Discussion in 'Tomato Firmware' started by cheops2006, Feb 1, 2014.

  1. cheops2006

    cheops2006 Reformed Router Member


    Happy to join this great forum and looking for some help I'm pretty new to this but learning all the time. Any help much appreciated.

    The problem I'm having is I want to stop machines associated with br0 being able to ping/see machines over the pptp tunnel. It seems to have set routing on both br0 and br1 to ppp0. My routing table looks like this:-

    Code:
    *            0   vlan2 (WAN)
    *            0   ppp0
    (WORK IP)    0   vlan2 (WAN)
    *            0   br1 (LAN1)
    *            0   br0 (LAN)
    *            0   vlan2 (WAN)
    *            0   ppp0
    *            0   lo
    default      0   vlan2 (WAN)
    I have successfully created 2 vlans and associated each to 1 of the following:-

    br0    Disabled    Enabled - 254    1440
    br1    Disabled    Enabled - 254    1440
    I have also managed to create a pptp client connection to work with the following settings

    Start with WAN   
    Server Address
    Username:   xxxx
    Password:   xxxx
    Stateless MPPE connection: ON    
    Accept DNS configuration: ON
    Redirect Internet traffic: OFF
    Remote subnet / netmask
    Create NAT on tunnel: ON
    Thanks for any help.
  2. cheops2006

    cheops2006 Reformed Router Member

    Bumping this. If anyone could help that would be good.

  3. jheine

    jheine Reformed Router Member


    I had a similar situation as you described. I ended with the following 2 iptables rules:
    iptables -t nat -I POSTROUTING 1 -s <AllowedSubnet> -o ppp0 -j MASQUERADE
    iptables -t nat -I POSTROUTING 2 -o ppp0 -j DROP
    Replace <AllowedSubnet> with the subnet you want to grant access to the VPN. (In your case I think it should be allowing br1 to the VPN.)

    I see that you enabled "Accept DNS configuration", I had to disable this because the DNS server IP addresses are also used for the other subnets, but of course not reachable anymore. I added the following on the advanced DHCP/DNS page in the Dnsmasq Custom configuration section:
    Replace <Name> with your network name, in your case br1. Replace <DnsIpList> with the IP addresses of the DNS servers provided to you when you enable "Accept DNS configuration", comma separated. If desired, also add a non-VPN DNS server IP, for example (if the VPN is down, the machines on BR1 can still resolve Internet DNS names).

    With the above adjustments I could not reach the VPN anymore from machines with IP addresses outside the specified range.
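An added example, not code from the thread: a POSIX shell helper that emits jheine's two POSTROUTING rules in the form you would paste into Tomato's Administration > Scripts > Firewall box, with the allowed subnet validated and each rule guarded by `iptables -C` so that a firewall-script re-run does not stack duplicate rules. The subnet value, the ppp0 default and support for `-C` in the router's iptables build are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Generates the nat/POSTROUTING rules from
# jheine's post for Tomato's firewall script. Assumptions: the allowed subnet
# (e.g. 192.168.2.0/24 for br1), the tunnel interface default of ppp0, and an
# iptables build that understands "-C" (rule check).

# Succeeds when $1 looks like a dotted-quad CIDR such as 192.168.2.0/24.
valid_cidr() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Print one shell line that inserts the given rule at position $1 of
# nat/POSTROUTING only if an identical rule is not already present.
nat_rule() {
  pos=$1; shift
  printf 'iptables -t nat -C POSTROUTING %s 2>/dev/null || iptables -t nat -I POSTROUTING %s %s\n' \
    "$*" "$pos" "$*"
}

# vpn_rules ALLOWED_SUBNET [VPN_IFACE]  -> prints the two firewall-script lines.
# Rule 1 (from the thread): masquerade only the allowed subnet onto the tunnel.
# Rule 2 (from the thread): drop everything else that would leave via the tunnel.
vpn_rules() {
  allowed=$1; vpn_if=${2:-ppp0}
  valid_cidr "$allowed" || { echo "bad subnet: $allowed" >&2; return 1; }
  nat_rule 1 -s "$allowed" -o "$vpn_if" -j MASQUERADE
  nat_rule 2 -o "$vpn_if" -j DROP
}

# Usage (the subnet is an assumed value for br1):
#   vpn_rules 192.168.2.0/24 ppp0
```

Because the rules are printed rather than executed, you can review the output before saving it into the firewall script.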