Technical Network Help needed

zal
DD-WRT Novice


Joined: 24 Jan 2022
Posts: 6

Posted: Mon Jan 24, 2022 2:53    Post subject: Technical Network Help needed
Hi

I am facing a challenge in my setup and would need advice on how to solve it, please.

I am using DD-WRT on an E4200 Linksys router to OpenVPN to my servers. Currently I have LAN 1 on the local network switch to access IPMI, and the WAN on the public network switch so that I am able to VPN to it.

The 2 issues I have and need advice on how to fix are:

1- How can I block LAN 1 from getting the WAN IP? Right now all my local network is using the WAN IP, and if I set an access restriction on it I can't access it when I OpenVPN to it.

2- The second issue I have is that I am using the following command for OpenVPN to pass a specific subnet's WAN IP over OpenVPN:

Code:
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o $(get_wanface) -j MASQUERADE

If I remove this rule from the firewall, my OpenVPN connects but it freezes, my own ISP IP vanishes and I lose internet.

I would just like to solve the WAN to LAN 1 issue, please, and to be able to VPN using OpenVPN without getting the WAN IP while still accessing the whole network on LAN 1, which is wired to the local switch.

To add, I created a VLAN specific to LAN 1 and assigned a whole different subnet to it along with its own DHCP server; however this didn't solve the issue and it would still go out with the WAN IP.

Your help is highly appreciated.

Thanks in advance
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8991

Posted: Mon Jan 24, 2022 20:57    Post subject:
In general, you're usually better off to use your own firewall rules to block access to the WAN. You block all access by default, then create exceptions.

Code:
WAN_IF="$(ip route | awk '/^default/{print $NF}')"
iptables -I FORWARD -i br0 -o $WAN_IF -j REJECT
iptables -I FORWARD -i br0 -s 192.168.1.100 -o $WAN_IF -j ACCEPT
iptables -I FORWARD -i br0 -s 192.168.1.200 -o $WAN_IF -j ACCEPT


Note: I specified br0 as the network interface because I wasn't sure what YOU meant by LAN 1. Change that reference to whatever is relevant. FWIW, it's generally recommended that any new network interface (VLAN or VAP) be assigned to a new bridge (e.g., br1), even if it's the only network interface assigned, then reference the new bridge. But using the new VLAN or VAP by name will work too.

As far as the following NAT rule …

Code:
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o $(get_wanface) -j MASQUERADE


Be careful when using that function get_wanface. I find it NOT to be totally reliable. There are times when it will return NOTHING (iirc, w/ PPPoE connections). That's why I created my *own* function as shown in the above firewall rules. That examines the main routing table to determine w/ 100% accuracy the actual name of the default gateway's network interface.


Code:
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o $WAN_IF -j MASQUERADE


Also, when using the OpenVPN server and OpenVPN client on the router at the same time, watch out for situations where they might end up trying to use the same IP network on the tunnel! If that happens, your routing will be all screwed up. Each must be using unique, NON overlapping private networks (e.g., 10.8.0.0/24 and 10.9.0.0/24). It's easy to overlook this since few ppl bother to pay much attention to what the OpenVPN client is using in this regard, given it's the server that controls it.

_________________
ddwrt-ovpn-split-basic.sh * ddwrt-ovpn-split-advanced.sh * ddwrt-ovpn-kill-switch.sh * ddwrt-ovpn-watchdog.sh * ddwrt-ovpn-remote-access.sh * ddwrt-ovpn-client-backup.sh * ddwrt-mount-usb-drives.sh * ddwrt-blacklist-domains.sh * ddwrt-wol-port-forward.sh * ddwrt-dns-monitor.sh (NEW!)
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8991

Posted: Mon Jan 24, 2022 21:10    Post subject:
P.S. And one more thing. That NAT rule only enables access over the WAN by your OpenVPN server's clients. It wasn't clear based on your description if the intention is to route those over the WAN or the router's OpenVPN client. If it's the latter, then the NAT rule isn't even necessary.
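An added example (not eibgrad's script and not DD-WRT's own code) that combines the two points in the posts above for the setup described: default-deny br0 to WAN, let OpenVPN server clients reach br0 without any MASQUERADE on the WAN, and pull the WAN interface from the default route by its dev field rather than the last field. The interface names (br0, tun2) and the 10.8.0.0/24 client pool are assumptions; adjust them to your router.

```shell
#!/bin/sh
# Added example, not eibgrad's or DD-WRT's own script.
# Goal: br0 (IPMI/local LAN) gets no path to the WAN, but OpenVPN server
# clients can still reach br0, and they do not exit with the router's WAN IP.
# Assumptions (placeholders): LAN bridge br0, OpenVPN server interface tun2,
# VPN client pool 10.8.0.0/24. Set DRY_RUN=1 to print rules instead of applying.
LAN_IF="${LAN_IF:-br0}"
VPN_IF="${VPN_IF:-tun2}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"
DRY_RUN="${DRY_RUN:-0}"

# Take the interface that follows "dev" on the default route, not the last
# field, so a trailing "metric N" or "proto static" cannot break detection.
wan_if_from_routes() {
    printf '%s\n' "$1" |
        awk '/^default/ { for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

ipt() {
    if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

# Rules are inserted with -I, so later lines land above earlier ones.
apply_rules() {
    wan="$1"
    # Default-deny LAN -> WAN; add per-host ACCEPT exceptions above this if needed.
    ipt -I FORWARD -i "$LAN_IF" -o "$wan" -j REJECT
    # VPN clients may reach br0, and br0 may answer them over the tunnel.
    ipt -I FORWARD -i "$VPN_IF" -s "$VPN_NET" -o "$LAN_IF" -j ACCEPT
    ipt -I FORWARD -i "$LAN_IF" -o "$VPN_IF" -d "$VPN_NET" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # No VPN -> WAN forwarding, so no MASQUERADE on the WAN is needed at all;
    # clients keep using their own ISP address for the Internet.
    ipt -I FORWARD -i "$VPN_IF" -o "$wan" -j REJECT
}

main() {
    wan="$(wan_if_from_routes "$(ip route)")"
    if [ -z "$wan" ]; then
        echo "no default route found; refusing to apply rules" >&2
        return 1
    fi
    apply_rules "$wan"
}

# Run only when invoked as the firewall script (RUN_MAIN=1), not when sourced.
if [ "${RUN_MAIN:-0}" = 1 ]; then main; fi
```

Save it as the firewall script with RUN_MAIN=1 set at the top, and make sure the OpenVPN server does not push redirect-gateway to its clients, otherwise their Internet traffic is sent into the tunnel and then rejected by the last rule.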
zal
DD-WRT Novice


Joined: 24 Jan 2022
Posts: 6

Posted: Tue Jan 25, 2022 2:19    Post subject:
eibgrad wrote:
In general, you're usually better off to use your own firewall rules to block access to the WAN. You block all access by default, then create exceptions.

Code:
WAN_IF="$(ip route | awk '/^default/{print $NF}')"
iptables -I FORWARD -i br0 -o $WAN_IF -j REJECT
iptables -I FORWARD -i br0 -s 192.168.1.100 -o $WAN_IF -j ACCEPT
iptables -I FORWARD -i br0 -s 192.168.1.200 -o $WAN_IF -j ACCEPT


Note: I specified br0 as the network interface because I wasn't sure what YOU meant by LAN 1. Change that reference to whatever is relevant. FWIW, it's generally recommended that any new network interface (VLAN or VAP) be assigned to a new bridge (e.g., br1), even if it's the only network interface assigned, then reference the new bridge. But using the new VLAN or VAP by name will work too.

As far as the following NAT rule …

Code:
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o $(get_wanface) -j MASQUERADE


Be careful when using that function get_wanface. I find it NOT to be totally reliable. There are times when it will return NOTHING (iirc, w/ PPPoE connections). That's why I created my *own* function as shown in the above firewall rules. That examines the main routing table to determine w/ 100% accuracy the actual name of the default gateway's network interface.


Code:
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o $WAN_IF -j MASQUERADE


Also, when using the OpenVPN server and OpenVPN client on the router at the same time, watch out for situations where they might end up trying to use the same IP network on the tunnel! If that happens, your routing will be all screwed up. Each must be using unique, NON overlapping private networks (e.g., 10.8.0.0/24 and 10.9.0.0/24). It's easy to overlook this since few ppl bother to pay much attention to what the OpenVPN client is using in this regard, given it's the server that controls it.


eibgrad

Really can't thank you enough. I am about to put this to the test tonight and will keep you posted.

Regarding your question about LAN 1, I was referring to LAN port 1, sorry for the confusion; basically br0.

My issue is that I have all the local network and IPMI connected to this LAN 1 port (br0) and don't wish to have the WAN IP bridged to it. When I blocked it through access restriction it worked, but it won't allow me to access that subnet, which in my case is 10.x.x.x, through the VPN.

I have the VPN on a different subnet; for example my local is 10.0.1.x and my OpenVPN is on 10.8.0.x, so they won't overlap, correct?

What I am trying to achieve is as if this br0 is isolated on its own VLAN and doesn't share the WAN IP; however OpenVPN can access this VLAN when I VPN to it.

My second issue is when I use the OpenVPN client to VPN to this router, I can see the br0 network, no issue; however I am also coming out with the WAN IP. I don't wish to come out with that IP, just use my own ISP IP, but still access br0 when I VPN.

I tried to make it less confusing to explain, and I will for sure put it to the test tonight.

Thanks again
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 9574
Location: Netherlands

Posted: Tue Jan 25, 2022 16:46    Post subject:
Seeing you use that NAT rule led me to believe you are running an old build.

Current build is 48141.

Furthermore, I will transfer this thread to the Advanced Networking forum, as that is where this belongs, so that it is more easily searched.

See the forum guidelines, with helpful pointers about how to research your router, where and what firmware to download, where and how to post, and many other helpful tips:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087

For OpenVPN documentation, regarding both server and client, see the links in my signature at the bottom of this post.

But you are in the capable hands of @eibgrad, who will lead you through.

_________________
Routers:Netgear R7800, R6400v1, R6400v2, Linksys EA8500, EA6900 (XvortexCFE), E2000 (converted WRT320N), WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
zal
DD-WRT Novice


Joined: 24 Jan 2022
Posts: 6

Posted: Tue Jan 25, 2022 22:43    Post subject:
egc wrote:
Seeing you use that NAT rule led me to believe you are running an old build.

Current build is 48141.

Furthermore, I will transfer this thread to the Advanced Networking forum, as that is where this belongs, so that it is more easily searched.

See the forum guidelines, with helpful pointers about how to research your router, where and what firmware to download, where and how to post, and many other helpful tips:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087

For OpenVPN documentation, regarding both server and client, see the links in my signature at the bottom of this post.

But you are in the capable hands of @eibgrad, who will lead you through.


Hi Again

I tried what you suggested but it didn't work. I also tried upgrading to the latest firmware, 48141, and tested the same recommendation; it didn't work either, and I would even lose access to the local network over the LAN.

I have reverted back to version 45229, which I am currently running, and I am completely out of ideas at this point.

Your help is highly appreciated. I am just trying to VPN using OpenVPN to my local network while maintaining my current IP (not the WAN IP), but can't get this to work. Note that I will be restricting access to br0 over the WAN, so it will be acting as a switch and won't pass internet to the br0 subnet, while at the same time I would still be able to VPN using OpenVPN to that same br0 network over the WAN to access it.

That's basically what I am trying to accomplish.

Thanks again