Firewall – LEDE | Two VLANs – when one connects to OpenVPN the other has no internet connection

Tags: firewall, openvpn, vlan

We have two VLANs. First one is supposed to operate with OpenVPN (NordVPN), have two WiFi networks (5G, 2.4G) and occupy two switch ports. Second one is supposed to be normal, have one WiFi (2.4G) and occupy other two switch ports. The problem is, when I start the OpenVPN service, the first VLAN connects to it, but the internet disappears completely on the second. If I turn it off it comes back. It looks like OpenVPN blocks off all traffic, but I don't know why it happens on both VLANs, when only the first one is linked to the OpenVPN firewall. Here are some details:

config interface 'lan'
    option type 'bridge'
    option ifname 'eth1.1'
    option proto 'static'
    option ipaddr '192.168.1.1'
    option netmask '255.255.255.0'
    option ip6assign '60'
    option dns '208.67.222.222 208.67.220.220'

config interface 'lan2'
    option type 'bridge'
    option proto 'static'
    option ipaddr '192.168.2.1'
    option netmask '255.255.255.0'
    option ip6assign '60'
    option dns '208.67.222.222 208.67.220.220'
    option ifname 'eth1.2'

config switch_vlan 'eth1_1'
    option device 'switch0'
    option vlan '1'
    option vid '1'
    option ports '3 4 6t'

config switch_vlan 'eth1_2'
    option device 'switch0'
    option vlan '2'
    option ports '1 2 6t'
    option vid '2'

config switch_vlan
    option device 'switch0'
    option vlan '3'
    option ports '0 5'
    option vid '3'

config interface 'nordvpntun'
    option proto 'none'
    option ifname 'tun0'

I set up firewall forwarding like this:

config zone
    option name 'vpnfirewall'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
    option network 'nordvpntun'

config forwarding
    option src 'lan'
    option dest 'wan'

config forwarding
    option src 'lan'
    option dest 'vpnfirewall'

config forwarding
    option src 'lan2'
    option dest 'wan'

Here are some screenshots from GUI:

[Screenshot: Interfaces]

[Screenshot: Firewall]

[Screenshot: VLAN Switch]

[Screenshot: Routes before and after VPN started]

Best Answer

As indicated in the image of the routing table, the VPN connection is clobbering the default gateway for your router, forcing all outbound traffic through the VPN regardless of which internal subnet it originated from. "lan2" loses connectivity because it is trying to use the VPN, but the firewall rules prevent it from doing so.

The best way to tackle this may be to modify routing policy so that you have a different routing table depending where the traffic originates.

Let's take a stab at this policy routing (source), forcing traffic from 'lan2' to use the default gateway:

# ip rule add from 192.168.2.0/24 table lan2
# ip route add default via 192.168.1.254 dev eth0 table lan2

(Actually, this may explode since 192.168.1.0/24 is your WAN subnet. You can either fix this maybe by adding src br-lan to the first line after the address, or by changing the address range of your LAN in the interface configuration and here).

Confirm output with:

# ip rule list
# ip route show table lan2

Start your VPN client and test both networks.

Note that the commands above will not persist reconfigurations or reboots. You will need to commit them somewhere such that they execute when the interfaces come up.

Edit: @Haruspik's comment indicates that the above works. Here's how to make it persistent:

At the bottom of /etc/iproute2/rt_tables, create a new table:

10 lan2

In /etc/config/network, add the new rules and routes so they persist (source):

config rule
    option src    '192.168.2.0/24'
    option lookup 'lan2'

config route
    option interface 'wan'
    option target    '0.0.0.0'
    option netmask   '0.0.0.0'
    option gateway   '192.168.1.254'
    option table     'lan2'

Finally, apply with service network restart and confirm output with:

# ip rule list
# ip route show table lan2
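To see why lan2 goes dark when the tunnel comes up and why a source-based rule restores it, here is a small simulation of the routing decision plus the zone forwarding check. It is added here and is not code from the question or the answer; the interface names (br-lan, br-lan2, eth0, tun0), the table contents and the test addresses are constructed from the configuration shown above.

```python
import ipaddress

# Constructed model of the router in the question (a simulation, not a real routing stack).
# Interface -> firewall zone, and the zone forwardings from the /etc/config/firewall above.
ZONES = {"br-lan": "lan", "br-lan2": "lan2", "eth0": "wan", "tun0": "vpnfirewall"}
FORWARDINGS = {("lan", "wan"), ("lan", "vpnfirewall"), ("lan2", "wan")}

# Routing tables as {name: [(prefix, egress_device), ...]}. 'main' holds the kernel's
# default route, which OpenVPN replaces with tun0 once the tunnel is up.
MAIN_NO_VPN = [("192.168.1.0/24", "br-lan"), ("192.168.2.0/24", "br-lan2"), ("0.0.0.0/0", "eth0")]
MAIN_VPN_UP = [("192.168.1.0/24", "br-lan"), ("192.168.2.0/24", "br-lan2"), ("0.0.0.0/0", "tun0")]
# The fix from the answer: a source-based rule and a separate table whose default is the WAN.
LAN2_RULE = [("192.168.2.0/24", "lan2")]
LAN2_TABLE = {"lan2": [("0.0.0.0/0", "eth0")]}


def egress(tables, rules, src, dst):
    """Policy routing lookup: the first rule whose source matches selects a table and
    the main table is consulted last; within a table the longest prefix wins."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    order = [t for net, t in rules if s in ipaddress.ip_network(net)] + ["main"]
    for table in order:
        hits = [(ipaddress.ip_network(p), dev) for p, dev in tables.get(table, [])
                if d in ipaddress.ip_network(p)]
        if hits:
            return max(hits, key=lambda h: h[0].prefixlen)[1]
    return None


def verdict(in_dev, tables, rules, src, dst):
    """ACCEPT when a zone forwarding allows in_dev's zone -> egress zone; otherwise the
    zones' forward policy (REJECT) applies, which is what lan2 hits via tun0."""
    out = egress(tables, rules, src, dst)
    if out is None:
        return "NO_ROUTE"
    return "ACCEPT" if (ZONES[in_dev], ZONES[out]) in FORWARDINGS else f"REJECT via {out}"


def scenarios():
    """lan2's fate before the VPN, with the VPN up, and with the policy route in place,
    plus a check that lan still goes through the tunnel after the fix."""
    host, inet = "192.168.2.10", "203.0.113.5"  # constructed client and Internet target
    fixed = {"main": MAIN_VPN_UP, **LAN2_TABLE}
    return {
        "no_vpn": verdict("br-lan2", {"main": MAIN_NO_VPN}, [], host, inet),
        "vpn_up": verdict("br-lan2", {"main": MAIN_VPN_UP}, [], host, inet),
        "vpn_up_fixed": verdict("br-lan2", fixed, LAN2_RULE, host, inet),
        "lan_vpn_up_fixed": verdict("br-lan", fixed, LAN2_RULE, "192.168.1.10", inet),
    }
```

Running scenarios() reproduces the symptom (lan2 is routed into tun0, where no lan2-to-vpnfirewall forwarding exists) and shows that the rule sends lan2 back out eth0 while lan keeps using the tunnel.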