Posted: Wed Feb 28, 2018 15:49 Post subject: [RESOLVED] Routing One WLAN Outside OpenVPN
Hardware is Netgear Nighthawk X6 R8000 with Kong stable (DD-WRT v3.0-r33675M kongac (11/03/17)).
I have OpenVPN client set up (Private Internet Access, strong configuration not base).
I have 3x WLAN SSID's (.11ng [base SSID], ac-only [base SSID-5G], and another ac-only [base SSID-TV]).
The 3x radio interfaces (wl0, wl1, and wl2) along with all of the ethernet interfaces all route through OpenVPN.
The [base SSID-TV] radio (wl0 interface) is used solely for Apple TV. What I need to do (because of Hulu) is route wl0 around OpenVPN so that the devices on wl0 aren't routed through the PIA VPN.
Because I just need to route an entire interface, do I still need to set up a VAP/VLAN? Or can I break wl0 out from the default bridge and go from there?
I am fairly savvy with Linux itself, but have NEVER done networking stuff so definitely need it broken down as simply as possible.
Thanks! Hopefully I can contribute in the future, loving DD-WRT so far and figuring out adblocking & DNSmasq stuff (ISP kept overwriting my resolv.conf so I had to figure out to bypass that, eventually going with no-resolv flag and then specifying the DNS servers in the dnsmasq.conf file, then realizing that gets reset every reboot, so I had to put it in the additional config options via the GUI).
This is fun!
Last edited by Max Power on Thu Mar 01, 2018 2:35; edited 1 time in total
What you need is PBR (policy based routing). Using the OpenVPN client GUI and the PBR field, you can specify specific source IPs/networks to be routed over the VPN, while leaving everything else to the WAN/ISP.
What you can't do (not because it isn't possible, but only because the GUI doesn't support it) is specify network interfaces. A network interface can only be *implied* based on the unique local IP network to which it is has been assigned.
For example, if you unbridge the 2.4GHz radio (wl0) from the default bridge (br0), that would force you to assign a new local IP network to the wl0 network interface. Let's assume br0 has been assigned 192.168.1.0/24. Perhaps make wl0 192.168.2.x. You could now add 192.168.1.0/24 to the PBR field (to force them over the VPN), while the 2.4GHz users continue to use the WAN/ISP because they're using 192.168.2.0/24.
Just beware, there's a bug in the GUI where you can't include the local IP of the router on the primary network, either directly (e.g., 192.168.1.1) or implicitly (192.168.1.0/24). If you do, it will hang the router.
When using large blocks of IPs w/ the PBR field, it's more convenient to add them using CIDR notation using an IP range to CIDR calculator.
I'd found some other threads on similar topics but always left scratching my head. Especially when it got to the part about setting up iptable rules and such. Doing it all via the GUI sounds better for me. Couple of follow ups if you don't mind -
How do I go about breaking wl0 out of br0 then setting that part up?
How do I avoid including the local IP of the router on the primary network?
What are the implications of not having it on the primary network?
Seems that wl0, wl1, and wl2 are all in a vlan and I can't figure out how to break that out. Screenshots attached of what it looks like (after a reboot) when I change wl0 to "Unbridged".
Can create br1 but the only options for assignment are eth0-eth3 and vlan1 and vlan2. When you look at the VLAN page, there is just a single wireless interface listed "W".
VLANs have nothing to do w/ wireless. VLANs are only for wired ports. You can assign one or more wired ports to a VLAN. By default, the router assigns ports 1-4 to vlan1, and port 5 (the WAN) to vlan2. Under most circumstances, you don't need to mess w/ the VLANs configuration *unless* it's your intent to add one or more wired ports to your new bridge (br1).
IOW, there's nothing wrong w/ simply creating a new bridge (br1) and assigning the AP (wl0) to the bridge. However, if sometime down the road you decide you'd like to have wired users also use that same bridge (not just wireless), *now* you'd have to visit that VLANs page, create a new VLAN (e.g., vlan3), and reassign one or more ports from vlan2 to your new vlan3. And finally add that vlan3 to your bridge.
Ahh, still never got wl0, wl1, or wl2 to show up in the bridge page.
I caved and created a VAP (wl0.1) and bridged that. Now I'm working through why clients on br1 (wl0.1) can't access the internet (did everything in that Wiki page). Best I can come up with right now is that the client is using the router (10.0.1.0) as the only DNS server.
Got it working, bone headed mistake - set the IP address at 10.0.1.0 instead of 10.0.1.1
Got that corrected and good to go!
Thanks for the help on all of this.
That startup script is one I found in another thread as another method to prevent an ISP from forcing their DNS & domain into resolv.conf. Not sold that it works so I'm still rolling with no-resolv in the DNSmasq options.
Turns out that the eth1, eth2, and eth3 interfaces are actually wl0, wl1, and wl2. Was going through some MAC identifiers, got curious, ran ifconfig and confirmed that the wl0-2 correspond to eth1-3 based on MAC addresses.
Odd that they're renamed to that, totally threw me off, as well.
eth0 is the LAN, FYI
So, I'm going to re-try things using eth1 in br1 and removing the VAP.