Gateway Issue for subnetting VAPs

securedparty
DD-WRT Novice


Joined: 07 Dec 2017
Posts: 22

Posted: Sat Jan 21, 2023 19:25    Post subject: Gateway Issue for subnetting VAPs
Networking Scheme: 10.10.0.0/22
R8500.1 (Edge Router): 10.10.0.1
R8500.2 (Wireless AP): 10.10.0.2
R8500.3 (Wireless AP, plus runs OpenVPN): 10.10.0.3

R8500.1 serves as the edge router and is the master DHCP server (ordinarily).
On R8500.2 I have set up wireless virtual APs. The VAPs are perfectly configured on this router.

Both R8500.2 and R8500.3 have this setup in Commands for Firewall
Code:
# Enable NAT for traffic being routed out br0 so that br1 has connectivity (for WAP's - WAN port disabled)
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`


Firmwares are: DD-WRT v3.0-r35030M kongac.
R8500.2 is set up with 10.10.3.0/27 for bridged VAPs.
R8500.2 has a self-assigned IP of 10.10.3.1 on the (br1) bridge.

R8500.3 is set up with 10.10.3.32/27 for bridged VAPs.
R8500.3 has a self-assigned IP of 10.10.3.33 on the (br1) bridge.

Both R8500.2 and R8500.3 are set up as non-gateway Wireless Access Points and are wired to the main network. The WAN ports on R8500.2 and R8500.3 are reassigned to switch function, and 'Advanced Routing' 'Operating Mode' is set to "Router" (not gateway).


Again, everything works flawlessly from the R8500.2 router. Also, everything otherwise works flawlessly from the R8500.3, except the use of the VPN to connect out.

The only difference between R8500.3 and R8500.2 is that R8500.3 is running OpenVPN and it automatically tunnels traffic.

The dilemma is on R8500.3. Wireless devices connecting to R8500.3 end up using the VPN gateway instead of passing traffic onto R8500.1. I would not like these wireless devices using the VPN gateway.

I cannot seem to figure out a way to get the wireless devices connecting to R8500.3 VAPs to NOT use the VPN on that router.


R8500.2 does not use OpenVPN, and all internet traffic proceeds normally.
R8500.3 does use OpenVPN, and all internet traffic goes out the VPN (not wanted).


Everything is working as desired EXCEPT for the VPN traffic dilemma. Only devices on the main network that explicitly point to R8500.3 as a Gateway are meant to use that VPN tunnel.


I am stumped and cannot figure out a fix.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12888
Location: Netherlands

Posted: Sun Jan 22, 2023 8:13
First, you have a very "unusual" network setup with 10.10.0.0/22.

You have two Wireless Access Points and you describe 10.10.3.0/27 for bridged VAPs. This is a subnet, so do you mean unbridged VAPs?

Furthermore, you make a separate subnet which is within the main subnet (because of the /22 netmask), which does not make much sense to me.

You are using a very old build and lots of things have changed, especially about OpenVPN, so I cannot say much about that.

In general running an OpenVPN client on a WAP is described in the OpenVPN Client setup guide:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327398

_________________
Routers: Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3, XR300: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read): https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
securedparty
DD-WRT Novice


Joined: 07 Dec 2017
Posts: 22

Posted: Sun Jan 22, 2023 14:36
Sorry that it has confused you. Also, yes, I am aware of the firmware's age.

And I apologize, yes, the VAPs are unbridged. When I said "bridged" I meant that the VAPs are connected to a bridge (br1) that they are assigned to.

If it helps, please consider the VAP setup for R8500.3 as 10.10.4.32/27, and 10.10.4.0/27 for the R8500.2.

The firewall/iptables commands I have inserted haven't made a difference.

I have tried this:
Code:
iptables -I FORWARD -s 10.10.4.32/27 -d 10.10.4.33 -j DNAT --to 10.10.0.1

And I have tried this:
Code:
iptables -t nat -I PREROUTING -o br0 -j DNAT --to 10.10.0.1

And:
Code:
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to 10.10.0.1
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12888
Location: Netherlands

Posted: Tue Jan 24, 2023 7:07
Still not sure why you are using such unorthodox subnet masks.
It is not needed and makes it difficult to calculate, so that overlap can easily take place.

About OpenVPN: as said, it is a very old build and lots of things have changed, but by default everything is routed via OpenVPN if it is active.

On a Wireless Access Point that applies to everything behind the router, e.g. what is unbridged, as you can read in the documentation I pointed to.

There you can also read about what you can do about it (e.g. Policy Based Routing PBR), although that might not work on older builds.

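A worked example of the policy-based routing (PBR) approach egc points to, added here and not taken from the thread or the DD-WRT guide: clients on R8500.3's unbridged VAP bridge are routed to the edge router instead of the tunnel, and a small CIDR overlap check enforces egc's point about the VAP subnet sitting inside the /22. The interface names br0/br1, subnets and gateway are from the thread; routing table 100, rule priority 100 and the tun+ interface wildcard are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): PBR on R8500.3 so that br1 clients reach
# the internet via 10.10.0.1 rather than the OpenVPN tunnel. Table id, priority
# and the tun+ wildcard are assumptions; subnets/interfaces are from the thread.
LAN_IF=br0             # wired side toward the main network
VAP_IF=br1             # unbridged VAP bridge on R8500.3
VAP_NET=10.10.4.32/27  # VAP subnet from the follow-up post
EDGE_GW=10.10.0.1      # R8500.1, the edge router
MAIN_NET=10.10.0.0/22
PBR_TABLE=100          # assumed unused routing table
PBR_PRIO=100           # assumed; anything below main's 32766 is consulted first

# ip_to_int 10.10.4.33 -> 168428577
ip_to_int() {
    set -- $(echo "$1" | tr . ' ')
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# overlaps A/N B/M: succeeds if the two CIDR blocks share any address
# (egc's point: 10.10.3.0/27 sits inside 10.10.0.0/22)
overlaps() {
    a=$(ip_to_int "${1%/*}"); p=${1#*/}
    b=$(ip_to_int "${2%/*}"); q=${2#*/}
    [ "$q" -lt "$p" ] && p=$q                  # shorter prefix decides
    m=$(( (0xFFFFFFFF << (32 - p)) & 0xFFFFFFFF ))
    [ $(( a & m )) -eq $(( b & m )) ]
}

# pbr_commands prints the router commands; apply_pbr pipes them to sh.
# The FORWARD REJECT is a backstop so br1 can never leak into the tunnel.
pbr_commands() {
    cat <<EOF
ip route replace default via $EDGE_GW dev $LAN_IF table $PBR_TABLE
ip rule del from $VAP_NET lookup $PBR_TABLE 2>/dev/null
ip rule add from $VAP_NET lookup $PBR_TABLE prio $PBR_PRIO
ip route flush cache
iptables -D FORWARD -i $VAP_IF -o tun+ -j REJECT 2>/dev/null
iptables -I FORWARD -i $VAP_IF -o tun+ -j REJECT
EOF
}

apply_pbr() {
    if overlaps "$VAP_NET" "$MAIN_NET"; then
        echo "$VAP_NET lies inside $MAIN_NET; pick a disjoint VAP range" >&2
        return 1
    fi
    pbr_commands | sh
}
if [ "${APPLY_PBR:-0}" = 1 ]; then apply_pbr; fi
```

The rule matches on source address only, so hosts on the main network that point at R8500.3 as their gateway still follow the main table and the tunnel, which is what the first post asks for; note that DNS the router forwards on its own behalf also still follows the main table.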