GL-XE3000 VPN Policy exclude MACs from VPN only on Wifi?

Hello

I am using a Wireguard VPN client setup in my GL-XE3000.
All Wifi connected clients go through this VPN, this is fine.
I changed to "VPN Policy Based on the Client Device", added two MAC addresses, which "Do Not Use VPN", this works fine, too.
I added a network on eth1, those clients also use the VPN, which is fine.

But on this eth1 LAN I have one client I would like to exclude from using VPN.
I added its MAC address to the list, but it still uses the VPN.
(At this point I wondered why ethernet connected clients aren't recognized as clients in the Admin Panel.)

Does the VPN Policy Based on Client Device only work for Wifi connected clients?
I tried to change the "Services from GL.iNet Use VPN", but it makes no difference.

Thanks in advance
Frank

Hi,

I would like to confirm whether Eth1 (LAN) connects to a router rather than a terminal client device.
If yes, it will probably do address conversion, including MAC; please check the MAC in 'CLIENTS' of the GL router.

Hi Bruce
On my eth1 is a server with proxmox running.
I tried to exclude the physical MAC of this server (which would be OK for all containers)
and the virtual MAC of a container.
And when looking for "clients" in the GL.iNet Admin GUI, I only see my wifi connected devices.
Frank

SSH into the router and execute the following to check whether your proxmox MAC exists:

arp -a

It is supposed to be displayed in CLIENTS if this device is connected, or has been connected before, to the router. Please check whether proxmox has enabled some features like Private MAC or Random MAC.

Hi Bruce,

thank you for helping out.

here's my arp -a from the router:

root@puliAX:~# arp -a

myiPhone.lan (10.xxx.110.213) at 80:54:e3:a3:fa:09 [ether]  on br-lan
myMacBook.lan (10.xxx.110.218) at b0:be:83:06:1e:8d [ether]  on br-lan

myProxmox (10.xxx.112.12) at e0:51:d8:14:15:cc [ether]  on eth1

some Containers on proxmox:
? (10.xxx.112.36)  at bc:24:11:19:f1:bd [ether]  on eth1
? (10.xxx.112.211) at bc:24:11:20:72:29 [ether]  on eth1
? (10.xxx.112.150) at bc:24:11:0a:e3:5c [ether]  on eth1
? (10.xxx.112.78)  at bc:24:11:5f:91:11 [ether]  on eth1
? (10.xxx.112.212) at bc:24:11:92:66:57 [ether]  on eth1
? (10.xxx.112.24)  at bc:24:11:18:98:11 [ether]  on eth1

The bc:24:11 MAC addresses are from proxmox; they are virtual.
The e0:51:d8 MAC is the physical MAC on the network card of the proxmox server.

I tried both, adding one bc:24:11 from one container I'd like to exclude from VPN
and the physical one of the server.

Here's the AdminGUI about "Clients"

Did I mention that I removed eth1 from the bridge br-lan, in order to build a DMZ for my proxmox containers?

thanks in advance
Frank

Afaik the Clients tab only shows clients connected to br-lan since it's hardcoded.

That's not a problem for me.
But does the VPN policy do the same thing?
Could you give me some advice to re-route some (eth1) MACs to the WAN interface instead of the WireGuard interface via the LuCI GUI?
Thanks

These inside MACs from the containers in proxmox have not been transferred to, or are unknown to, the GL router, so it probably cannot manage the containers (inside MACs) unless the container is changed to host mode.