[Solved] - MultiWAN - Gateway Issue (Update: Bridge passing traffic issue)

calibanorg

Hi there

I have this ignoring problem i don't get clue what to do:

• All devices from LAN 1 have access to the Internet. But it is not possible to access devices in the local network (for example network printer or other network devices). If i do a tracert to a local ip address it goes directly over the gateway that the WAN gets from the ISP (public IP)

• If i take out the Gateway in the LAN1 Firewall rules then i have access to the Local devices but no Internet access

I assume i have a gateway problem but i'm not able to resolve this that i have access to the Local and also have access to the Internet. Can anyone give me a hint what i'm doing wrong?

FYI: The VPN connection trough the LAN2 port works as expected. No issue there.

Findings:

I figured that i'm not able to pass trough WIFI to the LAN Interface (vs versa as well). So if client is in LAN i can ping LAN devices and have access to the internet. Same thing with WIFI. I'm investigating my firewall rules - any hints are welcome :)

Here my configuration so fare:

WIFI_LAN -> WAN -> Router -> Internet
LAN2 -> VPN -> WAN -> Router -> Internet

WAN Configuration:

Interface: vr0 > WAN > DHCP (public IP)
Firewall Rules:  Block Private Network > Yes / Block network yes

LAN 1 Configuration:

vr1 > LAN  > Bridge0 > noip
ath0 > WIFI > Bridge0 > noip
bridge0 > LAN1 > static (10.10.2.x)

for LAN1 (bridge0) i activated the DHCP Server with specific range (10.10.2.1 - 20), DNS1: 8.8.8.8 DNS2: 8.8.4.4

Firewall Rules:
LAN: IPV4* Source* Port* Destination* Port* Gateway* Queue*
WIFI: IPV4* Source* Port* Destination* Port* Gateway* Queue*
LAN1: IPV4* Source* Port* Destination* Port* Gateway "WAN" Queue*

Bridge Configuration -> System -> Advanced -> System Tunables
net.link.bridge.pfil_member = 0
net.link.bridge.pfil_bridge = 1

WIFI Config:
Mode: Access Point
Allow INtra-BSS communication: Yes

LAN2 Configuration

I configured the openvpn client (used strongvpn setup) and used the WAN as interface in the configuration

opnvpn01 > VPN > noip

Firewall Rules:
OpenVPN: IPV4* Source* Port* Destination* Port* Gateway "VPN" Queue*
VPN: IPV4* Source* Port* Destination* Port* Gateway* Queue*

Gateways:
VPN > Interface "VPN" Gateway "VPN IP" Monitor IP "None"
WAN > Interface "WAN" Gateway "PublicIP" Monitor IP "PublicIP"

NAT Outbound (Manual):

Interface: WAN Source: 127.0.0.0/8 SourcePort: * Destination: * DestinationPort: 500 NATAdress: WAN address NATPort: * StaticPort: Yes
Interface: WAN Source: 127.0.0.0/8 SourcePort: * Destination: * DestinationPort: * NATAdress: WAN address NATPort: * StaticPort: No
Interface: VPN Source: 10.10.3.0/24 SourcePort: * Destination: * DestinationPort: 500 NATAdress: WAN address NATPort: * StaticPort: Yes
Interface: VPN Source: 10.10.3.0/24 SourcePort: * Destination: * DestinationPort: * NATAdress: WAN address NATPort: * StaticPort: No
Interface: WAN Source: 10.10.2.0/24 SourcePort: * Destination: * DestinationPort: 500 NATAdress: WAN address NATPort: * StaticPort: Yes
Interface: WAN Source: 10.10.2.0/24 SourcePort: * Destination: * DestinationPort: * NATAdress: WAN address NATPort: * StaticPort: No

phil.davis

Without trying to work out all the detail posted above, I will give you the principle. If you specify a gateway on a rule then that is called policy-routing and it overrides any normal routing that would happen, so if you have LAN1 and LAN2, then on LAN2 put a pass all to WAN gateway rule, then everything is forced out WAN gateway, even traffic destined for LAN1.
To fix that, on LAN2 rules first put a rule to pass source LAN2net destination LAN1net gateway none.
The traffic from LAN2 to LAN1 will match that first rule and will be handed to the ordinary routing table to be delivered locally to LAN1.

Principle: put ordinary pass rules for local traffic before policy-routing rules that force general traffic out a gateway.

calibanorg

To fix that, on LAN2 rules first put a rule to pass source LAN2net destination LAN1net gateway none.

Yes that was the missing piece. I added the 1) rule on the LAN1 (Bridge) and now i can ping from wifi to lan vice versa without issue. :D

New Complete Firewall Rules:

LAN (vr01)

1. IPv4+6 * * * * * * none

WIFI (ath0)

1. IPv4+6 * * * * * * none

LAN1 (Bridge)

1. IPv4 * LAN1 net * LAN1 net * * none
2. IPv4 * LAN1 net * * * Gateway "WAN" none

Thanks for the help.