[RESOLVED] Routing One WLAN Outside OpenVPN

DD-WRT Forum -> Advanced Networking
Max Power
DD-WRT Novice
Joined: 27 Feb 2018
Posts: 25
PostPosted: Wed Feb 28, 2018 15:49    Post subject: [RESOLVED] Routing One WLAN Outside OpenVPN
Hardware is Netgear Nighthawk X6 R8000 with Kong stable (DD-WRT v3.0-r33675M kongac (11/03/17)).

I have OpenVPN client set up (Private Internet Access, strong configuration not base).

I have 3x WLAN SSIDs (.11ng [base SSID], ac-only [base SSID-5G], and another ac-only [base SSID-TV]).

The 3x radio interfaces (wl0, wl1, and wl2) along with all of the ethernet interfaces all route through OpenVPN.

The [base SSID-TV] radio (wl0 interface) is used solely for Apple TV. What I need to do (because of Hulu) is route wl0 around OpenVPN so that the devices on wl0 aren't routed through the PIA VPN.

Because I just need to route an entire interface, do I still need to set up a VAP/VLAN? Or can I break wl0 out from the default bridge and go from there?

I am fairly savvy with Linux itself, but have NEVER done networking stuff so definitely need it broken down as simply as possible.

Thanks! Hopefully I can contribute in the future; loving DD-WRT so far and figuring out adblocking and dnsmasq stuff. (The ISP kept overwriting my resolv.conf, so I had to figure out how to bypass that, eventually going with the no-resolv flag and then specifying the DNS servers in dnsmasq.conf, then realizing that gets reset every reboot, so I had to put it in the additional config options via the GUI.)

This is fun!


Last edited by Max Power on Thu Mar 01, 2018 2:35; edited 1 time in total
eibgrad
DD-WRT Guru
Joined: 18 Sep 2010
Posts: 8034
PostPosted: Wed Feb 28, 2018 16:21    Post subject:
What you need is PBR (policy based routing). Using the OpenVPN client GUI and the PBR field, you can specify specific source IPs/networks to be routed over the VPN, while leaving everything else to the WAN/ISP.

What you can't do (not because it isn't possible, but only because the GUI doesn't support it) is specify network interfaces. A network interface can only be *implied* based on the unique local IP network to which it has been assigned.

For example, if you unbridge the 2.4GHz radio (wl0) from the default bridge (br0), that would force you to assign a new local IP network to the wl0 network interface. Let's assume br0 has been assigned 192.168.1.0/24. Perhaps make wl0 192.168.2.x. You could now add 192.168.1.0/24 to the PBR field (to force them over the VPN), while the 2.4GHz users continue to use the WAN/ISP because they're using 192.168.2.0/24.

Just beware, there's a bug in the GUI where you can't include the local IP of the router on the primary network, either directly (e.g., 192.168.1.1) or implicitly (192.168.1.0/24). If you do, it will hang the router.

When using large blocks of IPs w/ the PBR field, it's more convenient to add them using CIDR notation using an IP range to CIDR calculator.

https://www.ipaddressguide.com/cidr
Max Power
DD-WRT Novice
Joined: 27 Feb 2018
Posts: 25
PostPosted: Wed Feb 28, 2018 16:35    Post subject:
eibgrad wrote:
What you need is PBR (policy based routing). [...]

Thanks, that helps a lot!

I'd found some other threads on similar topics but always left scratching my head, especially when it got to the part about setting up iptables rules and such. Doing it all via the GUI sounds better for me. A couple of follow-ups if you don't mind:

    How do I go about breaking wl0 out of br0 then setting that part up?

    How do I avoid including the local IP of the router on the primary network?

    What are the implications of not having it on the primary network?
eibgrad
DD-WRT Guru
Joined: 18 Sep 2010
Posts: 8034
PostPosted: Wed Feb 28, 2018 17:16    Post subject:
Max Power wrote:
I'd found some other threads on similar topics but always left scratching my head. Especially when it got to the part about setting up iptable rules and such. Doing it all via the GUI sounds better for me. Couple of follow ups if you don't mind -

How do I go about breaking wl0 out of br0 then setting that part up?


Go to the Networking page and create a new bridge (e.g., br1). Assign it its own unique local IP network (e.g., 192.168.2.1, 255.255.255.0). Then create a new assignment, moving wl0 to the new bridge (which will unassign it from its current bridge).

Note, the Networking page is a bit goofy. It's often necessary to reboot the router after *every* change in order to see the effect of those changes and take the next step. Annoying, but it's been that way forever. Sometimes it may even require a *cold* reboot (power off, power on).

Once you have the basic bridge configured, I recommend using the Command Method in the multiple wireless LAN wiki to configure the default gateway, DNS server(s), NAT rule for access over the WAN, etc.

https://www.dd-wrt.com/wiki/index.php/Multiple_WLANs#Command_Method

That's the old-school way, and I'm old school. :)

Others prefer to use the GUI, which I personally find a bit flaky at times, and I'm not always 100% sure what it's doing wrt things like "Net Isolation". I can venture a guess, but I prefer managing it directly. So take your pick.

Quote:
How do I avoid including the local IP of the router on the primary network?


Don't include it! The default bridge (br0) has an IP assignment by default of 192.168.1.0/24, with the router specifically assigned 192.168.1.1. If that's the current setup, or you've changed it, just don't include the local IP assigned to the router on that bridge. IOW, don't add either of the following to the PBR field.

Code:
192.168.1.1
192.168.1.0/24


For example, to include *every* other IP on the 192.168.1.0/24 network except the router (192.168.1.2 through 192.168.1.254; 192.168.1.255 is the broadcast IP, so we can ignore it), you could use an IP range to CIDR calculator (to minimize the number of entries) and specify the following in the PBR field.

Code:
192.168.1.2/31
192.168.1.4/30
192.168.1.8/29
192.168.1.16/28
192.168.1.32/27
192.168.1.64/26
192.168.1.128/26
192.168.1.192/27
192.168.1.224/28
192.168.1.240/29
192.168.1.248/30
192.168.1.252/31
192.168.1.254/32


This is an extreme example. In practice, many ppl would probably limit this further, perhaps to the DHCP range.

Quote:
What are the implications of not having it on the primary network?


Not much. You can move around network interfaces as you see fit, assigning them to other bridges, as long as you understand what you're doing. By default, the router configures things in such a way as to satisfy the needs of 99.44% of users. But the power of dd-wrt is the ability to reconfigure it in a multitude of ways, according to your own needs. As I said, as long as you understand what you're doing, you can configure it any way you want.

The only thing that catches most ppl is forgetting to NAT any new IP networks created behind the WAN. By default, the router will *only* NAT the IP network assigned to the default bridge (br0) over the WAN. Anything else YOU create requires YOU to add the necessary NAT rule, which is explained in that other wiki (if you use the GUI, that will be an option). If you don't, then internet access is not possible from those other IP networks.
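A worked example of the two pieces of advice above (the PBR field takes source IPs/networks, and no entry may cover the router's own LAN address), added here; it is not from the thread or from DD-WRT. It reproduces the CIDR list in the post with Python's ipaddress module, checks a candidate PBR list for the router's address, and models which path a given client takes. The 192.168.1.0/24 network with the router at 192.168.1.1 is the thread's example; the DHCP pool 192.168.1.100-149 used at the end is a constructed assumption.

```python
"""Added example, not from the thread or DD-WRT: build and sanity-check the
source-IP list for the OpenVPN client's PBR field."""
from ipaddress import ip_address, ip_network, summarize_address_range


def cidrs_for_range(first, last):
    """Minimal CIDR list covering first..last inclusive (what the 'IP range
    to CIDR calculator' mentioned in the thread does)."""
    return [str(n) for n in summarize_address_range(ip_address(str(first)),
                                                     ip_address(str(last)))]


def pbr_entries_excluding_router(network, router_ip):
    """Every usable host in `network` except the router, as CIDR entries.
    The network and broadcast addresses are left out as well."""
    net, router = ip_network(network), ip_address(router_ip)
    first, last = net[1], net[-2]
    if not first <= router <= last:
        raise ValueError("%s is not a host address in %s" % (router, net))
    entries = []
    if router > first:
        entries += cidrs_for_range(first, router - 1)
    if router < last:
        entries += cidrs_for_range(router + 1, last)
    return entries


def entries_covering(entries, addr):
    """PBR entries (single hosts or CIDRs) that contain `addr`. A non-empty
    result for the router's own LAN address is the GUI hang case above."""
    a = ip_address(addr)
    return [e for e in entries if a in ip_network(e, strict=False)]


def route_for(entries, client_ip):
    """What PBR does with a client: source IP in the list -> VPN tunnel,
    otherwise the plain WAN/ISP path."""
    return "vpn" if entries_covering(entries, client_ip) else "wan"


if __name__ == "__main__":
    lan, router = "192.168.1.0/24", "192.168.1.1"   # the thread's example
    pbr = pbr_entries_excluding_router(lan, router)
    print("\n".join(pbr))
    print("entries covering the router:", entries_covering(pbr, router))
    print("192.168.2.50 goes via", route_for(pbr, "192.168.2.50"))
    # Constructed assumption: restricting PBR to a DHCP pool of .100-.149
    # needs far fewer entries than "everything but the router".
    print(cidrs_for_range("192.168.1.100", "192.168.1.149"))
```

Run it before pasting anything into the GUI: if `entries_covering(pbr, router)` is non-empty, the list contains the router's own address (directly or via a CIDR) and, per the post above, would hang the router.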
egc
DD-WRT Guru
Joined: 18 Mar 2014
Posts: 4239
Location: Netherlands
PostPosted: Wed Feb 28, 2018 17:33    Post subject:
I totally agree with @Eibgrad, but if you want to use the GUI (I do :)) then see my attached notes; maybe they come in handy. You need the unbridged VAP.
_________________
Routers:Netgear R7800, Netgear R6400v1, Netgear R6400v2, Linksys EA6900 (XvortexCFE), Linksys E2000 (converted WRT320N), WRT54GS v1.
Install guide Linksys EA6900: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=291230
OpenVPN Policy Based Routing guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN Server Setup:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Max Power
DD-WRT Novice
Joined: 27 Feb 2018
Posts: 25
PostPosted: Wed Feb 28, 2018 20:52    Post subject:
Seems that wl0, wl1, and wl2 are all in a vlan and I can't figure out how to break that out. Screenshots attached of what it looks like (after a reboot) when I change wl0 to "Unbridged".

Can create br1 but the only options for assignment are eth0-eth3 and vlan1 and vlan2. When you look at the VLAN page, there is just a single wireless interface listed "W".

Ideas?

Have to admit, this is fun.
eibgrad
DD-WRT Guru
Joined: 18 Sep 2010
Posts: 8034
PostPosted: Thu Mar 01, 2018 1:07    Post subject:
VLANs have nothing to do w/ wireless. VLANs are only for wired ports. You can assign one or more wired ports to a VLAN. By default, the router assigns ports 1-4 to vlan1, and port 5 (the WAN) to vlan2. Under most circumstances, you don't need to mess w/ the VLANs configuration *unless* it's your intent to add one or more wired ports to your new bridge (br1).

IOW, there's nothing wrong w/ simply creating a new bridge (br1) and assigning the AP (wl0) to the bridge. However, if sometime down the road you decide you'd like to have wired users also use that same bridge (not just wireless), *now* you'd have to visit that VLANs page, create a new VLAN (e.g., vlan3), and reassign one or more ports from vlan2 to your new vlan3. And finally add that vlan3 to your bridge.
Max Power
DD-WRT Novice
Joined: 27 Feb 2018
Posts: 25
PostPosted: Thu Mar 01, 2018 1:16    Post subject:
eibgrad wrote:
VLANs have nothing to do w/ wireless. [...]

Ahh, still never got wl0, wl1, or wl2 to show up in the bridge page.

I caved and created a VAP (wl0.1) and bridged that. Now I'm working through why clients on br1 (wl0.1) can't access the internet (did everything in that Wiki page). Best I can come up with right now is that the client is using the router (10.0.1.0) as the only DNS server.

Additional DNSmasq Options -
Code:
# Ignore /etc/resolv.conf (where the ISP-pushed resolvers end up) and never re-read it
no-resolv
no-poll
# Local domain handling
local=/localnet/
server=/localnet/10.0.0.1
# Upstream resolvers for everything else
server=9.9.9.9
server=176.103.130.130
server=176.103.130.131
server=4.2.2.1
server=4.2.2.2
server=4.2.2.3
listen-address=127.0.0.1
bind-interfaces
# Never forward plain (dotless) names upstream
domain-needed
# Ad-blocking domain and host lists kept on the writable jffs partition
conf-file=/jffs/dnsmasq/mpdomains
addn-hosts=/jffs/dnsmasq/mphosts


Firewall Script
Code:
# NAT all traffic leaving the WAN interface, not just the default bridge (br0)
iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
# No new connections between the TV network (br1) and the main LAN (br0), in either direction
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
# br1 may not reach the WAN-side subnet itself (e.g. the modem)
iptables -I FORWARD -i br1 -d `nvram get wan_ipaddr`/`nvram get wan_netmask` -m state --state NEW -j DROP
# Block new connections from br1 to the router itself, then re-allow DHCP and DNS
# (each -I lands above the previous rule, so the ACCEPTs end up above the DROP)
iptables -I INPUT -i br1 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT


Startup Script
Code:
# If the WAN DHCP lease pushed ISP DNS servers, discard them and restart dnsmasq
[ "$( nvram get wan_get_dns )" != "" ] &&
nvram unset wan_get_dns &&
nvram unset wan_get_domain &&
nvram commit &&
stopservice dnsmasq &&
startservice dnsmasq
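An added example (not from the thread or DD-WRT) that models how iptables walks the INPUT and FORWARD rules in the firewall script above: first match wins, and `-I` puts a rule at the top of its chain, so the DROP-all-NEW rule inserted first ends up below the DHCP and DNS ACCEPTs inserted after it. The rule set is copied from the post minus the NAT rule (a different table) and the line with backtick substitutions; the sample packets are constructed, and the model understands only the match options that script uses.

```python
"""Added example, not from the thread: a first-match model of iptables to
show the effective order of the INPUT/FORWARD rules in the firewall script.
Only the match options that script uses are understood."""
import shlex

# Constructed copy of the post's filter-table rules. The NAT rule (other
# table) and the rule with backtick substitutions are left out.
SCRIPT = """
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
"""

OPTIONS = {"-i": "in", "-o": "out", "-p": "proto", "--dport": "dport",
           "--state": "state", "-j": "target"}


def parse_rule(line):
    """Return (chain, prepend, rule) for one iptables command line."""
    argv = shlex.split(line)
    if not argv or argv[0] != "iptables":
        raise ValueError("not an iptables command: %r" % line)
    chain, prepend, rule = None, None, {}
    i = 1
    while i < len(argv):
        if i + 1 >= len(argv):
            raise ValueError("option without value: %s" % argv[i])
        tok, val = argv[i], argv[i + 1]
        if tok in ("-I", "-A"):
            chain, prepend = val, tok == "-I"
        elif tok == "-m":
            pass                        # match-extension loader, no criteria
        elif tok in OPTIONS:
            rule[OPTIONS[tok]] = int(val) if tok == "--dport" else val
        else:
            raise ValueError("unsupported option %s" % tok)
        i += 2
    if chain is None or "target" not in rule:
        raise ValueError("rule needs a chain and a target: %r" % line)
    return chain, prepend, rule


def build_chains(script):
    """Apply the commands in order: -I puts the rule at the top of the
    chain, -A at the bottom, exactly as the kernel would."""
    chains = {}
    for line in script.strip().splitlines():
        chain, prepend, rule = parse_rule(line)
        rules = chains.setdefault(chain, [])
        if prepend:
            rules.insert(0, rule)
        else:
            rules.append(rule)
    return chains


def evaluate(chains, chain, packet):
    """Verdict of the first matching rule; None means nothing in this model
    matched and the packet falls through to whatever rules and policy the
    router already had in that chain."""
    for rule in chains.get(chain, []):
        criteria = {k: v for k, v in rule.items() if k != "target"}
        if all(packet.get(k) == v for k, v in criteria.items()):
            return rule["target"]
    return None


def effective_order(chains, chain):
    """Targets in the order the kernel will try them."""
    return [r["target"] for r in chains.get(chain, [])]


if __name__ == "__main__":
    chains = build_chains(SCRIPT)
    print("INPUT order:", effective_order(chains, "INPUT"))
    dhcp = {"in": "br1", "proto": "udp", "dport": 67, "state": "NEW"}
    print("DHCP from br1:", evaluate(chains, "INPUT", dhcp))
    # Same rules with the ACCEPTs appended (-A) instead of inserted (-I):
    # the DROP inserted earlier now sits above them and shadows DHCP/DNS.
    shadowed = build_chains(
        SCRIPT.replace("-I INPUT -i br1 -p", "-A INPUT -i br1 -p"))
    print("DHCP from br1 with -A:", evaluate(shadowed, "INPUT", dhcp))
```

The `shadowed` variant is the mistake to watch for when editing such a script: mixing `-I` and `-A` silently reorders the chain, and a DROP placed above the ACCEPTs means br1 clients get no DHCP lease or DNS answers from the router, which looks exactly like "no internet on br1".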
eibgrad
DD-WRT Guru
Joined: 18 Sep 2010
Posts: 8034
PostPosted: Thu Mar 01, 2018 1:45    Post subject:
When dealing w/ changes to the default config, it's best to keep them to a bare minimum until you get things working. For example, preventing access between br1 and br0 may be a long term objective, but it's only icing on the cake at the moment. The more stuff you add, the more opportunity for making a mistake. And then it becomes a bear to identify the culprit.

All you need to get things established is to define the bridge, assign it an IP network, provide it w/ a DHCP server, default gateway, and DNS servers. Finally, NAT that network over the WAN. That's it! Get that working. Forget about all that stuff in the startup script (I'm not even sure what that's doing, or where you got it). The syntax isn't even correct. You can't logically and (&&) the next line w/o a continuation mark (\).

Code:
[ "$( nvram get wan_get_dns )" != "" ] && \
nvram unset wan_get_dns && \
nvram unset wan_get_domain && \
nvram commit && \
stopservice dnsmasq && \
startservice dnsmasq


But this only makes my point. Get it working barebones first. You can tweak it to your heart's content all you want later. But at least you'll always have a working config to fall back should future changes fail you.
Max Power
DD-WRT Novice
Joined: 27 Feb 2018
Posts: 25
PostPosted: Thu Mar 01, 2018 2:34    Post subject:
Got it working; bone-headed mistake: I had set the IP address to 10.0.1.0 instead of 10.0.1.1.

Got that corrected and good to go!

Thanks for the help on all of this.

That startup script is one I found in another thread as another method to prevent an ISP from forcing their DNS & domain into resolv.conf. Not sold that it works so I'm still rolling with no-resolv in the DNSmasq options.
Max Power
DD-WRT Novice
Joined: 27 Feb 2018
Posts: 25
PostPosted: Sun Mar 04, 2018 15:21    Post subject:
One final closeout on this.

Turns out that the eth1, eth2, and eth3 interfaces are actually wl0, wl1, and wl2. Was going through some MAC identifiers, got curious, ran ifconfig and confirmed that the wl0-2 correspond to eth1-3 based on MAC addresses.

Odd that they're renamed to that, totally threw me off, as well.

eth0 is the LAN, FYI

So, I'm going to re-try things using eth1 in br1 and removing the VAP.