Posted: Sun Mar 15, 2015 9:01 Post subject: Bypass VPN on guest wifi network
Hello,
I am running an E4200 behind a modem (192.168.178.1, connected with WAN-port).
The E4200 is configured as VPN client so that the whole traffic goes through the VPN tunnel, works great so far.
Now I want to create a guest VAP (wl0.1) that bypasses the VPN tunnel.
I have added a VAP (bridged), created a bridge (br1, 192.168.3.1) and linked it with wl0.1, enabled DHCP in "Additional DNSMasq Options" as described in the "multiple wlan" wiki. Additionally I have enabled NAT on WAN with
iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`.
Problem: I can connect to the VAP, can ping the modem on WAN (192.168.178.1) but have no internet access.
I have tried this from another discussion on the board, but still no internet access:
iptables -I FORWARD -i br1 -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -o vlan2 -m state --state NEW -j ACCEPT
Can someone give me a hint to get the VAP to work?
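The setup the post above describes, written out as an added example of the routing and firewall rules involved: the guest bridge br1 gets its own routing table whose default route points at the ISP gateway, so it leaves via the WAN while the rest of the router keeps the tunnel as default gateway. This is not the poster's or DD-WRT's own code and it does not use the OpenVPN GUI's policy-based-routing field; it assumes br1 = guest bridge, table 100 = guest routing table, and takes the WAN interface, gateway and address from the DD-WRT helpers (`get_wanface`, `nvram get wan_gateway`, `nvram get wan_ipaddr`) on a real router. The fallback values used for the dry run (vlan2, 192.168.178.2) are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): route a guest bridge (br1) around an
# OpenVPN tunnel while the rest of the router keeps the tunnel as default gateway.
# Assumed names: br1 = guest bridge, table 100 = guest routing table.
# WAN interface/gateway/address come from DD-WRT helpers on a real router; the
# fallbacks at the bottom are constructed sample values for the dry run.
# With DRY_RUN=1 (the default) the commands are printed instead of executed.

DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# guest_bypass WANIF WANGW WANIP GUESTIF GUESTNET TABLE
guest_bypass() {
    wanif="$1"; wangw="$2"; wanip="$3"; guestif="$4"; guestnet="$5"; table="$6"

    # 1. Routing: anything sourced from the guest subnet consults table 100,
    #    whose default route points at the ISP gateway, not at the tunnel.
    run ip route add default via "$wangw" dev "$wanif" table "$table"
    # The connected route must also be in table 100; otherwise packets the
    # router itself sends from 192.168.3.1 (DHCP, DNS replies) would match the
    # "from" rule and be pushed out the WAN instead of back onto br1.
    run ip route add "$guestnet" dev "$guestif" table "$table"
    run ip rule add from "$guestnet" lookup "$table" prio 100
    run ip route flush cache

    # 2. NAT: guest traffic leaving the WAN needs the WAN address; with the
    #    tunnel up, the firmware's own masquerade may only cover tun1.
    run iptables -t nat -A POSTROUTING -s "$guestnet" -o "$wanif" \
        -j SNAT --to-source "$wanip"

    # 3. Forwarding: -I prepends, so DROP is inserted first and ACCEPT second,
    #    leaving ACCEPT above DROP. Guests may open connections to the WAN
    #    only; new connections towards br0 or into the tunnel are dropped.
    run iptables -I FORWARD -i "$guestif" -m state --state NEW -j DROP
    run iptables -I FORWARD -i "$guestif" -o "$wanif" -m state --state NEW -j ACCEPT

    # 4. Let guests reach dnsmasq on the router for DHCP and DNS.
    run iptables -I INPUT -i "$guestif" -p udp -m multiport --dports 53,67 -j ACCEPT
    run iptables -I INPUT -i "$guestif" -p tcp --dport 53 -j ACCEPT
}

# On the router (as a startup/firewall script):
#   WANIF=$(get_wanface) WANGW=$(nvram get wan_gateway) \
#   WANIP=$(nvram get wan_ipaddr) DRY_RUN=0 sh guest-bypass.sh
# Constructed fallbacks below are for the dry run only.
guest_bypass "${WANIF:-vlan2}" "${WANGW:-192.168.178.1}" "${WANIP:-192.168.178.2}" \
    br1 192.168.3.0/24 100
```

Two checks worth running on the router afterwards: `ip route get 8.8.8.8 from 192.168.3.10 iif br1` should name the WAN interface and gateway, while `ip route get 8.8.8.8 from 192.168.1.10 iif br0` should still name the tunnel; and `ip rule show` should list the `from 192.168.3.0/24 lookup 100` entry ahead of the main table.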
Yes, I'm using OpenVPN.
Ok, I understand that the default gateway is the VPN tunnel.
But I don't understand the way the policy based routing field is working:
I put in 192.168.3.0/24. Now br1 has internet access and the traffic seems NOT to be routed through the VPN tunnel (I get an IP address from my ISP and not from the VPN provider). br0 (192.168.1.0/24) has a connection neither to the internet nor to the VPN.
If I add 192.168.1.0/24 to the policy based routing nothing changes. As far as I understand this should give access to the tunnel for br0, but it doesn't work.
Now I am really confused.
Thank you for your very comprehensive explanation. Where is the donation button?
I think this might be the solution, I will try that the next few days.
update:
Can't get it to work.
I put in all the IP ranges as described above, but all the clients in that subnet get an IP from my ISP, not from the VPN. The VAP works as intended.
If I change the iptables rules to work with the VPN, the VAP works, but no traffic is routed through the VPN.
I give up, time is too valuable. Probably I will upgrade to an R7000 (which should have enough power for a 9 MBit VPN tunnel; the E4200 hasn't).
Nevertheless: Thank you for the quick support and hopefully other users can use the hints.
Solution: Changed firmware from kong 22000M++ to BS 25527. Same settings as described above and it works!
With the last build from BS I can't bring up any VAP, but this is another problem, so I changed back to 25527.
Thank you.
I delayed in responding because I was trying out BS. My goal is the same. But the BS firmware was a bit disappointing for me. A few things broke after I flashed to the latest BS.
1. Internet speed was down 70%
2. Webif was slow in responding.
3. Unable to access the 2nd partition on my NAS drive.
4. Could not get Guest network to work.
I could get all of these working with kong but I was running with 2 issues.
1. I could not bridge (br1) to wl0.1. When I configure, I am unable to connect to the guest network.
2. Unable to bypass VPN for guest network. (This is my FINAL goal.)
I have picked up the latest BS build. That may be one of the reasons.
Finally I had to revert to Kong.
I'll keep looking and maybe open another thread and take help from the gurus to resolve one issue at a time.
Thanks.
Last edited by craigbuyer on Tue Jun 06, 2017 3:33; edited 1 time in total
eibgrad, your first two posts in this thread are the clearest and simplest on this topic I have seen. Could you please put it in the wiki so lots of others can see it?
I also have been trying to do exactly as the OP for a few months -- all traffic through VPN (including all SSIDs), EXCEPT one SSID. Practically every post on the net just wants VPN for one SSID, which seems so much easier.
I have gotten it to work on Kong 31980 on R8000, but the problem I face is that using the policy based routing horribly slows down or delays browsing on the included subnets (yes, I'm not including the router IP or the SSID DHCPd IPs in the CIDR entries). Removing the policy based routing and making VPN default for all works swimmingly.
Is that normal or expected?
craigbuyer, evolvente23, did either of you get this to work?
_________________
LinkSys E1000 ...... DD-WRT
LinkSys E2000 ...... DD-WRT
Netgear R8000 ...... Finally DD-WRT
TP-Link WR710N ..... Stock (considering DD-WRT)
I could finally get it all working after spending a good number of days. Thanks to the DD-WRT forum and a few outside it. It was also good learning about iptables and routing. The whole exercise was fun as well as frustrating. It was like a fight between me and the router, and finally I won.
If time permits, I'll create a KB article for dummies (with screenshots) on this. I'll check the forum if anyone has already done it before.
Thanks eibgrad, rjgow, Per Yngve Berg for your inputs in the forum.
Posted: Sun Sep 24, 2017 19:44 Post subject: struggling
I've been struggling with this endlessly. Very briefly, with no PBR applied everything goes through VPN but with PBR applied everything listed in PBR field has no internet access at all and the rest all goes via ISP. I can't figure out why the IPs in the PBR field lose internet. I've tried single IPs (with & without /32 suffix), lists of IPs, CIDR ranges (complete from .2 to .255 and partial), always careful to never include the gateway. As soon as I apply PBR, the IPs I exclude from the PBR get access via ISP but everything in PBR that should get access via VPN gets no internet at all - they can still access other LAN resources (HTPC, shared drives, printers, etc.). I've tried putting the main subnet IPs in PBR, VAP IPs in PBR, and result is same - IPs in PBR lose internet and the rest get ISP.
I'm quite happy doing a bit of trial and error but I've totally run out of ideas. Does anyone have any suggestions?