Open VPN Policy Based Routing; no Internet

DD-WRT Forum Index -> Advanced Networking
tectonic
DD-WRT Novice


Joined: 01 Aug 2017
Posts: 27

Posted: Tue Aug 01, 2017 8:23    Post subject: Open VPN Policy Based Routing; no Internet
Good morning;

I have a Netgear R7800 running Kong's latest dd-wrt build (v3.0-r32802M) dated 24th July 2017.

I have two Wireless physical interfaces ath0 (5GHz) and ath1 (2.4GHz). In addition, there are two Virtual Interfaces ath1.1 and ath1.2.

The router is set up as an OpenVPN client and connects fine; all traffic from all interfaces routes through the VPN.

However, I now wish to add some Policy Based Routing rules so that only traffic from ath0 and ath1 go through the VPN. I've added the following to the PBR rules:

192.168.1.100/30
192.168.1.104/29
192.168.1.112/28
192.168.1.128/28
192.168.1.144/30
192.168.1.148/31

This covers addresses in the range 192.168.1.100 - 192.168.1.149; this is the range of client addresses which are dished out.

When I reboot the router, traffic from ath1.1 and ath1.2 does *not* get routed through the VPN and can access websites etc. with no problem; this is the desired behaviour.

However, when I try to load a website from ath0 or ath1, Chrome tells me that "the response is empty". cURL requests also return "Empty reply from server". Curiously, I can ping both IP addresses and URLs and get a response back. If I run traceroute, I see traffic routing through the VPN. It's just that websites etc. never load; it's as if the response gets lost.

Can anybody offer any suggestions as to what I'm doing incorrectly? I've had a dig through the fora and have asked Uncle Google, but haven't yet found a solution.

Many thanks


Last edited by tectonic on Tue Aug 01, 2017 9:25; edited 1 time in total
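An added check (not from the original post) for a PBR list like the one above: it computes the minimal CIDR blocks for a DHCP range and diffs a hand-written list against them, so that no address in the VPN range is left out and no address outside it (for example the VAP clients' range) is pulled into the tunnel. The second, sloppier list is constructed for contrast.

```python
import ipaddress
from typing import Iterable, List, Set, Tuple

# The six PBR entries from the first post, meant to cover 192.168.1.100 - 192.168.1.149.
PBR_ENTRIES = [
    "192.168.1.100/30", "192.168.1.104/29", "192.168.1.112/28",
    "192.168.1.128/28", "192.168.1.144/30", "192.168.1.148/31",
]
# A constructed, sloppier alternative that rounds the range out to 192.168.1.96 - .159.
SLOPPY_ENTRIES = ["192.168.1.96/27", "192.168.1.128/27"]


def minimal_cidrs(first: str, last: str) -> List[str]:
    """Smallest list of CIDR blocks that covers exactly first..last (inclusive)."""
    nets = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [str(n) for n in nets]


def covered_hosts(cidrs: Iterable[str]) -> Set[ipaddress.IPv4Address]:
    """All addresses matched by the entries; strict=True rejects an entry such as
    192.168.1.100/29 whose host bits are set (a typo the router UI may not catch)."""
    hosts: Set[ipaddress.IPv4Address] = set()
    for c in cidrs:
        hosts.update(ipaddress.ip_network(c, strict=True))
    return hosts


def check_pbr(cidrs: Iterable[str], first: str, last: str) -> Tuple[List[str], List[str]]:
    """Return (missing, extra): addresses in first..last that no entry matches
    (their traffic would bypass the VPN) and matched addresses outside the range
    (hosts that would be pushed through the VPN unintentionally)."""
    want = covered_hosts(minimal_cidrs(first, last))
    have = covered_hosts(cidrs)
    missing = [str(a) for a in sorted(want - have)]
    extra = [str(a) for a in sorted(have - want)]
    return missing, extra


if __name__ == "__main__":
    print(minimal_cidrs("192.168.1.100", "192.168.1.149"))
    print(check_pbr(PBR_ENTRIES, "192.168.1.100", "192.168.1.149"))
    print(check_pbr(SLOPPY_ENTRIES, "192.168.1.100", "192.168.1.149"))
```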
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12877
Location: Netherlands

Posted: Tue Aug 01, 2017 8:39    Post subject:
Do you have SFE enabled? If so disable it, there is a bug where PBR does not work when SFE is enabled. Indeed ping, FTP etc. do work, only http(s) traffic does not get through.
_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
tectonic
DD-WRT Novice


Joined: 01 Aug 2017
Posts: 27

Posted: Tue Aug 01, 2017 8:49    Post subject:
aha!

That has done the trick. Thanks very much indeed, egc.

Now for the next problem:

I'd like ath1.2 to see other clients on my LAN but for ath1.1 to remain a "true" Guest Network with no access to other clients on the LAN. Currently, other clients on the LAN are visible from either of the virtual interfaces. That is, ath1.1 is behaving as I would like it to, but I'd like clients connected to ath1.2 to be able to see other clients on the LAN.

br0 is assigned to ath0 and ath1
br1 is assigned to ath1.1
br2 is assigned to ath1.2

br1 has Net Isolation enabled
br2 has Net Isolation disabled

I (naively, perhaps) believed that disabling Net Isolation on br2 would achieve what I want; apparently not. Any guidance as to what I'm doing incorrectly would be gratefully received.


All the best,
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12877
Location: Netherlands

Posted: Tue Aug 01, 2017 14:14    Post subject:
see: http://tips.desipro.de/2013/12/06/guest-wifi-setup-dd-wrt/ and https://www.dd-wrt.com/wiki/index.php/Guest_WiFi_%2B_abuse_control_for_beginners
tectonic
DD-WRT Novice


Joined: 01 Aug 2017
Posts: 27

Posted: Tue Aug 01, 2017 19:58    Post subject:
Thanks for the links.

I've followed the guides and it looks like I've been doing the correct thing. However, irrespective of the settings, I simply can't get ath1.1 to see other clients on my LAN.

Attached are a couple of screenshots to show how I've got everything configured (under Wireless > Basic Settings).

ath1.1 is the one which I'd like to see other devices on the LAN; so I've disabled AP Isolation and Net Isolation.

ath1.2 is the one which I'd like to have as a true guest network; AP isolation and Net isolation are both enabled in this case (and it's doing what I want).

It's just ath1.1 which I can't configure in the way I'd like. Any suggestions as to what I'm doing incorrectly (or, more likely, what I might have misunderstood)?

Thanks!
tectonic
DD-WRT Novice


Joined: 01 Aug 2017
Posts: 27

Posted: Tue Aug 01, 2017 22:18    Post subject:
ah, I suspect this is what I need to do:
https://www.dd-wrt.com/phpBB2/viewtopic.php?p=1020947#1020947

Shame it's not straightforward. I'll try and crack it when I have a bit of time to dedicate to it.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12877
Location: Netherlands

Posted: Wed Aug 02, 2017 6:52    Post subject:
Why don't you just bridge ath1.1?
If you do not want that you can try the following:
Code:
# accept new connections arriving on ath1.1 so that they can be forwarded to the other subnets
iptables -I FORWARD -i ath1.1 -m state --state NEW -j ACCEPT
This supposes that you created the VAPs the new way (as per Kong's instructions) without creating a bridge first.

Put this in the administration/commands tab and save firewall

Always reboot, otherwise the VAPs do not work.

Mind you, they are on different subnets so you can only use IP addresses to make contact (or you have to use a WINS server) and you have to disable/open the Windows firewall.

EDIT: I have tested it and the necessary firewall rule should be there ( -A FORWARD -i ath1.1 -j ACCEPT )
So the problem is possibly the one described under "Mind you".

tectonic
DD-WRT Novice


Joined: 01 Aug 2017
Posts: 27

Posted: Wed Aug 02, 2017 21:49    Post subject:
egc,

Thanks very much for coaching me through this; very much appreciated.

The reason I don't want to bridge ath1.1 is that I'd like devices connected to ath1.1 to be in their own subnet. This means I can use PBR so that ath1.1 devices are not routed through the VPN (but those on ath1 are routed through the VPN).

So, unless it's possible to set up the DHCP so that, say, ath1 gets addresses in the range 192.168.1.100 - 192.168.1.149 and ath1.1 gets 192.168.1.150 - 192.168.1.249 (or whatever), then - based on my limited knowledge - I suspect I'm going to have to end up going down this route: https://www.dd-wrt.com/phpBB2/viewtopic.php?p=1020947#1020947

Thanks again for your help thus far.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12877
Location: Netherlands

Posted: Thu Aug 03, 2017 7:45    Post subject:
You can not have two DHCP servers in one subnet.

As I said, the subnets can communicate if you disable AP isolation and Net isolation, but there is no Windows discovery, and things like DLNA and UPnP between subnets do not work.
For that you have to use AVAHI.

As an alternative you can use a WINS server; that is what I am using.

To complicate matters further you are using PBR and there is no route between the PBR clients and the rest of your network. For that you have to use @Eibgrad's script/solution.

So yes, what you want is possible with AVAHI and the use of @Eibgrad's script.

suli
DD-WRT Novice


Joined: 02 May 2014
Posts: 24

Posted: Fri Aug 04, 2017 15:13    Post subject:
Just an FYI, I handle all this via IPTABLES rules and it has been stable using that method for interface or VLAN isolation for a few years now. You might want to peek into that as well if you haven't gotten this resolved yet. I just use some DNSMASQ rules to apply individual DHCP scopes to VLANs.
tectonic
DD-WRT Novice


Joined: 01 Aug 2017
Posts: 27

Posted: Fri Aug 04, 2017 20:47    Post subject:
Thanks, both.

I haven't had a chance to sit down and try to get this working yet, but I'm hoping to have the opportunity to do so over the weekend.

So far, I've got three subnets. I'm using PBR to route one of those subnets over a VPN. The two VAPs were set up using Kong's instructions http://tips.desipro.de/2013/12/06/guest-wifi-setup-dd-wrt/

Next steps are:

1. Install entware-ng

2. Install Avahi

3. Add the following scripts to Administration > Commands and save to startup scripts:

Code:
# create the group and user that avahi-daemon runs as
echo "nogroup:x:114:nobody" >> /etc/group
echo "nobody:*:114:114:avahi:/opt/sbin/avahi-daemon:/bin/false" >> /etc/passwd

# start the Entware services (including avahi-daemon)
/opt/etc/init.d/rc.unslung start

# raise the TTL of SSDP (UDP 1900) packets by one so they are not dropped when forwarded between subnets
iptables -A PREROUTING -t mangle -p udp --dport 1900 -j TTL --ttl-inc 1

4. Add the following script to Administration > Commands and save to shutdown scripts:

Code:
# stop the Entware services cleanly on shutdown
/opt/etc/init.d/rc.unslung stop

5. Add the following scripts to Administration > Commands and save to firewall scripts:

Code:
# let mDNS (UDP 5353) from ath1.1 reach avahi on the router
iptables -I INPUT -t filter -i ath1.1 -p udp --dport 5353 -j ACCEPT
# let SSDP (UDP 1900) from ath1.1 be forwarded to the other subnets
iptables -I FORWARD -t filter -i ath1.1 -p udp --dport 1900 -j ACCEPT

I'll report back to let you know how it's gone!
tectonic
DD-WRT Novice


Joined: 01 Aug 2017
Posts: 27

Posted: Sat Aug 05, 2017 21:04    Post subject:
A case of "close, but no cigar"...

To recap:

My primary WAPs (ath0 and ath1) are routed through a VPN using PBR. These are bridged to eth0 on br0.

I have two VAPs. ath1.2 is a "true" guest network: not bridged, with AP and net isolation both enabled. Multicast forwarding is disabled. Its subnet is 192.168.3.0/255.255.255.0.

ath1.1 is intended to be my "netflix" VAP; not routed through the VPN. This one has multicast enabled. AP and net isolation are also both enabled. Its subnet is 192.168.4.0/255.255.255.0.

I can access the internet from each of the networks. However, I want devices on ath1.1 to be able to cast to the Chromecasts on ath0 and ath1. Here's what I've done to try and enable casting:

Installed entware-ng
Installed avahi

Following the guide here http://www.dd-wrt.com/phpBB2/viewtopic.php?p=1061122, I have added the following to my startup script:

Code:
iptables -A PREROUTING -t mangle -p udp --dport 1900 -j TTL --ttl-inc 1

and this to my firewall script:

Code:
iptables -I INPUT -t filter -i ath1.1 -p udp --dport 5353 -j ACCEPT
iptables -I FORWARD -t filter -i ath1.1 -p udp --dport 1900 -j ACCEPT

I've also modified avahi-daemon.conf so that it matches the configuration listed here: http://www.dd-wrt.com/phpBB2/viewtopic.php?p=1061122

Following the guide here https://www.dd-wrt.com/phpBB2/viewtopic.php?p=1020947#1020947, I have also:

Added eibgrad's script (http://pastebin.com/YwnHLqaa) to my startup script

and made sure entware services are started and stopped with the router:

Code:
echo "nogroup:x:114:nobody" >> /etc/group
echo "nobody:*:114:114:avahi:/opt/sbin/avahi-daemon:/bin/false" >> /etc/passwd

/opt/etc/init.d/rc.unslung start

Code:
/opt/etc/init.d/rc.unslung stop

Now, everything should be fine and dandy. I can see eibgrad's script running when I run ps.

However, when I run /opt/etc/init.d/rc.unslung check I see that the avahi-daemon is dead. If I stop and restart it, it fails to start.

Any ideas as to what I've done to cause the daemon to die?


Last edited by tectonic on Sun Aug 06, 2017 9:03; edited 2 times in total
tectonic
DD-WRT Novice


Joined: 01 Aug 2017
Posts: 27

Posted: Sun Aug 06, 2017 7:10    Post subject:
It works!

A decent night's sleep and a fresh pair of eyes has done the trick...

avahi-daemon was dying due to a typo in the config file. Once I'd spotted that, I was pretty much away.

The only difference between my set up and the one described here http://www.dd-wrt.com/phpBB2/viewtopic.php?p=1061122 is that on the "netflix" VAP (on subnet 192.168.4.0/255.255.255.0) I had to disable net isolation. I'm going to assume this is because I'm also using PBR on the main network (192.168.1.0/255.255.255.0) along with eibgrad's script.

Anyway, it works; and the third network (guest on 192.168.3.0/255.255.255.0) is truly isolated from the others.

Thanks to egc and suli for their guidance. Hopefully this will help others crack similar problems, too!
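To check the end state described above (ath1.1 may forward to the LAN bridge, the guest VAP ath1.2 may not), and egc's earlier point that a FORWARD accept for ath1.1 must be present, here is an added script (not from this thread or from DD-WRT) that does a first-match walk of the FORWARD chain in an iptables-save dump. The dump is a constructed sample, and the WAN device name vlan2 is an assumption.

```python
import shlex
from typing import Dict, Optional

# Constructed iptables-save style dump (not the poster's real one): ath1.1 may forward
# to the LAN bridge br0 and the Internet, guest ath1.2 only to the Internet (WAN assumed vlan2).
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -i ath1.1 -p udp -m udp --dport 5353 -j ACCEPT
-A FORWARD -i ath1.1 -p udp -m udp --dport 1900 -j ACCEPT
-A FORWARD -i ath1.1 -j ACCEPT
-A FORWARD -i ath1.2 -o br0 -j DROP
-A FORWARD -i ath1.2 -o ath1.1 -j DROP
-A FORWARD -i ath1.2 -j ACCEPT
COMMIT
"""
# Options this audit understands; anything else (-m, --dport, ...) is skipped over.
OPTS = {"-A": "chain", "-i": "in", "-o": "out", "-p": "proto", "-j": "target"}


def parse_rule(line: str) -> Dict[str, Optional[str]]:
    """Turn one '-A CHAIN ... -j TARGET' line into a dict of the options above."""
    rule: Dict[str, Optional[str]] = dict.fromkeys(OPTS.values())
    toks = shlex.split(line)
    i = 0
    while i < len(toks):
        if toks[i] in OPTS and i + 1 < len(toks):
            rule[OPTS[toks[i]]] = toks[i + 1]
            i += 2
        elif i + 1 < len(toks) and not toks[i + 1].startswith("-"):
            i += 2  # unknown option carrying a value, e.g. '-m udp'
        else:
            i += 1  # unknown bare flag
    return rule


def forward_verdict(dump: str, in_if: str, out_if: str, proto: str = "tcp") -> str:
    """First-match walk of the FORWARD chain for a packet in_if -> out_if; only -i, -o
    and -p are evaluated (other matches and '!' negation are ignored), so it is optimistic."""
    policy = "ACCEPT"
    for line in dump.splitlines():
        if line.startswith(":FORWARD "):
            policy = line.split()[1]  # chain policy, used when no rule matches
        elif line.startswith("-A FORWARD "):
            r = parse_rule(line)
            if (r["in"] in (None, in_if) and r["out"] in (None, out_if)
                    and r["proto"] in (None, proto)):
                return r["target"] or policy
    return policy
```

Run it against the output of `iptables-save` on the router; a guest interface whose verdict towards br0 is ACCEPT is not isolated, whatever the web UI checkbox says.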
alfh
DD-WRT Novice


Joined: 07 Apr 2014
Posts: 4

Posted: Wed Aug 09, 2017 1:43    Post subject:
egc wrote:
Do you have SFE enabled? If so disable it, there is a bug where PBR does not work when SFE is enabled. Indeed ping, FTP etc. do work, only http(s) traffic does not get through.


Just wanted to say thanks for this post. I have been pulling out what little hair I have left for way too many hours trying to find why my dd-wrt upgrade foobar'd my PBR VPN.

Turned SFE off and everything is peachy.
wadeshuler
DD-WRT Novice


Joined: 20 Aug 2017
Posts: 10

Posted: Tue Aug 22, 2017 6:52    Post subject:
egc wrote:
Do you have SFE enabled? If so disable it, there is a bug where PBR does not work when SFE is enabled. Indeed ping, FTP etc. do work, only http(s) traffic does not get through.


THANK YOU!

I followed this guide: How do I setup a DD-WRT VPN Guest Network - I went for Option 2, to have the "guest network" on the VPN.

Near the end, I got excited because my OpenVPN VAP was working and behind the VPN! However, my regular wifi connections were dead. I tweaked something, the DNS maybe to Google? Router reboot. Then the issue swapped! wifi connections working as expected (via my ISP) but the OpenVPN VAP was dead. Connection status showed OpenVPN was connected. I went back through all my tabs (like 10 threads from this forum, and a few other guides) and saw this about SFE. I disabled it, and BOOM magic!

I am crossing my fingers that I finally got this all set up.