Hi All,
I have set up my router as an OpenVPN client connecting to a VPS in the USA.
I have my internal LAN configured with an additional VLAN, which is intended purely for accessing the VPN via my WiFi access point.
Essentially I want to set up a WiFi network, with the SSID 'The LAN of the Free', in order to connect a Roku (eventually, if this ever works) and watch great channels like C-SPAN. I'm tagging that network as VLAN 666.
I have set up policy-based routes in order to assign a different interface route to each of my subnets; I've created DHCP, NAT, and everything I think I might need, but something is going terribly wrong.
My problem is that when I enable my VPN interface, it connects, and then only Ethernet clients work. My WiFi connections can no longer access the internet.
I wonder if perhaps my switch is not VLAN-aware; it's a TL-SG1024. So currently the access point is connected to the switch, and that switch is connected to eth1 on the ER-4 router.
My two questions are:
- Is anything wrong with my config below?
- How can I modify my config so I can plug my access point into my unused eth2 interface?
Thanks in advance
Config:
firewall {
all-ping enable
broadcast-ping disable
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
modify PBR {
rule 10 {
action modify
description mainNetwork
modify {
table 1
}
source {
address 192.168.2.0/24
}
}
rule 20 {
action modify
description usaNetwork
modify {
table 2
}
source {
address 192.168.10.0/24
}
}
}
name WAN_IN {
default-action drop
description "WAN to internal"
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
name WAN_LOCAL {
default-action drop
description "WAN to router"
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
rule 30 {
action accept
description ike
destination {
port 500
}
log disable
protocol udp
}
rule 40 {
action accept
description esp
log disable
protocol esp
}
rule 50 {
action accept
description nat-t
destination {
port 4500
}
log disable
protocol udp
}
rule 60 {
action accept
description l2tp
destination {
port 1701
}
ipsec {
match-ipsec
}
log disable
protocol udp
}
}
options {
mss-clamp {
mss 1412
}
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
}
interfaces {
ethernet eth0 {
description "Internet (PPPoE)"
duplex auto
pppoe 0 {
default-route auto
firewall {
in {
name WAN_IN
}
local {
name WAN_LOCAL
}
}
mtu 1492
name-server auto
password <-- scrubbed -->
user-id <-- scrubbed -->
}
speed auto
}
ethernet eth1 {
address 192.168.2.1/24
description Local
duplex auto
firewall {
in {
modify PBR
}
}
speed auto
vif 666 {
address 192.168.10.1/24
description DBNZ_VLAN
firewall {
in {
modify PBR
}
}
}
}
ethernet eth2 { <-- unused -->
address 192.168.3.1/24
description "Local 2"
duplex auto
speed auto
}
ethernet eth3 {
duplex auto
speed auto
}
loopback lo {
}
openvpn vtun0 {
config-file <-- scrubbed -->
disable
}
}
protocols {
static {
interface-route 0.0.0.0/0 {
next-hop-interface pppoe0 {
}
}
table 1 {
interface-route 0.0.0.0/0 {
next-hop-interface pppoe0 {
}
}
}
table 2 {
interface-route 0.0.0.0/0 {
next-hop-interface vtun0 {
}
}
}
}
}
service {
dhcp-server {
disabled false
hostfile-update disable
shared-network-name DNBZ_DHCP {
authoritative disable
subnet 192.168.10.0/24 {
default-router 192.168.10.1
dns-server 8.8.8.8
lease 86400
start 192.168.10.2 {
stop 192.168.10.99
}
}
}
shared-network-name LAN1 {
authoritative enable
subnet 192.168.2.0/24 {
default-router 192.168.2.1
dns-server 192.168.2.1
lease 86400
start 192.168.2.38 {
stop 192.168.2.99
}
}
}
shared-network-name LAN2 {
authoritative enable
disable
subnet 192.168.3.0/24 {
default-router 192.168.3.1
dns-server 192.168.3.1
lease 86400
start 192.168.3.38 {
stop 192.168.3.243
}
}
}
static-arp disable
use-dnsmasq disable
}
dns {
<-- scrubbed -->
}
gui {
<-- scrubbed -->
}
nat {
rule 5000 {
description "DBNZ VPN"
log disable
outbound-interface vtun0
protocol all
source {
address 192.168.10.0/24
group {
}
}
type masquerade
}
rule 5001 {
description "masquerade for WAN"
log disable
outbound-interface pppoe0
protocol all
source {
address 192.168.2.0/24
}
type masquerade
}
}
ssh {
port 22
protocol-version v2
}
unms {
}
}
system {
<-- scrubbed -->
}
vpn {
ipsec {
allow-access-to-local-interface disable
auto-firewall-nat-exclude enable
}
l2tp {
<-- I have an inbound L2TP connection, if that matters -->
}
}
