Bypass VPN on guest wifi network

DD-WRT Forum Forum Index -> Advanced Networking
evolvente23
DD-WRT Novice


Joined: 01 May 2014
Posts: 34

PostPosted: Sun Mar 15, 2015 9:01    Post subject: Bypass VPN on guest wifi network
Hello,
I am running an E4200 behind a modem (192.168.178.1, connected to the WAN port).
The E4200 is configured as VPN client so that the whole traffic goes through the VPN tunnel, works great so far.

Now I want to create a guest VAP (wl0.1) that bypasses the VPN tunnel.
I have added a VAP (bridged), created a bridge (br1, 192.168.3.1) and linked it with wl0.1, enabled DHCP in "Additional DNSMasq Options" as described in the "multiple wlan"-wiki. Additionally I have enabled NAT on WAN with
iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`.

Problem: I can connect to the VAP, can ping the modem on WAN (192.168.178.1) but have no internet access.

I have tried this from another discussion in the board, but still no internet access:
iptables -I FORWARD -i br1 -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -o vlan2 -m state --state NEW -j ACCEPT


Can someone give me a hint to get the VAP to work?
evolvente23
DD-WRT Novice


Joined: 01 May 2014
Posts: 34

PostPosted: Mon Mar 16, 2015 6:20    Post subject:
Thank you for your quick reply.

Yes, I'm using OpenVPN.
Ok, I understand that the default gateway is the VPN tunnel.

But I don't understand the way the policy based routing field is working:
I put in 192.168.3.0/24. Now br1 has internet access and the traffic seems NOT to be routed through the VPN tunnel (I get an IP address from my ISP and not from the VPN provider). br0 (192.168.1.0/24) has no connection to the internet nor the VPN?

If I add 192.168.1.0/24 to the policy based routing nothing changes. As far as I understand this should give access to the tunnel for br0, but it doesn't work.
Now I am really confused.
evolvente23
DD-WRT Novice


Joined: 01 May 2014
Posts: 34

PostPosted: Tue Mar 17, 2015 6:28    Post subject:
Thank you for your very comprehensive explanation. Where is the donation button?

I think this might be the solution, I will try that the next few days.

update:
Can't get it to work.
I put in all the IP ranges as described above, but all the clients in that subnet get an IP from my ISP, not from the VPN. VAP works as intended.
If I change the iptables to work with the VPN, The VAP works, but no traffic will be routed through the VPN.

I give up, my time is too valuable. I will probably upgrade to an R7000 (which should have enough power for a 9 MBit VPN tunnel; the E4200 hasn't).


Nevertheless: Thank you for the quick support and hopefully other users can use the hints.
evolvente23
DD-WRT Novice


Joined: 01 May 2014
Posts: 34

PostPosted: Sat Mar 21, 2015 18:29    Post subject:
Finally I managed to get the VAP to bypass my VPN.

Solution: Changed firmware from kong 22000M++ to BS 25527. Same settings as described above and it works!
With the last build from BS I can't bring up any VAP, but this is another problem, so I changed back to 25527.
craigbuyer
DD-WRT Novice


Joined: 17 May 2017
Posts: 7

PostPosted: Wed May 31, 2017 20:08    Post subject:
evolvente23 wrote:
Finally I managed to get the VAP to bypass my VPN.

Solution: Changed firmware from kong 22000M++ to BS 25527. Same settings as described above and it works!
With the last build from BS I can't bring up any VAP, but this is another problem, so I changed back to 25527.


I am new. I am running R7000 with http://www.desipro.de/ddwrt/K3-AC-Arm/dd-wrt.K3_R7000.chk (2017-04-14)

Can you send me the location of BS 25527?

Thanks
Craig
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6202
Location: Romerike, Norway

PostPosted: Thu Jun 01, 2017 5:16    Post subject:
ftp://ftp.dd-wrt.com/betas/2017/
craigbuyer
DD-WRT Novice


Joined: 17 May 2017
Posts: 7

PostPosted: Mon Jun 05, 2017 3:32    Post subject:
Thank you.
I delayed in responding because I was trying out BS. My goal is the same. But the BS firmware was a bit disappointing for me. A few things broke after I flashed to the latest BS.
1. Internet speed was down 70%
2. Webif was slow in responding.
3. Unable to access the 2nd partition on my NAS drive.
4. Could not get Guest network to work.

I could get all of these working with kong but I was running with 2 issues.

1. I could not bridge (br1) to wl0.1. When I configure, I am unable to connect to the guest network.
2. Unable to bypass VPN for guest network. (This is my FINAL goal.)

I have picked up the latest BS build. That may be one of the reasons.

Finally I had to revert to kong.

I'll keep looking and maybe open another thread and take help from the Gurus to resolve one issue at a time.

Thanks.


Last edited by craigbuyer on Tue Jun 06, 2017 3:33; edited 1 time in total
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6202
Location: Romerike, Norway

PostPosted: Mon Jun 05, 2017 5:56    Post subject:
Did you use r32170?
craigbuyer
DD-WRT Novice


Joined: 17 May 2017
Posts: 7

PostPosted: Mon Jun 05, 2017 15:49    Post subject:
Yes. I picked up the latest one.

ftp://ftp.dd-wrt.com/betas/2017/06-01-2017-r32170/netgear-r7000/netgear-r7000-webflash.bin
neerav
DD-WRT Novice


Joined: 08 Jul 2010
Posts: 44

PostPosted: Mon Jun 05, 2017 21:04    Post subject:
eibgrad, your first two posts in this thread are the clearest and simplest on this topic I have seen. Could you please put it in the wiki so lots of others can see it?

I also have been trying to do exactly as the OP for a few months -- all traffic through VPN (including all SSIDs), EXCEPT one SSID. Practically every post on the net just wants VPN for one SSID, which seems so much easier.

I have gotten it to work on Kong 31980 on R8000, but the problem I face is that using the policy based routing horribly slows down or delays browsing on the included subnets (yes, I'm not including the router IP or the SSID DHCPd IPs in the CIDR entries). Removing the policy based routing and making VPN default for all works swimmingly.

Is that normal or expected?

craigbuyer, evolvente23, did either of you get this to work?

_________________
LinkSys E1000 ...... DD-WRT
LinkSys E2000 ...... DD-WRT
Netgear R8000 ...... Finally DD-WRT
TP-Link WR710N ..... Stock (considering DD-WRT)
craigbuyer
DD-WRT Novice


Joined: 17 May 2017
Posts: 7

PostPosted: Mon Jun 05, 2017 22:31    Post subject:
OK. I was able to have some success in bridging br1 with wl0.1. After "Apply Settings" I have to reboot the router, which did the trick.

This is my routing table, the output of 'route -n'. I have 2 wireless networks (5GHz and 2.4GHz) and 1 guest network (2.4GHz?)

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.xxx.xxx.7 128.0.0.0 UG 0 0 0 tun1
0.0.0.0 70.xx.xxx.1 0.0.0.0 UG 0 0 0 vlan2
10.xxx.xxx.1 10.xxx.xxx.7 255.255.255.255 UGH 0 0 0 tun1
10.xxx.xxx.7 0.0.0.0 255.255.255.255 UH 0 0 0 tun1
70.xxx.xxx.0 0.0.0.0 255.255.254.0 U 0 0 0 vlan2
104.xxx.xxx.81 70.xxx.xxx.1 255.255.255.255 UGH 0 0 0 vlan2
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
128.0.0.0 10.xxx.xxx.7 128.0.0.0 UG 0 0 0 tun1
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 br0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 br1

What commands should I execute to bypass the VPN for Guest Network (my FINAL goal)?

I am running R7000 r31870M kongac.

Thanks
Craig
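As an added illustration (not code from this thread or from DD-WRT), the following Python models what the routing table above does: OpenVPN's two /1 routes on tun1 out-rank the /0 default on vlan2 for every destination, so the guest subnet only reaches the ISP if a source rule sends it to a separate table that has its own default route. Interface names and subnets are taken from the post; the gateway octets masked as xxx are replaced with made-up values, and the `guest` table and its rule are assumptions. It also shows what happens when the selected table lacks a default route.

```python
import ipaddress

# Constructed sample modelled on the `route -n` output posted in the thread;
# the masked octets (xxx) are replaced with made-up placeholder values.
ROUTE_N_OUTPUT = """\
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.8.0.7 128.0.0.0 UG 0 0 0 tun1
0.0.0.0 70.1.1.1 0.0.0.0 UG 0 0 0 vlan2
70.1.0.0 0.0.0.0 255.255.254.0 U 0 0 0 vlan2
104.1.1.81 70.1.1.1 255.255.255.255 UGH 0 0 0 vlan2
128.0.0.0 10.8.0.7 128.0.0.0 UG 0 0 0 tun1
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 br1
"""

def parse_route_n(text):
    """Return (network, iface) pairs from `route -n` output; header lines are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8:
            continue
        try:  # destination/genmask -> network object; header words raise ValueError
            net = ipaddress.ip_network(f"{parts[0]}/{parts[2]}", strict=False)
        except ValueError:
            continue
        routes.append((net, parts[7]))
    return routes

def lookup(routes, dst):
    """Longest-prefix match inside one table, as the kernel does. None = no route."""
    dst = ipaddress.ip_address(dst)
    hits = [r for r in routes if dst in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen)[1] if hits else None

def policy_lookup(rules, tables, src, dst):
    """Emulate `ip rule from <prefix> lookup <table>`: first source match wins, else main."""
    s = ipaddress.ip_address(src)
    for prefix, table in rules:
        if s in ipaddress.ip_network(prefix):
            return lookup(tables[table], dst)
    return lookup(tables["main"], dst)

MAIN = parse_route_n(ROUTE_N_OUTPUT)
# Hypothetical bypass table for the guest bridge: a default route via the ISP gateway only.
GUEST_OK = parse_route_n("0.0.0.0 70.1.1.1 0.0.0.0 UG 0 0 0 vlan2")
GUEST_NO_DEFAULT = parse_route_n("192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 br1")
TABLES = {"main": MAIN, "guest": GUEST_OK, "broken": GUEST_NO_DEFAULT}
RULES = [("192.168.2.0/24", "guest")]  # assumed rule: guest subnet uses the guest table
```

With the `guest` rule in place, a 192.168.2.x client resolves to vlan2 while br0 clients still go out via tun1; a table with no default route resolves to nothing, which shows up as hosts that can reach the LAN but not the internet.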
craigbuyer
DD-WRT Novice


Joined: 17 May 2017
Posts: 7

PostPosted: Thu Jun 08, 2017 15:37    Post subject:
SUCCESS!!!

I could finally get it all working after spending a good number of days. Thanks to the DD-WRT forum and a few outside it. It was also good learning about iptables and routing. The whole exercise was fun as well as frustrating. It was like a fight between me and the router and finally I won.

If time permits, I'll create a KB article for dummies (with screenshots) on this. I'll check the forum if anyone has already done it before.

Thanks eibgrad, rjgow, Per Yngve Berg for your inputs in the forum.

cheers,
Craig
______________________

Netgear R7000 - DD-WRT v3.0-r31870M kongac (04/16/17)
rfry1
DD-WRT Novice


Joined: 07 Oct 2016
Posts: 8

PostPosted: Sun Sep 24, 2017 19:44    Post subject: struggling
I've been struggling with this endlessly. Very briefly, with no PBR applied everything goes through VPN but with PBR applied everything listed in PBR field has no internet access at all and the rest all goes via ISP. I can't figure out why the IPs in the PBR field lose internet. I've tried single IPs (with & without /32 suffix), lists of IPs, CIDR ranges (complete from .2 to .255 and partial), always careful to never include the gateway. As soon as I apply PBR, the IPs I exclude from the PBR get access via ISP but everything in PBR that should get access via VPN gets no internet at all - they can still access other LAN resources (HTPC, shared drives, printers, etc.). I've tried putting the main subnet IPs in PBR, VAP IPs in PBR, and result is same - IPs in PBR lose internet and the rest get ISP.

I'm quite happy doing a bit of trial and error but I've totally run out of ideas. Does anyone have any suggestions?
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6202
Location: Romerike, Norway

PostPosted: Sun Sep 24, 2017 21:06    Post subject:
Does the routing table for the PBR have a Default route that points to the correct gateway?

Where does a traceroute end?
rfry1
DD-WRT Novice


Joined: 07 Oct 2016
Posts: 8

PostPosted: Sun Sep 24, 2017 21:36    Post subject:
Not sure if these answer your questions in their entirety?...
