R7000 with default VLAN.VLAN3 and VPN

mheloy
DD-WRT Novice


Joined: 10 Jun 2017
Posts: 6

Posted: Sat Jun 10, 2017 6:06    Post subject: R7000 with default VLAN.VLAN3 and VPN
Hi,

I wanted to move my router from pfsense to R7000 because I don't want to run my microserver 24x7 anymore. I believe the R7000 can replace my pfsense, with some of the functionality that I use with pfsense.

I flashed my R7000 with DDWRT Firmware: DD-WRT v3.0-r31575M kongac (03/21/17)

I currently have this

root@RommelRouter:~# nvram show | grep vlan.*ports
size: 37883 bytes (27653 left)
vlan2ports=0 5u
vlan1ports=1 2 3 4 5*
root@RommelRouter:~# nvram show | grep port.*vlans
size: 37883 bytes (27653 left)
port5vlans=1 2 3 16
port3vlans=3 18 19 21
port1vlans=1 18 19 21
port4vlans=1 18 19 21
port2vlans=1 18 19 21
port0vlans=2 18 19 21
root@RommelRouter:~# nvram show | grep vlan.*hwname
size: 37883 bytes (27653 left)
vlan2hwname=et0
vlan1hwname=et0
root@RommelRouter:~#


I currently have 2 VLANs now: the default VLAN (I think VLAN 1) with IP 192.168.30.x and another, VLAN 3, for VOIP and IP cam with 192.168.3.x. Everything was working, but after I turned on my PIA VPN, all the IPs from the default VLAN can reach the internet, but not the IPs from VLAN 3. I don't have any firewall rules at the moment, but I tried a few, i.e.:

iptables -I INPUT -i vlan3 -j ACCEPT
iptables -I FORWARD -i vlan3 -o br0 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i vlan3 -o ppp0 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i vlan3 -o tun1 -m state --state NEW -j ACCEPT

Not sure if it's correct; this is the part (iptables) I'm still confused about.

Can someone point me in the right direction?

Thanks
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6868
Location: Romerike, Norway

Posted: Sat Jun 10, 2017 8:56
You want VLAN3 on port 3?

nvram set vlan1ports="1 2 4 5*"
nvram set vlan3ports="3 5"
nvram set vlan3hwname=et0
nvram commit
reboot
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6868
Location: Romerike, Norway

Posted: Sat Jun 10, 2017 8:58
Note: This is Broadcom only. This topic should have been posted in the Broadcom Forum.
mheloy
DD-WRT Novice


Joined: 10 Jun 2017
Posts: 6

Posted: Sat Jun 10, 2017 10:52
Apologies for the wrong forum.

I think I've tried that + a few firewall rules. It did not work well. I will try that again.

BTW, I've used the UI to set the VLAN for port 3, then unbridged VLAN 3 and set the IP address, then set the DHCP for VLAN 3. It was working well. VLAN 3 has internet even without firewall rules.

It was after I configured the VPN that VLAN 3 stopped having internet. Turning the VPN off will give internet to VLAN 3.
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6868
Location: Romerike, Norway

Posted: Sat Jun 10, 2017 17:58
According to the variables, port 3 belongs to VLAN1, not VLAN3.
mheloy
DD-WRT Novice


Joined: 10 Jun 2017
Posts: 6

Posted: Sat Jun 10, 2017 22:29
Hi,

I ran the commands... it moved...

root@RommelRouter:~# nvram show | grep vlan.*ports
size: 37911 bytes (27625 left)
vlan2ports=0 5u
vlan3ports=3 5
vlan1ports=1 2 4 5*
root@RommelRouter:~# nvram show | grep port.*vlans
size: 37911 bytes (27625 left)
port5vlans=1 2 3 16
port3vlans=3 18 19 21
port1vlans=1 18 19 21
port4vlans=1 18 19 21
port2vlans=1 18 19 21
port0vlans=2 18 19 21
root@RommelRouter:~# nvram show | grep vlan.*hwname
vlan3hwname=et0
size: 37911 bytes (27625 left)
vlan2hwname=et0
vlan1hwname=et0
root@RommelRouter:~#


But still VLAN 3 does not have internet with the VPN on.

EDIT: I plugged my laptop into a VLAN3 port. My laptop has internet... it seems my VOIP does not like the VPN.

Is there a way to route all VLAN3 traffic without the VPN, but the default VLAN (192.168.30.x) through the VPN?

Thanks
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6868
Location: Romerike, Norway

Posted: Sun Jun 11, 2017 7:31
Is it OpenVPN?

There is a Policy based Routing field in the OpenVPN Client.

For other VPN: http://www.dd-wrt.com/wiki/index.php/Policy_Based_Routing
mheloy
DD-WRT Novice


Joined: 10 Jun 2017
Posts: 6

Posted: Mon Jun 12, 2017 3:22
Yes, it's for OpenVPN with PIA.

I've tried adding 192.168.30.0/24 in the Policy based routing, and it worked. VLAN 3, including my VOIP, has access to the internet.

But the problem now is with the default VLAN (192.168.30.x). The DNS somehow is not working. I was able to fix it by changing the DNS of my laptop (connected to the default VLAN) to 8.8.8.8. Then it was able to access the internet. But my Android phone connected via wifi cannot access the internet. The Android is also in the default VLAN.

Any ideas, please?

Thanks
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6868
Location: Romerike, Norway

Posted: Mon Jun 12, 2017 5:44
Can the router resolve dns names?

Do the clients have the router as dns server?
mheloy
DD-WRT Novice


Joined: 10 Jun 2017
Posts: 6

Posted: Mon Jun 12, 2017 7:02
Yes, the router can resolve DNS:
root@RommelRouter:~# nslookup www.telstra.com.au
nslookup: can't resolve '(null)'

Name: www.telstra.com.au
Address 1: 2001:8006:102:7::11
Address 2: 203.36.190.11


Yes, the clients' DNS is 192.168.30.254, which is the router IP address.
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6868
Location: Romerike, Norway

Posted: Mon Jun 12, 2017 8:29
Do you have IPv6 enabled?

The address is an IPv6 address.
mheloy
DD-WRT Novice


Joined: 10 Jun 2017
Posts: 6

Posted: Tue Jun 13, 2017 10:53
Yes, IPv6 is disabled.

I've tried to change policy based routing to
192.168.30.0/25

Seems to be working... but it doesn't make sense why it's not working with 192.168.30.0/24.

My VPN is working on the 192.168.30.x network.
My VLAN 3 192.168.3.x network is bypassing the VPN.

Though in this setup dnsleak.com fails.
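
Added example, not part of the thread: the /24 entry contains the router's own address 192.168.30.254 (the clients' DNS server, per the post above) while the /25 entry stops at 192.168.30.127, which may be why the two behaved differently; that explanation is an assumption, not something the thread confirms. The Python below computes the source networks that cover the LAN minus the router address and shows which clients a given entry actually covers. Function names and the sample client addresses are constructed, and it assumes the policy field accepts more than one network.

```python
import ipaddress


def policy_without_router(lan_cidr, router_ip):
    """Smallest list of CIDRs covering lan_cidr except the router's address."""
    lan = ipaddress.ip_network(lan_cidr)
    router = ipaddress.ip_network(f"{router_ip}/32")
    if not router.subnet_of(lan):
        return [str(lan)]  # router is outside the LAN range, nothing to carve out
    # address_exclude() yields the sibling subnets left after removing `router`
    return [str(net) for net in sorted(lan.address_exclude(router))]


def covered_by_policy(policy, hosts):
    """Map each host to True when a policy entry matches its source address."""
    nets = [ipaddress.ip_network(p) for p in policy]
    return {h: any(ipaddress.ip_address(h) in n for n in nets) for h in hosts}


if __name__ == "__main__":
    ROUTER = "192.168.30.254"      # router/DNS address given in the thread
    # Constructed sample clients: two on the default VLAN, one on VLAN 3
    clients = ["192.168.30.10", "192.168.30.200", ROUTER, "192.168.3.20"]

    for policy in (["192.168.30.0/24"], ["192.168.30.0/25"],
                   policy_without_router("192.168.30.0/24", ROUTER)):
        print(policy)
        for host, via_vpn in covered_by_policy(policy, clients).items():
            print(f"  {host:<16} {'VPN' if via_vpn else 'WAN (bypasses VPN)'}")
```

With the /25 entry, any default-VLAN client addressed above 192.168.30.127 is not matched and leaves by the WAN, so the DHCP range needs to stay inside the matched networks if every client is meant to use the tunnel.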