
TWO VLANS 1 VPN

Discussion in 'Tomato Firmware' started by cheops2006, Feb 1, 2014.

  1. cheops2006

    cheops2006 Reformed Router Member

    Hi,

    Happy to join this great forum and looking for some help. I'm pretty new to this but learning all the time. Any help much appreciated.

    The problem I'm having is I want to stop machines associated with br0 being able to ping/see machines over the PPTP tunnel. It seems to have set routing on both br0 and br1 to ppp0. My routing table looks like this:

    Code:
    Destination   Gateway   Mask   Metric   Interface
    192.168.0.1   *   255.255.255.255      0   vlan2 (WAN)
    172.16.5.1   *   255.255.255.255      0   ppp0
    (WORK IP)   192.168.0.1   255.255.255.255      0   vlan2 (WAN)
    192.168.10.0   *   255.255.255.0      0   br1 (LAN1)
    192.168.2.0   *   255.255.255.0      0   br0 (LAN)
    192.168.0.0   *   255.255.255.0      0   vlan2 (WAN)
    172.16.0.0   *   255.255.0.0      0   ppp0
    127.0.0.0   *   255.0.0.0      0   lo
    default   192.168.0.1   0.0.0.0      0   vlan2 (WAN)
    
    I have successfully created 2 VLANs and associated each to 1 of the following:

    Code:
    Bridge   STP   IP Address   Netmask   DHCP   IP Range   Lease Time (min)
    br0    Disabled    192.168.2.1    255.255.255.0    Enabled    192.168.2.2 - 254    1440
    br1    Disabled    192.168.10.1    255.255.255.0    Enabled    192.168.10.2 - 254    1440
    
    I have also managed to create a PPTP client connection to work with the following settings:

    Code:
    Start with WAN   
    Server Address   xxx.xxx.xxx.xxx
    Username:   xxxx
    Password:   xxxx
    Encryption   
    Stateless MPPE connection: ON    
    Accept DNS configuration: ON
    Redirect Internet traffic: OFF
    Remote subnet / netmask     172.16.0.0/16
    Create NAT on tunnel: ON
    
    Thanks for any help.
     
  2. cheops2006

    cheops2006 Reformed Router Member

    Bumping this. If anyone could help that would be good.

    Thanks
     
  3. jheine

    jheine Reformed Router Member

    Hi,

    I had a similar situation as you described. I ended up with the following 2 iptables rules:
    Code:
    # Rule 1: hosts in the allowed subnet may leave via the tunnel (and get NATed to the tunnel address)
    iptables -t nat -I POSTROUTING 1 -s <AllowedSubnet> -o ppp0 -j MASQUERADE
    # Rule 2: anything else heading out of ppp0 is dropped
    iptables -t nat -I POSTROUTING 2 -o ppp0 -j DROP
    Replace <AllowedSubnet> with the subnet you want to grant access to the VPN. In your case I think it should be 192.168.10.0/24 (allowing br1 to the VPN).

    I see that you enabled "Accept DNS configuration", I had to disable this because the DNS server IP addresses are also used for the other subnets, but of course not reachable anymore. I added the following on the advanced DHCP/DNS page in the Dnsmasq Custom configuration section:
    Code:
    dhcp-option=tag:<Name>,6,<DnsIpList>
    Replace <Name> with your network name, in your case br1. Replace <DnsIpList> with the IP addresses of the DNS servers provided to you when you enable "Accept DNS configuration", comma-separated. If desired, also add a non-VPN DNS server IP, for example 192.168.10.1 (if the VPN is down, the machines on br1 can still resolve Internet DNS names).

    With the above adjustments I could not reach the VPN anymore from machines with IP addresses outside the specified range.
     
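A small model of the two points in this thread, added here as an illustration and not code from either poster or from Tomato: the kernel picks the egress interface by destination only (longest-prefix match over the table cheops2006 posted), so both br0 and br1 hosts reach 172.16.0.0/16 via ppp0; the source-based separation has to come from the nat POSTROUTING rules jheine gave. The host addresses used below (192.168.2.50, 192.168.10.50, 172.16.5.20) are constructed.

```python
import ipaddress

# Routing table from the first post (the "(WORK IP)" host route is omitted as it is a placeholder).
ROUTES = [
    ("192.168.0.1/32", "vlan2"),
    ("172.16.5.1/32", "ppp0"),
    ("192.168.10.0/24", "br1"),
    ("192.168.2.0/24", "br0"),
    ("192.168.0.0/24", "vlan2"),
    ("172.16.0.0/16", "ppp0"),
    ("127.0.0.0/8", "lo"),
    ("0.0.0.0/0", "vlan2"),          # default route
]

# jheine's <AllowedSubnet>: br1's network.
ALLOWED_SUBNET = ipaddress.ip_network("192.168.10.0/24")


def egress_interface(dst, routes=ROUTES):
    """Longest-prefix match on the destination, as the kernel does; the source is never consulted."""
    dst = ipaddress.ip_address(dst)
    best = None
    for cidr, iface in routes:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def postrouting_verdict(src, dst, routes=ROUTES):
    """Models the two nat POSTROUTING rules: MASQUERADE the allowed subnet on ppp0, DROP the rest on ppp0."""
    if egress_interface(dst, routes) != "ppp0":
        return "ACCEPT"              # both rules match only "-o ppp0"; other egress is untouched
    if ipaddress.ip_address(src) in ALLOWED_SUBNET:
        return "MASQUERADE"          # rule 1: -s 192.168.10.0/24 -o ppp0 -j MASQUERADE
    return "DROP"                    # rule 2: -o ppp0 -j DROP


if __name__ == "__main__":
    for src in ("192.168.2.50", "192.168.10.50"):
        print(src, "-> 172.16.5.20 via", egress_interface("172.16.5.20"),
              ":", postrouting_verdict(src, "172.16.5.20"))
```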
