AC68U with three VLANs

[RHF]

Hello everyone,

I'm looking to replace an older Linksys E1200v2 router with Freshtomato installed on it with a better router that provides higher throughput on OpenVPN client connections and better WiFi reach. Therefore, I bought an RT-AC68U (ver. E1) and installed the latest version of Merlin on it (384.13).

One important bit of information. My ISP (cable) doesn't offer the option of cable modem (i.e. configuring the public IP address on the AC68U). Therefore, the public IP address needs to be on the cable router they provide.

As Merlin is based on Tomato, I'm assuming everything I have configured on my old router will be doable on the new one. However, I'm finding that most of what I need can't be configured through the GUI (at least I can't figure out how).

Therefore, I'm hoping you might help me with a few questions:

1. Am I going about this the right way or is there an easier way to do it? (i.e. which parts of the configuration could I do through the web interface?)
2. Should I assign router IP addresses to the bridge (i.e. br1) or the VLAN (i.e. vlan1)?
3. On my Tomato-based router, I'm using policy based routing with iproute2. Is that the recommended approach on Merlin? (I seem to recall seeing somewhere that this could be implemented with iptables instead)
4. If the answer to question 3 is yes, what's the right way to add some lines to /etc/iproute2/rt_tables?
5. Any links / HOWTO's to configure DHCP relay?
6. How can I configure DHCP servers on br1 and br2?

I'm attaching a diagram of what the network should look like and the commands I've used so far (I'll worry about making the settings persistent after I've managed to get this to work as it should).

Also attached is a helpful diagram of the default bridges and VLANs I found here (originally for DD-WRT, but still helpful).

Thanks in advance!

Configuration:

## Configure bridges and VLANs

brctl delif br0 vlan1
brctl addif br0 vlan2
## Will changing the configuration of br0 mess up the default firewall configuration?
robocfg vlan 3 ports "3 4 5t"
robocfg vlan 1 ports "1 2 5t"
vconfig add eth0 3
ifconfig vlan3 up
brctl addbr br1
brctl addbr br2
brctl addif br1 vlan1
brctl addif br2 vlan3
ifconfig br1 up
ifconfig br2 up

## br0 - WAN, Wireless 2.4GHz, Wireless 5GHz
## br1 - LAN 1 and 2 (tun11)
## br2 - LAN 3 and 4 (tun12)

## Create IP addresses <-- can this be done through the web interface??
ip addr add 192.168.10.5/24 brd 192.168.10.255 dev br0
ip addr add 192.168.20.5/24 brd 192.168.10.255 dev br1
ip addr add 192.168.30.5/24 brd 192.168.10.255 dev br2
ip addr del 192.168.1.1/24 brd 192.168.1.255 dev br0


## Policy based routing (this is how it's configured on my Tomato router, but it doesn't work on the AC68U)
echo 500 BR1 >> /etc/iproute2/rt_tables
echo 600 BR2 >> /etc/iproute2/rt_tables

## Error message: "can't create /etc/iproute2/rt_tables: Read-only file system"

ip rule add iif br1 table BR1
ip rule add iif br2 table BR2
ip route add default dev tun11 table BR1
ip route add 192.168.10.0/24 dev vlan2 table BR1
ip route add default dev tun12 table BR2
ip route add 192.168.10.0/24 dev vlan2 table BR2


## Firewall
Haven't gotten around to this yet

 

[Makaveli]

"higher throughput on OpenVPN client connections"

If that was the goal you should have picked up an AC86U which has encryption logic built in ,and its only a few bucks more than the 68U these days.

The 68U doesn't have anything to accelerate OpenVPN.

 

[RHF]

Too late now... I bought it a couple of months ago. It will definitely be faster than my E1200. Back then I had looked into the 86U and there was some limitation that made me decide against it (can't remember anymore). Possibly VLAN support???

 

[Val D.]

However, I'm finding that most of what I need can't be configured through the GUI

Why so complicated?
Is this what you want to achieve?

Laptop 1 -> WAN
Laptop 2 -> VPN Client 1
Laptop 3 -> VPN Client 2

RT-AC86U would give you 200Mbps+ OpenVPN performance, RT-AC68U only about 30Mbps.

 

[Martineau]

Hello everyone,

I'm looking to replace an older Linksys E1200v2 router with Freshtomato installed on it with a better router that provides higher throughput on OpenVPN client connections and better WiFi reach. Therefore, I bought an RT-AC68U (ver. E1) and installed the latest version of Merlin on it (384.13).

One important bit of information. My ISP (cable) doesn't offer the option of cable modem (i.e. configuring the public IP address on the AC68U). Therefore, the public IP address needs to be on the cable router they provide.

As Merlin is based on Tomato, I'm assuming everything I have configured on my old router will be doable on the new one. However, I'm finding that most of what I need can't be configured through the GUI (at least I can't figure out how).

Therefore, I'm hoping you might help me with a few questions:

1. Am I going about this the right way or is there an easier way to do it? (i.e. which parts of the configuration could I do through the web interface?)
2. Should I assign router IP addresses to the bridge (i.e. br1) or the VLAN (i.e. vlan1)?
3. On my Tomato-based router, I'm using policy based routing with iproute2. Is that the recommended approach on Merlin? (I seem to recall seeing somewhere that this could be implemented with iptables instead)
4. If the answer to question 3 is yes, what's the right way to add some lines to /etc/iproute2/rt_tables?
5. Any links / HOWTO's to configure DHCP relay?
6. How can I configure DHCP servers on br1 and br2?

I'm attaching a diagram of what the network should look like and the commands I've used so far (I'll worry about making the settings persistent after I've managed to get this to work as it should).

View attachment 19337

Also attached is a helpful diagram of the default bridges and VLANs I found here (originally for DD-WRT, but still helpful).
View attachment 19338

Thanks in advance!

Configuration:

## Configure bridges and VLANs

brctl delif br0 vlan1
brctl addif br0 vlan2
## Will changing the configuration of br0 mess up the default firewall configuration?
robocfg vlan 3 ports "3 4 5t"
robocfg vlan 1 ports "1 2 5t"
vconfig add eth0 3
ifconfig vlan3 up
brctl addbr br1
brctl addbr br2
brctl addif br1 vlan1
brctl addif br2 vlan3
ifconfig br1 up
ifconfig br2 up

## br0 - WAN, Wireless 2.4GHz, Wireless 5GHz
## br1 - LAN 1 and 2 (tun11)
## br2 - LAN 3 and 4 (tun12)

## Create IP addresses <-- can this be done through the web interface??
ip addr add 192.168.10.5/24 brd 192.168.10.255 dev br0
ip addr add 192.168.20.5/24 brd 192.168.10.255 dev br1
ip addr add 192.168.30.5/24 brd 192.168.10.255 dev br2
ip addr del 192.168.1.1/24 brd 192.168.1.255 dev br0


## Policy based routing (this is how it's configured on my Tomato router, but it doesn't work on the AC68U)
echo 500 BR1 >> /etc/iproute2/rt_tables
echo 600 BR2 >> /etc/iproute2/rt_tables

## Error message: "can't create /etc/iproute2/rt_tables: Read-only file system"

ip rule add iif br1 table BR1
ip rule add iif br2 table BR2
ip route add default dev tun11 table BR1
ip route add 192.168.10.0/24 dev vlan2 table BR1
ip route add default dev tun12 table BR2
ip route add 192.168.10.0/24 dev vlan2 table BR2


## Firewall
Haven't gotten around to this yet

To address the error

## Error message: "can't create /etc/iproute2/rt_tables: Read-only file system"

I use the following in init-start,

# If custom RPDB name table exists then override RMerlin's firmware defaults.

# Must be done AFTER 180 sleep as RMerlin blocks all restricted VPN clients during BOOT by 'ovpncX' names :-(
# Tables 111-115 reserved by RMerlin RPDB Selective Policy routing
# Tables 100/200 reserved by ASUS Dual WAN aka Primary and Secondary WAN
#
# Mar 2016 v380.58 RMerlin creates OpenVPN defaults
# 111 ovpnc1
# 112 ovpnc2
# 113 ovpnc3
# 114 ovpnc4
# 115 ovpnc5
if [ -f /jffs/configs/rt_tables ]; then
   # Use custom table

   #    100 wan0
   #    111 NewYork
   #    112 LA
   #    113 VPNbook
   #    114 Glenside
   #    115 UK
   #    200 wan1

   Say "Custom RPDB name table /jffs/configs/rt_tables replaces /etc/iproute2/rt_tables"
   mount -o bind /jffs/configs/rt_tables /etc/iproute2/rt_tables   # Override 'ovpncX' with 'TalkTalk', NewYork, LA, etc.
fi

and manually start the appropriate VPN during the boot rather than use the VPN Client 'Start with WAN' GUI option.

NOTE: I create the WiFi VPN bridge(s) then create/map the appropriate Switch VLANs to the appropriate VPN bridge.

See VPN WiFi bridge, and map the Switch VLAN to the WiFi VPN bridge

 

[RHF]

Why so complicated?
Is this what you want to achieve?

Laptop 1 -> WAN
Laptop 2 -> VPN Client 1
Laptop 3 -> VPN Client 2

RT-AC86U would give you 200Mbps+ OpenVPN performance, RT-AC68U only about 30Mbps.

Showing three laptops to keep the diagram simple. There are really about 20 devices distributed across the three LANs.

Thanks for the buyer's remorse ;-)

 

[RHF]

To address the error

## Error message: "can't create /etc/iproute2/rt_tables: Read-only file system"

I use the following in init-start,

# If custom RPDB name table exists then override RMerlin's firmware defaults.

# Must be done AFTER 180 sleep as RMerlin blocks all restricted VPN clients during BOOT by 'ovpncX' names :-(
# Tables 111-115 reserved by RMerlin RPDB Selective Policy routing
# Tables 100/200 reserved by ASUS Dual WAN aka Primary and Secondary WAN
#
# Mar 2016 v380.58 RMerlin creates OpenVPN defaults
# 111 ovpnc1
# 112 ovpnc2
# 113 ovpnc3
# 114 ovpnc4
# 115 ovpnc5
if [ -f /jffs/configs/rt_tables ]; then
   # Use custom table

   #    100 wan0
   #    111 NewYork
   #    112 LA
   #    113 VPNbook
   #    114 Glenside
   #    115 UK
   #    200 wan1

   Say "Custom RPDB name table /jffs/configs/rt_tables replaces /etc/iproute2/rt_tables"
   mount -o bind /jffs/configs/rt_tables /etc/iproute2/rt_tables   # Override 'ovpncX' with 'TalkTalk', NewYork, LA, etc.
fi

and manually start the appropriate VPN during the boot rather than use the VPN Client 'Start with WAN' GUI option.

NOTE: I create the WiFi VPN bridge(s) then create/map the appropriate Switch VLANs to the appropriate VPN bridge.

See VPN WiFi bridge, and map the Switch VLAN to the WiFi VPN bridge

Thank you! I'll try it out tonight.

 

[Val D.]

There are really about 20 devices distributed across the three LANs.

I have similar number of devices on my network and each one has access to Internet through WAN or VPN and sees other devices on the network or it is isolated, some have their own DNS settings. All is done on the main router and using WebGUI settings in Asuswrt-Merlin firmware. This is why my question was what's the goal, because there may be an easier way to do it.

 

[RHF]

I have similar number of devices on my network and each one has access to Internet through WAN or VPN and sees other devices on the network or it is isolated, some have their own DNS settings. All is done on the main router and using WebGUI settings in Asuswrt-Merlin firmware. This is why my question was what's the goal, because there may be an easier way to do it.

Fair point.

I guess the requirements are:

1. WAN interface bridged with the Wireless interfaces (that includes DHCP relay) so the devices that have direct access to the Internet (not through a VPN) don't need to do double NAT (once for the AC68 and again for the cable router)
2. Specific devices always routed to the Internet via OpenVPN client 1 (including failsafe configuration)
3. Specific devices always routed to the Internet via OpenVPN client 2 (including failsafe configuration)
4. Bonus - Mobile devices selectively choosing whether they access the Internet via direct connection, tunnel 1 or tunnel 2 based on the Wireless network they connect to.

Would that work through the WebUI?

 

[Val D.]

Would that work through the WebUI?

Yes, most of it + 1 popular script. I had a very similar configuration on a single router. Let me get home and I’ll tell you how.

 

[ColinTaylor]

1. WAN interface bridged with the Wireless interfaces (that includes DHCP relay) so the devices that have direct access to the Internet (not through a VPN) don't need to do double NAT (once for the AC68 and again for the cable router)

I would imagine this might be a sticking point. As I read it you're wanting to connect the wireless interfaces directly to your cable modem+router's LAN, without any intervening NATing or routing.

 

[Val D.]

Let me get home and I’ll tell you how.

@Jack Yaz is now enjoying how people are trying to invent the wheel.

 

[Val D.]

I guess the requirements are:

1. WAN interface bridged with the Wireless interfaces (that includes DHCP relay) so the devices that have direct access to the Internet (not through a VPN) don't need to do double NAT (once for the AC68 and again for the cable router)
2. Specific devices always routed to the Internet via OpenVPN client 1 (including failsafe configuration)
3. Specific devices always routed to the Internet via OpenVPN client 2 (including failsafe configuration)
4. Bonus - Mobile devices selectively choosing whether they access the Internet via direct connection, tunnel 1 or tunnel 2 based on the Wireless network they connect to.

OK, I would do it using only the tools already provided by:
@RMerlin in his Asuswrt-Merlin firmware
@Jack Yaz in his excellent YazFi script:
https://www.snbforums.com/threads/y...-merlin-guest-wifi-inc-ssid-vpn-client.45924/

ISP router
- assign Static IP for your 68U
- place 68U IP address in DMZ
- disable WiFi
- forget about it

68U router
- configure as your Main Router as usual
- configure DDNS, external WAN IP retrieve
- disable WAN remote access for extra security
- configure VPN Server for remote access (IPSec in my case, easy setup)
- assign Static IPs for clients always going through VPN (or for all clients, my preference)
- configure OpenVPN clients, Policy Rules with Kill Switch
- enable 3 guest networks and use YazFi script to manage them

The result (covering the requirements + extras)
- ISP router is used to keep the ISP happy only
- no double NAT issues expected, 68U opens it's ports directly to Internet
- all wired clients to 68U use WAN, VPN1 or VPN2 as per Policy Rules
- all wireless clients to SSID1 2.4GHz and SSID2 5GHz go through WAN by default, unless listed in Policy Rules
- all wireless clients to Guest SSID1 go throug WAN, isolated, DNS with parental control, this is the real Guest Network
- all wireless clients to Guest SSID2 go through VPN1
- all wireless clients to Guest SSID3 go through VPN2
- all connected devices may see each other (if not restricted) and use shared services - printer, NAS, etc.
- if a VPN tunnel goes down, Kill Switch cuts the communication to clients using this VPN
- router can be remotely accessed through DDNS with secure VPN connection

Not going to details because OP has the knowledge to set the things properly.
Information on Policy Rules use and YazFi script installation and configuration is available here on SNB.

P.S. I don't know what your ISP connection speed is, but since RT-AC68U has a weak VPN performance I would go different route. Keep things simple, provide reliable wired/wireless connection first, then run VPN Client software on the clients. Every client may connect to whatever is needed (with some limitations). Keep in mind even older iPhone 6s will process VPN faster than RT-AC68U. This router is a serious bottleneck for VPN client on the router setup.

 

[RHF]

OK, I would do it using only the tools already provided by:
@RMerlin in his Asuswrt-Merlin firmware
@Jack Yaz in his excellent YazFi script:
https://www.snbforums.com/threads/y...-merlin-guest-wifi-inc-ssid-vpn-client.45924/

Thank you for the comprehensive overview. I wasn't familiar with the YazFi script. Now installing it.

Unfortunately my ISP doesn't support DMZ. It's Unitymedia in Germany. They don't support bridging either...

I'll try to work on a solution using YazFi over the weekend.

 

[Val D.]

Unfortunately my ISP doesn't support DMZ. It's Unitymedia in Germany. They don't support bridging either...

They support online payments though, no problem with that.
Any other options for more "supportive" ISP around your place?

 

[RHF]

They support online payments though, no problem with that.
Any other options for more "supportive" ISP around your place?

One word: Monopoly... This is the only ISP that supports more than 20 Mbps in the area.

 

[RHF]

Hi everyone,

I finally made some time to work on this over the weekend and have a mostly functioning system. It's currently not pretty, but it works. There are still a few wrinkles to iron out and I need to change the "quick and dirty" scripts into something more robust.

Below is a summary of how I implemented it. Posting in case others are interested and also hoping to get some tips from the group on how to improve it.

First of all, some changes to the original diagram:

• LAN1 - 192.168.37.0/24, br0 (vlan1, eth1, eth2) with IP 192.168.37.6, DHCP server on cable router (might change that in the future), internet access through ISP
  
• LAN2 - 192.168.88.0/24, br10 (vlan10 --> switch ports 1,2) with IP 192.168.88.1, DHCP server on AC68U, internet access through VPN1
• LAN3 - 192.168.89.0/24, br20 (vlan20 --> switch ports 3,4) with IP 192.168.89.1, DHCP server on AC68U, ineternet access through VPN2

Steps (scripts attached at the end of the post):

1. Set AC68U in Wireless Router mode - Configure VPN1 and VPN2, both starting with WAN
2. Change AC68U to Access Point Mode - I hate doing this and would much rather keep the AC68U in router mode. But it was the only way I found to bridge the WAN port and the WiFi interfaces (eth1 and eth2). When trying to do that in Wireless Router mode, I had odd problems that I wasn't able to solve (i.e. wireless connections rejected). I even compared the nvram values between Router and AP mode and couldn't find the cause.
3. Activate IP_Forwarding through a script (echo 1 > /proc/sys/net/ipv4/ip_forward)
4. Configure VLANs and Bridges as per summary above
5. Tweak routing to ensure LAN1 is routed through VPN1 and LAN2 through VPN2
6. Tweak iptables for NAT and others (work in progress)

Open questions:

1. iptables - since I put the router in AP mode, I will need to create the firewall entries manually. Is there any documentation on what the default firewall rules are for? Any documentation on how to implement the VPN kill switch?
   
2. alias - Where can I configure aliases that are available with every new session? I cant find a ~/.bashrc or ~/.shrc or ~/.ashrc, but there are a couple of default aliases so it must be possible.
3. DHCP - When testing the setup I connected the same computer to LAN2 and LAN3. If I switch within a short time period, I'm getting an IP in the same subnet, regardless of which LAN I connect to. However, if I take a long time, or use different computers, that doesn't happen. Seems like dnsmaq service is keeping some sort of cache and giving an IP from the wrong IP range when it sees the same MAC. Any ideas on how to solve this?
   
4. VPN's (config file for client1 attached - client2 is exactly the same except for: "daemon ovpn-clien2", "dev tun12", and "remote <SERVER IP> 1912")
   • Both tun11 and tun12 get the same IP's (inet 10.35.0.6 peer 10.35.0.5/32 scope global tun11 - inet 10.35.0.6 peer 10.35.0.5/32 scope global tun12) in spite of the fact that the nvram values for vpn_client1_local/remote and vpn_client1_local/remote are different. Any ideas on how to avoid this?
   • There's a problem with the routes created automatically upon OpenVPN client connection ("ip route show table ovpnc1" and "ip route show table ovpnc2" both give me "default via 10.35.0.5 dev tun11"). I need to manually change the route for ovpnc2 to tun12.
   • Based on the attached .ovpn config files, do you have any recommendations to optimize the VPN client configuration for betther throughput? (i.e. cipher or compression)

BTW, I came across nvram-save.sh (r26.2), but read it hasn't been updated for newer versions of Asuswrt-Merlin. Are you aware of any significant incompatibilities? I only checked the VPN entries, but it seemed to catch everything relevant.

Thank you all for your support so far. Hopefully all this information is of use to someone else.

 

[RHF]

/jffs/scripts/services-start

#!/bin/sh
    # Configure VLANs, Bridges and IPs
    ip link add name vlan10 link eth0 type vlan id 10
    ip link add name vlan20 link eth0 type vlan id 20
    ip link set dev vlan10 up
    ip link set dev vlan20 up
    brctl addbr br10
    brctl addbr br20
    ip link set dev br10 up
    ip link set dev br20 up
    ip addr add 192.168.88.1/24 brd 192.168.88.255 dev br10
    ip addr add 192.168.89.1/24 brd 192.168.89.255 dev br20
    brctl addif br10 vlan10
    brctl addif br20 vlan20
    robocfg vlan 1 ports "0 5t"
    robocfg vlan 10 ports "1 2 5t"
    robocfg vlan 20 ports "3 4 5t"

    # Enable FORWARDING
    echo 1 > /proc/sys/net/ipv4/ip_forward

    # Configure FIREWALL
    iptables -P INPUT ACCEPT
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A INPUT -i br0 -m iprange --src-range 192.168.37.2-192.168.37.254 -j ACCEPT
    iptables -A INPUT -i br10 -j ACCEPT
    iptables -A INPUT -i br20 -j ACCEPT
    iptables -A INPUT -i br0 -p udp --destination-port 67 --source-port 68 -j ACCEPT
    iptables -A INPUT -m state --state INVALID -j DROP
    iptables -A INPUT -j LOG --log-prefix "INPUT: "
    #iptables -P INPUT DROP

    iptables -P INPUT ACCEPT
    iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -i br10 -o br0 -s 192.168.88.0/24 -d 192.168.37.0/24 -j ACCEPT
    iptables -A FORWARD -i br20 -o br0 -s 192.168.89.0/24 -d 192.168.37.0/24 -j ACCEPT
    iptables -A FORWARD -i br0 -o br10 -s 192.168.37.0/24 -d 192.168.88.0/24 -j ACCEPT
    iptables -A FORWARD -i br0 -o br20 -s 192.168.37.0/24 -d 192.168.89.0/24 -j ACCEPT
    iptables -I FORWARD 1 -o br0 ! -d 192.168.37.0/24 -j DROP
    #iptables -P INPUT DROP

    iptables -t nat -A POSTROUTING -o br0 -s 192.168.88.0/24 -m iprange --dst-range 192.168.37.2-192.168.37.254 -j MASQUERADE
    iptables -t nat -A POSTROUTING -o br0 -s 192.168.89.0/24 -m iprange --dst-range 192.168.37.2-192.168.37.254 -j MASQUERADE

    # Configure POLICY-BASED-ROUTING
    sleep 30
    ip rule add iif br10 table ovpnc1
    ip rule add iif br20 table ovpnc2
    ip route add 192.168.37.0/24 dev br0 table ovpnc1
    ip route add 192.168.37.0/24 dev br0 table ovpnc2
    ip route del default ta ovpnc1
    ip route del default ta ovpnc2
    ip route add default dev tun11 table ovpnc1
    ip route add default dev tun12 table ovpnc2
    iptables -t nat -A POSTROUTING -o tun11 -s 192.168.88.0/24 -j MASQUERADE
    iptables -t nat -A POSTROUTING -o tun12 -s 192.168.89.0/24 -j MASQUERADE

 

[RHF]

Config.ovpn

# Automatically generated configuration
    daemon ovpn-client1
    client
    dev tun11
    txqueuelen 1000
    proto udp
    remote <SERVER IP> 1912
    connect-retry-max 15
    nobind
    persist-key
    persist-tun
    compress
    ncp-disable
    cipher AES-256-GCM
    auth SHA256
    route-noexec
    script-security 2
    route-delay 2
    route-up vpnrouting.sh
    route-pre-down vpnrouting.sh
    verb 3
    reneg-sec 0
    tls-auth static.key 1
    ca ca.crt
    auth-user-pass up
    up updown.sh
    down updown.sh
    status-version 2
    status status 5

    # Custom Configuration
    resolv-retry infinite
    tun-mtu 1500
    tun-mtu-extra 32
    mssfix 1450
    tls-client
    remote-cert-tls server
    keepalive 5 30
    fast-io
    sndbuf 393216
    rcvbuf 393216

 

[RHF]

System state

admin@RT-AC68U-9478:/tmp/home/root# brctl show
    bridge name     bridge id               STP enabled     interfaces
    br0             8000.4cedfba59478       no              vlan1
                                                            eth1
                                                            eth2
    br10            8000.4cedfba59478       no              vlan10
    br20            8000.4cedfba59478       no              vlan20
admin@RT-AC68U-9478:/tmp/home/root# robocfg show
    Switch: enabled
    Port 0: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 08:ed:b9:b2:37:79
    Port 1:   DOWN enabled stp: none vlan: 10 jumbo: off mac: 00:00:00:00:00:00
    Port 2:   DOWN enabled stp: none vlan: 10 jumbo: off mac: 00:00:00:00:00:00
    Port 3:   DOWN enabled stp: none vlan: 20 jumbo: off mac: 00:00:00:00:00:00
    Port 4:   DOWN enabled stp: none vlan: 20 jumbo: off mac: 00:00:00:00:00:00
    Port 5: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 4c:ed:fb:a5:94:78
    Port 7:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
    Port 8:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
    VLANs: BCM5301x enabled mac_check mac_hash
       1: vlan1: 0 5t
       2: vlan2: 5t
      10: vlan10: 1 2 5t
      20: vlan20: 3 4 5t
admin@RT-AC68U-9478:/tmp/home/root# cat /proc/sys/net/ipv4/ip_forward
    1
admin@RT-AC68U-9478:/tmp/home/root# ip ru ls
    0:      from all lookup local
    10099:  from all iif br20 lookup ovpnc2
    10100:  from all iif br10 lookup ovpnc1
    10101:  from 192.168.88.0/24 lookup ovpnc1
    10301:  from 192.168.89.0/24 lookup ovpnc2
    32766:  from all lookup main
    32767:  from all lookup default
admin@RT-AC68U-9478:/tmp/home/root# ip ro ls ta ovpnc1
    10.35.0.5 dev tun11  proto kernel  scope link  src 10.35.0.6
    192.168.37.0/24 dev br0  proto kernel  scope link  src 192.168.37.6
    default dev tun11  scope link
admin@RT-AC68U-9478:/tmp/home/root# ip ro ls ta ovpnc2
    10.35.0.5 dev tun12  proto kernel  scope link  src 10.35.0.6
    192.168.37.0/24 dev br0  proto kernel  scope link  src 192.168.37.6
    default dev tun12  scope link
admin@RT-AC68U-9478:/tmp/home/root# ip add ls
    1: lo: <LOOPBACK,MULTICAST,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
        inet 127.0.1.1/8 brd 127.255.255.255 scope host secondary lo:0
    2: ifb0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN qlen 32
        link/ether 9e:2d:0c:c4:e9:5a brd ff:ff:ff:ff:ff:ff
    3: ifb1: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN qlen 32
        link/ether aa:5e:cb:65:de:39 brd ff:ff:ff:ff:ff:ff
    4: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
        link/ether 4c:ed:fb:a5:94:78 brd ff:ff:ff:ff:ff:ff
    5: dpsta: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN
        link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
    6: eth1: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
        link/ether 4c:ed:fb:a5:94:78 brd ff:ff:ff:ff:ff:ff
    7: eth2: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
        link/ether 4c:ed:fb:a5:94:7c brd ff:ff:ff:ff:ff:ff
    8: vlan1@eth0: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
        link/ether 4c:ed:fb:a5:94:78 brd ff:ff:ff:ff:ff:ff
    9: vlan2@eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN
        link/ether 4c:ed:fb:a5:94:78 brd ff:ff:ff:ff:ff:ff
    10: br0: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
        link/ether 4c:ed:fb:a5:94:78 brd ff:ff:ff:ff:ff:ff
        inet 192.168.37.6/24 brd 192.168.37.255 scope global br0
    11: vlan10@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
        link/ether 4c:ed:fb:a5:94:78 brd ff:ff:ff:ff:ff:ff
    12: vlan20@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
        link/ether 4c:ed:fb:a5:94:78 brd ff:ff:ff:ff:ff:ff
    13: br10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
        link/ether 4c:ed:fb:a5:94:78 brd ff:ff:ff:ff:ff:ff
        inet 192.168.88.1/24 brd 192.168.88.255 scope global br10
    14: br20: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
        link/ether 4c:ed:fb:a5:94:78 brd ff:ff:ff:ff:ff:ff
        inet 192.168.89.1/24 brd 192.168.89.255 scope global br20
    15: tun11: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
        link/none
        inet 10.35.0.6 peer 10.35.0.5/32 scope global tun11
    16: tun12: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
        link/none
        inet 10.35.0.6 peer 10.35.0.5/32 scope global tun12
admin@RT-AC68U-9478:/tmp/home/root# iptables -t nat -L -n -v --line-numbers
    Chain PREROUTING (policy ACCEPT 19393 packets, 4038K bytes)
    num   pkts bytes target     prot opt in     out     source               destination

    Chain INPUT (policy ACCEPT 11568 packets, 933K bytes)
    num   pkts bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 3222 packets, 501K bytes)
    num   pkts bytes target     prot opt in     out     source               destination

    Chain POSTROUTING (policy ACCEPT 3222 packets, 501K bytes)
    num   pkts bytes target     prot opt in     out     source               destination
    1        0     0 MASQUERADE  all  --  *      tun12   192.168.37.0/24      0.0.0.0/0
    2        0     0 MASQUERADE  all  --  *      tun11   192.168.37.0/24      0.0.0.0/0
    4        0     0 MASQUERADE  all  --  *      br0     192.168.88.0/24      0.0.0.0/0            destination IP range 192.168.37.2-192.168.37.254
    5        0     0 MASQUERADE  all  --  *      br0     192.168.89.0/24      0.0.0.0/0            destination IP range 192.168.37.2-192.168.37.254
    6        0     0 MASQUERADE  all  --  *      tun11   192.168.88.0/24      0.0.0.0/0
    7        0     0 MASQUERADE  all  --  *      tun12   192.168.89.0/24      0.0.0.0/0

    Chain DNSVPN1 (0 references)
    num   pkts bytes target     prot opt in     out     source               destination

    Chain DNSVPN2 (0 references)
    num   pkts bytes target     prot opt in     out     source               destination