Working with VLANs and OpenVPN on a router
Posted: Tue Feb 14, 2012 10:17 pm
I have been struggling with this for a while, and am hoping someone might point me in the right direction. I have a WNR3500L router running TomatoUSB and OpenVPN 2.1, which I have been working with for a while, and I am comfortable compiling from source and modifying the system. Newer versions of TomatoUSB support VLANs. I have configured my router with four VLANs and an OpenVPN tunnel over tun/UDP. It all works great! Each VLAN has its own IP range, and seems to be able to connect to resources at the far end of the VPN.
Better yet (and this took some source code tweaks in Tomato) if I set the appropriate config option, I can route all traffic down the tunnel, from all the VLANs.
But what if I would like all traffic from one VLAN to go down the tunnel, traffic from another not? Doesn't sound too hard, but so far a solution has eluded me.
I have tried NOT setting the "redirect all" option and manually routing traffic from a particular VLAN to the tunnel, AND I have tried setting the "route all" option and routing traffic from a particular VLAN directly to the internet. No joy. My attempts result in a VLAN that no longer seems to even be able to get an IP address via DHCP, never mind connect to the tunnel/internet.
This is an example of what I have tried:

    ip route add 192.168.30.0/24 dev vlan2 table 1
    ip route add default via 192.168.254.33 table 1
    ip rule add from 192.168.30.0/24 table 1
    ip route flush cache

Traffic from my VLANs defaults to the tunnel like it should, but traffic from 192.168.30.0/24 is routed directly to the Ethernet interface (vlan2).

More details can be found here: http://tomatousb.org/forum/t-441920/vla ... elp-needed and some help would be most welcome. Am I missing a local route, some sort of broadcast magic?

This is the routing table:
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    10.255.0.1 * 255.255.255.255 UH 0 0 0 tun11
    192.168.254.33 192.168.254.33 255.255.255.255 UGH 0 0 0 vlan2
    192.168.254.33 * 255.255.255.255 UH 0 0 0 vlan2
    192.168.254.32 * 255.255.255.224 U 0 0 0 vlan2
    192.168.30.0 * 255.255.255.0 U 0 0 0 br3
    192.168.20.0 * 255.255.255.0 U 0 0 0 br2
    192.168.2.0 * 255.255.255.0 U 0 0 0 br0
    192.168.8.0 * 255.255.255.0 U 0 0 0 br1
    127.0.0.0 * 255.0.0.0 U 0 0 0 lo
    default 10.255.0.1 128.0.0.0 UG 0 0 0 tun11
    128.0.0.0 10.255.0.1 128.0.0.0 UG 0 0 0 tun11
    default 192.168.254.33 0.0.0.0 UG 0 0 0 vlan2
Steve