Help with routing / routing table

edwardko
DD-WRT Novice


Joined: 13 Sep 2020
Posts: 8

Posted: Sun Sep 13, 2020 3:02    Post subject: Help with routing / routing table
Hi experts, I have setup my dd-wrt to provide 2 wireless network types - direct to ISP and via OpenVPN and my family can switch between SSIDs to suit.

DD-WRT also provides NAS functionality for my home network and users connected to any SSIDs (PC1/PC2/PC3) can access the NAS.

I have 2 problems with my setup: 1) users connected to the VPN AP (i.e. PC2) cannot access the printer; 2) PC1 and PC3 cannot access the shared folder on PC2.

I have tried, but do not have the technical know-how to configure the routing table, which is set up via these Firewall commands:

iptables -I FORWARD -i br1 -o tun1 -j ACCEPT
iptables -I FORWARD -i tun1 -o br1 -j ACCEPT
iptables -I INPUT -i tun0 -j REJECT
iptables -t nat -A POSTROUTING -o tun1 -j MASQUERADE
ip route add default via 192.168.1.1 table 200

Can anyone help me? Thanking all in advance.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8455

Posted: Sun Sep 13, 2020 4:14
What I think I'm seeing here is an attempt to avoid a double-NAT situation, since the easiest solution would be to daisy-chain the Linksys to the modem (WAN to LAN, respectively), while keeping all clients behind that WAN on their own respective networks (e.g., br0=192.168.2.0/24 and br1=192.168.3.0/24). Then configure the OpenVPN client as normal and use PBR (policy based routing) to route the 192.168.3.0/24 network over the VPN. And if you want to eliminate the double NAT, just place the modem in bridge mode so your Linksys is the only one w/ an active WAN, and receives the public IP.

All I can assume is the above is not possible in your present situation for some reason.

If you insist on a bridged Linksys, then I'm puzzled as to your current configuration. You specifically mention the Linksys WAN is connected to the LAN of the modem, yet NOT assigned to the LAN. As such, the Linksys is still in a routed configuration, yet it has its DHCP server disabled, its br0 clients are part of the modem's network, etc., all indicating the desire is to have the Linksys bridged to the modem. If you want the Linksys bridged, the WAN port needs to be disabled and assigned to a LAN port (at least if you want to use the WAN port as a LAN to LAN connection to the modem).

My gut tells me your current configuration is an attempt to make the WAN part of the br0 bridge, and if that's the case, I don't recommend it. Use a standard WAP configuration, then deal w/ the changes necessary to have the br1 network assigned to the VPN.

But again, *ideally* a routed configuration, and one that has the modem in bridge mode, makes the whole thing a lot easier to configure.
edwardko
DD-WRT Novice


Joined: 13 Sep 2020
Posts: 8

Posted: Sun Sep 13, 2020 4:33
Thank you for your prompt reply. By daisy chaining the Linksys, is the attached diagram what you mean? I.e., all devices are attached to the Linksys, instead of some devices to the Linksys and some to the ISP modem.

The reason why PC3 is currently connected directly to the ISP modem is that, for some reason, I cannot achieve 80 Mbps download speeds via the Linksys.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8455

Posted: Sun Sep 13, 2020 5:25
By daisy-chaining, I mean you link one router to another, WAN to LAN, in a *routed* configuration.

[linksys](wan)<-->(lan)[modem+router]

In such a configuration, each router maintains its own unique IP network, its own DHCP server, its own firewall, etc. And the fact that you specifically mention the Linksys WAN has *NOT* been assigned to the LAN, and is the port connected to the LAN of the modem+router, further suggests this is a *routed* configuration.

But then it gets confusing. You then proceed to describe the br0 network of the Linksys and the modem+router sharing the *same* IP network. And the Linksys having no DHCP server. Both strongly suggesting this is a *bridged* configuration, NOT routed.

IOW, the diagram is contradictory. The relationship between the Linksys and the modem+router either has to be routed or bridged, NOT a little of each.
edwardko
DD-WRT Novice


Joined: 13 Sep 2020
Posts: 8

Posted: Sun Sep 13, 2020 6:13
I think I have a bridged configuration on the Linksys. I suspect the reason why the connection via the WAN port works is because br0 is bridged to eth0 (assuming that eth0 is the WAN port??) despite the "Assign WAN port to switch" box not being checked.

I also tried checking the "Assign WAN port to switch" box and the current setup continues to work.

Sorry - not sure if that further confuses the way I have setup my Linksys. I only half know what I am doing.
edwardko
DD-WRT Novice


Joined: 13 Sep 2020
Posts: 8

Posted: Sun Sep 13, 2020 6:15
This is the basic setup page.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 6994
Location: Netherlands

Posted: Sun Sep 13, 2020 6:23
As @eibgrad said, daisy chaining is the easiest solution.

The other solution is to setup as a WAP:
https://wiki.dd-wrt.com/wiki/index.php/Wireless_access_point

If you do not enable Net isolation on the unbridged interface, you can communicate between the subnets; you do not need any firewall rules, there is communication by default unless you enable Net isolation.

However, there is no network discovery between subnets, so you can only communicate by IP address.

You can run a VPN on a WAP and unbridged interfaces will use the VPN by default.

You mention table 200 so you must be using some sort of PBR which is not necessary in this case unless you do not want all clients connected to the unbridged interface to use the VPN.

DD-WRT has built-in VPN, no need to do it yourself, but now comes maybe part of your problem: when using PBR you have to use a recent build; earlier builds did not copy local routes to the PBR alternate routing table.
Latest build as of today: 44340

See the forum guidelines, link in my signature, where to get builds and how to research.

But as @eibgrad said, just daisy chaining is far easier (but you still need a recent build if you want to use PBR), although I am running a VPN (WireGuard) on a WAP in the configuration you are attempting, so it is possible.


P.S. Resize your screenshots to a max width of 800 pixels according to the forum guidelines or they will be removed.

_________________
Routers:Netgear R7800, R6400v1, R6400v2, Linksys EA8500, EA6900 (XvortexCFE), E2000 (converted WRT320N), WRT54GS v1.
OpenVPN Policy Based Routing: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN Server Setup:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Wireguard Server setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1183135
Wireguard Client setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324624
Wireguard Advanced setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324787
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8455

Posted: Sun Sep 13, 2020 6:36
edwardko wrote:
I think I have a bridged configuration on the Linksys. I suspect the reason why the connection via the WAN port works is because br0 is bridged to eth0 (assuming that eth0 is the WAN port??) despite the "Assign WAN port to switch" box not being checked.


That's why I guessed that perhaps that's what you did; assign the WAN's network interface to br0. It's hard to be sure from this side of the forum because every router is different, and just based on the names of the network interfaces (eth0, eth1, etc.), we can't be 100% sure which network interface applies to which physical ports.

As I said, I don't recommend this approach. It makes for a confusing solution. Instead, you start w/ a standard routed configuration (i.e., factory defaults), then disable the WAN, assign it to the LAN, disable the DHCP server, assign a static IP, netmask, default gateway, and DNS server(s), and finally connect the Linksys to the modem+router, LAN to LAN. IOW, it's just a plain ol' standard WAP configuration.

Now create your additional network (br1) on the Linksys and assign it its own IP network, DHCP server, etc. In order for clients of the br0 and br1 networks to communicate, you need to add a static route to the primary router that points to the Linksys router's LAN ip as the gateway to the br1 network.

Finally, configure the OpenVPN client on the Linksys and place the br1's IP network in the PBR (policy based routing) field. As long as the OpenVPN client is active, those clients will be routed over the VPN.

None of the above should require any additional firewall rules.
edwardko
DD-WRT Novice


Joined: 13 Sep 2020
Posts: 8

Posted: Sun Sep 13, 2020 7:13
Thanks all. I'll download and install the latest build and re-configure the Linksys from scratch.
edwardko
DD-WRT Novice


Joined: 13 Sep 2020
Posts: 8

Posted: Mon Sep 14, 2020 7:16
Hi eibgrad,

I have setup Linksys as a WAP and created br1 + assigned ath1, the 2.4GHz WLAN to br1. But I am unsure how to give br1 access to the internet. Can you give me some pointers here?

Quote:
In order for clients of the br0 and br1 networks to communicate, you need to add a static route to the primary router that points to the Linksys router's LAN ip as the gateway to the br1 network.


My primary router supplied by the ISP has no option to allow me to add a static route, so I am not sure where this leaves me?

Thanks again.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 6994
Location: Netherlands

Posted: Mon Sep 14, 2020 10:59
If you do not mind, I will answer this (@eibgrad is doing testing with ipset for DD-WRT).

I would assume that is in the wiki, but I saw it is not.

Add the following rule in Commands/Save as Firewall:

Code:
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)

edwardko
DD-WRT Novice


Joined: 13 Sep 2020
Posts: 8

Posted: Mon Sep 14, 2020 11:03
Thanks Egc. I'll give that a go.
mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 5386
Location: Texas

Posted: Mon Sep 14, 2020 11:03
egc wrote:
Add the following rule in Commands/Save as Firewall:

Code:
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)


For a WAP that should have been in the wiki years ago.
'bout time --- thanks egc.
edwardko
DD-WRT Novice


Joined: 13 Sep 2020
Posts: 8

Posted: Tue Sep 15, 2020 5:07
Thanks gurus - mostly sorted out with the command:

iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)

The OpenVPN client wasn't working as expected. When it was enabled (without PBR) and the VPN connected, it stopped internet access on br1. And adding PBR (in my case 192.168.2.128/25) didn't solve the problem.

In the end, I added my previous iptables command into the firewall and that worked.

Many thanks once again for your support.
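An added example, not code from this thread or from DD-WRT: a small Python model of the WAP + br1 + VPN setup discussed in egc's SNAT post and in the last post. The topology is constructed and assumed (ISP router 192.168.1.1, WAP lan_ipaddr 192.168.1.2 on br0, br1 = 192.168.2.128/25 as the PBR subnet, OpenVPN client on tun1); it shows why br1 traffic leaving br0 needs the SNAT, why the VPN path needs MASQUERADE, and what happens on older builds that did not copy local routes into the PBR table.

```python
# Constructed topology for the thread's WAP setup (assumed values, not from
# any real configuration): the ISP router is 192.168.1.1 and only knows
# 192.168.1.0/24; the WAP's lan_ipaddr is 192.168.1.2 on br0; br1 is the
# unbridged VPN network and is the subnet placed in the PBR field.
import ipaddress

BR0 = ipaddress.ip_network("192.168.1.0/24")    # bridged LAN of the ISP router
BR1 = ipaddress.ip_network("192.168.2.128/25")  # unbridged network on the WAP
LAN_IP = "192.168.1.2"                          # $(nvram get lan_ipaddr)
PBR_SUBNETS = [BR1]                             # contents of the PBR field
VPN_ADDR = "<tun1 address>"                     # placeholder, assigned by the VPN


def egress(src, dst, vpn_up, local_routes_in_pbr=True):
    """Pick the outgoing interface the way PBR (alternate table) would."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    pbr_client = any(src in n for n in PBR_SUBNETS)
    # Older builds did not copy local routes into the PBR table, so a PBR
    # client's LAN-bound packet (e.g. to the printer) went to the VPN instead.
    if dst in BR0 and (local_routes_in_pbr or not (vpn_up and pbr_client)):
        return "br0"
    if dst in BR1:
        return "br1"
    if vpn_up and pbr_client:
        return "tun1"
    return "br0"                                # default route via ISP router


def forward(src, dst, vpn_up, snat, masq=True, local_routes_in_pbr=True):
    """Return (out_if, source address seen by the next hop, reply_possible)."""
    out = egress(src, dst, vpn_up, local_routes_in_pbr)
    dst_ip = ipaddress.ip_address(dst)
    seen = src
    if out == "br0" and snat:    # iptables -t nat -I POSTROUTING -o br0 -j SNAT --to LAN_IP
        seen = LAN_IP
    elif out == "tun1" and masq:  # iptables -t nat -A POSTROUTING -o tun1 -j MASQUERADE
        seen = VPN_ADDR
    if out == "tun1":
        # The VPN provider cannot route back to private LAN destinations.
        ok = masq and dst_ip not in BR0 and dst_ip not in BR1
    elif out == "br0":
        # The ISP router has no route to br1 (and no way to add one), so a
        # packet leaving br0 must carry a source address inside 192.168.1.0/24.
        ok = ipaddress.ip_address(seen) in BR0
    else:
        ok = True
    return out, seen, ok
```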