[MT3000] Creating an additional VLAN (besides Private & Guest)

happyzombie_slayer · September 1, 2024, 7:23pm

I've been trying to use the MT3000 as a router that has 3 different subnets: Private, Guest, and IOT.

I have set up my networks, and they all work well with one exception. In the private network, I run a VPN that filters traffic by VLAN. Through the admin panel, looking at this option only shows me Private and Guest as options.

I'm not sure even if it is possible to do this, but what would I have to change to let the VPN configuration recognize a new VLAN? I've tried editing /etc/config/wireless so my Guest networks have the option guest '1' setting and IOT has option iot '1'. This way, IOT wireless networks are on the 'iot' interface I created using Luci.

With this setup, and the VPN enabled, the Guest networks are able to access the internet (but not the VPN). But IOT cannot access the internet at all. Resetting the option to option guest '1' fixes this, but I would much rather have a third VLAN option to choose from.

I appreciate any insight anyone can give.

Thanks.

bruce · September 2, 2024, 7:43am

Do the IoT devices require to access the Internet via the VPN?

Probably it does not require to add a VLAN, but just add a network group for the IoT devices WiFi connection, and the IoT radio in this added group.

Note: If you manually add the new radio, please add this parameter in the new radio interface:

option ifname 'rax2'

‘raxn’, n≤3

happyzombie_slayer · September 3, 2024, 10:12pm

Yes, I want to be able to allow IoT devices to access the internet through the VPN, but I also need the possibility of disabling this, as well.

If I remove the network from the 'guest' interface group, and change it to 'iot', looking at the VPN policy only gives me the two options of 'Private' and 'Guest'.

Leaving the interface as part of the 'guest' group and instead forcing DHCP for all devices connected to IoT works as I want, but whether or not IoT can use the VPN is determined by the Guest VLAN policy.

Edit: Actually, forcing DHCP makes no impact with the VPN running. The 'iot' interface can't resolve anything.

I'm just hoping there is another way for the frontend panel to show a third VLAN. Hopefully what I've said makes some sense.

For further clarification, here's a screenshot.

I would like to be able to have a third VLAN set up so IoT can be toggled separately from Guest.

xize11 · September 4, 2024, 4:56am

This is possible but you need to hack this in by yourself

The logic is here:

/usr/bin/route_policy this is how i used it for a while.

In the past i was able to use the uci command and made my own custom rule, you can use uci show vpnpolicy but it is kind of advanced, i don't think i can share much since it is copyrighted.

But that is for now the closest what you can do

happyzombie_slayer · September 4, 2024, 1:39pm

Thanks for the help. I'll look into it.

happyzombie_slayer · September 5, 2024, 10:41pm

I've added 'iot' network as an option, anywhere in the script both 'guest' and 'lan' are mentioned, and just mirrored what existed for the two networks.

For reference, I edited set_vlan_firewall() and reload_domain_firewall.

Do you know if there are any other factors that contribute to the web panel's listing of VLANs?

xize11 · September 6, 2024, 5:36am

Unfortunately some scripts still are not.compatible with the gl ui, like the clients tab and the speed options.

In the future gl-inet is planning to support this but it can take some time.

happyzombie_slayer · September 6, 2024, 6:11pm

That is unfortunate.

Guess I get to look forward to the update, one day...

I appreciate all of your help, so thank you.

happyzombie_slayer · September 6, 2024, 7:57pm

I'm posting this update for anyone who might be attempting to do this like I am.

I've edited route_policy in /usr/bin/. Specifically adding an additional network (in my case, called "iot") to be configured within the set_vlan_firewall() and reload_domain_firewall() methods.

set_vlan_firewall() is the function that determines whether a VLAN can access the WAN if it is not given access to the VPN. Without this edited for additional VLAN(s); while the VPN is running, any custom VLANs will not be able to resolve any DNS queries.

I am not (yet) certain what impact reload_domain_firewall() has, though I presume it has one.

Edit: I did add and change a handful of values, using uci. Anything I have changed/added is referenced within the methods below. (To list some: network.iot, vpnpolicy.vlan.iot)

I think there was one problem with the ROUTE_POLICY chain. I did end up removing it, and re-adding it for some reason.

As you can see, I didn't change too much in reload_domain_firewall():

reload_domain_firewall()
{
        local default_policy=$(uci get vpnpolicy.domain.default_policy)
        local domain_list=$(uci get vpnpolicy.domain.domain)

        iptables -w -t mangle -F ROUTE_POLICY

        lan_ip=$(uci -q get network.lan.ipaddr)
        guest_ip=$(uci -q get network.guest.ipaddr)
        iot_ip$(uci -q get network.iot.ipaddr)
        [ -n "$lan_ip" ] && iptables -w -t mangle -A ROUTE_POLICY -i br-lan -d $lan_ip -j RETURN
        [ -n "$guest_ip" ] && iptables -w -t mangle -A ROUTE_POLICY -i br-guest -d $guest_ip -j RETURN
        [ -n "$iot_ip" ] && iptables -w -t mangle -A ROUTE_POLICY -i br-iot -d $iot_ip -j RETURN

        # l^g z =^= p^m u gVPN
        [ "${default_policy}" = "1" ] && [ -n "${domain_list}" ] && {
                iptables -w -t mangle -A ROUTE_POLICY -i br-+ -m set --match-set bypass_vpn_domain dst -j MARK --set-mark 0x8000/0xc000
        }

        # l^g z =^= p^m `^z gVPN
        [ "${default_policy}" = "0" ]  && {
                iptables -w -t mangle -A ROUTE_POLICY -i br-+ -m set ! --match-set via_vpn_domain dst -j MARK --set-mark 0x8000/0xc000
        }
}

This is what I have for set_vlan_firewall():

set_vlan_firewall()
{
        rm /status.txt
        echo -e "$(date +'%d/%m/%Y %H:%M:%S:%3N')\tVPN VLAN Firewall Policy Executing..." > /status.txt

        local private=$(uci -q get vpnpolicy.vlan.private)
        local guest=$(uci -q get vpnpolicy.vlan.guest)
        local iot=$(uci -q get vpnpolicy.vlan.iot)

        echo -e "VLAN Policy Values:" >> /status.txt
        echo -e "\tvpnpolicy.vlan.private = '${private}'" >> /status.txt
        echo -e "\tvpnpolicy.vlan.guest   = '${guest}'" >> /status.txt
        echo -e "\tvpnpolicy.vlan.iot     = '${iot}'" >> /status.txt

        iptables -w -t mangle -F ROUTE_POLICY

        if [ "${private}" == "0" ];then
                        iptables -w -t mangle -I ROUTE_POLICY -i br-lan  -j MARK --set-mark 0x8000/0xc000
                        iptables -w -t mangle -A ROUTE_POLICY -i br-lan -j CONNMARK --save-mark --nfmask 0xc000 --ctmask 0xc000
                        echo -e "$(date +'%d/%m/%Y %H:%M:%S:%3N'):\tAdded exception for LAN => WAN bypassing the VPN domain."
        fi
        if [ "${guest}" == "0" ];then
                        iptables -w -t mangle -I ROUTE_POLICY -i br-guest  -j MARK --set-mark 0x8000/0xc000
                        iptables -w -t mangle -A ROUTE_POLICY -i br-guest -j CONNMARK --save-mark --nfmask 0xc000 --ctmask 0xc000
                        echo -e "$(date +'%d/%m/%Y %H:%M:%S:%3N'):\tAdded exception for Guest => WAN bypassing the VPN domain."
        fi
        if [ "${iot}" == "0" ];then
                        iptables -w -t mangle -I ROUTE_POLICY -i br-iot  -j MARK --set-mark 0x8000/0xc000
                        iptables -w -t mangle -A ROUTE_POLICY -i br-iot -j CONNMARK --save-mark --nfmask 0xc000 --ctmask 0xc000
                        echo -e "$(date +'%d/%m/%Y %H:%M:%S:%3N'):\tAdded exception for IOT => WAN bypassing the VPN domain."
        fi
        echo conntrack  >/tmp/dnsmasq.d/conntrack

        echo -e "$(date +'%d/%m/%Y %H:%M:%S:%3N'):\tFinished Executing." >> /status.txt
}

The echo commands I decided to leave there, just because it's handy to tell what exactly was happening during testing. set_vlan_firewall() runs every time the VPN is toggled from OFF to ON. To view the results just run cat /status.txt.

Note: I am using an OpenVPN client. I'm not sure if, with something like this, it makes a difference or not.

For network DNS port forwarding, this can be seen in Luci under the Firewall => Port Forwards tab.

Note: It is worth noting that, with my current setup, the port-forward "dns for vpn iot" does not automatically disable itself when the VPN is toggled to OFF. I'm not sure what handles this, or if I was supposed to programmatically create the port-forward instead of manually, like I did.

If anyone has it, I would appreciate any input on how I can set my IOT port-forward to be automatically disabled when the VPN is turned off. For now, though, I'll take the win.