Posted: Mon Jan 24, 2022 2:53 Post subject: Technical Network Help needed
Hi
I am facing a challenge in my setup and would need advice on how to solve it, please.
I am using DD-WRT on a Linksys E4200 router to OpenVPN to my servers. Currently I have LAN 1 on the local network switch to access IPMI, and the WAN on the public network switch so that I can VPN to it.
The two issues I have and need advice on how to fix are:
1- How can I block LAN 1 from getting the WAN IP? Right now all of my local network is using the WAN IP, and if I set an access restriction on it I can't access it when I OpenVPN to it.
2- The second issue I have is that I am using the following command for OpenVPN to pass a specific subnet's WAN IP over OpenVPN:
If I remove this rule from the firewall, my OpenVPN would connect but it freezes, my own ISP IP would vanish and I would lose internet.
I would just like to solve the WAN to LAN 1 issue, please, and to be able to VPN using OpenVPN without getting the WAN IP while still accessing the whole network on LAN 1, which is wired to the local switch.
To add, I created a VLAN specific to LAN 1 and assigned a whole different subnet to it along with its own DHCP server; however, this didn't solve the issue and traffic would still go out with the WAN IP.
In general, you're usually better off to use your own firewall rules to block access to the WAN. You block all access by default, then create exceptions.
Note: I specified br0 as the network interface because I wasn't sure what YOU meant by LAN 1. Change that reference to whatever is relevant. FWIW, it's generally recommended that any new network interface (VLAN or VAP) be assigned to a new bridge (e.g., br1), even if it's the only network interface assigned, then reference the new bridge. But using the new VLAN or VAP by name will work too.
Be careful when using that function get_wanface. I find it NOT to be totally reliable. There are times when it will return NOTHING (iirc, w/ PPPoE connections). That's why I created my *own* function as shown in the above firewall rules. That examines the main routing table to determine w/ 100% accuracy the actual name of the default gateway's network interface.
Also, when using the OpenVPN server and OpenVPN client on the router at the same time, watch out for situations where they might end up trying to use the same IP network on the tunnel! If that happens, your routing will be all screwed up. Each must be using unique, NON overlapping private networks (e.g., 10.8.0.0/24 and 10.9.0.0/24). It's easy to overlook this since few ppl bother to pay much attention to what the OpenVPN client is using in this regard, given it's the server that controls it.
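A shell script added here (not eibgrad's own rules, which are not reproduced in this thread) showing the approach he describes: find the WAN interface from the routing table instead of get_wanface, deny br0 to WAN by default, then add exceptions, and check that the OpenVPN server and client tunnel networks do not overlap. It assumes br0 is the LAN bridge; the allowed host 10.0.1.10 and the CLIENT_TUN_NET variable are constructed placeholders.

```shell
#!/bin/sh
# Added example, not eibgrad's script: a DD-WRT firewall script that denies the
# LAN bridge (assumed br0) access to the WAN by default, then adds exceptions,
# taking the WAN interface from the routing table. OpenVPN clients arrive on the
# tun interface, not the WAN interface, so they are not caught by the deny.

# Name of the default gateway's interface, parsed from `ip route` text on stdin
# (busybox and iproute2 both print "default via <gw> dev <iface> ...").
wan_iface_from_table() {
    awk '$1 == "default" { for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Replacement for DD-WRT's get_wanface: reads the live main routing table.
wan_iface() { ip route show | wan_iface_from_table; }

# Print the iptables commands instead of running them so they can be reviewed.
# -I puts each rule at the top of FORWARD (ahead of DD-WRT's own ACCEPTs), so the
# last command printed is matched first: print the deny first, exceptions after.
# Usage: build_rules <wan_iface> <lan_bridge> [allowed_source ...]
build_rules() {
    wan="$1"; lan="$2"; shift 2
    printf 'iptables -I FORWARD -i %s -o %s -j REJECT\n' "$lan" "$wan"
    # Exception: replies to connections the WAN side opened (e.g. port forwards)
    printf 'iptables -I FORWARD -i %s -o %s -m state --state ESTABLISHED,RELATED -j ACCEPT\n' "$lan" "$wan"
    # Exceptions: individual LAN hosts that may still reach the WAN
    for src in "$@"; do
        printf 'iptables -I FORWARD -i %s -o %s -s %s -j ACCEPT\n' "$lan" "$wan" "$src"
    done
}

# Exit 0 when two CIDR networks overlap (the server/client tunnel clash from the
# thread), 1 otherwise: the address bits under the shorter prefix must differ.
nets_overlap() {
    awk -v a="$1" -v b="$2" '
        function toint(ip,  o) { split(ip, o, "."); return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4] }
        BEGIN {
            split(a, pa, "/"); split(b, pb, "/")
            p = (pa[2] + 0 < pb[2] + 0) ? pa[2] + 0 : pb[2] + 0
            s = 2 ^ (32 - p)
            exit !(int(toint(pa[1]) / s) == int(toint(pb[1]) / s))
        }'
}
# Only touch the live ruleset when explicitly asked (run as: sh fw.sh apply).
if [ "${1:-}" = "apply" ]; then
    WAN=$(wan_iface)
    [ -n "$WAN" ] || { echo "no default route found, not applying" >&2; exit 1; }
    nets_overlap 10.8.0.0/24 "${CLIENT_TUN_NET:-10.9.0.0/24}" && { echo "tunnel networks overlap" >&2; exit 1; }
    build_rules "$WAN" br0 10.0.1.10 | sh -e   # 10.0.1.10: constructed allowed host
fi
```

Run without arguments the script only defines the functions, so `build_rules` output can be inspected before anything is applied on the router.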
eibgrad
Really can't thank you enough. I am about to put this to the test tonight and will keep you posted.
Regarding your question about LAN 1, I was referring to LAN port 1, sorry for the confusion; basically br0.
My issue is that I have all the local network and IPMI connected to this LAN 1 port (br0) and don't wish to have the WAN IP bridged to it. When I blocked it through Access Restrictions it worked, but it won't allow me to access that subnet, which in my case is 10.x.x.x, through the VPN.
I have the VPN on a different subnet; for example my local is 10.0.1.x and my OpenVPN is on 10.8.0.x, so they won't overlap, correct?
What I am trying to achieve is as if this br0 is isolated on its own VLAN and doesn't share the WAN IP; however, OpenVPN can access this VLAN when I VPN to it.
My second issue is that when I use the OpenVPN client to VPN to this router, I can see the br0 network, no issue; however, I am also coming out with the WAN IP. I don't wish to come out with that IP, just use my own ISP IP, but still access br0 when I VPN.
I tried to make it less confusing to explain, and I will for sure put it to the test tonight.
Joined: 18 Mar 2014 Posts: 12889 Location: Netherlands
Posted: Tue Jan 25, 2022 16:46 Post subject:
Seeing you use that NAT rule led me to believe you are running an old build.
Current build is 48141.
Furthermore, I will transfer this thread to the Advanced Networking forum as that is where this belongs, so that it is more easily searched.
See the forum guidelines with helpful pointers about how to research your router, where and what firmware to download, where and how to post, and many other helpful tips:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
For OpenVPN documentation regarding both server and client, see the links in my signature at the bottom of this post.
But you are in the capable hands of @eibgrad who will lead you through
Hi Again
I tried what you suggested but it didn't work. I also tried upgrading to the latest firmware, 48141, and tested the same recommendation; it didn't work either, and I would even lose access to the local network over LAN.
I have reverted back to version 45229, which I am currently running, and I am completely out of ideas at this point.
Your help is highly appreciated. I am just trying to VPN using OpenVPN to my local network while maintaining my current IP (not the WAN IP), but I can't get this to work. Note that I will be restricting access to br0 over the WAN so it will be acting as a switch and won't pass internet to the br0 subnet, while at the same time I would still be able to VPN using OpenVPN to that same br0 network over the WAN to access it.