verify the zone-to-device mapping on the
# router before relying on "fully isolated".
config zone
option name 'guest'
option output 'ACCEPT'
option mtu_fix '1'
list network 'Gast'
option input 'DROP'
option forward 'DROP'
# IoT zone: same isolation pattern as guest; no masq of its own (the wgzone /
# wan zones masquerade on egress).
config zone
option name 'IoT'
option output 'ACCEPT'
list network 'IoT'
option input 'DROP'
option forward 'DROP'
# IoT -> tunnel.
config forwarding
option src 'IoT'
option dest 'wgzone'
# Per-zone holes towards the router for DHCP (67/68) and DNS (53). No proto is
# given, so fw4's default protocol set (tcp and udp) applies.
config rule
option src 'guest'
option dest_port '67 68'
option target 'ACCEPT'
option name 'Guest-DHCP'
config rule
option src 'IoT'
option dest_port '67 68'
option target 'ACCEPT'
option name 'IoT-DHCP'
config rule
option src 'guest'
option dest_port '53'
option target 'ACCEPT'
option name 'Guest-DNS'
config rule
option src 'IoT'
option dest_port '53'
option target 'ACCEPT'
option name 'IoT-DNS'
# lan may initiate connections into IoT; there is no IoT -> lan forwarding, so
# IoT devices cannot initiate towards the LAN.
config forwarding
option src 'lan'
option dest 'IoT'
# guest -> tunnel (only effective once the guest zone actually contains the
# guest interface, see the zone note above).
config forwarding
option src 'guest'
option dest 'wgzone'
- dhcp
# OpenWrt /etc/config/dhcp (dnsmasq for DNS/DHCPv4, odhcpd for IPv6).
# dnsmasq: rebind protection on (upstream answers pointing at private addresses
# are rejected, localhost excepted), DNS served only to directly attached
# subnets (localservice). The explicit upstream is 10.2.0.1, an RFC1918
# address — presumably the resolver at the far end of the WireGuard tunnel and
# therefore reachable only while the tunnel is up; verify. Interface-level
# `list dns` entries end up in the resolvfile below and are used alongside it.
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option localservice '1'
option ednspacket_max '1232'
list server '10.2.0.1'
# Main LAN pool: .200-.229 (start 200, limit 30), 12h leases. Option 3 (router)
# is pushed explicitly, and option 6 points clients straight at 1.1.1.1/1.0.0.1
# rather than at the router's dnsmasq — the same for the guest and IoT pools.
# Client DNS therefore travels as ordinary forwarded traffic (through the
# tunnel), and the per-zone port-53 firewall rules are only exercised by
# clients that override the pushed resolvers.
config dhcp 'lan'
option interface 'lan'
option leasetime '12h'
option dhcpv4 'server'
option start '200'
option limit '30'
list dhcp_option '3,192.168.33.1'
list dhcp_option '6,1.1.1.1,1.0.0.1'
# No DHCP service on the WAN side.
config dhcp 'wan'
option interface 'wan'
option ignore '1'
# odhcpd leaves IPv4 DHCP to dnsmasq (maindhcp '0').
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
# Guest pool: .200-.229, 6h leases. The UCI section is named 'Gast' but binds
# to the interface named 'guest'; the firewall zone, by contrast, references a
# network called 'Gast' — the section name here is cosmetic, the zone reference
# is not.
config dhcp 'Gast'
option interface 'guest'
option start '200'
option limit '30'
option leasetime '6h'
list dhcp_option '3,192.168.99.1'
list dhcp_option '6,1.1.1.1,1.0.0.1'
# IoT pool: .200-.229, 12h leases.
config dhcp 'IoT'
option interface 'IoT'
option leasetime '12h'
option start '200'
option limit '30'
list dhcp_option '3,192.168.11.1'
list dhcp_option '6,1.1.1.1,1.0.0.1'
- wireless
# OpenWrt /etc/config/wireless. Both radios and all four wifi-ifaces carry
# disabled '1', so none of the SSIDs below are on air from this device in this
# dump; the Wi-Fi described in the post presumably runs on a separate AP —
# confirm.
# 5 GHz radio: channel 36, VHT80, FR regulatory domain.
config wifi-device 'radio0'
option type 'mac80211'
option path 'soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0'
option channel '36'
option band '5g'
option htmode 'VHT80'
option country 'FR'
option cell_density '0'
option disabled '1'
# 2.4 GHz radio: channel 1, HT20.
config wifi-device 'radio1'
option type 'mac80211'
option path 'soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
option channel '1'
option band '2g'
option htmode 'HT20'
option country 'FR'
option cell_density '0'
option disabled '1'
# LAN SSIDs (5 GHz and 2.4 GHz): WPA2/WPA3 transition mode (sae-mixed).
# wpa_disable_eapol_key_retries '1' on every SSID is the hostapd setting
# commonly used to harden against key-reinstallation (KRACK) attacks.
config wifi-iface 'wifinet2'
option device 'radio0'
option mode 'ap'
option ssid 'wrt5'
option encryption 'sae-mixed'
option key 'xxxx'
option network 'lan'
option disabled '1'
option wpa_disable_eapol_key_retries '1'
config wifi-iface 'wifinet3'
option device 'radio1'
option mode 'ap'
option ssid 'wrt2'
option encryption 'sae-mixed'
option key 'xxxx'
option network 'lan'
option wpa_disable_eapol_key_retries '1'
option disabled '1'
# Guest SSID: client isolation on (isolate '1'). NOTE(review): psk-mixed is
# WPA/WPA2 mixed mode and still allows WPA1 (TKIP) association; psk2
# (WPA2-only) or sae-mixed is the tighter choice where the guest devices
# support it.
config wifi-iface 'wifinet4'
option device 'radio1'
option mode 'ap'
option ssid 'guest'
option encryption 'psk-mixed'
option isolate '1'
option key 'xxxx'
option network 'guest'
option wpa_disable_eapol_key_retries '1'
option disabled '1'
# IoT SSID: psk-mixed like the guest SSID (same remark applies), no client
# isolation.
config wifi-iface 'wifinet5'
option device 'radio1'
option mode 'ap'
option ssid 'IoT'
option encryption 'psk-mixed'
option key 'xxxx'
option network 'IoT'
option wpa_disable_eapol_key_retries '1'
option disabled '1'