Back to Back Router Mode/Guest Wifi/Shared Lan/Can this even be done?

[drewski22785]

Okay so I am trying to do a lot and am running into a few walls and hoping for some help.

Original Setup: AX88U (Router Mode) -> 2x AC88U (AP Mode)
I have a 3 story house where in the basement I installed my AX88U (Router Mode) with my internet connection. I ran ethernet to the main floor and upstairs where I have an AC88U (AP Mode) on each floor. This has worked perfectly, wifi hand off is flawless, full house coverage etc...

New Need: Seperate wifi SSID that connects to an OpenVPN tunnel for work. I was able to get this to work with the use of YazFi Guest Wifi addon and a few modifications to the script. Basically I setup multiple tunnels to our headends and wanted the wifi to failover between tunnels. This is where the modifications to the YazFi script came in. This works perfect to date on my main AX88U router in router mode.

Problem: I can not figure out how to extend this to my main and upstairs routers, YazFi/Guest doesnt work the same in AP mode, so I had to convert for test the main floor back to router mode. The problem this creates is keeping the existing home network setup with graceful handoff. If I connect the ethernet cable to the WAN port it forces me to change DHCP settings to a different subnet and re-enable the DHCP server. No more graceful hand off. If I connect it the LAN port a ton of other things break like NTP, DNS etc..

I was able to work through most of the problems when connecting to the LAN port, static ntp, scripts to refresh ntp after start, static dns, scripts to re-apply dns, reload different addons once ntp is working again, static routing for the different guest networks etc... The biggest issue I was not able to overcome is the Guest networks are not able to get to the internet consistently, they work for a short time then break not rhyme or reason. The vpn director acts very similar with these non local Guest Subnets, sometimes it redirects, sometimes it blocks, sometimes it ignores the vpn and goes out the wan instead... I am guessing it is an iptables issue as YazFi creates rules for the WAN interface which is not being used (I tried modifying the rules to use br0 instead to no avail). Connectivity between the LANs all work even though the internet is not so this further makes me think this is an iptables issue but I am at a loss how to fix this option.

The alternative option connecting to the WAN port, I could probably settle for hard handoff between devices but I would rather not. I have tried adding eth0 to the bridge this did nothing. I tried overlapping the ips on the LAN and the WAN, after a few hacks this came on but wasn't always consistent in working. I tried dnsmasq dhcp-relay to use the wan port instead of local DNS, still no luck. I have not found any way online to bridge the wan and lan together to be able to share an IP/subnet successfully. Is this even possible?

So long story short, I need to tshoot my LAN port setup and see where the guest traffic is disappearing to but dont know where to start looking. I need to see if there are any other options to bridge my WAN port option to allow using the basement router dhcp to keep graceful handoff capabilities... All thoughts and ideas where to go are much appreciated!!!! Thank you!

 

[eibgrad]

I have some thoughts on the matter, but let me ask you a more basic question here. What is the goal here? What problem is being solved? All too often I see users request help w/ a configuration change, but they don't explain the bigger picture. They don't explain what is driving these changes. I assume the goal is the need to *isolate* the clients bound to the workplace VPN from the rest of the network, presumably for reasons of security. But I want to hear you confirm it. Because if by chance that's NOT the case, it's a simple matter to route to the workplace network using static routes. I assume you don't need the workplace VPN for internet access reasons, but even then, specific clients could be bound to the workplace VPN for those purposes using PBR (policy based routing).

I'm asking because sometimes users create complex configurations that are NOT necessary. As you can see, once you decide to create an SSID solely for the VPN, things get a whole lot more complicated, even on the primary router. And given the limitations of the router's hardware/firmware, things get even tougher as you attempt to extend this functionality to the APs. I suppose you can often jury-rig things to get something close to what you want, but these configurations are often quite fragile, esp. because you're typically working outside the GUI and its native capabilities.

Even if the purpose of this configuration is to ensure isolation for those bound to the VPN, if that is so important, why use the router at all? Why not have the client itself bound to the VPN? If it was my goal to make sure *only* my laptop had access to the VPN, I'd be far more inclined to establish the VPN on the laptop, NOT the router. That would have the additional benefit of keeping that same laptop established on the private network (unless I specifically wanted to isolate the laptop from the private network w/ OpenVPN directives).

 

[L&LD]

@eibgrad makes some very good points above.

My question is, why don't you just use an OpenVPN client on the work computer directly?

 

[drewski22785]

I have some thoughts on the matter, but let me ask you a more basic question here. What is the goal here? What problem is being solved? All too often I see users request help w/ a configuration change, but they don't explain the bigger picture. They don't explain what is driving these changes. I assume the goal is the need to *isolate* the clients bound to the workplace VPN from the rest of the network, presumably for reasons of security. But I want to hear you confirm it. Because if by chance that's NOT the case, it's a simple matter to route to the workplace network using static routes. I assume you don't need the workplace VPN for internet access reasons, but even then, specific clients could be bound to the workplace VPN for those purposes using PBR (policy based routing).

I'm asking because sometimes users create complex configurations that are NOT necessary. As you can see, once you decide to create an SSID solely for the VPN, things get a whole lot more complicated, even on the primary router. And given the limitations of the router's hardware/firmware, things get even tougher as you attempt to extend this functionality to the APs. I suppose you can often jury-rig things to get something close to what you want, but these configurations are often quite fragile, esp. because you're typically working outside the GUI and its native capabilities.

Even if the purpose of this configuration is to ensure isolation for those bound to the VPN, if that is so important, why use the router at all? Why not have the client itself bound to the VPN? If it was my goal to make sure *only* my laptop had access to the VPN, I'd be far more inclined to establish the VPN on the laptop, NOT the router. That would have the additional benefit of keeping that same laptop established on the private network (unless I specifically wanted to isolate the laptop from the private network w/ OpenVPN directives).

I have asked myself this same question, am I making this more difficult then it needs to be?!?!?

Part of my job now being full time remote, i have to connect devices that dont support vpn natively, and or might but would be outside of the "test case" so having a direct connection to the vpn is critical.

I could just bring the devices to the basement.... That router is working perfect standalone... The main floor signal from the basement is almost unusable unless i am standing directly over the basement router. I have also thought about leaving cables ran across the floor but that would cause spousal issues....

I do have a couple netgear repeaters, I could try to daisy chain those to the working guest network and this might be a solution. The last time I used these the quality wasn't very good though and would drop out a lot...

So yeah... I do have work arounds, mostly physical, and could just give up but I feel like this should work. Maybe not with soft handoff on Guest but still feels like it should work overall.

 

[drewski22785]

@eibgrad makes some very good points above.

My question is, why don't you just use an OpenVPN client on the work computer directly?

Some of the devices that I need to connect dont have a vpn client natively.

 

[drewski22785]

Wan Port Update:

So I was able to bridge the wan port with the lan using brctl. Initial config was a little wonky, had to change the LAN to a different subnet, unplug the wan, then change the lan back to the WAN subnet then plug it in to get them both with the same IP. I know this conflicts normal setup methods but its also slightly better then then a script, all config shows in the gui's this way and is persistent with reboot.

In order for the brctl to work though, I had to remove the default gw from the wan config, which blank is an accepted gui config.

So currently I am in router mode, connected to the wan port, dhcp disabled, and seamless handoff/dhcp is working.

Only issue (maybe not an issue?) with this setup is i get this repeated every 5 seconds in the logs:

Oct 5 11:40:34 wan: finish adding multi routes

I have not tried removing the LAN route yet instead...

 

[eibgrad]

You didn't answer my question about whether this is being done for security reasons. IOW, to purposely isolate those clients bound to the VPN from the rest of the private network. Because if that is NOT the case, then why not simply configure the OpenVPN client on the router so that the remote network at your workplace is accessible to *any* device on your private network that references it?! And if for some reason they *must* be routed through the VPN for internet access, use PBR.

You may very well be able to make the case that what I just suggested will NOT satisfy your needs. But so far, you haven't done so. You seem to be making it more complicated than it needs to be for some reason.

And btw, the router is already capable of bridging the WAN and LAN. It's called AP mode! You can't have both a routed and bridged configuration at the same time. But it appears what you're trying to do so to have a bridged configuration, while retaining access to features only available in routed mode. That's the kind of stuff that will lead to all kinds of problems and a fragile configuration.

 

[L&LD]

Curious what devices need to be connected to the work VPN, yet are not able to use an OpenVPN client natively?

 

[drewski22785]

You didn't answer my question about whether this is being done for security reasons. IOW, to purposely isolate those clients bound to the VPN from the rest of the private network. Because if that is NOT the case, then why not simply configure the OpenVPN client on the router so that the remote network at your workplace is accessible to *any* device on your private network that references it?! ANd if for some reason they *must* be routed through the VPN for internet access, use PBR.

You may very well be able to make the case that what I just suggested will NOT satisfy your needs. But so far, you haven't done so. You seem to be making it more complicated than it needs to be for some reason.

And btw, the router is already capable of bridging the WAN and LAN. It's called AP mode! You can't have both a routed and bridged configuration at the same time. But it appears what you're trying to do so to have a bridged configuration, while retaining access to features only available in routed mode. That's the kind of stuff that will lead to all kinds of problems and a fragile configuration.

Thank you for the reply, there is actually no internet on this vpn without configuring the corporate policies/proxy so I can't put everyone on it. I have not tried configuring the proxy pac settings on a non corp device to see if it even works. I guess I could possibly set up as many PBR rules I can think of and then have everything else point to the WAN. This would be a constant update/work in progress but would probably work as well.

From a security perspective it is obviously a trust thou shall do the right thing situation with my company and therefore personal devices aren't supposed to access the network hence why I should try to keep everything separate.

The issue with AP mode is the guest network merges to the same subnet as the rest of the network, this is how my original home setup was configured for the Main and upstairs routers. This limitation is why I switched back to routed mode to get the separate guest networks

I am contemplating trying AIMESH, i just don't know how the guest is handled and if it can be separated to a different subnet. And can that subnet be pushed via vpn director. I also read a lot of things about AIMESH being unstable so there is that as well but still might be viable.

 

[drewski22785]

Curious what devices need to be connected to the work VPN, yet are not able to use an OpenVPN client natively?

There are a range of devices, some of it is a "staging" functionality but standalone esxi servers, routers (yes i know these can but when being deployed it won't have openvpn as part of the configuration), switches, Firewalls, a lot of opengear Out-of-band testing lately, i think these can do openvpn as well but in production they wont so it complicates things afterwards.

 

[L&LD]

Can a (spare) router be used in a double-nat set up to connect all devices instead?

 

[drewski22785]

Can a (spare) router be used in a double-nat set up to connect all devices instead?

I believe this would work, I have a spare netgear wifi repeater I thought about using, just trying to avoid additional hardware at first. The asus connectivity has been flawless and why I got away from these repeaters in the first place. If I bring new hardware in, I def have many options and this might be a scenario of is this going to be too complicated to maintain, too many custom unstable scripts etc... where just bringing in a new router is although a cost, not having to mess with it all the time might be worth that money. I already have 6-8hrs into trying to get this to work, but sometimes I find the challenge fun

 

[L&LD]

A router, not a repeater.

 

[drewski22785]

A router, not a repeater.

Yes, I would have to buy another router though but I am pretty sure I could just daisy chain it off a router in AP Mode setup a different lan etc... etc...

But I think I could take that repeater as well and have it connect to my guest network, plug it in near where there is signal and have it broadcast the same ssid. The stability is the only bad thing about that idea, at least with this particular model.

 

[eibgrad]

From a security perspective it is obviously a trust thou shall do the right thing situation with my company and therefore personal devices aren't supposed to access the network hence why I should try to keep everything separate.

Well nothing says you can't use the firewall to limit access to the VPN by specific devices known to be trustworthy. IOW, you don't *have* to create a guest network for those purposes. That just makes it convenient. If you're on the guest network, then by definition you have access. But you can always manage individual clients based on their local IP and/or MAC address to limit what has access to the VPN. You would have to decide whether that's a management headache. Seems to me the number of devices that would/should have access to the workplace should be well-defined.

Understand, I *prefer* L&LD's approach in many ways. But if you want a distributed solution, where the VPN is accessible from any router/AP, and want to keep all your devices on the same local IP network (which itself has advantages), then it seems possible provided you just use firewall rules.

 

[drewski22785]

A router, not a repeater.

I just saw your signature, how is your AImesh mode running, any stability issues? Can you add guest networks with aimesh and have them be on separate subnets? Thanks!

 

[L&LD]

Only GN 1 can be on a separate subnet and be propagated to the AiMesh nodes. No issues or stability concerns either.

 

[drewski22785]

Well nothing says you can't use the firewall to limit access to the VPN by specific devices known to be trustworthy. IOW, you don't *have* to create a guest network for those purposes. That just makes it convenient. If you're on the guest network, then by definition you have access. But you can always manage individual clients based on their local IP and/or MAC address to limit what has access to the VPN. You would have to decide whether that's a management headache. Seems to me the number of devices that would/should have access to the workplace should be well-defined.

Understand, I *prefer* L&LD's approach in many ways. But if you want a distributed solution, where the VPN is accessible from any router/AP, and want to keep all your devices on the same local IP network (which itself has advantages), then it seems possible provided you just use firewall rules.

The management issue is the devices change daily weekly etc so I would constantly be updating rules/fw to make this work. I could potentially make everything sticky/static assignment for all of my home devices, this is mostly a set QTY of devices rarely changing, in the lower half of the dhcp range. I could then write/apply fw rules/redirect for the rest of the range and have that be dynamic.

The bigger issue with this setup minus the extra maintenance is the set it and forget it scenario where anything new I will essentially have to statically assign the ip or set it in the static dhcp list etc...

If I can't get the overall configuration to work then the simplest answer on hand is the wifi repeater it would appear. Adding another router is an additional cost even if it does technically check all the boxes...

 

[drewski22785]

Only GN 1 can be on a separate subnet and be propagated to the AiMesh nodes. No issues or stability concerns either.

This might be an option, I saw the GN1 limitation referenced before, I am assuming the DHCP even propagates through the guest network making it soft handoff which I am not too concerned about for this network.

Also to clarify on the GN1 limitation, does that mean the 2.4GHz only or both the GN1 for 2.4 and 5? Thanks!

 

[drewski22785]

Okay so I have it working at the moment, not sure if it is for now or for good or what I will run a ping test all night to see how it goes.

New Setup:

Basement Router in Router mode, with OpenVPN configured, YazFi guest wifi (modified for vpn director control) vpn director forward all guest subnets to vpns in order of precedence. Static routes added in the basement router to point to the guest wifi of the main floor.

Main Floor router in router mode. Basement Lan connected to Main floor WAN. YazFi guest wifi (no mod, IP for guest different than basement), NTP script by YazFi to resync ntp. Static default pointing to the LAN of the Basement router going out the LAN (NOT WAN). DHCP DISABLED on LAN. WAN is static configured with no default gateway, IP same subnet as LAN and Basement. This does create an IP mismatch but they are bridged together so its okay, its at least working not ideal! Eth0 is added to br0.

So far everything is working, assuming this continues to work this isn't horrible, the only custom command line config is the ntp resync and adding eth0 to br0.

Will this nvram config make the br0 config permanent even on reboots?
br0_ifnames=vlan1 eth0
lan_ifnames=vlan1 eth0 eth1 eth2

The one concern so far is the following logs keep repeating itself every 5 seconds:

Oct 5 16:20:25 wan: finish adding multi routes

These two I believe will be fixed with a simple reboot hopefully!
Oct 5 16:20:25 rc_service: httpd 18045:notify_rc start_YazFiconnectedclients
Oct 5 16:20:25 custom_script: Running /jffs/scripts/service-event (args: start YazFiconnectedclients)