Hi,

I successfully flashed my Netgear DGND3700v1 with Chaos Calmer.

Currently the Netgear router is connected to my main AP/router via Ethernet on subnet 192.168.1.0/24, so I can access LuCI on 192.168.1.1. The main router's IP is 192.168.1.2 and it serves DHCP for my home LAN (DHCP is disabled on the Netgear's LAN bridge).

What I want to do is use the Netgear as a guest AP and forward its traffic to ExpressVPN. OpenVPN seems to be configured correctly for this, since traceroute in the Diagnostics section of LuCI shows traffic hitting the tun IP first and the VPN endpoint second (there are no errors in the system log when rebooting the router either). What is not working is that clients connecting to the guest WLAN (10.0.0.0/24) don't get any routing information, let alone have their traffic forwarded to the tun interface.

Any ideas on what I'm missing? Here's some of the config:

root@OpenWrt:~# cat /etc/config/network

# /etc/config/network as pasted: loopback, the LAN bridge, WAN/WAN6, the
# switch VLANs, the OpenVPN tunnel interface and the guest network.
config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'fdd8:c688:766d::/48'

# LAN bridge: static 192.168.1.1/24 with 192.168.1.254 as upstream gateway.
config interface 'lan'
    option force_link '1'
    option type 'bridge'
    option proto 'static'
    option netmask '255.255.255.0'
    option ip6assign '60'
    option gateway '192.168.1.254'
    # Resolvers used by the router itself. 192.168.1.254 is on the local
    # subnet, so lookups sent to it leave via br-lan rather than tun0 (see the
    # 192.168.1.0/24 route in the routing table on this page).
    # NOTE(review): if dnsmasq forwards guest lookups to that resolver, those
    # queries bypass the VPN - confirm against /tmp/resolv.conf.auto.
    option dns '8.8.8.8 192.168.1.254 46.227.144.52'
    option _orig_ifname 'eth0.1 wlan0 radio1.network1'
    option _orig_bridge 'true'
    option ifname 'eth0.1'
    option ipaddr '192.168.1.1'

# WAN on VLAN 2 via DHCP; peerdns '0' ignores the DNS servers offered by the
# upstream DHCP server and uses the two listed resolvers instead.
config interface 'wan'
    option ifname 'eth0.2'
    option proto 'dhcp'
    option peerdns '0'
    list dns '208.67.222.222'
    list dns '208.67.220.220'

config interface 'wan6'
    option ifname 'eth0.2'
    option proto 'dhcpv6'

config switch
    option name 'eth0'
    option reset '1'
    option enable_vlan '1'

# VLAN 1: ports 1-4 plus tagged port 8 (eth0.1 is the 'lan' ifname above).
config switch_vlan
    option device 'eth0'
    option vlan '1'
    option ports '1 2 3 4 8t'

# VLAN 2: port 0 plus tagged port 8 (eth0.2 is the 'wan' ifname above).
config switch_vlan
    option device 'eth0'
    option vlan '2'
    option ports '0 8t'

# Unmanaged (proto 'none') interface wrapping tun0, so the tunnel device can
# be referenced by name from a firewall zone.
config interface 'xvpntun'
    option proto 'none'
    option ifname 'tun0'
    option auto '1'
    option delegate '0'

# Guest network: static 10.0.0.1/24. No ifname is set here; the routing table
# on this page shows 10.0.0.0/24 on wlan0, so the binding presumably comes
# from /etc/config/wireless (not shown) - verify.
config interface 'guest'
    option proto 'static'
    option ipaddr '10.0.0.1'
    option netmask '255.255.255.0'
    option dns '8.8.8.8 192.168.1.254 46.227.144.52'
    # NOTE(review): 10.167.3.161 is outside 10.0.0.0/24 and does not match the
    # tun0 peer 10.170.0.145 shown in the routing table on this page; it looks
    # like an address from an earlier tunnel session. No route via it appears
    # in that table - confirm whether this option is needed at all.
    option gateway '10.167.3.161'

root@OpenWrt:~#
root@OpenWrt:~# cat /etc/config/dhcp

# /etc/config/dhcp as pasted: dnsmasq globals, then one DHCP pool per
# interface. Only the 'guest' pool hands out leases; 'lan' and 'wan' are
# ignored.
config dnsmasq
    option domainneeded '1'
    option boguspriv '1'
    option filterwin2k '0'
    option localise_queries '1'
    # Drop upstream answers that point at private address ranges
    # (DNS-rebinding protection).
    option rebind_protection '1'
    option rebind_localhost '1'
    option local '/lan/'
    option domain 'lan'
    option expandhosts '1'
    option nonegcache '0'
    option authoritative '1'
    option readethers '1'
    option leasefile '/tmp/dhcp.leases'
    # Upstream resolvers are read from this file; which of them are reached
    # through tun0 depends on the routing table, not on this option.
    option resolvfile '/tmp/resolv.conf.auto'
    # Answer DNS queries only from hosts on directly attached subnets.
    option localservice '1'

# DHCP is disabled on the LAN bridge (the post says the main router serves it).
config dhcp 'lan'
    option interface 'lan'
    option ignore '1'

# Guest pool: with the guest interface at 10.0.0.1/24 this leases 200
# addresses starting at 10.0.0.50, for one hour each. force '1' makes dnsmasq
# serve this interface even if another DHCP server is detected on the segment.
config dhcp 'guest'
    option interface 'guest'
    option start '50'
    option limit '200'
    option leasetime '1h'
    option force '1'

config dhcp 'wan'
    option interface 'wan'
    option ignore '1'

config odhcpd 'odhcpd'
    option maindhcp '0'
    option leasefile '/tmp/hosts/odhcpd'
    option leasetrigger '/usr/sbin/odhcpd-update'

root@OpenWrt:~#
root@OpenWrt:~# cat /etc/config/firewall

# /etc/config/firewall as pasted: default policies, the lan and wan zones with
# their WAN-side rules, then the VPN and guest zones added for this setup.
# Forwarding between zones is rejected by default and opened only by the
# 'config forwarding' sections below.
config defaults
    option syn_flood '1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    option network 'lan'

config zone
    option name 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option mtu_fix '1'
    option network 'wan wan6'

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-IGMP'
    option src 'wan'
    option proto 'igmp'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option src_ip 'fe80::/10'
    option src_port '547'
    option dest_ip 'fe80::/10'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-MLD'
    option src 'wan'
    option proto 'icmp'
    option src_ip 'fe80::/10'
    list icmp_type '130/0'
    list icmp_type '131/0'
    list icmp_type '132/0'
    list icmp_type '143/0'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config include
    option path '/etc/firewall.user'

# The next two unnamed rules forward IPsec (ESP, and IKE on UDP/500) from wan
# to lan.
# NOTE(review): these look like stock defaults; if no IPsec endpoint sits on
# the LAN they only widen the wan->lan surface - confirm before keeping them.
config rule
    option src 'wan'
    option dest 'lan'
    option proto 'esp'
    option target 'ACCEPT'

config rule
    option src 'wan'
    option dest 'lan'
    option dest_port '500'
    option proto 'udp'
    option target 'ACCEPT'

# Zone for the OpenVPN tunnel (network 'xvpntun'). Traffic arriving from the
# tunnel for the router itself is rejected; traffic leaving through the tunnel
# is masqueraded and has its TCP MSS clamped (mtu_fix).
config zone
    option name 'vpnfirewall'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
    list network 'xvpntun'

# LAN clients may also be forwarded into the tunnel.
config forwarding
    option src 'lan'
    option dest 'vpnfirewall'

# Guest zone.
# NOTE(review): input 'ACCEPT' lets guest clients reach every service the
# router listens on (for example the LuCI web interface at 10.0.0.1), not just
# DNS and DHCP. The two guest rules below only matter if input is tightened to
# REJECT, which is the usual choice for a guest network - confirm the intent.
# forward 'ACCEPT' here covers forwarding inside the zone only; forwarding to
# other zones still needs a 'config forwarding' section.
config zone
    option name 'guest'
    option network 'guest'
    option output 'ACCEPT'
    option input 'ACCEPT'
    option forward 'ACCEPT'

# Input rule: guests may query the router's DNS on port 53.
config rule
    option name 'Allow DNS Queries'
    option src 'guest'
    option dest_port '53'
    option proto 'tcp udp'
    option target 'ACCEPT'

# Input rule: DHCP from guests. It matches only packets whose source and
# destination ports are both in 67-68.
config rule
    option name 'Allow DHCP request'
    option src 'guest'
    option src_port '67-68'
    option dest_port '67-68'
    option proto 'udp'
    option target 'ACCEPT'

# The only forwarding defined for guests is into the VPN zone. There is no
# guest->lan or guest->wan forwarding, so with the default forward policy of
# REJECT guest traffic should have no other path out if tun0 is down - verify
# by testing with the tunnel stopped.
config forwarding
    option dest 'vpnfirewall'
    option src 'guest'

root@OpenWrt:~#
root@OpenWrt:~# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.170.0.145    128.0.0.0       UG        0 0          0 tun0
0.0.0.0         192.168.1.254   0.0.0.0         UG        0 0          0 br-lan
10.0.0.0        0.0.0.0         255.255.255.0   U         0 0          0 wlan0
10.170.0.1      10.170.0.145    255.255.255.255 UGH       0 0          0 tun0
10.170.0.145    0.0.0.0         255.255.255.255 UH        0 0          0 tun0
82.102.26.194   192.168.1.254   255.255.255.255 UGH       0 0          0 br-lan
128.0.0.0       10.170.0.145    128.0.0.0       UG        0 0          0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 br-lan
root@OpenWrt:~#

Thanks in advance!