[Solved] - MultiWAN - Gateway Issue (Update: Bridge passing traffic issue)



  • Hi there

I have this annoying problem and I don't have a clue what to do:

    • All devices from LAN 1 have access to the Internet. But it is not possible to access devices in the local network (for example a network printer or other network devices). If I do a tracert to a local IP address it goes directly over the gateway that the WAN gets from the ISP (public IP).

    • If I take out the Gateway in the LAN1 firewall rules then I have access to the local devices but no Internet access.

    I assume I have a gateway problem but I'm not able to resolve this so that I have access to the local devices and also have access to the Internet. Can anyone give me a hint what I'm doing wrong?

FYI: The VPN connection through the LAN2 port works as expected. No issue there.

    Findings:

I figured that I'm not able to pass through from WIFI to the LAN interface (and vice versa as well). So if the client is in LAN I can ping LAN devices and have access to the Internet. Same thing with WIFI. I'm investigating my firewall rules - any hints are welcome :)

    Here is my configuration so far:

    WIFI_LAN -> WAN -> Router -> Internet
    LAN2 -> VPN -> WAN -> Router -> Internet

    WAN Configuration:

    Interface: vr0 > WAN > DHCP (public IP)
    Firewall Rules:  Block Private Network > Yes / Block network yes

    LAN 1 Configuration:

    vr1 > LAN  > Bridge0 > noip
    ath0 > WIFI > Bridge0 > noip
    bridge0 > LAN1 > static (10.10.2.x)

For LAN1 (bridge0) I activated the DHCP server with a specific range (10.10.2.1 - 20), DNS1: 8.8.8.8 DNS2: 8.8.4.4

    Firewall Rules:
    LAN: IPV4* Source* Port* Destination* Port* Gateway* Queue*
    WIFI: IPV4* Source* Port* Destination* Port* Gateway* Queue*
    LAN1: IPV4* Source* Port* Destination* Port* Gateway "WAN" Queue*

    Bridge Configuration -> System -> Advanced -> System Tunables
    net.link.bridge.pfil_member = 0
    net.link.bridge.pfil_bridge = 1

    WIFI Config:
    Mode: Access Point
Allow Intra-BSS communication: Yes

    LAN2 Configuration

    I configured the openvpn client (used strongvpn setup) and used the WAN as interface in the configuration

    opnvpn01 > VPN > noip

    Firewall Rules:
    OpenVPN: IPV4* Source* Port* Destination* Port* Gateway "VPN" Queue*
    VPN: IPV4* Source* Port* Destination* Port* Gateway* Queue*

    Gateways:
    VPN > Interface "VPN" Gateway "VPN IP" Monitor IP "None"
    WAN > Interface "WAN" Gateway "PublicIP" Monitor IP "PublicIP"

    NAT Outbound (Manual):

Interface: WAN Source: 127.0.0.0/8 SourcePort: * Destination: * DestinationPort: 500 NATAddress: WAN address NATPort: * StaticPort: Yes
    Interface: WAN Source: 127.0.0.0/8 SourcePort: * Destination: * DestinationPort: * NATAddress: WAN address NATPort: * StaticPort: No
    Interface: VPN Source: 10.10.3.0/24 SourcePort: * Destination: * DestinationPort: 500 NATAddress: WAN address NATPort: * StaticPort: Yes
    Interface: VPN Source: 10.10.3.0/24 SourcePort: * Destination: * DestinationPort: * NATAddress: WAN address NATPort: * StaticPort: No
    Interface: WAN Source: 10.10.2.0/24 SourcePort: * Destination: * DestinationPort: 500 NATAddress: WAN address NATPort: * StaticPort: Yes
    Interface: WAN Source: 10.10.2.0/24 SourcePort: * Destination: * DestinationPort: * NATAddress: WAN address NATPort: * StaticPort: No



  • Without trying to work out all the detail posted above, I will give you the principle. If you specify a gateway on a rule then that is called policy routing and it overrides any normal routing that would happen. So if you have LAN1 and LAN2, and on LAN2 you put a pass-all-to-WAN-gateway rule, then everything is forced out the WAN gateway, even traffic destined for LAN1.
    To fix that, on LAN2 rules first put a rule to pass source LAN2net destination LAN1net gateway none.
    The traffic from LAN2 to LAN1 will match that first rule and will be handed to the ordinary routing table to be delivered locally to LAN1.

    Principle: put ordinary pass rules for local traffic before policy-routing rules that force general traffic out a gateway.



  • To fix that, on LAN2 rules first put a rule to pass source LAN2net destination LAN1net gateway none.

Yes, that was the missing piece. I added rule 1) on LAN1 (Bridge) and now I can ping from WIFI to LAN and vice versa without issue. :D

    New Complete Firewall Rules:

    LAN (vr01)

    1. IPv4+6 * * * * * * none

    WIFI (ath0)

    1. IPv4+6 * * * * * * none

    LAN1 (Bridge)

    1. IPv4 * LAN1 net * LAN1 net * * none
    2. IPv4 * LAN1 net * * * Gateway "WAN" none

    Thanks for the help.
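To make the first-match behaviour behind the answer concrete, here is an added example (not from the thread or from pfSense itself) that simulates how a per-interface rule list picks a gateway for a packet. It assumes the LAN1 net 10.10.2.0/24 from the thread, constructed host addresses, and a simplified model: first matching pass rule wins, a rule with a gateway policy-routes, a rule without one hands the packet to the routing table, and no match means the default deny.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Constructed addressing, matching the thread: LAN1 (bridge0) is 10.10.2.0/24.
LAN1_NET = ip_network("10.10.2.0/24")


@dataclass
class Rule:
    """A pass rule as pfSense evaluates it on an interface: top to bottom, first match wins."""
    src: Optional[IPv4Network]   # None means 'any'
    dst: Optional[IPv4Network]   # None means 'any'
    gateway: Optional[str]       # None = ordinary routing table, otherwise policy routing


def select_gateway(rules, src, dst):
    """Return the gateway assigned by the first matching rule, 'routing-table'
    when that rule has no gateway, or 'blocked' when no rule matches (default deny)."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    for r in rules:
        if (r.src is None or src_ip in r.src) and (r.dst is None or dst_ip in r.dst):
            return r.gateway if r.gateway else "routing-table"
    return "blocked"


# Original LAN1 rule set from the first post: one pass-all rule with gateway "WAN".
broken = [Rule(LAN1_NET, None, "WAN")]

# Fixed rule set from the last post: local-to-local first with no gateway,
# then the policy-routed catch-all to WAN.
fixed = [Rule(LAN1_NET, LAN1_NET, None), Rule(LAN1_NET, None, "WAN")]

# The same two rules in the wrong order: the catch-all shadows the local rule.
misordered = list(reversed(fixed))


def demo():
    client = "10.10.2.5"          # constructed LAN1 host
    printer = "10.10.2.15"        # constructed local printer on LAN1
    internet = "198.51.100.10"    # constructed public address (documentation range)
    return {
        "broken_local": select_gateway(broken, client, printer),          # WAN: printer unreachable
        "broken_internet": select_gateway(broken, client, internet),      # WAN
        "fixed_local": select_gateway(fixed, client, printer),            # routing-table: delivered locally
        "fixed_internet": select_gateway(fixed, client, internet),        # WAN
        "misordered_local": select_gateway(misordered, client, printer),  # WAN: order matters
    }
```

The `misordered` case is the check worth keeping in mind: adding the local pass rule below the gateway rule changes nothing, because the catch-all matches first.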