OpenVPN TAP bridge on ETH1 and WLAN

Hi!

Bought a GL-MT3000 as a travel companion to easily connect my IOT devices etc. when I am not at home.
I do need a TAP bridge, as I need the layer 2 traffic. My router at home is running Pfsense.

My ultimate goal is to have the GL router connect to the Pfsense so that the Pfsense can seamlessly hand out IP addresses to my connected devices through the GL via the Pfsense DHCP. I would like to bind the ETH1 (LAN) interface and a new WiFi with an SSID called IOT to the VPN TAP bridge.

I quickly discovered that Luci is my friend here, even though I know next to nothing about OpenWRT.

I already have the TAP S2S VPN (Pfsense as server, GL as client) established between the Pfsense and the GL router. It is up and running, and if I configure an unmanaged tap0 interface and bridge it onto br-lan on the GL, I can get an IP address on my IOT network handed out by the Pfsense and ping between devices without a problem.

But as stated, I would like to create a new network on the GL instead of using the default LAN network and br-lan, and I can't seem to wrap my head around that part.

How would I create a new network and bridge it to the tap0 interface so it works on both ETH1 and one single WLAN? And how would I create that WLAN? I am aware that I won't get any IP addresses assigned before the S2S VPN is up; that's alright.

I have a feeling that it's rather simple when you know how :slight_smile:

The firewall rules might be all over the place, don't really know about those.
I can post my OpenVPN client config, if it could be useful for anyone.

Here are my configs. This is the state that is currently working, with the tap0 interface added on br-lan.

/etc/config/network
root@GL-MT3000:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdef:0a60:a21b::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        option macaddr '94:83:c4:46:90:3e'
        list ports 'eth1'
        list ports 'tap0'

config device
        option name 'eth1'
        option macaddr '94:83:c4:46:90:3e'

config interface 'lan'
        option device 'br-lan'
        option ipaddr '192.168.8.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option isolate '0'
        option proto 'static'

config device
        option name 'eth0'
        option macaddr '94:83:c4:46:90:3d'

config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'
        option force_link '0'
        option ipv6 '0'
        option metric '10'

config interface 'wan6'
        option proto 'dhcpv6'
        option disabled '1'
        option device '@wan'

config interface 'tethering6'
        option proto 'dhcpv6'
        option disabled '1'
        option device '@tethering'

config interface 'wwan6'
        option proto 'dhcpv6'
        option disabled '1'
        option device '@wwan'

config interface 'guest'
        option force_link '1'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.9.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option multicast_querier '1'
        option igmp_snooping '0'
        option isolate '0'
        option bridge_empty '1'
        option disabled '1'

config interface 'wwan'
        option proto 'dhcp'

config interface 'modem_1_1_2_6'
        option proto 'dhcpv6'
        option disabled '1'
        option device '@modem_1_1_2'

config rule 'policy_direct_rt'
        option lookup 'main'
        option suppress_prefixlength '0'
        option priority '1100'

config rule 'policy_default_rt_vpn'
        option mark '0x8000/0xc000'
        option lookup '8000'
        option priority '1101'
        option invert '1'

config rule6 'policy_direct_rt6'
        option lookup 'main'
        option suppress_prefixlength '0'
        option priority '1100'

config rule6 'policy_default_rt_vpn6'
        option mark '0x8000/0xc000'
        option lookup '8000'
        option priority '1101'
        option invert '1'

config rule 'policy_default_rt_vpn_ts'
        option lookup 'main'
        option priority '1099'
        option mark '0x80000/0xc0000'
        option invert '0'

config interface 'IOT_S2S_VPN'
        option device 'tap0'
        option type 'bridge'
        option proto 'none'

/etc/config/firewall
root@GL-MT3000:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option forward 'REJECT'
        option mtu_fix '1'
        option input 'DROP'
        option masq '1'
        list network 'wan'
        list network 'wan6'
        list network 'wwan'

config forwarding
        option src 'lan'
        option dest 'wan'
        option enabled '1'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

config include
        option path '/etc/firewall.user'

config include 'nat6'
        option path '/etc/firewall.nat6'
        option reload '1'

config rule 'block_dns'
        option name 'block_dns'
        option src '*'
        option device 'br-+'
        option dest_port '53'
        option target 'REJECT'
        option enabled '0'

config rule 'process_mark'
        option name 'process_mark'
        option dest '*'
        option proto 'all'
        option extra '-m owner --gid-owner 65533'
        option target 'MARK'
        option set_xmark '0x8000/0xc000'

config rule 'wan_in_conn_mark'
        option name 'wan_in_conn_mark'
        option src 'wan'
        option dest '*'
        option set_xmark '0x8000/0xc000'
        option target 'MARK'
        option extra '-j CONNMARK --set-xmark 0x8000/0xc000'
        option enabled '0'

config rule 'lan_in_conn_mark_restore'
        option name 'lan_in_conn_mark_restore'
        option src 'lan'
        option dest '*'
        option set_xmark '0x8000/0xc000'
        option target 'MARK'
        option extra '-m connmark --mark 0x8000/0xc000 -j CONNMARK --restore-mark'
        option enabled '0'

config rule 'out_conn_mark_restore'
        option name 'out_conn_mark_restore'
        option dest '*'
        option set_xmark '0x8000/0xc000'
        option target 'MARK'
        option extra '-m connmark --mark 0x8000/0xc000 -j CONNMARK --restore-mark'
        option enabled '0'

config include 'swap_wan_in_conn_mark'
        option type 'script'
        option reload '1'
        option path '/etc/firewall.swap_wan_in_conn_mark.sh'
        option enabled '0'

config include 'gls2s'
        option type 'script'
        option path '/var/etc/gls2s.include'
        option reload '1'

config include 'glblock'
        option type 'script'
        option path '/usr/bin/gl_block.sh'
        option reload '1'

config zone
        option name 'guest'
        option forward 'REJECT'
        option output 'ACCEPT'
        option input 'REJECT'
        list network 'guest'

config forwarding
        option src 'guest'
        option dest 'wan'
        option enabled '1'

config rule
        option name 'Allow-DHCP'
        option src 'guest'
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '67-68'

config rule
        option name 'Allow-DNS'
        option src 'guest'
        option target 'ACCEPT'
        option proto 'tcp udp'
        option dest_port '53'

config include 'vpn_server_policy'
        option type 'script'
        option path '/etc/firewall.vpn_server_policy.sh'
        option reload '1'
        option enabled '1'

config zone
        option name 'S2S_VPN'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option output 'ACCEPT'
        option masq '1'
        list network 'IOT_S2S_VPN'

config forwarding
        option dest 'wan'
        option src 'S2S_VPN'

config zone
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option output 'ACCEPT'
        list network 'lan'

config forwarding
        option dest 'S2S_VPN'

config forwarding
        option dest 'S2S_VPN'

config forwarding
        option dest 'S2S_VPN'
        option src 'lan'

root@GL-MT3000:~#

Hi,

I am not sure if my understanding is correct. To confirm: do you require a new 'network-bridge' for the TAP0, the Eth1 (LAN1) and the IoT Wi-Fi? And the devices on the Eth1 and IoT Wi-Fi interfaces should obtain their DHCP IP from the Pfsense, right?

Hi Bruce

That's correct.
I don't actually know if I need to bridge TAP0, ETH1 and IOT WiFi, but I believe I have to, in order for ETH1 and IOT WiFi to receive a DHCP IP address and communicate via TAP0 with my Pfsense.

I believe I have to:

  • Create a bridge to bridge TAP0, ETH1, IOT WiFi
  • Create an interface??? or is it all good now that I have TAP0 as an unmanaged interface already
  • Configure IOT WiFi
  • Configure ETH1 and IOT WiFi to be a member of the bridge
  • Probably set up some firewall rule on the GL to allow traffic to/from/between TAP0, ETH1, IOT WiFi ???

Any idea @bruce ?
Am I right in what I have to do, or?

Yes, we're on the same page.

These jobs need to be configured in Luci, as they are advanced customized settings; you will probably need to learn about Luci.

  1. Interface TAP0 is supposed to be created if the Device Mode is TAP-S2S and the link is connected; you can check whether it was created in Luci -> Network -> Interfaces -> Interfaces.
  2. Create the net-bridge: Luci -> Network -> Interfaces -> Devices -> Add.
  3. Choose the interfaces you want in the bridge ports.
  4. If you trust the traffic on these interfaces, you can accept 'Input/Output/Forward'.

Thanks Bruce

I will try that!
How would I create a new SSID for the IOT network?
I guess I have to end up with that SSID having its own interface so that I can add it to the bridge in order to bridge TAP0, ETH1 and IOT WiFi.

There is a guest Wi-Fi in GL GUI -> Wireless, or add the new Wi-Fi interface in Luci -> Network -> Wireless.
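The LuCI steps Bruce lists and the new-SSID question, done as a uci batch on the GL router; this is an added example, not from the thread or from GL.iNet. It assumes the radio is 'radio0', that br-lan is the first unnamed 'config device' section (as in the posted /etc/config/network), a placeholder Wi-Fi key, and that the posted IOT_S2S_VPN interface is removed or re-pointed at br-iot so tap0 is not claimed by two bridges.

```shell
# Added example, not from the thread or GL.iNet: emit a uci batch that builds
# what the OP asked for: a bridge br-iot holding eth1, tap0 and a new "IOT"
# SSID, with no address on the GL side so pfSense's DHCP serves the clients.
# Assumed (not on the page): radio 'radio0', br-lan being the first unnamed
# 'config device' section (true of the posted file), placeholder WPA2 key.

iot_bridge_uci_batch() {
    radio="${1:-radio0}"
    ssid="${2:-IOT}"
    key="${3:-CHANGE-ME-WIFI-KEY}"
    cat <<EOF
# a port may belong to only one bridge, so pull both out of br-lan first
del_list network.@device[0].ports='eth1'
del_list network.@device[0].ports='tap0'
# layer-2 bridge carrying the tunnel plus the local IoT ports
set network.br_iot=device
set network.br_iot.name='br-iot'
set network.br_iot.type='bridge'
add_list network.br_iot.ports='eth1'
add_list network.br_iot.ports='tap0'
# unmanaged: no IP on the router, DHCP comes from pfSense over tap0
set network.iot=interface
set network.iot.device='br-iot'
set network.iot.proto='none'
# new SSID bound to network 'iot'; netifd then adds the wlan to br-iot
add wireless wifi-iface
set wireless.@wifi-iface[-1].device='$radio'
set wireless.@wifi-iface[-1].mode='ap'
set wireless.@wifi-iface[-1].ssid='$ssid'
set wireless.@wifi-iface[-1].encryption='psk2'
set wireless.@wifi-iface[-1].key='$key'
set wireless.@wifi-iface[-1].network='iot'
# own zone, no masq and no forwarding to wan: IoT traffic stays in the tunnel
set firewall.iot=zone
set firewall.iot.name='iot'
set firewall.iot.input='REJECT'
set firewall.iot.output='ACCEPT'
set firewall.iot.forward='ACCEPT'
add_list firewall.iot.network='iot'
EOF
}

# Apply on the router only; comment lines are stripped before uci sees them.
apply_iot_bridge() {
    command -v uci >/dev/null 2>&1 || { echo "run this on the GL router" >&2; return 1; }
    iot_bridge_uci_batch "$@" | grep -v '^#' | uci batch &&
        uci commit network && uci commit wireless && uci commit firewall &&
        /etc/init.d/network restart && /etc/init.d/firewall restart
}
```

Run `iot_bridge_uci_batch` first to review the generated commands, then `apply_iot_bridge radio0 IOT '<your key>'` over SSH; the SSID will only get addresses once the TAP tunnel is up, as the OP already expects.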