[dahabes]

I have followed the instructions on the Flashrouters site for setting up a guest network and info on this forum for adding PBR rules (using CIDR) for my non-guest (primary) subnet to route through the VPN. The guest network works like a charm, the primary subnet has no internet access. I'm having difficulty interpreting the possible fixes (I'm not a network guy). What is missing and how do I make this work? My firmware is fairly up to date...

Linksys WRT1900-ACS V2, DD-WRT v3.0-r40048 std (06/16/19)

[bushant]

I can't remember exactly when it got fixed (40443 I think) but with earlier builds PBR would not work with Shortcut Forwarding Engine enabled.

Try disabling that at .../index.asp

SFE is disabled by default on later builds.

[dahabes]

It changed the behavior, the VPN addresses (sort of) get through to the internet, but performance is HORRIBLE. Most websites don't load before they timeout...

[egc]

To what VPN service are you connecting?
What DNS servers are you using?

[dahabes]

VPN Vendor is IP Vanish.

For the guest network the DNS server used was 208.67.220.220. This was what was in the doc and that might be the problem? I blindly entered it. It was their setup of OpenDNS (yet my guest network worked, in fact it was lightning fast without the VPN in use).

For my primary (VPN) network I have been using Googles DNS servers: 8.8.8.8 and 8.8.4.4. There is a third entry: 192.18.0.1. I'm not sure where that came from originally.

[egc]

I assume you did use the following instructions to setup your guest network: https://flashrouters.zendesk.com/hc/en-us/articles/115000967873-How-To-Setup-a-DD-WRT-Guest-Wireless-Network-On-Your-FlashRouter

It is the old fashioned way with the creation of a bridge but should work without a problem.

I assume you followed this instruction by ipvanish to setup the VPN: https://support.ipvanish.com/hc/en-us/articles/115002080733-DD-WRT-v3-Router-Setup

If you followed that you could have the problems you are describing.
The DNS server 192.18.0.1 is not publicly available I think.
Do not use that but use Google or openDNs or quad nine or what you want.

If this does not solve your problem then post screenshots (max width 600 pixels) of setup page, openVPN client setup page, Status/OpenVPn page ( need the whole page of those items) and post output of (via telnet/putty):
ip route show
ip route show table 10
ip rule show

And be sure to disable SFE (on the latest builds it is working again) and always reboot after a change

P.S. regarding PBR do not include the routers own address in the PBR range and be warned the DDWRT PBR implementation has some flaws, one of them is that you will not have communication between clients on PBR and other clients

[dahabes]

Thanks, I'll try this today.

The answers to your two questions are yes and yes. I've been using IPVanish, with everything going through the VPN, for over two years.

You mention the bridge is the "old-fashioned" method. Is there a "new fashioned" method?

[egc]

[CThomas335]

[egc]

Yeah sorry it is a typo.
So to make things clear do not use 198.18.01 as DNS server in your setup it does not seem publicly available so will not work in your setup because the DNS queries are send via the ISP because you are using PBR

[dahabes]

I thought I had posted a response but it's missing, so here is my update.

I changed the bogus DNS entry and now things (mostly) work. I can access both the VPN and guest (non-VPN) networks from both my laptop and my wife's MAC.

My remaining issue is as follows. My desktop can access the VPN network but hangs when I try to access the guest (non-VPN) network. My desktop has wireless capability, but I have it wired (ethernet) to the router. I have assigned static DNS entries to all fixed components in the network (desktop, NAS, printers, IoT components) on the VPN network. I also have a statis address assigned to the wireless interface (for some reason). I am assuming the static DNS address(es) is/are causing the issue. I would rarely need to use the guest network on the desktop but it is a possibility (some website block you if you use a VPN, such as old big box retail stores like Nordstrom, which is why I needed to do this for my wife!). To get this to work on the desktop do I need to drop the wireless static address or both? Also, would I need to disconnect the cable, flush DNS and then connect via the guest network?

[egc]

Glad you got it working.

If I understand it correctly you have a desktop and normally you are using wired to use the VPN.

If you do not want the VPN you can use a utility called NetSEtMan to set an other IP address on your desktop (one outside the PBR range) so that you do not use the VPN.

Another possibility is to disable the ethernet or pull the cable and use your wifi on the desktop to connect to the guest network.

DNS should not have anything to do with it that I can imagine in your case.

Another more sophisticated solution is to addd static routes for sites you do not want to use the VPN for, this is feasible if you do not have many.

[dahabes]

I finally noodled it through. I had to eliminate the static IP address for the wireless adapter on the desktop, it was holding the IP when I was trying to go to the guest network which is a different IP range. Pull the plug on the ethernet cable and it all works. Thanks for all of your help.