
2 VPN Client and 2 WiFi SSID: how to route traffic

As described in post #98, you can continue to use nat-start or (preferably) use the openvpn-event vpnclient-route-up script to call WiFiVPN.sh:

/jffs/scripts/vpnclient-route-up
Code:
/jffs/scripts/WiFiVPN.sh $WIFI_IF $VPN_ID &                    # Bridge X via this VPN

or, in the worst-case scenario, use the openvpn-event vpnclient-up script to run a background VPN syslog monitor script that calls WiFiVPN.sh when the appropriate 'successful reconnect' message appears:

/jffs/scripts/vpnclient-up
Code:
/jffs/scripts/VPN_SyslogMonitor.sh $VPN_ID &

Hey, thanks for the prompt reply. I was already using the nat-start option but it wasn't working for my scenario. However, the vpnclient-route-up script seems to be working. I will continue testing this and report back if any errors occur.

thanks a lot !
 
My goal is that when I'm using a specific LAN port, I'm routed to the VPN client assigned to the bridge.
Has someone successfully added local ports to bridges created with WiFiVPN?
I would like to:
1- add LAN port 3 (id 2 on the AC56U), assigned to bridge 1
2- add LAN port 4 (id 3 on the AC56U), assigned to bridge 2

I have created VLANs 3 and 4 and assigned the LAN ports correctly, and assigned those VLANs to the bridges. But no IP address is assigned to my LAN card interface when it's connected. Any idea?
 
see post #68 ?
 
I'm using your script WiFiVPN.sh for accessing the VPN client configuration. But I would like to configure specific LAN ports to do the same. I've created the VLANs correctly (3 and 4 in my case) and also assigned them to the previously created bridges (br1 or br2, depending on the VLAN and the LAN port mapped).

See:
Code:
ME@MyRouter_share:/jffs/scripts# brctl show
bridge name    bridge id        STP enabled    interfaces
br0        8000.305a3aa05088    yes        vlan1
                            eth1
                            eth2
                            wl0.2
                            wl0.3
                            wl1.1
                            wl1.3
br1        8000.305a3aa05089    no        wl0.1
                            vlan3
br2        8000.305a3aa0508e    no        wl1.2
                            vlan4

MyRouter_share:/jffs/scripts# vconfig show
BusyBox v1.25.1 (2018-03-24 13:01:24 EDT) multi-call binary.
Usage: vconfig COMMAND [OPTIONS]
Create and remove virtual ethernet devices
add IFACE VLAN_ID
rem VLAN_NAME
set_flag IFACE 0|1 VLAN_QOS
set_egress_map VLAN_NAME SKB_PRIO VLAN_QOS
set_ingress_map VLAN_NAME SKB_PRIO VLAN_QOS
set_name_type NAME_TYPE

ME@MyRouter_share:/jffs/scripts# robocfg show
Switch: enabled
Port 0:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 1:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 2:   DOWN enabled stp: none vlan: 3 jumbo: off mac: 00:00:00:00:00:00
Port 3: 1000FD enabled stp: none vlan: 4 jumbo: off mac: b8:a3:86:78:b5:0b
Port 4: 1000FD enabled stp: none vlan: 2 jumbo: off mac: b8:ec:a3:35:11:b6
Port 5: 1000FD enabled stp: none vlan: 2 jumbo: off mac: 30:5a:3a:a0:50:88
Port 7:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 8:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
VLANs: BCM5301x enabled mac_check mac_hash
   1: vlan1: 0 1 5t
   2: vlan2: 4 5
   3: vlan3: 2 5t
   4: vlan4: 3 5t
  56: vlan56: 0 3 4 5t 7t 8u
  57: vlan57: 0t 1t 5t 7t 8u
  58: vlan58: 2t
  59: vlan59: 0t 2t 4t 8u
  60: vlan60: 0t 5 7 8t
  61: vlan61: 1t 2 3 4t 5t
  62: vlan62: 2t 4t 5t

But DHCP doesn't assign any IP to my LAN interface. Any idea?
 
I've created correctly the vlan (3 and 4 in my case).
I would strongly recommend that you refrain from using single digit VLANs (e.g. vlan3 etc.) as they are nominally reserved by Asus.
But the DHCP don't assign any IP to my lan interface. Any idea
I prefer to have the VLANs defined in 'dnsmasq.conf', simply because VLANSwitch.sh is then able to reference the dnsmasq entries consistently when it creates the designated VLAN and subsequently adds it to the appropriate VPN bridge created by WiFiVPN.sh.

Have you tried assigning the VLAN its I/P address and subnet mask manually?
Code:
ifconfig $VLAN $VLAN_IP netmask $VLAN_MASK up
 
Martineau, thanks for your advice and your help, again!

Can I use the same IP address range as the associated WiFi ID? Could you tell me how I should configure dnsmasq.conf: is it done with the WiFiVPN script or from the CLI with vi?

No! I did not set any IP. vlan1 doesn't have one, so why should the other VLANs I created have one?

Here's the script I'll use to auto-start all connections at boot. Any suggestion?
Code:
#!/bin/sh
# Force local LAN port 3 to br1 and LAN port 4 to br2 on the RT-AC56U
# (switch port ids 2 and 3; port 5 is the tagged uplink to the CPU).
robocfg vlan 1 ports "0 1 5t"
robocfg vlan 13 ports "2 5t"
robocfg vlan 14 ports "3 5t"

# Create the 802.1Q interfaces vlan13 and vlan14 (here on the guest WiFi interfaces)
vconfig add wl0.1 13
vconfig add wl1.2 14

ifconfig vlan13 up
ifconfig vlan14 up

# Add the VLAN interfaces to the VPN bridges created by WiFiVPN.sh
brctl addif br1 vlan13
brctl addif br2 vlan14

# Not required
#ebtables -t broute -I BROUTING -p IPv4 -i vlan10 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP
#ebtables -t filter -I FORWARD -i vlan10 -o ! eth0 -j DROP
#ebtables -t filter -I FORWARD -i ! eth0 -o vlan10 -j DROP

# Antenna 2.4GHz, Guest WiFi 1, VPN 1
/jffs/scripts/wifivpn.sh wl0.1 1

# Antenna 5GHz, Guest WiFi 1, VPN 1
#/jffs/scripts/wifivpn.sh wl1.1 1

# Antenna 2.4GHz, Guest WiFi 2, VPN 2
#/jffs/scripts/wifivpn.sh wl0.2 2

# Antenna 5GHz, Guest WiFi 2, VPN 2
/jffs/scripts/wifivpn.sh wl1.2 2

# Antenna 2.4GHz, Guest WiFi 3, VPN 3
#/jffs/scripts/wifivpn.sh wl0.3 3

# Antenna 5GHz, Guest WiFi 3, VPN 3
#/jffs/scripts/wifivpn.sh wl1.3 3

Also, here's the config that makes me think I don't need an IP address on my new VLANs.
Code:
ME@MyRouter_share:/jffs/scripts# brctl show
bridge name    bridge id        STP enabled    interfaces
br0        8000.305a3aa05088    yes        vlan1
                            eth1
                            eth2
                            wl0.2
                            wl0.3
                            wl1.1
                            wl1.3
br1        8000.305a3aa05089    no        wl0.1
                            vlan13
br2        8000.305a3aa0508e    no        wl1.2
                            vlan14

ME@MyRouter_share:/jffs/scripts# ifconfig vlan1
vlan1     Link encap:Ethernet  HWaddr 30:5A:3A:A0:50:88
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:1 errors:0 dropped:0 overruns:0 frame:0
          TX packets:971 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:332 (332.0 B)  TX bytes:183995 (179.6 KiB)

ME@MyRouter_share:/jffs/scripts# ifconfig br0
br0       Link encap:Ethernet  HWaddr 30:5A:3A:A0:50:88
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:9938 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8225 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1292102 (1.2 MiB)  TX bytes:3465089 (3.3 MiB)

ME@MyRouter_share:/jffs/scripts# ifconfig br1
br1       Link encap:Ethernet  HWaddr 30:5A:3A:A0:50:89
          inet addr:192.168.101.1  Bcast:192.168.101.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:23 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:3235 (3.1 KiB)

ME@MyRouter_share:/jffs/scripts# ifconfig br2
br2       Link encap:Ethernet  HWaddr 30:5A:3A:A0:50:8E
          inet addr:192.168.102.1  Bcast:192.168.102.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:130 errors:0 dropped:0 overruns:0 frame:0
          TX packets:128 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:35597 (34.7 KiB)  TX bytes:40025 (39.0 KiB)
 
No! I did not set any IP. vlan1 doesn't have one, why others vlan created should have one
As per post #68, when using my VLANSwitch.sh script it helps to identify/isolate issues: since the WiFi SSID has a separate subnet, so does the VLAN for the bridge.


Did you manually configure the VLANs correctly as per post #69? You appear to 'add' the VLANs to the Guest WiFi interface rather than the WAN interface. o_O
 
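The port-to-bridge procedure the last few posts go back and forth over (robocfg port spec, 802.1Q sub-interface on the trunk, brctl addif), written up as an added example script. It is not code from this thread and not part of Martineau's WiFiVPN.sh or VLANSwitch.sh. It assumes a Broadcom BCM5301x switch where port 5 is the tagged CPU uplink behind eth0 (as the robocfg output earlier in the thread shows), and that robocfg, vconfig, brctl, ifconfig, awk and sed exist on the router; the function names and the DRY_RUN, TRUNK_IF and CPU_PORT variables are this example's own. It adds the two checks the thread shows being missed: the VLAN is created on eth0 rather than on a wl0.x guest interface, and the moved switch port is taken out of vlan1 so it is not still bridged into br0. It also refuses single-digit VLAN ids and runs in dry-run mode until DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example (not from the thread, not WiFiVPN.sh/VLANSwitch.sh): move one LAN
# switch port into its own 802.1Q VLAN on the trunk interface and attach that VLAN
# to a VPN bridge (br1/br2) that WiFiVPN.sh already created.
# Assumptions (hypothetical; verify against `robocfg show` on your router):
#   - BCM5301x switch, CPU port 5 tagged ("5t") behind eth0
#   - robocfg, vconfig, brctl, ifconfig, awk and sed are available
# Function names and DRY_RUN / TRUNK_IF / CPU_PORT are this example's own.

CPU_PORT=${CPU_PORT:-5}      # tagged uplink from the switch to the CPU (eth0)
TRUNK_IF=${TRUNK_IF:-eth0}   # 802.1Q parent; never a wl0.x/wl1.x guest WiFi interface
DRY_RUN=${DRY_RUN:-1}        # 1 = print each command instead of executing it

run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Accept VLAN ids 10..4094 only: single-digit ids are nominally reserved by Asus.
valid_vlan_id() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 10 ] && [ "$1" -le 4094 ]
}

# Drop switch port $2 (tagged or untagged) from a robocfg port spec such as
# "0 1 2 3 5t". A port left in vlan1 would still be bridged into br0, which
# defeats the isolation the VPN bridge is meant to give.
strip_port() {
  _out=''
  for _p in $1; do
    [ "${_p%t}" = "$2" ] && continue
    _out="${_out:+$_out }$_p"
  done
  printf '%s' "$_out"
}

# Read the port spec of VLAN $1 from `robocfg show` text on stdin:
#   "   1: vlan1: 0 1 5t"  ->  "0 1 5t"
vlan_spec_from_show() {
  sed -n "s/^ *$1: vlan$1: *//p"
}

# Exit 0 if `brctl show` text on stdin lists interface $2 under bridge $1.
# The first member sits on the bridge line; later members are on
# continuation lines that carry only the interface name.
bridge_has_iface() {
  awk -v B="$1" -v I="$2" '
    NR == 1 { next }                 # header line
    NF >= 4 { br = $1; iface = $4 }  # "br1  8000.xxxx  no  wl0.1"
    NF == 1 { iface = $1 }           # "                 vlan13"
    br == B && iface == I { found = 1 }
    END { exit !found }'
}

# bind_port_to_bridge VLAN_ID SWITCH_PORT BRIDGE
# e.g. bind_port_to_bridge 13 2 br1   (LAN port 3 of an RT-AC56U -> br1)
bind_port_to_bridge() {
  vid=$1; port=$2; br=$3
  valid_vlan_id "$vid" || { echo "refusing reserved/invalid VLAN id '$vid'" >&2; return 1; }
  # 1. take the port out of vlan1 (keeps whatever other ports are there)
  vlan1_now=$(robocfg show 2>/dev/null | vlan_spec_from_show 1)
  [ -n "$vlan1_now" ] && run robocfg vlan 1 ports "$(strip_port "$vlan1_now" "$port")"
  # 2. port untagged in the new VLAN, CPU port tagged so eth0 sees the frames
  run robocfg vlan "$vid" ports "$port ${CPU_PORT}t"
  # 3. 802.1Q sub-interface on the trunk, then into the bridge that owns the subnet
  run vconfig add "$TRUNK_IF" "$vid"
  run ifconfig "vlan$vid" up
  run brctl addif "$br" "vlan$vid"
}

# Usage on the router: dry run first, then DRY_RUN=0, then verify:
#   DRY_RUN=0 bind_port_to_bridge 13 2 br1
#   brctl show | bridge_has_iface br1 vlan13 && echo "vlan13 is in br1"
```

No IP address is put on vlan13 itself: once it is a member of br1, the port sits in the subnet br1 already carries (192.168.101.0/24 in the output above), so whatever DHCP service WiFiVPN.sh set up for that bridge is what answers on it. The brctl-based verification is of no use on models where brctl is absent, such as the RT-AC86U mentioned at the end of this thread.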
Could you send me your VLANSwitch.sh script? I do not have that one. Yes, I configured the new VLANs to use the WiFi interface. I will retry with eth0, which is the WAN interface. But I want to be sure that this will let me use only 2 LAN ports for my need. The other ports have to stay with the default configuration and routing (using vlan1 with br0).

I'll let you know my next step, testing with eth0. Again, thanks a lot for your help!
Steph
 
No difference. Not working with eth0.

I"ve modified my script and rebooted the router. Still no IP address with lan port where I configured vlan 13 and 14. But get IP on other ports. My understanding is that the IP subnet used should be the one assigned to the bridge. Any idea?
ME@MyRouter_share:/jffs/scripts# vi nat-start

#!/bin/sh
# force local LAN port 3 to br1 for RT-AC56U
# force local LAN port 4 to br2 for RT-AC56U
robocfg vlan 1 ports "0 1 5t"
robocfg vlan 13 ports "2 5t"
robocfg vlan 14 ports "3 5t"

vconfig add eth0 13
vconfig add eth0 14

ifconfig vlan13 up
ifconfig vlan14 up

#add vlans to the bridges
brctl addif br1 vlan13
brctl addif br2 vlan14
[/CODE]

The ultimate goal is to:
- connect through the VPN client 1 connection when I use interfaces WIFI_2.4ghz_1, WIFI_5.0ghz_1 and lan_port1
- connect through the VPN client 2 connection when I use interfaces WIFI_2.4ghz_2, WIFI_5.0ghz_2 and lan_port2
- connect through the VPN client 3 connection when I use interfaces WIFI_2.4ghz_3, WIFI_5.0ghz_3 and lan_port3
 

The VLANSwitch.sh script is currently used to allow the following

1 x Netgear GS108PEv3
1 x Netgear GS108Ev3
1 x Netgear GS108Ev2
3 x TP-link TL-SG2008

VLAN capable switches to isolate IoT devices and VPN access throughout the home.

NOTE: All hanging off Port 4 of the RT-AC68U in a predominately star topology with the GS108PE as the centre 'hub' in the loft (aka attic).

I doubt you personally would find it useful given your already advanced VLAN environment.
AP VLANs and pfSense
 
Could you send me your VLANSwitch.sh script?

See PM ... I guess it can't hurt. ;)

e.g. Create VLAN20 on switch Port 3 and use VPN Client 1
Code:
./VLANSwitch.sh    20   3   vpn1   autodnsmasq   vlanfw
NOTE: Do you have CTF enabled? as this can unfortunately interfere with some setups.
 
Hi @Martineau
I have a RT-AC3200 I'm about to update to f/w asuswrt-merlin 384.5 and as such will be factory resetting.
So now would be a great time for me to use your script if possible to setup my VPN WiFi!
Any chance I could get a link? Thanks!
 
It is in the thread..Post #7
 
Many thanks for your prompt response!
I ran the script and it did wonders (although it gave me few errors - like client1.resolv, client2.resolv file doesn’t exist, entry for iptable/ebtables, etc. - not sure why) - BUT it WORKS!!

My requirement is actually quite simple. I can manually assign an IP address range in the VPN client setup by setting policy rules, e.g. VPN1 for 192.168.101.1/24, VPN2 for ...102..., etc.
What I need is a simple script that creates the respective bridges and IP range assignments (and can be run automatically after the router restarts):
that is, creating the appropriate bridge/mapping required to associate wl01.1 with 192.168.101.1/24
and wl01.2 with 192.168.102.1/24,
which I believe can be achieved by running a small part of your script.
Any help is greatly appreciated!!

Here’s the exact output:
Code:
(WiFiVPN.sh): 3360 v1.03b (Public Beta) © 2016-2017 Martineau, Guest WiFi VPN Bridge request.....[WL1 1]

**Warning for multiple ACTIVE concurrent VPN Clients UNIQUE ports are advised - Port 1195:UDP is configured for use by several VPN Clients

awkNR: /etc/openvpn/dns/client1.resolv: No such file or directory
iptables: No chain/target/match by that name.
awkNR: /etc/openvpn/dns/client1.resolv: No such file or directory
awkNR: /etc/openvpn/dns/client1.resolv: No such file or directory
iptables: No chain/target/match by that name.

(WiFiVPN.sh): 3360 WiFi (wl0.1) 2.4GHz Guest 1 WL1 (192.168.101.0/24) routed through tunnel VPN Client 1 (XVPN1) using WAN DNS (xxx.xx.xx.x) via bridge:br1
 
Hi, I'm trying to use the script on an RT-AC86U and when I enter the following command I get this error:

Code:
@RT-AC86U-9370:/jffs/scripts# ./wifivpn.sh eth1 1
./wifivpn.sh: line 1002: /usr/sbin/brctl: not found

(wifivpn.sh): 16490 v1.03b (Public Beta) © 2016-2017 Martineau, WiFi VPN Bridge request.....[eth1 1]
./wifivpn.sh: line 1115: /usr/sbin/brctl: not found

(wifivpn.sh): 16490 ***ERROR WiFi (eth1) 2.4GHz Network WiFi 'eth1' not ENABLED. ABORTing.....

Any idea what i'm doing wrong or am I too lost to help? I'm new at this. Thanks in advance for any help.
 
Not sure if the absolute path to the brctl utility is different on the RT-AC86U? You could check by issuing:
Code:
which brctl
but the location is moot as sadly the RT-AC86U isn't compatible with the script, see post #31.

 
