advanced router setup (Net, Routing, VPN ..) - beginner

DD-WRT Forum Index -> Advanced Networking
400mhz
DD-WRT Novice


Joined: 01 Feb 2023
Posts: 18

PostPosted: Thu Feb 02, 2023 12:50    Post subject: advanced router setup (Net, Routing, VPN ..) - beginner
dear community,

I ask you for help with an advanced router configuration.

The following circumstances:

Internet broadband cable modem in bridge mode connected to the WAN port of a TP-Link AC 1750 router (Archer7v5). The firmware used is DD-WRT v3.0-r51530 std (01/29/23) - (tplink_archer-c7-v5.bin).

The router obtains an IP4 address from my ISP and also distributes IP4 addresses via DHCP. 4 end devices are connected via LAN and 2 WLANs are configured (2.4g & 5g).

I have the openVPN client running under Services - VPN. This perfectly connects the router to an openVPN server and all traffic goes through this tunnel.

Challenge:

I would like to configure the router so that only the WAN traffic of a single physical router port and the 5g WLAN is routed through the openVPN tunnel. However, not all other LAN ports and the 2.4g WLAN. All clients in the network should be able to communicate with each other via LAN/WLAN.


I've tried the forum search and have already read a few tutorials here, but I certainly didn't really understand a lot of things and I don't want to 'try around and break something' because of my stupidity as a beginner.

I guess I have to manage DHCP, subnets, VLANs, routing, IP-tables and don't know what else besides that. That's why I ask for your help.

So can you please guide me on how to proceed? What do I have to do in which order?

For me, the matter is very complex and unfortunately I don't really have much free time to acquire all the necessary special knowledge. However, I am willing and able to learn and grateful for any help.

Thanks and best regards!
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6437
Location: UK, London, just across the river..

PostPosted: Thu Feb 02, 2023 13:33    Post subject:
Well...first things first...thanks for posting in the correct section and in English

Your requirement is possible...to be done, but you'd need to do some settings and some of them may need a bit of reading...and understanding as well to post some output...

-first you have to segment your network and create a separate vlan on its own subnet, that you will assign to a bridge and you will add/put those interfaces (port/vlan and the radio) on the bridge

-then you'd need to add an extra DHCPd to serve this bridge and give IPs to the clients that are using it..half of this will require you to add some start up commands..in order to segment the LAN ports..and create an extra vlan (let's say vlan3, as vlan1 and vlan2 are specific and in use)...then you can create DHCPd and add/assign the interfaces via GUI (web interface)...

-you will need to use the swconfig command to segment the ports layout, but the use of it depends on the router's port map/layout as all routers could be different...so we need the output of this command
swconfig dev switch0 show (use telnet or ssh to obtain it via CLI)
this is the main and messy thread on using swconfig and vlans via start up commands https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=313472 bear in mind different routers, different ports layout

-then you can route this bridge interface via OpenVPN and here is the guide of doing the VPN routing...(it's called policy based routing) https://forum.dd-wrt.com/phpBB2/download.php?id=48550 and it's described in the OpenVPN client guide made by egc, read all the way through and you will find how to do this bit..all is done by the GUI (web interface)

-I'm not sure if the clients on the bridge routed via VPN will be able to see the other clients..
probably you will not use the Net isolation option...

I know all this is not an easy task and sounds like Japanese...but will get you there..it is a bit of an endeavour...

You may have to post pics of your set up, so it will be easy for us to guide you through..

Just bear in mind, your router is single core CPU based and VPN performance will be very slow...
as VPN requires a faster CPU, preferably a dual-core CPU router in the range of Netgear R7800, and even so the R7800 can handle around 100MBit over VPN max...and it depends a lot..on settings, location, servers used, encryption and ISP speed..
Whereas the other VPN option called Wireguard (if your VPN provider supports it) has better speed as it's a kernel based operation...

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12885
Location: Netherlands

PostPosted: Thu Feb 02, 2023 14:18    Post subject:
It is like @Alozaros already pointed out.

First start with creating a bridge and add your VAP (Virtual Wifi interface) to that bridge then use Policy based routing to simply route the new interface br1 through the tunnel.

How to use Policy Based routing is described in the OpenVPN Client setup guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327398

BTW consider using WireGuard if your provider supports it, it is three times faster than OpenVPN: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327397

Attached are my personal notes on how to make a bridge and assign your VAP to the bridge, maybe it is useful

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
400mhz
DD-WRT Novice


Joined: 01 Feb 2023
Posts: 18

PostPosted: Thu Feb 02, 2023 15:28    Post subject:
Alozaros wrote:
Well...


thanks a lot, really appreciate your help.

Alozaros wrote:

-than you can route this bridge interface via OpenVPN and here is the guide of doing the VPN routing...(its called policy based routing) https://forum.dd-wrt.com/phpBB2/download.php?id=48550 and its described in OpenVPN client guide made by egc read all the way trough and you will find how to do this bit..all its done by the GUI (web interface)


OK, studying that will be my next step.

Alozaros wrote:

-im not sure if the clients on the bridge routed via VPN will be able to see the other clients..
probable you will not use the Net isolation option...


Well, thankfully, that's just an additional goal. I can live without this.

Alozaros wrote:
I know all this it is not and easy task and sounds like Japanese...but will get you there..it is a bit of an endeavour...


True 😄
.. and thanks again.

Alozaros wrote:
You may have to to post pic's of your set up, so it will be easy for us to guide you trough..


Please have a look at my next posts.

Alozaros wrote:
Just bear in mind, your router is single core CPU based and VPN performance will be very slow...
as VPN requires a faster CPU preferably dual-core CPU router in range of Netgear R7800 and even so R7800 can handle around 100MBit over VPN max...and it depends a lot..on settings, location, servers used encryption and ISP speed..


Of course you're right. Hopefully I only need between 2 and 3 MBit, that should be enough for a few RDP sessions, shouldn't it?

Alozaros wrote:
Where the other VPN option called Wireguard (if your VPN provider supports it) has a better speed as its kernel based operation...


Yes, would really like to use Wireguard! Unfortunately, it is currently not supported, but hopefully it will come later this year.


Last edited by 400mhz on Thu Feb 02, 2023 15:39; edited 1 time in total
400mhz
DD-WRT Novice


Joined: 01 Feb 2023
Posts: 18

PostPosted: Thu Feb 02, 2023 15:33    Post subject: post pic's of my set up
Setup - basic setup:

[img]4.basic.jpg[/img]

this is what I have.

Setup - Switch config:

[img]1.switch.config.jpg[/img]

created vlan3 and added port LAN1

Setup - Networking:

[img]2.network.a.jpg[/img]
[img]2.network.b.jpg[/img]
400mhz
DD-WRT Novice


Joined: 01 Feb 2023
Posts: 18

PostPosted: Thu Feb 02, 2023 15:36    Post subject: more pic's
created bridge br1 and added IF's

[img]2.network.c.jpg[/img]

created DHCPd and added br1

Are the params for all these settings ok? Most of the possible options are just a foreign language to me.

After a reboot I ran the given commands. This is the output of 'swconfig list':

Found: switch0 - ag71xx-mdio.0

output of 'swconfig dev switch0 show':

Global attributes:
enable_vlan: 1
enable_mirror_rx: 0
enable_mirror_tx: 0
mirror_monitor_port: 0
mirror_source_port: 0
disable_all_leds: ???
arl_age_time: 300
arl_table: ???
igmp_snooping: 0
igmp_v3: 1
Port 0:
mib: ???
enable_eee: ???
igmp_snooping: 0
vlan_prio: 0
pvid: 0
link: port:0 link:up speed:1000baseT full-duplex txflow rxflow
Port 1:
mib: ???
enable_eee: 0
igmp_snooping: 0
vlan_prio: 0
pvid: 2
link: port:1 link:up speed:100baseT full-duplex auto
Port 2:
mib: ???
enable_eee: 0
igmp_snooping: 0
vlan_prio: 0
pvid: 1
link: port:2 link:up speed:100baseT full-duplex txflow rxflow auto
Port 3:
mib: ???
enable_eee: 0
igmp_snooping: 0
vlan_prio: 0
pvid: 1
link: port:3 link:down
Port 4:
mib: ???
enable_eee: 0
igmp_snooping: 0
vlan_prio: 0
pvid: 1
link: port:4 link:up speed:1000baseT full-duplex txflow rxflow auto
Port 5:
mib: ???
enable_eee: 0
igmp_snooping: 0
vlan_prio: 0
pvid: 3
link: port:5 link:down
Port 6:
mib: ???
enable_eee: ???
igmp_snooping: 0
vlan_prio: 0
pvid: 0
link: port:6 link:down
VLAN 1:
vid: 1
ports: 0t 2 3 4
VLAN 2:
vid: 2
ports: 0t 1
VLAN 3:
vid: 3
ports: 0t 5

::EOF

unfortunately I don't know exactly what you mean with 'use telnet or ssh to obtain it via CLI'
400mhz
DD-WRT Novice


Joined: 01 Feb 2023
Posts: 18

PostPosted: Thu Feb 02, 2023 15:37    Post subject:
egc wrote:
It is like @Alozaros already pointed out.

First start with creating a bridge and add your VAP (Virtual Wifi interface) to that bridge then use Policy based routing to simply route the new interface br1 through the tunnel.

How to use Policy Based routing is described in the OpenVPN Client setup guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327398

BTW consider using WireGuard if your provider supports it, it is three times faster than OpenVPN: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327397

Attached my personal notes how to make a bridge and assign your VAP to the bridge maybe it is useful


Thanks for your support too, also very appreciated 👍
400mhz
DD-WRT Novice


Joined: 01 Feb 2023
Posts: 18

PostPosted: Thu Feb 02, 2023 16:50    Post subject: depart routings
I (tried to) read your guide and I'm overwhelmed by the number of settings and not having any idea what they are good for makes me feel stupid as fck, because of the missing background knowledge.

As I can see, br1 is working on router port 4 and for WLAN1. I get an IP4 by connecting devices to the port and my 5g, but of course no internet, probably I'm not able to set the routing, even by using the guides.

My openVPN client connection is working and I can see the tun1 adapter, but the PBR, even by using the GUI, is just Chinese to me.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12885
Location: Netherlands

PostPosted: Thu Feb 02, 2023 17:12    Post subject:
It should be as simple as selecting "Route Selected Sources via VPN"
and in the PBR field enter: iif br1

Alternatively you can specify the IP ranges e.g.: 192.168.5.0/24

400mhz
DD-WRT Novice


Joined: 01 Feb 2023
Posts: 18

PostPosted: Thu Feb 02, 2023 17:37    Post subject:
egc wrote:
It should be as simple as selecting "Route Selected Sources via VPN"
and in the PBR field enter: iif br1

Alternatively you can specify the IP ranges e.g.: 192.168.5.0/24


Omg, thanks for that. I completely missed the step to enable watchdog and was searching only in the advanced routing section. The routing works as wished now.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6437
Location: UK, London, just across the river..

PostPosted: Thu Feb 02, 2023 18:09    Post subject:
well I have to say so far so good...and you are pretty lucky the swconfig web interface is working for you..as it doesn't always work and yield positive results on all routers...

-looking at your swconfig output and according to the settings you already did..thanks to the
web interface that was working for you...those are the commands that you have to add to your start up script in the section administration>commands>paste this and hit save start up script

# enable VLAN tagging on the switch and set the port membership (0t = tagged CPU port)
swconfig dev switch0 set enable_vlan 1
swconfig dev switch0 vlan 1 set ports "0t 2 3 4"
swconfig dev switch0 vlan 3 set ports "0t 5"
swconfig dev switch0 set apply
# create the tagged sub-interface eth1.3 for vlan3 on the CPU-facing interface and bring it up
vconfig add eth1 3
ifconfig eth1.3 up
# attach eth1.3 to the br1 bridge created on the Networking page, then address the bridge itself
brctl addif br1 eth1.3
ifconfig br1 192.168.5.1 netmask 255.255.255.0

it will overlay the swconfig web interface..and it will work as it's set up now...just as a measure
in case the web interface gets broken, the commands will be run and set on start up...
in your case you may not even use those...but I would have done it...on my devices as I always do..it will not harm...

Then on the networking page where br1 is, tick/enable
-Masquerade/NAT - this will give NAT to br1/the subnet of 192.168.5.1 and it's needed
-Net Isolation - this will isolate br1 from the rest of the interfaces so they won't communicate in between
click save & apply, then reboot...

and it seems all the rest is done...

I would've put this line too to make sure your new vlan is appropriately NATed
iptables -t nat -I POSTROUTING -s 192.168.5.0/24 -o $(get_wanface) -j MASQUERADE

and this line will make sure there is no communication between the bridges
iptables -I FORWARD -i br+ -o br+ -m state --state NEW -j REJECT

add those 2 lines in administration>commands>put in the main box and click save firewall script
then wait a bit and hit reboot..

as egc explained, routing via VPN using the web interface has never been easier...well thanks to his development and eibgrad and the main developer BrainSlayer, you just have to put the interface you want to route in the box...in this format and click save, then reboot

iif br1

if everything is ok you should be done...

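Before routing vlan3/br1 through the tunnel it is worth confirming that the switch really keeps the segments apart; the PBR rule only decides where br1's traffic goes, while a port left untagged in two VLANs (or with a pvid that does not match its VLAN) forwards frames between the segments inside the switch itself. This is an added checker, not code from either poster or from DD-WRT: it parses the `swconfig dev switch0 show` text posted above (constructed, abridged copy embedded below) and assumes port 0 is the CPU port; it is meant to run on a PC against pasted output, since the router has no Python.

```python
import re
from collections import defaultdict

# Constructed, abridged (pvid and ports lines only) copy of the `swconfig dev switch0 show`
# output posted in this thread: port 0 = CPU, port 1 = WAN (vlan2), port 5 = LAN1 moved to vlan3.
SAMPLE = """Port 0:
pvid: 0
Port 1:
pvid: 2
Port 2:
pvid: 1
Port 3:
pvid: 1
Port 4:
pvid: 1
Port 5:
pvid: 3
VLAN 1:
ports: 0t 2 3 4
VLAN 2:
ports: 0t 1
VLAN 3:
ports: 0t 5
"""


def parse_swconfig(text):
    """Return (pvid_by_port, members) where members[vid][port] is True if tagged."""
    pvid, members, port, vid = {}, {}, None, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"Port (\d+):$", line):
            port, vid = int(m.group(1)), None
        elif m := re.match(r"VLAN (\d+):$", line):
            vid, port = int(m.group(1)), None
            members[vid] = {}
        elif port is not None and line.startswith("pvid:"):
            pvid[port] = int(line.split(":", 1)[1])
        elif vid is not None and line.startswith("ports:"):
            for tok in line.split(":", 1)[1].split():  # "0t" = tagged, "5" = untagged
                members[vid][int(tok.rstrip("t"))] = tok.endswith("t")
    return pvid, members


def check_isolation(pvid, members, cpu_port=0):
    """Return findings; an empty list means the segments cannot leak at the switch."""
    # A port untagged in two VLANs, or whose pvid differs from its untagged VLAN,
    # forwards frames between the segments the PBR rule is supposed to separate.
    findings, untagged_in = [], defaultdict(list)
    for vid, ports in members.items():
        if ports.get(cpu_port) is not True:
            findings.append(f"VLAN {vid}: CPU port {cpu_port} is not a tagged member")
        for port, tagged in ports.items():
            if not tagged:
                untagged_in[port].append(vid)
    for port, vids in sorted(untagged_in.items()):
        if len(vids) > 1:
            findings.append(f"port {port}: untagged in VLANs {vids}, segments leak")
        elif pvid.get(port) != vids[0]:
            findings.append(f"port {port}: pvid {pvid.get(port)} != untagged VLAN {vids[0]}")
    return findings


if __name__ == "__main__":
    pvid, members = parse_swconfig(SAMPLE)
    print("untagged ports in vlan3:", [p for p, t in members[3].items() if not t])
    print("findings:", check_isolation(pvid, members) or "none")
```

Re-run it after every change to the Switch Config page; the classic mistake it catches is adding LAN1 to vlan3 without removing it from vlan1.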
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6437
Location: UK, London, just across the river..

PostPosted: Thu Feb 02, 2023 18:11    Post subject:
also as we don't know the VPN provider you use, but in general on the VPN client page make sure you don't use compression..and enable inbound TUN firewall...and kill switch
happy days !!

400mhz
DD-WRT Novice


Joined: 01 Feb 2023
Posts: 18

PostPosted: Fri Feb 03, 2023 12:57    Post subject:
@Alozaros I have accepted all the settings you suggested in your last posts. It works very well and I am totally happy about it.

Alozaros & egc
Thank you very much for your support. You guided me really well through the settings to be made. You solved my problem, just great! 👍👍👍

My next step is to learn how to secure my router and protect the network behind. If you have any further advice on doing that it would be also appreciated.

FW Question
Will the firewall configuration be overwritten each time I press the 'save firewall' button, or will a newly entered command be added to the rules already set?
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6437
Location: UK, London, just across the river..

PostPosted: Fri Feb 03, 2023 14:57    Post subject:
400mhz wrote:
@Alozaros I have accepted all the settings you suggested in your last posts. It works very well and I am totally happy about it.

Alozaros & egc
Thank you very much for your support. You guided me really well through the settings to be made. You solved my problem, just great! 👍👍👍

My next step is to learn how to secure my router and protect the network behind. If you have any further advice on doing that it would be also appreciated.

FW Question
Will the firewall configuration be overwritten each time I press the 'save firewall' button, or will a newly entered command be added to the rules already set?


I'm very happy to hear you managed to make it work as you wanted..as I was thinking it would be even more difficult, but it ended up easy peasy 👍👍👍
Back in the days there was nobody to help me learn and I learned VLANs the hard way...

DDWRT Firewall is very robust and works as an SPI firewall, you can google it (SPI Firewall)
and every time you add rules it will restart and add the new rules..I prefer, after save I wait and then hit reboot...
In general you don't need extra rules, unless you know what you are doing and want some extra stuff...like routing, limiting and etc.

Iptables (netfilter) are very versatile and robust tools... more on iptables https://www.netfilter.org/ and https://linux.die.net/man/8/iptables

Higher class routers along with iptables support ipset too..
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327261

The script I pasted is for 1 vlan, but you can manage to add more VLANs in the same way, just add a few extra lines to it...in the same format

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12885
Location: Netherlands

PostPosted: Fri Feb 03, 2023 15:15    Post subject:
I think it was already mentioned but for the OpenVPN client make sure you have the "Inbound Firewall on TUN" and the "Killswitch" enabled for security.

The OpenVPN Client Setup guide has an explanation of the settings.
