I have the following topology:
- router (192.168.10.1, 192.168.11.1)
- WAN - eth1 (1.2.3.4)
- VLAN1 (br-lan) - eth0 (PC1, 192.168.10.2, PC2, 192.168.10.3)
- VLAN2 (br-lantv) - eth2 (Smart TV, 192.168.11.2)
and I have an OpenVPN client running on the router. I want to route JUST the traffic from the Smart TV (VLAN2) through the VPN tunnel; the rest (router, VLAN1) should go directly to the WAN, without the TV even noticing (it is pretty dumb, and I'm unable to configure a VPN client on it).
The router is running OpenWrt (Turris Omnia).
I ended up with the following:
/etc/config/firewall

config zone
	option name 'lan'
	list network 'lan'

config zone
	option name 'lantv'
	list network 'lantv'

config zone
	option name 'vpn'
	# note: /etc/config/network below names the tunnel interface 'nordvpntun', not 'vpntun0'
	list network 'vpntun0'

# lantv is only allowed out through the tunnel
config forwarding
	option src 'lantv'
	option dest 'vpn'

# lan goes straight to the WAN
config forwarding
	option src 'lan'
	option dest 'wan'
/etc/config/network

# VLAN1: PCs, bridged on eth0
config interface 'lan'
	option ifname 'eth0'
	option force_link '1'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.10.1'

# VLAN2: Smart TV, bridged on eth2
config interface 'lantv'
	option ifname 'eth2'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.11.1'

# OpenVPN tunnel device, addressed by the OpenVPN client itself
config interface 'nordvpntun'
	option proto 'none'
	option ifname 'tun0'
	option delegate '0'

config interface 'wan'
	option ifname 'eth1'
	option proto 'dhcp'
And I end up with the following routing table:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.7.7.1        128.0.0.0       UG    0      0        0 tun0
default         1.2.3.4         0.0.0.0         UG    0      0        0 eth1
10.7.7.0        *               255.255.255.0   U     0      0        0 tun0
78.45.252.0     *               255.255.255.0   U     0      0        0 eth1
78.45.252.1     *               255.255.255.255 UH    0      0        0 eth1
128.0.0.0       10.7.7.1        128.0.0.0       UG    0      0        0 tun0
173.209.60.43   1.2.3.4         255.255.255.255 UGH   0      0        0 eth1
192.168.10.0    *               255.255.255.0   U     0      0        0 br-lan
192.168.11.0    *               255.255.255.0   U     0      0        0 br-lantv
Traffic from the LAN cannot reach the internet.
I tried the following:
config forwarding
	option src 'lan'
	option dest 'vpn'
which routes everything, even from the PCs and the router, through the VPN, and that is undesirable.
OR
adding --route-nopull to the VPN config, which ended up with no routes; lantv was forwarded to vpn, but it ended there, and the internet was unreachable.
What I am probably missing is the way to define a default gateway route for a specific VLAN, and to configure lantv that way. Or am I doing it completely wrong? Is a separate VLAN even needed? I want to re-route only a single device. Thanks!
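The piece missing from the question is policy-based routing: a second routing table that holds only the tunnel default, and an `ip rule` that sends packets arriving on br-lantv to that table while the main table stays as it is. The script below is an added example and not part of the original question or of any OpenWrt/OpenVPN project code. It assumes the OpenVPN client runs with `route-nopull` (so the 0.0.0.0/1 and 128.0.0.0/1 routes seen in the routing table above are gone), that tun0 is up with the gateway 10.7.7.1 shown there, and that `ip` understands the `prohibit` rule action (the full iproute2 `ip-full` package on OpenWrt; busybox `ip` may not). Table number 100 and the rule preferences 100/101 are arbitrary choices. Two things the script does not do that the firewall config still needs: the `vpn` zone must masquerade (`option masq '1'`, and usually `option mtu_fix '1'`), otherwise packets leave the tunnel with a 192.168.11.x source and the VPN server drops them; and the zone's `list network 'vpntun0'` must match the interface actually defined in /etc/config/network (`nordvpntun` above), or the zone contains no device at all.

```shell
#!/bin/sh
# Added example, not from the original question: policy-based routing that
# sends only traffic arriving on br-lantv (192.168.11.0/24) through the
# OpenVPN tunnel, while the main routing table keeps sending the router
# itself and br-lan out of eth1.
#
# Assumptions (not stated in the question): OpenVPN runs with `route-nopull`,
# tun0 is up with gateway 10.7.7.1 as in the question's routing table, and
# `ip` supports the `prohibit` rule action (iproute2 / OpenWrt `ip-full`).
# Table 100 and rule preferences 100/101 are arbitrary picks.

TUN_DEV="${TUN_DEV:-tun0}"
TUN_GW="${TUN_GW:-10.7.7.1}"
TV_IFACE="${TV_IFACE:-br-lantv}"
TV_TABLE="${TV_TABLE:-100}"

# run: print the command (plan mode, the default) or execute it (APPLY=1).
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# tv_vpn_routes: emit or apply the rules that make br-lantv traffic use the
# tunnel, with a kill switch so the TV is cut off rather than leaked to eth1
# if tun0 disappears.
tv_vpn_routes() {
    # Remove leftovers from an earlier run; failures here are expected.
    run ip rule del iif "$TV_IFACE" lookup "$TV_TABLE" pref 100 2>/dev/null || true
    run ip rule del iif "$TV_IFACE" prohibit pref 101 2>/dev/null || true
    run ip route flush table "$TV_TABLE" 2>/dev/null || true

    # A separate routing table whose only route is the tunnel default.
    run ip route add default via "$TUN_GW" dev "$TUN_DEV" table "$TV_TABLE"

    # Packets received on br-lantv consult that table first. Matching on the
    # incoming interface rather than on the 192.168.11.0/24 source keeps the
    # router's own replies to the TV (DHCP and DNS from 192.168.11.1), which
    # also carry a 192.168.11.x source, on the main table.
    run ip rule add iif "$TV_IFACE" lookup "$TV_TABLE" pref 100

    # Kill switch: when tun0 goes down the kernel drops the default route in
    # table 100, the lookup would fall through to the main table and the TV
    # would silently go out via eth1. This rule rejects it instead.
    run ip rule add iif "$TV_IFACE" prohibit pref 101

    # Replies arriving on tun0 fail a strict reverse-path check because the
    # main table reaches their source via eth1; loose mode (2) on tun0 avoids that.
    run sysctl -w "net.ipv4.conf.$TUN_DEV.rp_filter=2"
}

# When executed directly without APPLY=1, only show what would be applied.
[ "${APPLY:-0}" = "1" ] || echo "# plan (set APPLY=1 to execute):"
tv_vpn_routes
```

Run it once with `APPLY=1` after the tunnel is up, then check `ip rule show` and `ip route show table 100`, and from a host in the TV VLAN confirm that its apparent public address is the VPN exit rather than the 1.2.3.4 WAN address. The rules do not survive a reboot or a tunnel restart; on OpenWrt the persistent equivalents are a `config route` stanza with `option table` and a `config rule` stanza with `option in` and `option lookup` in /etc/config/network (check the option names against the release in use), or calling the script from OpenVPN's `--route-up` hook.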