I realize this same question, with the exact same issue, has already been asked on this forum, but I was unable to fix my WiFi by following the suggested solutions.
GOAL: have two separate WiFis on separate subnets, 192.168.2.0/24 and 192.168.3.0/24, while the wired LAN resides on 192.168.1.0/24, and be able to connect to either WiFi and get internet access via the VPN (on the first WiFi) or via the WAN (on the second WiFi).
This very same thing works on my other OpenWrt TP-LINK router, but does not work on the current Asus RT-AX53u.
WHAT HAS BEEN CONFIGURED:
I've created two WiFi devices called phy0-ap0 and phy0-ap1 and set their SSIDs to am2 and am5 respectively. Both use the same physical radio0 (NOTE: the digits at the end of am2 and am5 DO NOT refer to GHz -- both WiFis use the same 2.4 GHz radio0).
Created the corresponding interfaces, called am2_lan and am5_lan. They are of type static, with the "IP Address" field set to 192.168.2.1 and 192.168.3.1 respectively.
Created a firewall forwarding that forwards all traffic from am2_lan to the network mlvd (this is the WireGuard interface). Another forwarding was created to send am5_lan traffic to wan (thus bypassing the VPN).
RESULT:
WiFi connections from various devices succeed, but they all report "no internet access" once connected.
NOTE: the firewall also has a forwarding from lan to mlvd -- this one works without issue and I get a connection through the VPN as expected.
CONFIG FILES:
~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix '[REDACTED]'
option packet_steering '1'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
config interface 'wan'
option device 'wan'
option proto 'dhcp'
option hostname '*'
option type 'bridge'
config interface 'mlvd'
option proto 'wireguard'
option private_key '[REDACTED]'
option mtu '1499'
list dns '[REDACTED]'
option dns_metric '1'
list addresses '[REDACTED]'
config wireguard_mlvd
option description '[REDACTED]'
option public_key '[REDACTED]'
list allowed_ips '0.0.0.0/0'
option route_allowed_ips '1'
option endpoint_host '[REDACTED]'
option endpoint_port '[REDACTED]'
option persistent_keepalive '25'
config device
option name 'mlvd'
option macaddr '[REDACTED]'
config device
option name 'wan'
option macaddr '[REDACTED]'
config device
option name 'phy0-ap0'
option macaddr '[REDACTED]'
config device
option name 'phy0-ap1'
option macaddr '[REDACTED]'
config interface 'am5_lan'
option proto 'static'
option device 'phy0-ap0'
option ipaddr '192.168.3.1'
option netmask '255.255.255.0'
config interface 'am2_lan'
option proto 'static'
option device 'phy0-ap1'
option ipaddr '192.168.2.1'
option netmask '255.255.255.0'
~# cat /etc/config/firewall
config defaults
option input 'DROP'
option output 'ACCEPT'
option forward 'DROP'
option synflood_protect '1'
config zone
option name 'lan'
option input 'DROP'
option output 'ACCEPT'
option forward 'DROP'
list network 'lan'
config zone
option name 'wan'
option input 'DROP'
option output 'ACCEPT'
option forward 'DROP'
option masq '1'
option mtu_fix '1'
list network 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'PC -> Router'
option src 'lan'
list src_ip '192.168.1.2'
option target 'ACCEPT'
option family 'ipv4'
list proto 'all'
config rule
option name 'Router -> PC'
option dest 'lan'
list dest_ip '192.168.1.2'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name '*.lan <-> *.lan'
option src 'lan'
option dest 'lan'
option target 'ACCEPT'
option family 'ipv4'
list src_ip '192.168.1.0/24'
list dest_ip '192.168.1.0/24'
config zone
option name 'wg'
option input 'DROP'
option output 'ACCEPT'
option forward 'DROP'
option masq '1'
list network 'mlvd'
config forwarding
option src 'lan'
option dest 'wg'
config zone
option name 'am2'
option input 'DROP'
option output 'ACCEPT'
option forward 'DROP'
list device 'phy0-ap0'
list subnet '192.168.2.1/24'
list network 'am2_lan'
config zone
option name 'am5'
option input 'DROP'
option output 'ACCEPT'
option forward 'DROP'
list network 'am5_lan'
config forwarding
option src 'am2'
option dest 'wg'
config forwarding
option src 'am5'
option dest 'wan'
To clarify: the issue isn't with having two WiFis as opposed to just one. I was already unable to get internet access when I first created just a single WiFi device/network/firewall rule.
Thank you, I can now connect to the internet on am2. It appears what did it was replacing DROP with ACCEPT on "input" for am2 and am5 in the firewall settings (presumably because, with input set to DROP, the wireless clients could not reach the router's own DHCP and DNS services).
One problem remains, however: I'm still getting "no internet access" on am5, which is supposed to go out through the WAN.
But you cannot route one interface via the WAN and the other via the WG client without some form of Policy Based Routing (PBR).
As it is now, you have a single default route, via the WG client.
~# cat /etc/config/firewall
config defaults
option input 'DROP'
option output 'ACCEPT'
option forward 'DROP'
option synflood_protect '1'
config zone
option name 'lan'
option input 'DROP'
option output 'ACCEPT'
option forward 'DROP'
list network 'lan'
config zone
option name 'wan'
option input 'DROP'
option output 'ACCEPT'
option forward 'DROP'
option masq '1'
option mtu_fix '1'
list network 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'PC -> Router'
option src 'lan'
list src_ip '192.168.1.2'
option target 'ACCEPT'
option family 'ipv4'
list proto 'all'
config rule
option name 'Router -> PC'
option dest 'lan'
list dest_ip '192.168.1.2'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name '*.lan <-> *.lan'
option src 'lan'
option dest 'lan'
option target 'ACCEPT'
option family 'ipv4'
list src_ip '192.168.1.0/24'
list dest_ip '192.168.1.0/24'
config zone
option name 'wg'
option input 'DROP'
option output 'ACCEPT'
option forward 'DROP'
option masq '1'
list network 'mlvd'
config forwarding
option src 'lan'
option dest 'wg'
config zone
option name 'am2'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'DROP'
list network 'am2_lan'
config forwarding
option src 'am2'
option dest 'wg'
A few comments:
I did not remove option type 'bridge' from config interface wan because it is nowhere to be found in the LuCI interface -- this makes me think it is perhaps a preset for this particular router, no?
Having a blanket "ACCEPT" for input on both am2 and am5 isn't exactly the safest option, is it? Is there a more limited and safer rule I can create in the firewall instead?
But you cannot route one interface via the WAN and the other via the WG client without some form of Policy Based Routing.
I suspected I couldn't do it, because when I ping the internet from the router itself (connected to it via SSH) the traffic goes through the VPN too. What would the config look like to accomplish my goal? Or is it far too complex?
Yes. Connections between devices on the same subnet are switched, not routed. As a result, that traffic never passes through the firewall, so this rule is never matched and is unnecessary.
Thank you, but may I ask another question. Some members of the LAN are VMs that live on my main PC. These VMs are assigned their own LAN IP addresses. Does it still hold true, then, that I'd be able to connect from other LAN members to such a VM if I remove that firewall rule from the router?
wan should not be part of this zone... it is already in the wan zone.
You also need a forwarding:
config forwarding
option src 'am2'
option dest 'wan'
But this forwarding won't work while WG is active, unless you've set up PBR. So you might set the destination to wg for a quick test, and if that works, change it to wan and work on PBR.
OK, I've updated the firewall; here is the current version (relevant parts only):
config zone
option name 'lan'
option input 'DROP'
option output 'ACCEPT'
option forward 'DROP'
list network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'DROP'
option masq '1'
option mtu_fix '1'
list network 'wan'
config zone
option name 'wg'
option input 'DROP'
option output 'ACCEPT'
option forward 'DROP'
option masq '1'
list network 'mlvd'
config zone
option name 'am2'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'DROP'
list network 'am2_lan'
config zone
option name 'am5'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'DROP'
list network 'am5_lan'
config forwarding
option src 'lan'
option dest 'wg'
config forwarding
option src 'am2'
option dest 'wg'
config forwarding
option src 'am5'
option dest 'wan'
As before, am2 works through WireGuard and am5 gets "no internet access". Please advise on how to proceed so that am5 goes out via my ISP and not via the WireGuard interface (I'm not sure I know what PBR stands for).
But this forwarding won't work while WG is active, unless you've set up PBR. So you might set the destination to wg for a quick test, and if that works, change it to wan and work on PBR.
OK, I've looked up what PBR means, but I've never created such a policy in OpenWrt. Could you please hint at where to look and which wiki pages to read?