Joined: 18 Mar 2014 Posts: 12917 Location: Netherlands
Posted: Wed Jan 17, 2018 10:07 Post subject:
egc wrote:
I just had a quick look but will later on have a more thorough look.
Two things:
Your firewall rule is missing just the letter i it should be
Code:
-i ath0.1
to specify the in-interface
And you must not use the router's own IP address in the PBR field, so do not use 192.168.2.0/24 because that includes the router at 192.168.2.1
(Actually I am not sure about this it could work because the router itself also sits on 192.168.1.1 and that is not in the PBR field)
Other than the above I do not see any other apparent misconfiguration. When I mentioned the router sits at 192.168.2.1 I meant the DHCP server of ath0.1; your router is of course at 192.168.1.1.
That said, it is perhaps a good idea that you do not include the 192.168.2.1 address in the PBR range, and of course insert the missing -i in the firewall rule.
_________________
Routers: Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3, XR300: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read): https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
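The PBR advice above (keep the router's own addresses out of the policy-routed range) is easy to get wrong by hand, so here is a small checker, added to this thread as an example and not part of dd-wrt or egc's post. It takes the router addresses the thread mentions (192.168.1.1 on the LAN, 192.168.2.1 as the DHCP server of ath0.1) and a constructed list of PBR entries in the forms dd-wrt accepts (single IP, CIDR, or a dash range), reports which entries would catch the router itself, and rewrites them as CIDR blocks with the router addresses carved out. The entry formats and the 100-150 ranges are assumptions taken from the discussion.

```python
"""Check PBR (policy-based routing) entries against the router's own addresses.

Added example for this thread, not dd-wrt code. Router addresses are the ones
named in the thread; the PBR entries below are constructed samples.
"""
import ipaddress

# Router addresses from the thread: LAN side and the ath0.1 VAP DHCP server.
ROUTER_ADDRESSES = ["192.168.1.1", "192.168.2.1"]


def parse_entry(entry):
    """Turn one PBR entry into a list of IPv4 networks.

    Accepts 'a.b.c.d', 'a.b.c.d/nn' or 'a.b.c.d-a.b.c.e' (assumed input forms).
    """
    entry = entry.strip()
    if "-" in entry:
        lo, hi = entry.split("-", 1)
        return list(ipaddress.summarize_address_range(
            ipaddress.ip_address(lo.strip()), ipaddress.ip_address(hi.strip())))
    return [ipaddress.ip_network(entry, strict=False)]


def overlapping_router_addresses(entries, router_addresses=ROUTER_ADDRESSES):
    """Return (entry, router_address) pairs where an entry would catch the router."""
    hits = []
    for entry in entries:
        for net in parse_entry(entry):
            for router in router_addresses:
                if ipaddress.ip_address(router) in net:
                    hits.append((entry, router))
    return hits


def exclude_addresses(entries, router_addresses=ROUTER_ADDRESSES):
    """Rewrite the entries as CIDR strings covering the same hosts minus the router."""
    nets = [net for entry in entries for net in parse_entry(entry)]
    for router in router_addresses:
        carve = ipaddress.ip_network(router + "/32")
        remaining = []
        for net in nets:
            if carve.subnet_of(net):
                # address_exclude yields the complement blocks (empty if net == carve)
                remaining.extend(net.address_exclude(carve))
            else:
                remaining.append(net)
        nets = remaining
    return [str(net) for net in ipaddress.collapse_addresses(nets)]


def contains_address(cidrs, address):
    """True if any of the CIDR strings covers the given address."""
    addr = ipaddress.ip_address(address)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def host_count(entries):
    """Number of addresses covered by the entries (no overlap assumed)."""
    return sum(net.num_addresses for entry in entries for net in parse_entry(entry))


if __name__ == "__main__":
    # Constructed samples: the whole VAP subnet (bad) and the 100-150 ranges
    # the original poster said he tried first.
    samples = [
        ["192.168.2.0/24"],
        ["192.168.1.100-192.168.1.150", "192.168.2.100-192.168.2.150"],
    ]
    for entries in samples:
        print("PBR entries:", entries)
        hits = overlapping_router_addresses(entries)
        if hits:
            for entry, router in hits:
                print("  entry %s includes the router at %s" % (entry, router))
            print("  use instead:", ", ".join(exclude_addresses(entries)))
        else:
            print("  ok: %d hosts, router addresses not included" % host_count(entries))
```

Running it shows that 192.168.2.0/24 is flagged because it contains 192.168.2.1, and prints the eight CIDR blocks that cover 192.168.2.0 and 192.168.2.2-254 without it, while the two 100-150 ranges pass as written. The checker only covers the PBR field; the `-i ath0.1` match on the firewall rule is a separate condition.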
Thanks egc, the -i is corrected but has no impact on my VPN testing. My first PBR try included just the IPs from 100-150 in both networks .. so that test case is already covered.
I will probably have to deal with more complex rules to facilitate this segmentation .. haven't come up with a simple idea yet. Ultimately an option would be to use a non-VPN wifi access point for devices that shouldn't route through VPN.
OpenVPN conditional routing with two subnets works as of 2018-31-01-r34777 (unless something new breaks it)
Edit: Well .. things work differently now but they don't really work well. Blocking LAN only for VAP worked before and doesn't now (neither WAP nor VAP can access LAN). Conditional routing for two subnets broke the internet for WAP and VAP .. now at least one works.