[RESOLVED] Routing One WLAN Outside OpenVPN

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Advanced Networking
Author Message
Max Power
DD-WRT Novice


Joined: 27 Feb 2018
Posts: 25

PostPosted: Wed Feb 28, 2018 15:49    Post subject: [RESOLVED] Routing One WLAN Outside OpenVPN Reply with quote
Hardware is Netgear Nighthawk X6 R8000 with Kong stable (DD-WRT v3.0-r33675M kongac (11/03/17)).

I have OpenVPN client set up (Private Internet Access, strong configuration not base).

I have 3x WLAN SSID's (.11ng [base SSID], ac-only [base SSID-5G], and another ac-only [base SSID-TV]).

The 3x radio interfaces (wl0, wl1, and wl2) along with all of the ethernet interfaces all route through OpenVPN.

The [base SSID-TV] radio (wl0 interface) is used solely for Apple TV. What I need to do (because of Hulu) is route wl0 around OpenVPN so that the devices on wl0 aren't routed through the PIA VPN.

Because I just need to route an entire interface, do I still need to set up a VAP/VLAN? Or can I break wl0 out from the default bridge and go from there?

I am fairly savvy with Linux itself, but have NEVER done networking stuff so definitely need it broken down as simply as possible.

Thanks! Hopefully I can contribute in the future, loving DD-WRT so far and figuring out adblocking & DNSmasq stuff (ISP kept overwriting my resolv.conf so I had to figure out to bypass that, eventually going with no-resolv flag and then specifying the DNS servers in the dnsmasq.conf file, then realizing that gets reset every reboot, so I had to put it in the additional config options via the GUI).

This is fun!


Last edited by Max Power on Thu Mar 01, 2018 2:35; edited 1 time in total
Sponsor
Max Power
DD-WRT Novice


Joined: 27 Feb 2018
Posts: 25

PostPosted: Wed Feb 28, 2018 16:35    Post subject: Reply with quote
eibgrad wrote:
What you need is PBR (policy based routing). Using the OpenVPN client GUI and the PBR field, you can specify specific source IPs/networks to be routed over the VPN, while leaving everything else to the WAN/ISP.

What you can't do (not because it isn't possible, but only because the GUI doesn't support it) is specify network interfaces. A network interface can only be *implied* based on the unique local IP network to which it is has been assigned.

For example, if you unbridge the 2.4GHz radio (wl0) from the default bridge (br0), that would force you to assign a new local IP network to the wl0 network interface. Let's assume br0 has been assigned 192.168.1.0/24. Perhaps make wl0 192.168.2.x. You could now add 192.168.1.0/24 to the PBR field (to force them over the VPN), while the 2.4GHz users continue to use the WAN/ISP because they're using 192.168.2.0/24.

Just beware, there's a bug in the GUI where you can't include the local IP of the router on the primary network, either directly (e.g., 192.168.1.1) or implicitly (192.168.1.0/24). If you do, it will hang the router.

When using large blocks of IPs w/ the PBR field, it's more convenient to add them using CIDR notation using an IP range to CIDR calculator.

https://www.ipaddressguide.com/cidr


Thanks, that helps a lot!

I'd found some other threads on similar topics but always left scratching my head. Especially when it got to the part about setting up iptable rules and such. Doing it all via the GUI sounds better for me. Couple of follow ups if you don't mind -

    How do I go about breaking wl0 out of br0 then setting that part up?

    How do I avoid including the local IP of the router on the primary network?

    What are the implications of not having it on the primary network?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 5790
Location: Netherlands

PostPosted: Wed Feb 28, 2018 17:33    Post subject: Reply with quote
I totally agree with @Eibgrad but if you want to use the GUI (I do Smile) then attached my notes, maybe they come in handy. You need the unbridged VAP.
_________________
Routers:Netgear R7800, Netgear R6400v1, Netgear R6400v2, Linksys EA6900 (XvortexCFE), Linksys E2000 (converted WRT320N), WRT54GS v1.
OpenVPN Policy Based Routing guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN Server Setup:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Wireguard server setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1183135
Wireguard client setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324624
Wireguard Advanced setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324787
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
Max Power
DD-WRT Novice


Joined: 27 Feb 2018
Posts: 25

PostPosted: Wed Feb 28, 2018 20:52    Post subject: Reply with quote
Seems that wl0, wl1, and wl2 are all in a vlan and I can't figure out how to break that out. Screenshots attached of what it looks like (after a reboot) when I change wl0 to "Unbridged".

Can create br1 but the only options for assignment are eth0-eth3 and vlan1 and vlan2. When you look at the VLAN page, there is just a single wireless interface listed "W".

Ideas?

Have to admit, this is fun.
Max Power
DD-WRT Novice


Joined: 27 Feb 2018
Posts: 25

PostPosted: Thu Mar 01, 2018 1:16    Post subject: Reply with quote
eibgrad wrote:
VLANs have nothing to do w/ wireless. VLANs are only for wired ports. You can assign one or more wired ports to a VLAN. By default, the router assigns ports 1-4 to vlan1, and port 5 (the WAN) to vlan2. Under most circumstances, you don't need to mess w/ the VLANs configuration *unless* it's your intent to add one or more wired ports to your new bridge (br1).

IOW, there's nothing wrong w/ simply creating a new bridge (br1) and assigning the AP (wl0) to the bridge. However, if sometime down the road you decide you'd like to have wired users also use that same bridge (not just wireless), *now* you'd have to visit that VLANs page, create a new VLAN (e.g., vlan3), and reassign one or more ports from vlan2 to your new vlan3. And finally add that vlan3 to your bridge.


Ahh, still never got wl0, wl1, or wl2 to show up in the bridge page.

I caved and created a VAP (wl0.1) and bridged that. Now I'm working through why clients on br1 (wl0.1) can't access the internet (did everything in that Wiki page). Best I can come up with right now is that the client is using the router (10.0.1.0) as the only DNS server.

Additional DNSmasq Options -
Code:
no-resolv
no-poll
local=/localnet/
server=/localnet/10.0.0.1
server=9.9.9.9
server=176.103.130.130
server=176.103.130.131
server=4.2.2.1
server=4.2.2.2
server=4.2.2.3
listen-address=127.0.0.1
bind-interfaces
domain-needed
conf-file=/jffs/dnsmasq/mpdomains
addn-hosts=/jffs/dnsmasq/mphosts


Firewall Script
Code:
iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -d `nvram get wan_ipaddr`/`nvram get wan_netmask` -m state --state NEW -j DROP
iptables -I INPUT -i br1 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT


Startup Script
Code:
[ "$( nvram get wan_get_dns )" != "" ] &&
nvram unset wan_get_dns &&
nvram unset wan_get_domain &&
nvram commit &&
stopservice dnsmasq &&
startservice dnsmasq
Max Power
DD-WRT Novice


Joined: 27 Feb 2018
Posts: 25

PostPosted: Thu Mar 01, 2018 2:34    Post subject: Reply with quote
Got it working, bone headed mistake - set the IP address at 10.0.1.0 instead of 10.0.1.1

Got that corrected and good to go!

Thanks for the help on all of this.

That startup script is one I found in another thread as another method to prevent an ISP from forcing their DNS & domain into resolv.conf. Not sold that it works so I'm still rolling with no-resolv in the DNSmasq options.
Max Power
DD-WRT Novice


Joined: 27 Feb 2018
Posts: 25

PostPosted: Sun Mar 04, 2018 15:21    Post subject: Reply with quote
One final closeout on this.

Turns out that the eth1, eth2, and eth3 interfaces are actually wl0, wl1, and wl2. Was going through some MAC identifiers, got curious, ran ifconfig and confirmed that the wl0-2 correspond to eth1-3 based on MAC addresses.

Odd that they're renamed to that, totally threw me off, as well.

eth0 is the LAN, FYI

So, I'm going to re-try things using eth1 in br1 and removing the VAP.
Display posts from previous:    Page 1 of 1
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Advanced Networking All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum