
Guest VLAN loses Internet connectivity when VPN client is active

Discussion in 'Tomato Firmware' started by mcbsys, Apr 11, 2013.

  1. mcbsys

    mcbsys Networkin' Nut Member

    Hi,

    After the help received in this thread, I've been running the following setup with no issues for about 18 months:

    E2000 Server LAN: 192.168.100.x Guest LAN: 10.1.100.x
    (running Tomato Firmware v1.28.4407 MIPSR2-Toastman-VLAN-RT K26 VPN)

    E3000 Client LAN: 192.168.200.x Guest LAN: 10.1.200.x
    (running Tomato Firmware v1.28.4407 MIPSR2-Toastman-VLAN-RT K26 USB VPN)

    In addition to VPN, each router runs a VLAN for guest access. The thread mentioned, and my subsequent blog post, describe the iptables commands I use to get VPN connectivity between the networks:

    OpenVPN server: iptables -A FORWARD -i br0 -o tun21 -j ACCEPT
    OpenVPN client: iptables -A FORWARD -i br0 -o tun11 -j ACCEPT

    New Problem

    This month, the site running the E3000 installed external access points and disabled the internal radios. So far so good.

    Then I thought, hmm, I wonder if I can set up a second VPN from my E2000 site to the guest VLAN of the E3000 (hoping to remotely manage the new APs). I tried configuring Client 2 on the E3000 but it didn't work. So I reversed the changes, at least I thought I did. VPN Client 2 is not started. But now I have the following behavior on the guest VLAN on the E3000:

    - client computer DOES receive an IP address and gateway in the correct range
    - client computer can NOT ping the router
    - client has no Internet connection

    On the primary VLAN, Internet connectivity and the VPN to the other site work fine.

    If I turn off VPN client 1 on the E3000, the guest VLAN once again can ping the router and get onto the Internet.

    What have I done? My only guess is that somehow this off and on has changed the order in which some routing is defined. How could I find and fix that?

    Thanks for your help,

    Mark

    P.S. Since I was asked for this output in the earlier thread, maybe it will be helpful here:

    Code:
    iptables -t mange -nvL
    iptables -t nat -nvL
    iptables -t filter -nvL
    Code:
    iptables v1.3.8: can't initialize iptables table `mange': Table does not exist (do you need to insmod?)
    Perhaps iptables or your kernel needs to be upgraded.
    Chain PREROUTING (policy ACCEPT 6113 packets, 980K bytes)
    pkts bytes target    prot opt in    out    source              destination         
      200 34889 WANPREROUTING  all  --  *      *      0.0.0.0/0            66.159.100.150     
        0    0 DROP      all  --  vlan2  *      0.0.0.0/0            192.168.200.0/24     
        0    0 DROP      all  --  vlan2  *      0.0.0.0/0            10.1.200.0/24         
     
    Chain POSTROUTING (policy ACCEPT 40 packets, 6776 bytes)
    pkts bytes target    prot opt in    out    source              destination         
        0    0 SNAT      tcp  --  *      *      192.168.200.0/24      192.168.200.2        tcp dpt:25 to:66.159.100.150 
        0    0 SNAT      tcp  --  *      *      192.168.200.0/24      192.168.200.2        tcp dpt:80 to:66.159.100.150 
        0    0 SNAT      tcp  --  *      *      192.168.200.0/24      192.168.200.2        tcp dpt:443 to:66.159.100.150 
        0    0 SNAT      tcp  --  *      *      192.168.200.0/24      192.168.200.50        tcp dpts:5000:5003 to:66.159.100.150 
        0    0 SNAT      tcp  --  *      *      192.168.200.0/24      192.168.200.2        tcp dpt:22519 to:66.159.100.150 
        0    0 SNAT      tcp  --  *      *      192.168.200.0/24      192.168.200.3        tcp dpt:29434 to:66.159.100.150 
        0    0 SNAT      tcp  --  *      *      192.168.200.0/24      192.168.200.4        tcp dpt:28211 to:66.159.100.150 
        0    0 SNAT      tcp  --  *      *      192.168.200.0/24      192.168.200.10        tcp dpt:22518 to:66.159.100.150 
        0    0 SNAT      tcp  --  *      *      192.168.200.0/24      192.168.200.5        tcp dpt:24773 to:66.159.100.150 
      996 63283 MASQUERADE  all  --  *      vlan2  0.0.0.0/0            0.0.0.0/0           
     
    Chain OUTPUT (policy ACCEPT 25 packets, 4668 bytes)
    pkts bytes target    prot opt in    out    source              destination         
     
    Chain WANPREROUTING (1 references)
    pkts bytes target    prot opt in    out    source              destination         
        1    52 DNAT      icmp --  *      *      0.0.0.0/0            0.0.0.0/0          to:192.168.200.1 
      14  840 DNAT      tcp  --  *      *      66.18.18.0/24        0.0.0.0/0          tcp dpt:25 to:192.168.200.2 
        1    60 DNAT      tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:80 to:192.168.200.2 
        0    0 DNAT      tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:443 to:192.168.200.2 
        0    0 DNAT      tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpts:5000:5003 to:192.168.200.50 
        0    0 DNAT      tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:22519 to:192.168.200.2 
        0    0 DNAT      tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:29434 to:192.168.200.3 
        0    0 DNAT      tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:28211 to:192.168.200.4 
        0    0 DNAT      tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:22518 to:192.168.200.10 
        0    0 DNAT      tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:24773 to:192.168.200.5 
    Chain INPUT (policy DROP 181 packets, 33776 bytes)
    pkts bytes target    prot opt in    out    source              destination         
      644  196K ACCEPT    all  --  tun11  *      0.0.0.0/0            0.0.0.0/0           
        0    0 DROP      all  --  br0    *      0.0.0.0/0            66.159.100.150     
        0    0 DROP      all  --  br1    *      0.0.0.0/0            66.159.100.150     
      18  724 DROP      all  --  *      *      0.0.0.0/0            0.0.0.0/0          state INVALID 
    2154  352K ACCEPT    all  --  *      *      0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED 
        0    0 ACCEPT    all  --  lo    *      0.0.0.0/0            0.0.0.0/0           
      962 92739 ACCEPT    all  --  br0    *      0.0.0.0/0            0.0.0.0/0           
      142 13032 ACCEPT    all  --  br1    *      0.0.0.0/0            0.0.0.0/0           
     
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts bytes target    prot opt in    out    source              destination         
        0    0 ACCEPT    all  --  tun11  *      0.0.0.0/0            0.0.0.0/0           
      70  6791            all  --  *      *      0.0.0.0/0            0.0.0.0/0          account: network/netmask: 10.1.200.0/255.255.255.0 name: lan1 
    46937  18M            all  --  *      *      0.0.0.0/0            0.0.0.0/0          account: network/netmask: 192.168.200.0/255.255.255.0 name: lan 
        0    0 ACCEPT    all  --  br0    br0    0.0.0.0/0            0.0.0.0/0           
        0    0 ACCEPT    all  --  br1    br1    0.0.0.0/0            0.0.0.0/0           
        3  120 DROP      all  --  *      *      0.0.0.0/0            0.0.0.0/0          state INVALID 
        0    0 DROP      all  --  *      *      0.0.0.0/0            0.0.0.0/0          state INVALID 
      733 38104 TCPMSS    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp flags:0x06/0x02 TCPMSS clamp to PMTU 
    45835  18M ACCEPT    all  --  *      *      0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED 
      15  900 wanin      all  --  vlan2  *      0.0.0.0/0            0.0.0.0/0           
    1118 69403 wanout    all  --  *      vlan2  0.0.0.0/0            0.0.0.0/0           
    1091 67417 ACCEPT    all  --  br0    vlan2  0.0.0.0/0            0.0.0.0/0           
      27  1986 ACCEPT    all  --  br1    vlan2  0.0.0.0/0            0.0.0.0/0           
        5  1492 ACCEPT    all  --  br0    tun11  0.0.0.0/0            0.0.0.0/0           
     
    Chain OUTPUT (policy ACCEPT 2426 packets, 926K bytes)
    pkts bytes target    prot opt in    out    source              destination         
     
    Chain wanin (1 references)
    pkts bytes target    prot opt in    out    source              destination         
      14  840 ACCEPT    tcp  --  *      *      0.0.0.0/0            192.168.200.2        tcp dpt:25 
        1    60 ACCEPT    tcp  --  *      *      0.0.0.0/0            192.168.200.2        tcp dpt:80 
        0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            192.168.200.2        tcp dpt:443 
        0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            192.168.200.50        tcp dpts:5000:5003 
        0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            192.168.200.2        tcp dpt:22519 
        0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            192.168.200.3        tcp dpt:29434 
        0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            192.168.200.4        tcp dpt:28211 
        0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            192.168.200.10        tcp dpt:22518 
        0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            192.168.200.5        tcp dpt:24773 
     
    Chain wanout (1 references)
    pkts bytes target    prot opt in    out    source              destination         
     
    
     
  2. bmupton

    bmupton Serious Server Member

    In order to get my VLANs to work through the VPN tunnel, I needed to add:

    Code:
    iptables -t nat -I POSTROUTING -s 192.168.3.0/255.255.255.0 -o tun11 -j MASQUERADE
    for each subnet I was routing.

    (this is on the client router)
     
  3. mcbsys

    mcbsys Networkin' Nut Member

    Thanks, I may try that. Does 192.168.3.0 represent the VLAN's subnet?

    At the moment, my main issue is that the VPN client is killing all local connectivity to the router and Internet on the guest VLAN. I could live without VPN access to the VLAN subnet, but I can't live with the VPN completely disabling the VLAN subnet.

    Is there some way to figure out what I've done wrong? I'm about ready to wipe and rebuild the config but I'd rather know how to avoid this in the future...
     
  4. bmupton

    bmupton Serious Server Member

    Honestly I have no idea... My setup knowledge is not the greatest and was cobbled together from days of searching for why my guest WiFi couldn't browse the Internet when my VPN was connected, and it's because Tomato doesn't add the required rules for anything other than br0. So, if you have more than that, you need to do it yourself.

    Yes, 192.168.3.0 is the subnet my second VLAN is on.
     
  5. mcbsys

    mcbsys Networkin' Nut Member

    Okay thanks. I didn't realize you also had the local guest WiFi issue.

    IIRC, when I first set this up, guest WiFi was working, but I couldn't use VPN between the two main VLANs. To solve that, as documented here, I have this under Administration > Scripts > Firewall:

    Code:
    iptables -A FORWARD -i br0 -o tun11 -j ACCEPT
    As another poster said, "iptables pretty much melts my brain," so I'm stumbling around here...
     
  6. mcbsys

    mcbsys Networkin' Nut Member

    I think I finally cracked this.

    I already mentioned that turning off the VPN client allowed guest network computers to connect to the Internet.

    I discovered through trial and error that if I changed the IP range of the guest network, even with the VPN turned on, guest network computers could connect to the Internet. In other words, changing from 10.1.200.x to 10.1.210.x solved the problem. It was like something was grabbing the 10.1.200.1 address so there was a conflict. I didn't understand this, but I set things up with the new subnet and left the client location.

    When I got back to my office, I had another look at the Advanced Routing table for the client's E3000 router. I was surprised to see that it still contained an entry for the 10.0.200.0 subnet, now no longer in use:

    Code:
    Destination    Gateway / Next Hop  Subnet Mask      Metric  Interface
    172.25.0.5    *                  255.255.255.255  0      tun11
    68.117.14.1    *                  255.255.255.255  0      vlan2 (WAN)
    192.168.100.0  172.25.0.5          255.255.255.0    0      tun11
    68.117.14.0    *                  255.255.255.0    0      vlan2 (WAN)
    10.0.200.0    172.25.0.5          255.255.255.0    0      tun11        <<- WHAT'S THIS?
    10.0.210.0    *                  255.255.255.0    0      br1 (LAN1)
    172.25.0.0    172.25.0.5          255.255.255.0    0      tun11
    192.168.200.0  *                  255.255.255.0    0      br0 (LAN)
    127.0.0.0      *                  255.0.0.0        0      lo
    default        68.117.14.1        0.0.0.0          0      vlan2 (WAN)
    I decided to look at the server side of the VPN configuration, on the E2000 in my office. Aha! Under VPN > Server 1 > Advanced > Allow Only These Clients, I still had the "Client_GuestNetwork" defined with the 10.0.200.0 subnet. Once I deleted that from the server configuration, the 10.0.200.0 entry disappeared from the routing table on the client side. I suspect I could now change the main guest network back to 10.0.200.x and that it would be able to get online again.

    Now I know that something defined on the server side of a VPN may block Internet access on the client side of the VPN.
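The root cause found above, a route pushed by the VPN server that overlapped the guest VLAN's own subnet, can be spotted from the routing table before it takes a network down. The following is an added example, not code from the thread or from Tomato: it parses a table in the layout of Tomato's Advanced > Routing page and flags any route via a tunnel interface that overlaps a subnet attached to a local bridge. The interface-name patterns (tun*/tap* for tunnels, br* for bridges) are assumptions, and the sample table is constructed to mirror the pre-renumbering state described in the post.

```python
"""Flag VPN-learned routes that overlap a local LAN/guest bridge subnet.

Added example (not from the thread). Input is a routing table in the layout
of Tomato's Advanced > Routing page: Destination, Gateway / Next Hop,
Subnet Mask, Metric, Interface.
"""
import ipaddress
import re

# Constructed sample: guest VLAN 10.0.200.0/24 on br1 and a server-pushed
# route for the same prefix via tun11 (the "WHAT'S THIS?" entry).
SAMPLE_TABLE = """\
Destination    Gateway / Next Hop  Subnet Mask      Metric  Interface
172.25.0.5     *                   255.255.255.255  0       tun11
192.168.100.0  172.25.0.5          255.255.255.0    0       tun11
10.0.200.0     172.25.0.5          255.255.255.0    0       tun11
10.0.200.0     *                   255.255.255.0    0       br1 (LAN1)
172.25.0.0     172.25.0.5          255.255.255.0    0       tun11
192.168.200.0  *                   255.255.255.0    0       br0 (LAN)
127.0.0.0      *                   255.0.0.0        0       lo
default        68.117.14.1         0.0.0.0          0       vlan2 (WAN)
"""

def parse_routes(text):
    """Yield (network, gateway, iface) tuples; skips the header and default route."""
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5 or fields[0] == "default":
            continue
        dest, gw, mask, _metric, iface = fields[:5]   # "(LAN1)" suffix is dropped
        yield ipaddress.ip_network(f"{dest}/{mask}", strict=False), gw, iface

def find_conflicts(text):
    """Return (tunnel_route, tunnel_iface, local_subnet, bridge_iface) for every
    tunnel route whose prefix overlaps a bridge-attached subnet (assumed naming:
    tun*/tap* for tunnels, br* for local bridges)."""
    routes = list(parse_routes(text))
    local = [(net, iface) for net, _gw, iface in routes if iface.startswith("br")]
    conflicts = []
    for net, _gw, iface in routes:
        if not re.match(r"t(un|ap)\d*$", iface):
            continue
        for lnet, liface in local:
            if net.overlaps(lnet):
                conflicts.append((str(net), iface, str(lnet), liface))
    return conflicts

if __name__ == "__main__":
    for c in find_conflicts(SAMPLE_TABLE):
        print("route %s via %s overlaps local %s on %s" % c)
```

Run it against the current table whenever a guest VLAN stops reaching the router while the VPN is up; any hit points at a server-side client route (as in this thread) rather than a firewall rule.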
     
