
Having disconnection problem with guest wlan, when OpenVPN client connects

Discussion in 'Tomato Firmware' started by sunsina, Feb 28, 2014.

  1. sunsina

    sunsina Reformed Router Member

    Hi,
    I am running Tomato Shibby 116EN AIO on an RT-N16.
    I set up the following two wireless networks:

    wl0 (MainWireless, bridged (br0) with the router's LAN ports, 192.168.2.0/24, SSID: MainWiFi)
    wl0.1 (GuestWireless (br1), totally isolated from the clients on br0, 192.168.3.0/24, SSID: GuestWiFi)


    The Tomato configuration is as follows:
    Basic -> Network -> LAN

    Bridge | STP      | IP Address  | Netmask       | DHCP    | IP Range (first/last) | Lease Time (mins)
    br0    | Disabled | 192.168.2.1 | 255.255.255.0 | Enabled | 192.168.2.10 - 51     | 1440
    br1    | Disabled | 192.168.3.1 | 255.255.255.0 | Enabled | 192.168.3.10 - 51     | 1440

    Advanced -> Virtual Wireless
    Interface  | Enabled | SSID      | Mode         | Bridge
    eth1 (wl0) | Yes     | MainWiFi  | Access Point | LAN (br0)
    wl0.1      | Yes     | GuestWiFi | Access Point | LAN1 (br1)


    Advanced -> VLAN
    VLAN | VID | Port 1 | Tagged | Port 2 | Tagged | Port 3 | Tagged | Port 4 | Tagged | WAN Port | Tagged | Default | Bridge
    1    | 2   | Yes    |        | Yes    |        | Yes    |        | Yes    |        | .        |        |         | LAN(br0)
    2    | 2   |        |        |        |        |        |        |        |        | Yes      |        |         | WAN
    3    | 3   |        |        |        |        |        |        |        |        |          |        |         | LAN1(br1)

    Advanced -> VLAN : Wireless
    Bridge eth1 to LAN(br0)
    Bridge wl0.1 to LAN1(br1)

    This configuration works fine as long as I do not start the OpenVPN client on the router to redirect traffic
    through the VPN service provider.
    My router's OpenVPN client configuration uses tun0 and UDP. As soon as it connects to the VPN service provider it should redirect internet traffic from the VPN provider to just br0, which means the clients connected to MainWiFi and the router's LAN ports must get access to the internet through the VPN (which is desired and works), but unfortunately the GuestWiFi loses its internet connection (as soon as the VPN client establishes the connection) and cannot route any further (while I want the GuestWireless network to connect directly to the internet and not through the VPN).

    The VPN internet redirection script, written in the firewall script, is as follows:

    Administration->Scripts->Firewall

    iptables -I FORWARD -i br0 -o tun0 -j ACCEPT           # allow br0 clients to be forwarded into the tunnel
    iptables -I FORWARD -i tun0 -o br0 -j ACCEPT           # allow return traffic from the tunnel back to br0
    iptables -I INPUT -i tun0 -j REJECT                    # reject connections aimed at the router itself from the tunnel
    iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE   # NAT everything leaving through the tunnel to the tunnel address

    Advanced -> Routing : Current Routing Table
    Destination   | Gateway / Next Hop | Subnet Mask     | Metric | Interface
    192.168.1.1   | *                  | 255.255.255.255 | 0      | vlan2 (WAN)
    91.22x.xx.xx  | 192.168.1.1        | 255.255.255.255 | 0      | vlan2 (WAN)
    192.168.3.0   | *                  | 255.255.255.0   | 0      | br1 (LAN1)
    192.168.2.0   | *                  | 255.255.255.0   | 0      | br0 (LAN)
    192.168.1.0   | *                  | 255.255.255.0   | 0      | vlan2 (WAN)
    10.200.4.0    | *                  | 255.255.252.0   | 0      | tun11
    127.0.0.0     | *                  | 255.0.0.0       | 0      | lo
    default       | 10.200.4.1         | 128.0.0.0       | 0      | tun11
    128.0.0.0     | 10.200.4.1         | 128.0.0.0       | 0      | tun11
    default       | 192.168.1.1        | 0.0.0.0         | 0      | vlan2 (WAN)


    To be more clear: "How can I have the br0 devices (MainWiFi and LAN ports) get their internet traffic from the VPN while at the same time the GuestWireless (wl0.1 - br1) connects directly to my internet?"
    Is there anything wrong with the routing table (I cannot see vlan3 routes!?), and how can I fix this?

    As an extra feature, how can I take my router's first LAN port out of br0 and have it connected to br1 (same as GuestWiFi)?

    Any help is really appreciated.
    Thanks in advance
     
  2. eibgrad

    eibgrad Addicted to LI Member

    The problem here is that both networks are using the same routing table. And since you changed the default gateway w/ the VPN client, that messes up the guest network. What you need to do is configure a *second* routing table and use policy based routing to force only clients of the private network over the VPN instead of both networks.

    http://www.dd-wrt.com/wiki/index.php/Policy_Based_Routing

    The best way to achieve this w/ your current configuration is to NOT use the redirect-gateway directive. Instead, create an OpenVPN route-up script that’s triggered whenever the VPN client is established. That script should add the VPN’s network interface to the second routing table as its default gateway, and add ip rules that force ips belonging to the primary network to use that same routing table. Similarly, create an OpenVPN down script that essentially reverses the process when the VPN is brought down.

    As far as creating a guest LAN port, the following is one of the best examples of this I've read.

    https://code.google.com/p/tomato-sdhc-vlan/wiki/MultiSSIDHOWTOForE3000
     
    Last edited: Mar 1, 2014
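
Added example (written here, not by either poster): the two 128.0.0.0-mask routes via 10.200.4.1 in sunsina's routing table are exactly what OpenVPN's redirect-gateway installs, and because they sit in the main table they override the WAN default for br1 as well as br0. The script below implements eibgrad's alternative as an OpenVPN route-up/down script: a separate routing table (number 200, assumed free) holding the tunnel default route, and an ip rule that sends only packets sourced from the br0 subnet (192.168.2.0/24, taken from the post) to that table, so br1 keeps following the main table straight to the WAN. It assumes OpenVPN runs with script-security 2, with route-up and down both pointing at this script (argument "up" or "down"), without redirect-gateway (route-nopull if the provider pushes it), and it relies on the $dev and $route_vpn_gateway variables OpenVPN exports to such scripts. Setting IP=echo prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not from the thread. Policy-based routing for Tomato: br0 (MainWiFi + LAN
# ports) gets its default route from the VPN tunnel through a second routing table, while
# br1 (GuestWiFi) keeps using the main table whose default route is still the WAN.
# Assumptions: table 200 is unused; br0 subnet is 192.168.2.0/24 as in the post; OpenVPN is
# started with "script-security 2", "route-up '<script> up'" and "down '<script> down'",
# WITHOUT redirect-gateway, and exports $dev and $route_vpn_gateway to the script.

VPN_TABLE=${VPN_TABLE:-200}                  # assumed free routing table id
PRIVATE_NET=${PRIVATE_NET:-192.168.2.0/24}   # br0 subnet from the post
PRIVATE_IF=${PRIVATE_IF:-br0}                # bridge carrying MainWiFi and the LAN ports
RULE_PREF=${RULE_PREF:-100}                  # rule priority, evaluated before "main" (32766)
IP=${IP:-ip}                                 # set IP=echo for a dry run that only prints commands

vpn_route_up() {
    # $1 = tunnel device (OpenVPN's $dev), $2 = VPN gateway (OpenVPN's $route_vpn_gateway)
    dev=$1; gw=$2
    # Keep the br0 subnet reachable inside the VPN table: replies the router sends from its
    # own br0 address (DHCP, DNS) are also "from 192.168.2.0/24" and must not hit the tunnel.
    $IP route add "$PRIVATE_NET" dev "$PRIVATE_IF" table "$VPN_TABLE"
    # Everything else sourced from br0 goes into the tunnel.
    $IP route add default via "$gw" dev "$dev" table "$VPN_TABLE"
    # Only packets with a br0 source consult the VPN table; br1 and the router's own WAN
    # traffic never match this rule and continue to use the main table (direct to the ISP).
    $IP rule add from "$PRIVATE_NET" lookup "$VPN_TABLE" pref "$RULE_PREF"
    $IP route flush cache
}

vpn_route_down() {
    # Reverse the process so br0 falls back to the WAN default route when the tunnel drops.
    $IP rule del from "$PRIVATE_NET" lookup "$VPN_TABLE" pref "$RULE_PREF"
    $IP route flush table "$VPN_TABLE"
    $IP route flush cache
}

# OpenVPN calls the script with the argument chosen in the config ("up" or "down").
case "${1:-}" in
    up)   vpn_route_up "$dev" "$route_vpn_gateway" ;;
    down) vpn_route_down ;;
esac
```

In the Tomato GUI the script-security, route-up and down lines can go in the OpenVPN client's Custom Configuration box. The firewall-script rules from the first post (the FORWARD accepts between br0 and the tunnel and the MASQUERADE on the tunnel) stay as they are; this script only changes which routing table br0 sources consult, so a guest client on br1 never sees the tunnel and a missing VPN simply returns br0 to the WAN instead of leaving it black-holed.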
  3. sunsina

    sunsina Reformed Router Member

     
