Dual SSID with VPN

logan111
DD-WRT Novice


Joined: 08 Nov 2018
Posts: 15

Posted: Thu Nov 08, 2018 6:09    Post subject: Dual SSID with VPN
I've looked over several tutorials on here to configure my router. I'm trying to have 1 SSID for normal traffic and 1 SSID for VPN traffic. If someone can lend some assistance with this that would be great.
Hardware: Touchstone CM8200 modem
Netgear Nighthawk R8000
Mediacom 1 Gig Cable connection
logan111
DD-WRT Novice


Joined: 08 Nov 2018
Posts: 15

Posted: Thu Nov 08, 2018 6:21
Seems like my issue is the bridging process because the tutorial looks different than my screen.
logan111
DD-WRT Novice


Joined: 08 Nov 2018
Posts: 15

Posted: Thu Nov 08, 2018 6:31
Not sure if this is allowed but willing to pay for someone to teamview or remotely do it for me.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12887
Location: Netherlands

Posted: Thu Nov 08, 2018 11:01
I would not trust any forum member messing around with my computer, all scumbags here on the forum :)
Just kidding

One of our famous gurus always wrote "We are not here to give you fish, but to teach you how to catch fish"

Actually it is quite easy, just a few mouse clicks.

There are some prerequisites however.
If you want to use one of your three radios, any recent build (from this year) is probably good.
If you do not have a recent build, get one.
I suggest the one which can be found at : http://www.desipro.de/ddwrt/K3-AC-Arm/

If you are going to upgrade always reset to defaults. After the upgrade telnet into your router and do:
Code:
erase nvram && reboot

If that is too complicated just hit the reset button.

After upgrading and resetting put your settings in manually, never restore from backup.

Next, set up your VPN client; if you are using a commercial VPN provider, follow its instructions (what provider are you using?)

Next, unbridge one of your radios, i.e. set it up to use its own subnet. Use my notes to do that, it is very simple, just a few mouse clicks (there are various methods, this is the simple GUI method). My notes describe the unbridging for a Virtual Access Point, but unbridging a real Access Point (i.e. one of your radios) works the same.
Test if it is working.

If this unbridged radio works as intended then the only thing to do is to head over to your VPN client.
In the Policy Based Routing field you enter the subnet of the unbridged radio, let's assume that you have put the unbridged radio at IP address 192.168.2.1 (while the router's IP address is left at 192.168.1.1). You enter in that field:
Code:
192.168.2.1/24
This tells the VPN client to route only that subnet (radio) through the VPN. Everything else is routed through your WAN/ISP.

As simple as that :)

If you have problems post your settings (make screenshots)

If it is working you can always donate to DDWRT

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1447
Location: Appalachian mountains, USA

Posted: Thu Nov 08, 2018 21:17
I'm sorry that I can't track down the link (I really need to keep better notes), but I feel certain I read somewhere that it is important that the subnet gateway, 192.168.2.1 in your example, NOT be included in the PBR range. Is this incorrect? Or relevant only in some particular circumstance? If it should indeed be left out of PBR, why?

Many thanks, egc, for your indulgence of us networking newbies.

_________________
2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12887
Location: Netherlands

Posted: Thu Nov 08, 2018 21:55
You must never include the router's IP in the PBR range. In this case it is not the router's IP but the IP of the VAP and I am 99.9% sure that that will work.
Of course you can always exclude the IP of the VAP.

logan111
DD-WRT Novice


Joined: 08 Nov 2018
Posts: 15

Posted: Fri Nov 09, 2018 3:23
Alright, I've configured my VPN (IPVanish), I've made one radio unbridged with 192.168.2.1 and I added 192.168.2.1/24 to the PBR. Everything is running, but on the radio with the VPN I have no connection. Any suggestions?

Also, I disabled the VPN and that radio still has no connection.
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1447
Location: Appalachian mountains, USA

Posted: Fri Nov 09, 2018 3:43
Well, my experience with egc is that he's way more likely to be right than wrong, but there's nothing quite like trying things out. So if you at some point want to try excluding the 192.168.2.1 subnet gateway (is that what it's called?) from the PBR, just to see if it matters, my easy way to do that (in other words to be lazy and avoid a complicated PBR specification) is to go back to GUI>Setup>Networking, scroll to the bottom, and change the DHCP parameters for that subnet to 192.168.2.START=128, MAX=64. After all, there's really nothing special at all about starting at 100 and allowing 50 IP addresses. My way gets you a few more IPs and starts at a more convenient spot for referencing the range elsewhere, like in PBR and, should it be needed, in iptables commands. In particular, you can then use 192.168.2.128/26 in the VPN PBR field to pick up exactly those DHCP-assigned addresses without also picking up 192.168.2.1 (or 192.168.2.255, which I also wonder about).

Keep an eye on GUI>Status>Sys-Info, at the bottom, to see if various clients on that subnet have been assigned IP addresses in the new range. If not, you may have to coax them in one way or another.
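
The address arithmetic from the posts above, as an added example that is not part of the original thread: a Python check of whether a PBR entry covers every DHCP lease on the unbridged subnet (a lease outside the entry would be routed through the WAN/ISP instead of the VPN) and whether it also takes in the gateway or broadcast address. The function name `audit_pbr` and its parameters are hypothetical, and it assumes an entry with host bits set, such as 192.168.2.1/24, is read as its enclosing network.

```python
import ipaddress


def audit_pbr(pbr_entry, gateway, dhcp_start, dhcp_max, lan_prefix=24):
    """Compare a PBR entry with the DHCP pool of an unbridged interface.

    pbr_entry  - text entered in the Policy Based Routing field
    gateway    - IP address given to the unbridged radio
    dhcp_start - last octet of the first lease (the GUI "Start" value)
    dhcp_max   - number of leases (the GUI "Max" value)
    """
    # Assumption: host bits are masked off, so 192.168.2.1/24 -> 192.168.2.0/24
    pbr = ipaddress.ip_network(pbr_entry, strict=False)
    gw = ipaddress.ip_address(gateway)
    lan = ipaddress.ip_network(f"{gateway}/{lan_prefix}", strict=False)

    first = lan.network_address + dhcp_start
    pool = [first + i for i in range(dhcp_max)]
    if pool[-1] >= lan.broadcast_address:
        raise ValueError("DHCP pool runs past the end of the subnet")

    # Leases that do not match the PBR entry would not use the VPN
    outside = [ip for ip in pool if ip not in pbr]
    return {
        "pbr_network": str(pbr),
        "pool": f"{pool[0]}-{pool[-1]}",
        "leases_outside_pbr": len(outside),
        "gateway_in_pbr": gw in pbr,
        "broadcast_in_pbr": lan.broadcast_address in pbr,
    }


if __name__ == "__main__":
    # Constructed cases based on the values quoted in the thread
    cases = [
        ("192.168.2.1/24", 100, 50),    # whole subnet, pool at 100 with 50 leases
        ("192.168.2.128/26", 128, 64),  # pool moved to match the /26
        ("192.168.2.128/26", 100, 50),  # /26 entered but pool left at 100/50
    ]
    for entry, start, count in cases:
        print(entry, start, count, audit_pbr(entry, "192.168.2.1", start, count))
```

The third case is the one to watch for: the /26 entry with the DHCP pool still at 100/50 leaves the leases from .100 to .127 outside the VPN policy.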
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12887
Location: Netherlands

Posted: Fri Nov 09, 2018 11:05
Unbridged radios and VAPs are not behaving well these days :(
I agree with @Surpriseditworks, you can certainly try his suggestion.

Things to consider: always reboot after working on a VAP or unbridged radio.

When using Policy Based Routing always disable Shortcut Forwarding Engine on the setup page (it is a bug in SFE, there is a solution if you really need SFE).

As you cannot connect to the radio, have you set up the DHCP server on the unbridged radio?

In the build threads there is much complaining and this is from the latest build thread:
Quote:
1) VAP not working at boot; workaround startup command:
sleep 10; stopservice nas; stopservice wlconf; startservice wlconf; startservice nas;

see: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=317350&postdays=0&postorder=asc&start=0

Post screenshots of your settings so that we can have a look

logan111
DD-WRT Novice


Joined: 08 Nov 2018
Posts: 15

Posted: Fri Nov 09, 2018 16:30
The radios are not an option for me when I TRY TO configure multiple DHCP servers. The only option I get is VLAN 1 and 2 and Ethernet 1-4.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12887
Location: Netherlands

Posted: Fri Nov 09, 2018 16:36
When you have an unbridged radio you have to assign a DHCP server otherwise you will not get an IP address.

It is on the last picture in my notes.

Edit: post a picture of Setup/Networking (the bottom half)

SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1447
Location: Appalachian mountains, USA

Posted: Fri Nov 09, 2018 16:49
Someone with deeper awareness may need to address this, but it seems to me like you cannot have both radio interfaces, corresponding to both SSIDs, bridged if you want to separate their vpn behavior. This is because one bridge gets one DHCP server and one address range, and you need to separate the vpn behavior by address range using policy based routing (PBR) in the vpn configuration. So it looks to me like you'll need to unbridge one of the radio interfaces (advanced settings for that interface, then choose unbridged). An unbridged wifi interface should appear as a menu choice under multiple dhcp servers.

If you want communication between the two subnets, the bridged one and the newly unbridged one, you'll not only need to be careful not to choose network isolation for that unbridged interface, you also may need to deal with a bit of a bug in dd-wrt that kills off all the local routes for the subnet that is routed over the vpn. That problem may be dd-wrt release related. I'm not sure. In any case, speak up if that's the situation, and I'll dig up the forum link.

logan111
DD-WRT Novice


Joined: 08 Nov 2018
Posts: 15

Posted: Fri Nov 09, 2018 17:01
The problem is it won't allow me to select any wireless interfaces with the multiple DHCP. I'm trying an older firmware now.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12887
Location: Netherlands

Posted: Fri Nov 09, 2018 17:17
If you have unbridged one of your radios and have given this radio its own IP address (as you can see in my notes) then head over to the Setup/Networking page. There you see your unbridged radio under Port Setup; you can identify the name of your radio by looking at the IP address you gave. Probably your first radio is eth1, your second is eth2, your third radio is eth3. (This can vary per router model.)

As DDWRT usually deals with only 2 radios it is probably wise to unbridge radio 1 or 2.

Then scroll down on the Setup/Networking page and under Multiple DHCP servers, press the Add button and choose the appropriate radio (eth1, eth2 or eth3).

Save, Apply and Reboot

It can be helpful if you post a picture of your settings so that we can see what you are doing.

@m0eb@
DD-WRT User


Joined: 26 Dec 2015
Posts: 289

Posted: Fri Nov 09, 2018 17:28    Post subject: Re: Dual SSID with VPN
logan111 wrote:
I've looked over several tutorials on here to configure my router. I'm trying to have 1 SSID for normal traffic and 1 SSID for VPN traffic. If someone can lend some assistance with this that would be great.
Hardware: Touchstone CM8200 modem
Netgear Nighthawk R8000
Mediacom 1 Gig Cable connection


I have done just that with my R6400v2.
You need to create a new bridge (say br1) and give it a new subnet (say 192.168.2.1) with its own DHCP (all of it in SETUP>>NETWORKING). Then move one of the eth to this bridge and reboot. It's stable with all versions. Use PBR to allocate VPN only to one subnet (on SERVICES>>VPN).

Do not try to create a virtual interface as there will be issues with current build, but above works.

This way, my users can choose 5 GHz to be on VPN and 2.4GHz to be open.

Read this thread - where people helped me build it. Some of the comments are very helpful.
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316655

_________________
PROFESSIONAL STUDENT
my.Mistakes my.Learning ... provided I have the patience & persistence to learn