
I have the following topology:

  • router (192.168.10.1, 192.168.11.1)
    • WAN - eth1 (1.2.3.4)
    • VLAN1 (br-lan) - eth0 (PC1, 192.168.10.2, PC2, 192.168.10.3)
    • VLAN2 (br-lantv) - eth2 (Smart TV, 192.168.11.2)

and I have an OpenVPN client running on the router. I want to route JUST the traffic from the Smart TV (VLAN2) through the VPN tunnel; the rest (router, VLAN1) should go directly to WAN, without the TV even noticing (it is pretty dumb, and I'm unable to configure a VPN client on it).

The router is running OpenWrt (Turris Omnia).

I ended up with the following:

/etc/config/firewall

config zone
  option name 'lan'
  list network 'lan'

config zone
  option name 'lantv'
  list network 'lantv'

config zone
  option name 'vpn'
  list network 'vpntun0'

config forwarding
  option src 'lantv'
  option dest 'vpn'

config forwarding
  option src 'lan'
  option dest 'wan'

/etc/config/network

config interface 'lan'
        option ifname 'eth0'
        option force_link '1'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.10.1'

config interface 'lantv'
        option ifname 'eth2'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.11.1'

config interface 'nordvpntun'
        option proto 'none'
        option ifname 'tun0'
        option delegate '0'

config interface 'wan'
        option ifname 'eth1'
        option proto 'dhcp'

And I end up with the following routing table:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.7.7.1        128.0.0.0       UG    0      0        0 tun0
default         1.2.3.4         0.0.0.0         UG    0      0        0 eth1
10.7.7.0        *               255.255.255.0   U     0      0        0 tun0
78.45.252.0     *               255.255.255.0   U     0      0        0 eth1
78.45.252.1     *               255.255.255.255 UH    0      0        0 eth1
128.0.0.0       10.7.7.1        128.0.0.0       UG    0      0        0 tun0
173.209.60.43   1.2.3.4         255.255.255.255 UGH   0      0        0 eth1
192.168.10.0    *               255.255.255.0   U     0      0        0 br-lan
192.168.11.0    *               255.255.255.0   U     0      0        0 br-lantv

Traffic from LAN cannot reach the internet.

I tried the following:

config forwarding
  option src 'lan'
  option dest 'vpn'

which routes everything, even from the PCs and the router, through the VPN, and that is undesirable.

OR

adding --route-nopull to the VPN config, which ended up with no routes; lantv was forwarded to vpn, but it ended there, and the internet was unreachable.

What I am probably missing is how to define a default gateway route for a specific VLAN, and configure lantv that way. Or am I doing it completely wrong? Is a separate VLAN even needed? I want to re-route only a single device. Thanks!

1 Answer

The "forwarding" statements in the LuCI configuration relate to firewalling (and it would seem that you need complementary entries for it to work). Take a look here (OpenWrt wiki).

What you really need to do is implement Policy (source) Based Routing, which can be configured by using rules and different routing tables. You will need iproute2 to do that, and a short HowTo doc is available here (OpenWrt wiki).
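As an added example that is not part of the question or the answer, the following script shows what the source-based policy routing the answer refers to looks like for the topology in the question: a separate routing table holds a default route through tun0, and an `ip rule` sends only packets sourced from 192.168.11.0/24 to that table, so the router and VLAN1 keep using the WAN default route. The tunnel gateway 10.7.7.1 and the interface names come from the question; the table id 100, its name "tvvpn", and the requirement that OpenVPN runs with --route-nopull (so it no longer installs the two 128.0.0.0/1 routes that override the main table) are assumptions of this example. The script prints the commands by default so they can be reviewed before they touch a live router.

```shell
#!/bin/sh
# Added example (not code from the question or the answer): source-based policy
# routing on an OpenWrt router, so that only VLAN2 (br-lantv, 192.168.11.0/24)
# leaves through the OpenVPN tunnel while the router itself and VLAN1 keep the
# normal WAN default route.
#
# Assumptions, not stated on the page: OpenVPN runs with --route-nopull so it no
# longer installs the two 128.0.0.0/1 routes that override the main table; the
# tunnel gateway is 10.7.7.1 on tun0 (taken from the routing table in the
# question); routing table id 100, named "tvvpn" here, is unused on the router.

TV_NET="192.168.11.0/24"
TV_IF="br-lantv"
TUN_IF="tun0"
TUN_GW="10.7.7.1"
TABLE="100"
TABLE_NAME="tvvpn"

# Emit the commands instead of running them, so the plan can be reviewed (or
# checked by a script) before it is applied with "sh pbr.sh apply".
pbr_commands() {
    cat <<EOF
# optional: give table ${TABLE} a human-readable name
grep -q "^${TABLE} ${TABLE_NAME}\$" /etc/iproute2/rt_tables || echo "${TABLE} ${TABLE_NAME}" >> /etc/iproute2/rt_tables
# the TV table: default through the tunnel, plus a worse-metric unreachable
# fallback so TV traffic is dropped, not leaked via WAN, when tun0 goes down
ip route flush table ${TABLE}
ip route add default via ${TUN_GW} dev ${TUN_IF} table ${TABLE}
ip route add unreachable default table ${TABLE} metric 1000
# rule 999: TV traffic may use the main table for everything except default
# routes (prefix length 0), so VLAN1, the router and the tunnel endpoint's own
# subnet stay reachable without the tunnel
ip rule del from ${TV_NET} lookup main suppress_prefixlength 0 priority 999 2>/dev/null
ip rule add from ${TV_NET} lookup main suppress_prefixlength 0 priority 999
# rule 1000: anything else sourced from the TV VLAN is routed by the TV table
ip rule del from ${TV_NET} lookup ${TABLE} priority 1000 2>/dev/null
ip rule add from ${TV_NET} lookup ${TABLE} priority 1000
ip route flush cache
# the VPN provider will not route 192.168.11.0/24, so hide it behind tun0's address
iptables -t nat -C POSTROUTING -s ${TV_NET} -o ${TUN_IF} -j MASQUERADE 2>/dev/null || iptables -t nat -A POSTROUTING -s ${TV_NET} -o ${TUN_IF} -j MASQUERADE
EOF
}

# Commands that show what the kernel will actually do with a packet forwarded
# from the TV (192.168.11.2) to an arbitrary public address (8.8.8.8 is just a
# constructed example target): the first query must answer with tun0, the same
# query for a VLAN1 host must answer with the WAN interface.
pbr_verify_commands() {
    cat <<EOF
ip rule show
ip route show table ${TABLE}
ip route get 8.8.8.8 from 192.168.11.2 iif ${TV_IF}
ip route get 8.8.8.8 from 192.168.10.2 iif br-lan
EOF
}

case "${1:-}" in
    apply)  pbr_commands | sh ;;
    verify) pbr_verify_commands | sh ;;
    *)      pbr_commands ;;           # default: just print the plan
esac
```

Two caveats for a real deployment. First, the routes in table 100 point at tun0, so the kernel removes them whenever the tunnel goes down; re-run the script from an OpenVPN `--up` or `--route-up` hook (or move the rule and route into `config rule` / `config route` sections of /etc/config/network, which OpenWrt re-applies on interface events), and until the tunnel is back the unreachable fallback keeps TV traffic from silently leaking out of the WAN. Second, the firewall still has to allow it: the lantv-to-vpn forwarding from the question is needed, the vpn zone needs masquerading (the `iptables` line above corresponds to `option masq '1'` on that zone), and the zone's `list network` must name the interface section that actually owns tun0, otherwise the zone contains no interface at all.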
