I have a spread-out setup to deal with: 3 off-site buildings with Tomato Firmware-based routers, connecting to another Tomato-based router as a VPN setup. The Server router is also in our private LAN network (as an edge device).
In our main LAN, we have a DHCP server running on a Linux server, offering 192.168.0.0/19 (yes, the subnet mask is 255.255.224.0!), with the 192.168.2.x/24 octet being excluded. At each site, each Tomato VPN Client (the routers from now on) is supposed to offer IPs in a certain range to its clients within the 192.168.2.x subnet. SiteA is 192.168.2.2-29 (router is .1), SiteB is 192.168.2.31-50 (router is .30), and SiteC is 192.168.2.52-80 (.51 is the router). The computers can connect to our server with no issue.
What is happening, though, is that all of a sudden (when this worked perfectly fine before), I have the router from SiteA offering leases to clients at other sites. Because they are in the same ultimate network (192.168.0.0/19), they can access servers in our LAN, but not the Internet.
As a temporary fix, I could remote in to the computers at SiteB and SiteC, and assign the default gateway to be the routers at each location. This is not a good fix though, as it prevents other staff from visiting the site with their laptops or tablets, and being able to connect right away.
The routers are not compiled with support for ebtables, as recommended in a few other threads. The ultimate goal is to have the DHCP servers only offer leases on the LAN side of their own routers.
Router B's VPN Client configuration
Router A's VPN Client configuration (The Redirect Internet Traffic was originally disabled; it was enabled above just for testing)
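As an added example (not from the question above, and not Tomato's own tooling), here is a small Python checker that reads dnsmasq DHCPACK syslog lines collected from each router and flags two symptoms of the problem described: a router leasing to a client that is inventoried at another site, and a leased address outside that router's own pool. The per-site pools come from the question; the MAC inventory, hostnames and log lines are constructed.

```python
import ipaddress
import re

# Per-site plan from the question: (router address, first pool address, last pool address).
SITES = {
    "SiteA": ("192.168.2.1",  "192.168.2.2",  "192.168.2.29"),
    "SiteB": ("192.168.2.30", "192.168.2.31", "192.168.2.50"),
    "SiteC": ("192.168.2.51", "192.168.2.52", "192.168.2.80"),
}

# Constructed (hypothetical) inventory: the site where each client MAC physically sits.
MAC_SITE = {
    "00:11:22:33:44:01": "SiteA",
    "00:11:22:33:44:02": "SiteB",
    "00:11:22:33:44:03": "SiteC",
}

# Constructed sample syslog lines in dnsmasq's DHCPACK format, each tagged with the
# router that logged it (PIDs, MACs and hostnames are made up).
SAMPLE_LOG = [
    ("SiteA", "dnsmasq-dhcp[311]: DHCPACK(br0) 192.168.2.12 00:11:22:33:44:01 pc-a1"),
    ("SiteA", "dnsmasq-dhcp[311]: DHCPACK(br0) 192.168.2.17 00:11:22:33:44:02 pc-b1"),
    ("SiteB", "dnsmasq-dhcp[290]: DHCPACK(br0) 192.168.2.90 00:11:22:33:44:02 pc-b1"),
    ("SiteC", "dnsmasq-dhcp[305]: DHCPACK(br0) 192.168.2.60 00:11:22:33:44:03 pc-c1"),
]

# Matches "DHCPACK(<iface>) <ip> <mac>" as dnsmasq writes it.
ACK_RE = re.compile(r"DHCPACK\(\S+\) (\S+) ([0-9a-f:]{17})", re.IGNORECASE)

def in_pool(site, ip):
    """True if ip lies within the client pool assigned to site."""
    _, lo, hi = SITES[site]
    return ipaddress.ip_address(lo) <= ipaddress.ip_address(ip) <= ipaddress.ip_address(hi)

def find_stray_leases(log=SAMPLE_LOG, inventory=MAC_SITE):
    """Return (server_site, ip, mac, reason) for every lease that breaks the plan."""
    findings = []
    for server_site, line in log:
        m = ACK_RE.search(line)
        if not m:
            continue                      # not a lease acknowledgement; skip
        ip, mac = m.group(1), m.group(2).lower()
        client_site = inventory.get(mac)  # None for MACs not in the inventory
        if client_site is not None and client_site != server_site:
            findings.append((server_site, ip, mac, f"leased across the VPN to a {client_site} client"))
        if not in_pool(server_site, ip):
            findings.append((server_site, ip, mac, "address outside this router's pool"))
    return findings

if __name__ == "__main__":
    for finding in find_stray_leases():
        print(*finding)
```

Feeding it the real syslog from each router (with the inventory filled in) shows which router is answering DISCOVERs that arrive over the VPN bridge, which is the first thing to confirm before reworking the routing or bridge filtering.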