Posted: Thu Feb 02, 2023 12:50 Post subject: advanced router setup (Net, Routing, VPN ..) - beginner
dear community,
I ask you for help with an advanced router configuration.
The following circumstances:
Internet broadband cable modem in bridge mode connected to the WAN port of a TP-Link AC 1750 router (Archer7v5). The firmware used is DD-WRT v3.0-r51530 std (01/29/23) - (tplink_archer-c7-v5.bin).
The router obtains an IP4 address from my ISP and also distributes IP4 addresses via DHCP. 4 end devices are connected via LAN and 2 WLANs are configured (2.4g & 5g).
I have the OpenVPN client running under Services - VPN. This perfectly connects the router to an OpenVPN server and all traffic goes through this tunnel.
Challenge:
I would like to configure the router so that only the WAN traffic of a single physical router port and the 5g WLAN is routed through the openVPN tunnel. However, not all other LAN ports and the 2.4g WLAN. All clients in the network should be able to communicate with each other via LAN/WLAN.
I've tried the forum search and have already read a few tutorials here, but I certainly didn't really understand a lot of things and I don't want to 'try around and break something' because of my stupidity as a beginner.
I guess I have to manage DHCP, subnets, VLANs, routing, iptables and don't know what else besides that. That's why I ask for your help.
So can you please guide me on how to proceed? What do I have to do in which order?
For me, the matter is very complex and unfortunately I don't really have much free time to acquire all the necessary special knowledge. However, I am willing and able to learn and grateful for any help.
Joined: 16 Nov 2015 Posts: 6437 Location: UK, London, just across the river..
Posted: Thu Feb 02, 2023 13:33 Post subject:
Well...first things first...thanks for posting in the correct section and in English
Your requirement is possible...to be done, but you'd need to do some settings and some of them may need a bit of reading...and understanding as well to post some output...
-first you have to segment your network and create a separate vlan on its own subnet, that you will assign to a bridge and you will add/put those interfaces (port/vlan and the radio) on the bridge
-then you'd need to add an extra DHCPd to serve this bridge and give IPs to the clients that are using it..half of this will require you to add some start up commands..in order to segment the LAN ports..and create an extra vlan (let's say vlan3, as vlan1 and vlan2 are specific and in use)...then you can create DHCPd and add/assign the interfaces via GUI (web interface)...
-you will need to use swconfig command to segment the ports layout, but the use of it depends on the router ports map/layout as all routers could be different...so we need the output of this command
swconfig dev switch0 show (use telnet or ssh to obtain it via CLI)
this is the main and messy thread on using swconfig and vlans via start up commands https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=313472 bear in mind different routers different ports layout
-then you can route this bridge interface via OpenVPN and here is the guide of doing the VPN routing...(it's called policy based routing) https://forum.dd-wrt.com/phpBB2/download.php?id=48550 and it's described in the OpenVPN client guide made by egc, read all the way through and you will find how to do this bit..all of it is done by the GUI (web interface)
-I'm not sure if the clients on the bridge routed via VPN will be able to see the other clients..
probably you will not use the Net isolation option...
I know all this is not an easy task and sounds like Japanese...but it will get you there..it is a bit of an endeavour...
You may have to post pics of your set up, so it will be easy for us to guide you through..
Just bear in mind, your router is single core CPU based and VPN performance will be very slow...
as VPN requires a faster CPU, preferably a dual-core CPU router in the range of Netgear R7800, and even so R7800 can handle around 100MBit over VPN max...and it depends a lot..on settings, location, servers used, encryption and ISP speed..
Whereas the other VPN option called Wireguard (if your VPN provider supports it) has a better speed as it's a kernel based operation... _________________ Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Joined: 18 Mar 2014 Posts: 12885 Location: Netherlands
Posted: Thu Feb 02, 2023 14:18 Post subject:
It is like @Alozaros already pointed out.
First start with creating a bridge and add your VAP (Virtual Wifi interface) to that bridge then use Policy based routing to simply route the new interface br1 through the tunnel.
-then you can route this bridge interface via OpenVPN and here is the guide of doing the VPN routing...(it's called policy based routing) https://forum.dd-wrt.com/phpBB2/download.php?id=48550 and it's described in the OpenVPN client guide made by egc, read all the way through and you will find how to do this bit..all of it is done by the GUI (web interface)
OK, studying that will be my next step.
Alozaros wrote:
-I'm not sure if the clients on the bridge routed via VPN will be able to see the other clients..
probably you will not use the Net isolation option...
Well, thankfully, that's just an additional goal. I can live without this.
Alozaros wrote:
I know all this is not an easy task and sounds like Japanese...but it will get you there..it is a bit of an endeavour...
True 😄
.. and thanks again.
Alozaros wrote:
You may have to post pics of your set up, so it will be easy for us to guide you through..
please have a look @my next posts
Alozaros wrote:
Just bear in mind, your router is single core CPU based and VPN performance will be very slow...
as VPN requires a faster CPU, preferably a dual-core CPU router in the range of Netgear R7800, and even so R7800 can handle around 100MBit over VPN max...and it depends a lot..on settings, location, servers used, encryption and ISP speed..
Of course you're right. Hopefully I only need between 2 and 3 MBit, that should be enough for a few RDP sessions, shouldn't it?
Alozaros wrote:
Whereas the other VPN option called Wireguard (if your VPN provider supports it) has a better speed as it's a kernel based operation...
Yes, would really like to use Wireguard! Unfortunately, it is currently not supported, but hopefully it will come later this year.
Last edited by 400mhz on Thu Feb 02, 2023 15:39; edited 1 time in total
First start with creating a bridge and add your VAP (Virtual Wifi interface) to that bridge then use Policy based routing to simply route the new interface br1 through the tunnel.
Posted: Thu Feb 02, 2023 16:50 Post subject: depart routings
I (tried to) read your guide and I'm overwhelmed by the number of settings and not having any idea what they are good for makes me feel stupid as fck, because of the missing background knowledge.
As I can see, the br1 is working on router port 4 and for WLAN1. I get an IP4 by connecting devices to the port and my 5g, but of course no internet, probably I'm not able to set the routing, even by using the guides.
My OpenVPN client connection is working and I can see the tun1 adapter, but the PBR, even by using the GUI, is just Chinese for me.
It should be as simple as selecting "Route Selected Sources via VPN"
and in the PBR field enter: iif br1
Alternatively you can specify the IP ranges e.g.: 192.168.5.0/24
Omg, thanks for that. I completely missed the step to enable watchdog and was searching only in the advanced routing section. The routing works as wished now.
Joined: 16 Nov 2015 Posts: 6437 Location: UK, London, just across the river..
Posted: Thu Feb 02, 2023 18:09 Post subject:
well I have to say so far so good...and you are pretty lucky the swconfig web interface is working for you..as it doesn't always work and yield positive results on all routers...
-looking at your swconfig output and according to the settings you already did..thanks to the
web interface that was working for you...those are the commands that you have to add to your start up script in the section administration>commands>paste this and hit save start up script
swconfig dev switch0 set enable_vlan 1
swconfig dev switch0 vlan 1 set ports "0t 2 3 4"   # main LAN: CPU port tagged, ports 2-4 untagged
swconfig dev switch0 vlan 3 set ports "0t 5"       # VPN subnet: CPU port tagged, port 5 untagged
swconfig dev switch0 set apply
vconfig add eth1 3                                  # creates the tagged sub-interface eth1.3 for vlan 3
ifconfig eth1.3 up
brctl addif br1 eth1.3                              # brctl only takes bridge + interface, and the vlan 3 sub-interface is eth1.3
ifconfig br1 192.168.5.1 netmask 255.255.255.0      # the bridge itself carries the subnet address
it will overlay the swconfig WEB interface..and it will work as it's set up now...just as a measure
in case the web interface gets broken, the commands will be run and set on start up...
in your case you may not even use those...but I would have done it...on my devices as I always do..it will not harm...
Then on the Networking page, where br1 is, tick/enable:
-Masquerade/NAT - this will give NAT to br1/the subnet of 192.168.5.1 and it's needed
-Net Isolation - this will isolate br1 from the rest of the interfaces so they won't communicate in between
click save & apply then reboot...
and it seems all the rest is done...
I would've put this line too to make sure your new vlan is appropriately NATed
iptables -t nat -I POSTROUTING -s 192.168.5.0/24 -o $(get_wanface) -j MASQUERADE
and this line will make sure there is no communication between the bridges
iptables -I FORWARD -i br+ -o br+ -m state --state NEW -j REJECT
add those 2 lines in administration>commands>put in the main box and click save firewall script
then wait a bit and hit reboot..
as egc explained, routing via VPN using the web interface has never been easier...well thanks to his development and eibgrad and the main developer BrainSlayer you just have to put the interface you want to route in the box...in this format and click save then reboot
iif br1
if everything is ok you should be done...
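As an added example (not from the thread, and not DD-WRT's own code): an offline Python checker, meant to run on your PC against pasted `swconfig dev switch0 show` output, that parses the VLAN layout, flags a port untagged in two VLANs or a VLAN missing the tagged CPU port (the two mistakes that leak the VPN port into the main LAN or cut it off from the router), and regenerates the matching start-up commands. The sample output below is constructed and its format is assumed; port 0 being the CPU port is also an assumption taken from the commands above.

```python
import re

# Constructed sample of `swconfig dev switch0 show` output (format assumed; compare with your
# router): VLAN 1 = ports 2,3,4 (main LAN), VLAN 3 = port 5 (VPN subnet), port 0 = CPU, tagged.
SAMPLE_SHOW = """\
VLAN 1:
\tvid: 1
\tports: 0t 2 3 4
VLAN 3:
\tvid: 3
\tports: 0t 5
"""
CPU_PORT = 0  # assumption: port 0 is the CPU-facing port, as in the thread's commands

def parse_vlans(show_output):
    """Return {vid: {port: tagged}} parsed from the VLAN section of swconfig 'show'."""
    vlans, current = {}, None
    for line in show_output.splitlines():
        m = re.match(r"VLAN (\d+):", line)
        if m:
            current = int(m.group(1))
            vlans[current] = {}
            continue
        m = re.match(r"\s*ports:\s*(.*)", line)
        if m and current is not None:
            for tok in m.group(1).split():
                vlans[current][int(tok.rstrip("t"))] = tok.endswith("t")
    return vlans

def check_layout(vlans, cpu_port=CPU_PORT):
    """List layout mistakes: a VLAN without the tagged CPU port (unreachable from the
    router) or a port untagged in two VLANs (the VPN port would leak into the main LAN)."""
    problems, owner = [], {}
    for vid, ports in sorted(vlans.items()):
        if ports.get(cpu_port) is not True:
            problems.append(f"VLAN {vid}: CPU port {cpu_port} missing or untagged")
        for port, tagged in ports.items():
            if port != cpu_port and not tagged:
                if port in owner:
                    problems.append(f"port {port}: untagged in VLAN {owner[port]} and {vid}")
                owner.setdefault(port, vid)
    return problems

def to_swconfig_commands(vlans, dev="switch0"):
    """Emit the start-up script lines that reproduce a checked layout."""
    cmds = [f"swconfig dev {dev} set enable_vlan 1"]
    for vid, ports in sorted(vlans.items()):
        plist = " ".join(f"{p}t" if t else str(p) for p, t in sorted(ports.items()))
        cmds.append(f'swconfig dev {dev} vlan {vid} set ports "{plist}"')
    return cmds + [f"swconfig dev {dev} set apply"]
```

Run `check_layout(parse_vlans(text))` on your real output before pasting anything into the start-up script; an empty list means the layout is consistent.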
Joined: 16 Nov 2015 Posts: 6437 Location: UK, London, just across the river..
Posted: Thu Feb 02, 2023 18:11 Post subject:
also, as we don't know the VPN provider you use, but in general on the VPN client page make sure you don't use compression..and enable inbound TUN firewall...and kill switch
happy days !!
@Alozaros I have accepted all the settings you suggested in your last posts. It works very well and I am totally happy about it.
Alozaros & egc
Thank you very much for your support. You guided me really well through the settings to be made. You solved my problem, just great! 👍👍👍
My next step is to learn how to secure my router and protect the network behind it. If you have any further advice on doing that it would also be appreciated.
FW Question
Will the firewall configuration be overwritten each time I press the 'save firewall' button, or will a newly entered command be added to the rules already set?
Joined: 16 Nov 2015 Posts: 6437 Location: UK, London, just across the river..
Posted: Fri Feb 03, 2023 14:57 Post subject:
400mhz wrote:
@Alozaros I have accepted all the settings you suggested in your last posts. It works very well and I am totally happy about it.
Alozaros & egc
Thank you very much for your support. You guided me really well through the settings to be made. You solved my problem, just great! 👍👍👍
My next step is to learn how to secure my router and protect the network behind it. If you have any further advice on doing that it would also be appreciated.
FW Question
Will the firewall configuration be overwritten each time I press the 'save firewall' button, or will a newly entered command be added to the rules already set?
I'm very happy to hear you managed to make it work as you wanted..as I was thinking it would be even more difficult, but it ended up easy peazy 👍👍👍
Back in the day there was nobody to help me learn and I learned VLANs the hard way...
The DD-WRT firewall is very robust and works as an SPI firewall, you can google it (SPI Firewall)
and every time you add rules it will restart and add the new rules..I prefer, after save, to wait and then hit reboot...
In general you don't need extra rules, unless you know what you are doing and want some extra stuff...like routing, limiting, etc.
The script I pasted is for 1 vlan, but you can manage to add more vlans in the same way, just add a few extra lines to it...in the same format
Joined: 18 Mar 2014 Posts: 12885 Location: Netherlands
Posted: Fri Feb 03, 2023 15:15 Post subject:
I think it was already mentioned but for the OpenVPN client make sure you have the "Inbound Firewall on TUN" and the "Killswitch" enabled for security.