Having disconnection problem with guest wlan, when OpenVPN client connects

Discussion in 'Tomato Firmware' started by sunsina, Feb 28, 2014.

  1. sunsina

    sunsina Networkin' Nut Member

    I am running Tomato Shibby 116EN AIO on an RT-N16.
    I made the following two wireless networks work:

    wl0 (MainWireless, bridged (br0) with the router's LAN ports, SSID: MainWiFi)
    wl0.1 (GuestWireless, on br1, totally isolated from the clients on br0, SSID: GuestWiFi)

    The Tomato configuration is as follows:

    Basic -> Network -> LAN
    Bridge | STP | IP Address | Netmask | DHCP | IP Range (first/last) | Lease Time (mins)
    (the bridge, IP address and netmask columns did not survive the paste)
    Disabled | Enabled | 192.168.2.10 - 51 | 1440
    Disabled | Enabled | - 51 | 1440

    Advanced -> Virtual Wireless
    eth1 (wl0) | Yes | MainWiFi | Access Point | LAN (br0)
    wl0.1 | Yes | GuestWiFi | Access Point | LAN1 (br1)

    Advanced -> VLAN
    VLAN | VID | Port 1 | Tagged | Port 2 | Tagged | Port 3 | Tagged | Port 4 | Tagged | WAN Port | Tagged | Default Bridge
    1 2 Yes Yes Yes Yes . LAN(br0)
    2 2 Yes WAN
    3 3 LAN1(br1)

    Advanced -> VLAN: Wireless
    Bridge eth1 to LAN(br0)
    Bridge wl0.1 to LAN1(br1)

    This configuration works fine if I do not start the OpenVPN client on the router to redirect traffic
    through the VPN service provider.
    My router's OpenVPN client configuration uses tun0 and UDP. As soon as it connects to the VPN service provider it should redirect internet traffic from the VPN provider to just br0, which means the clients connected to MainWiFi and the router's LAN ports must get access to the internet through the VPN (which is desired and works), but unfortunately the GuestWiFi disconnects from the internet (as soon as the VPN client establishes the connection) and it cannot route any further (while I want the GuestWireless network to connect directly to the internet and not through the VPN).

    The implemented VPN internet redirection script, which is written in the firewall script, is as follows:

    # allow br0 (MainWiFi + LAN ports) to forward to and from the tunnel
    iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
    iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
    # reject anything arriving from the tunnel that is aimed at the router itself
    iptables -I INPUT -i tun0 -j REJECT
    # NAT br0 clients behind the tunnel address on the way out
    iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

    Advanced -> Routing: Current Routing Table
    Destination | Gateway / Next Hop | Subnet Mask | Metric | Interface
    (the destination and subnet mask columns did not survive the paste; one entry per line)
    * 0 vlan2 (WAN)
    91.22x.xx.xx 0 vlan2 (WAN)
    * 0 br1 (LAN1)
    * 0 br0 (LAN)
    * 0 vlan2 (WAN)
    * 0 tun11
    * 0 lo
    default 0 tun11
    0 tun11
    default 0 vlan2 (WAN)

    To be more clear: "How can I have the br0 devices (MainWiFi and LAN ports) get their internet traffic from the VPN and at the same time have the GuestWireless network (wl0.1 - br1) connect directly to my internet?"
    Is there anything wrong with the routing table (I cannot see vlan3 routes!?), and how can I fix this?

    As an extra feature, how can I take my router's first LAN port out of br0 and have it connected to br1 (same as GuestWiFi)?

    Any help is really appreciated.
    Thanks in advance.
  2. eibgrad

    eibgrad Network Guru Member

    The problem here is that both networks are using the same routing table. And since you changed the default gateway w/ the VPN client, that messes up the guest network. What you need to do is configure a *second* routing table and use policy based routing to force only clients of the private network over the VPN instead of both networks.


    The best way to achieve this w/ your current configuration is to NOT use the redirect-gateway directive. Instead, create an OpenVPN route-up script that’s triggered whenever the VPN client is established. That script should add the VPN’s network interface to the second routing table as its default gateway, and add ip rules that force ips belonging to the primary network to use that same routing table. Similarly, create an OpenVPN down script that essentially reverses the process when the VPN is brought down.

    As far as creating a guest LAN port, the following is one of the best examples of this I've read.

    Last edited: Mar 1, 2014
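    One way to write the route-up / down script pair described above, as an added example that is not from this thread and not Tomato's or Shibby's own code. It assumes routing table id 200 is unused, that br0 is 192.168.2.0/24 (the post only shows the DHCP range 192.168.2.10-51), that the firmware's `ip` supports `ip rule`, and that OpenVPN calls it as `route-up` and `route-pre-down`, in which case it passes `script_type`, `dev` and `route_vpn_gateway` in the environment. Using `$dev` rather than a hard-coded name also sidesteps the tun0 vs tun11 question (the posted routing table shows the tunnel as tun11). `DRY_RUN=1` prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the thread, not Tomato/Shibby code): policy-based
# routing so that only br0 (MainWiFi + LAN ports) leaves via the VPN while
# br1 (GuestWiFi) keeps using the WAN default route in the main table.
#
# Assumptions not stated in the thread: table 200 is free, br0 is
# 192.168.2.0/24, iproute2 "ip" with rule support is present, and OpenVPN
# invokes this script with script_type, dev and route_vpn_gateway set.

VPN_TABLE=200
LAN_NET="${LAN_NET:-192.168.2.0/24}"   # br0 subnet (assumed)
RULE_PRIO=1000

# Execute a command, or just print it when DRY_RUN=1 (testing without root).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# route-up: $1 = tunnel interface (OpenVPN's $dev),
#           $2 = VPN gateway (OpenVPN's $route_vpn_gateway)
pbr_up() {
    vpn_dev="$1"
    vpn_gw="$2"
    if [ -z "$vpn_dev" ] || [ -z "$vpn_gw" ]; then
        echo "pbr_up: tunnel interface and gateway are required" >&2
        return 1
    fi
    # Fail closed: if the tunnel route disappears, br0 clients get
    # "unreachable" instead of silently falling through to the WAN default.
    run ip route replace unreachable default metric 100 table "$VPN_TABLE"
    # The VPN default route exists only in table 200; the main table keeps
    # the WAN default, so br1 (guest) is untouched.
    run ip route replace default via "$vpn_gw" dev "$vpn_dev" table "$VPN_TABLE"
    # Only packets sourced from br0 consult table 200.
    run ip rule add from "$LAN_NET" lookup "$VPN_TABLE" prio "$RULE_PRIO"
    run ip route flush cache
}

# route-pre-down: reverse pbr_up so br0 returns to the main table.
pbr_down() {
    run ip rule del from "$LAN_NET" lookup "$VPN_TABLE" prio "$RULE_PRIO"
    run ip route flush table "$VPN_TABLE"
    run ip route flush cache
}

# OpenVPN sets script_type to the name of the hook it is calling.
case "${script_type:-}" in
    route-up)       pbr_up "$dev" "$route_vpn_gateway" ;;
    route-pre-down) pbr_down ;;
esac
```

Hook it in from the OpenVPN client's custom configuration with `script-security 2`, `route-up /path/to/vpn-pbr.sh` and `route-pre-down /path/to/vpn-pbr.sh` (path assumed), and leave out `redirect-gateway`; if the provider pushes it, `route-nopull` stops the pushed default from landing in the main table. The FORWARD and MASQUERADE rules from the first post are still needed, with the interface name matching the real tunnel device. The `unreachable` fallback is a design choice: without it, br0 would quietly use the WAN whenever the tunnel route vanishes but the rule is still in place.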
  3. sunsina

    sunsina Networkin' Nut Member
