[solved] traffic in VLAN not routed to default GW unless set as GW in FW rule

  • Hi everybody,

I set up two VLANs on the LAN interface.

    VLAN1 should be used for the common internet traffic (WAN_PPPoE), VLAN2 for an OpenVPN connection.

    WAN_PPPoE is set as the default gateway

Now I have the problem that traffic in VLAN1 is not routed to WAN unless WAN_PPPoE is set as the gateway in a firewall rule.

    What can I check to ensure the default route is working correctly? Actually I don't want to set up a static route (or is this needed?)

    Kind Regards,

To verify, check the route in Diagnostics -> Routes.

    Is the OpenVPN connection from one of the popular VPN providers?
    If yes:
    - check route-nopull in the VPN client configuration page.
    - assign an interface to your OpenVPN connection (using Interfaces -> Assign, then enable the interface, but leave everything blank).

    You should now have a gateway for DSL & VPN. The default one will apply when none is specified.

Thanks for the hint, you are right, the problem is directly related to the OpenVPN client / 2nd gateway.

    When I stop the OpenVPN service, I get the old state back.

    I will try some things and respond later :)

I don't know what's wrong.

    I followed those guides:

    Immediately when the OpenVPN client connects this route is added to the routing table:  -> "vpn ip"

    route-nopull is set.

Could you post some screenshots of the client configuration page (blank out the irrelevant sensitive stuff)?

    Also, are you running a fairly recent version?

Thanks for your help, here are screenshots of:

    • global interface configuration
    • interface VLAN1
    • interface VLAN2
    • FW rules VLAN 1
    • FW rules VLAN 2
    • NAT rules
• OpenVPN configuration

    I'm running the latest stable 2.2.6 version.

    The FW rule screenshot still has the gateway set; otherwise I couldn't access the internet.

    Additional openvpn parameters:

resolv-retry infinite
    redirect-gateway def1
    cipher AES-256-CBC
    auth MD5
    keepalive 5 60
    explicit-exit-notify 2
    script-security 2
    remote-cert-tls server
    route-delay 5
    tun-mtu 1500
    fragment 1300
    mssfix 1300
    verb 4

  • Tried removing "redirect-gateway def1" ?
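
The check below is an added example, not something posted in this thread or part of pfSense or OpenVPN. It scans an OpenVPN client configuration for directives that take over the system default route, which is what `redirect-gateway def1` does: it installs 0.0.0.0/1 and 128.0.0.0/1 routes through the tunnel, and those are more specific than the firewall's real 0.0.0.0/0 default, so all traffic leaves via the VPN unless a firewall rule pins a different gateway. `route-nopull` only discards routes pushed by the server and does nothing about directives written into the client config itself, which is why it did not help here. The two sample configurations are constructed copies of the options shown in the thread, one with the offending line and one without; the function names are this example's own.

```python
"""Lint an OpenVPN client configuration for directives that override the
system default route (added example, not part of the forum thread)."""
from dataclasses import dataclass
from typing import List
import ipaddress

# Directives that redirect "everything else" into the tunnel. With or without
# the def1 flag, redirect-gateway takes over the default route.
DEFAULT_ROUTE_DIRECTIVES = {"redirect-gateway"}


@dataclass
class Finding:
    line_no: int
    directive: str
    reason: str


def _covers_default(network: str, netmask: str) -> bool:
    """True if a 'route' directive is the default route (/0) or one of the
    two /1 halves that the def1 trick uses to beat a /0 default route.
    Non-IP targets such as 'vpn_gateway' or hostnames are ignored."""
    try:
        net = ipaddress.ip_network(f"{network}/{netmask}", strict=False)
    except ValueError:
        return False
    return net.prefixlen <= 1


def lint_ovpn(config_text: str) -> List[Finding]:
    """Return one Finding per directive that would replace or shadow the
    system default route. route-nopull is deliberately not treated as a
    mitigation: it only filters routes pushed by the server."""
    findings: List[Finding] = []
    for n, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        # OpenVPN treats lines beginning with '#' or ';' as comments.
        if not line or line.startswith(("#", ";")):
            continue
        parts = line.split()
        directive = parts[0]
        if directive in DEFAULT_ROUTE_DIRECTIVES:
            findings.append(Finding(n, directive,
                                    "replaces the system default route with the tunnel"))
        elif directive == "route" and len(parts) >= 2:
            # route <network> [netmask] [gateway] [metric]; netmask defaults to /32
            mask = parts[2] if len(parts) >= 3 else "255.255.255.255"
            if _covers_default(parts[1], mask):
                findings.append(Finding(n, directive,
                                        "static route that covers the default route"))
    return findings


# Constructed sample: the custom options posted in the thread.
POSTED_OPTIONS = """\
resolv-retry infinite
redirect-gateway def1
cipher AES-256-CBC
auth MD5
keepalive 5 60
explicit-exit-notify 2
script-security 2
remote-cert-tls server
route-delay 5
tun-mtu 1500
fragment 1300
mssfix 1300
verb 4
"""

# Same options with the offending directive removed (the thread's fix).
FIXED_OPTIONS = POSTED_OPTIONS.replace("redirect-gateway def1\n", "")

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_OPTIONS), ("fixed", FIXED_OPTIONS)):
        hits = lint_ovpn(cfg)
        print(f"{label}: {len(hits)} default-route override(s)")
        for f in hits:
            print(f"  line {f.line_no}: {f.directive} ({f.reason})")
```

Run it against the client's custom options before assigning the VPN as a second gateway: a clean result means the firewall's default gateway stays the default and the OpenVPN gateway is only used where a rule selects it.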

It seems like I couldn't see the wood for the trees ::).

    Thank you very much for the help.

    I marked the thread as solved.

  • :)
    glad you got i sorted
