Question

Hello,

I use a rut955 to transmit data through a VPN. 

I have to add on the same modem as the cameras, they must be connected to the internet without a VPN.( how we use the internet mobile sim)

I was thinking of using a vlan to split the internet traffic (1. data with vpn , 2. Cam without VPN ) 

Internet  mobile ------split ---- > 1. Data wiht VPN

                                        ---->   2. CAM without VPN

is a good solution? how do you do it? 

Alternatively how can I do ?

Thanks  

Gerardo

Answer 1

Hi,

This is possible.

I assume the VPN is already configured and you want to use port-based VLANs.

Create a port-based VLAN for cameras (for example, 192.168.2.0 on ports 2 and 3). You can find information on how to create VLANs here.

Please, check if the VLANs are configured correctly and are working before proceeding with further configuration. This will save time in case of any issues.

Then, follow the guide here (you can ignore the Wi-Fi part if you do not want to split wifi traffic). The configuration of your policies should look something like this (execute 'ifconfig' command from CLI/SSH to find the name of your VPN interface):

#Download vpn-policy-routing package.

• opkg update
• opkg install vpn-policy-routing

#Enable VPN-policy routing and delete any existing rules.

• uci set vpn-policy-routing.config.enabled="1"
• while uci -q delete [email protected][0]; do :; done

#Add a policy to be able to reach your RUT955 from LAN.

• uci add vpn-policy-routing policy
• uci set vpn-poli[email protected][-1].dest_addr="192.168.1.0/24 192.168.2.0/24"
• uci set [email protected][-1].interface="ignore"

#Add a policy to route 192.168.2.0/24 network via mobile interface.

• uci add vpn-policy-routing policy
• uci set [email protected][-1].src_addr="192.168.2.0/24"
• uci set [email protected][-1].interface="mob1s1a1"

#Add a policy to route LAN network via your 'VPN' interface (interface name from ifconfig)

• uci add vpn-policy-routing policy
• uci set [email protected][-1].src_addr="192.168.1.0/24"
• uci set [email protected][-1].interface="VPN"

#Commit the changes and restart the service.

• uci commit
• /etc/init.d/vpn-policy-routing restart

Now, traffic from VLAN (network of 192.168.2.0/24) will be routed via mobile interface and your normal LAN will route via VPN.

Also, if you get an error when restarting the service that says 'mob1s1a1' interface is not found, then you will need to edit a config file. To do so,

execute the following command: 

• vi /etc/config/vpn-policy-routing 

This will open a file in a text editor. Press 'i' to start editing the file. Move with the arrows through the text. Add the following line under "config vpn-policy-routing 'config' ":

• list supported_interface 'mob1s1a1' 

Save the file by pressing 'esc', then typing ':wq' and pressing enter. Then you should be able to set the interface to mobile. 

In case VPN interface is not found, then, connect to the WebUI of your router and navigate to Network -> Interfaces -> Add new interface, for example, 'ovpn'. Edit this interface. Do not set anything, only in physical settings -> add custom interface (VPN interface name from 'ifconfig') and save the settings. 

Replace the name of the interface in the VPN policy routing with the new interface. For this, do "uci show vpn-policy-routing" to see which policy number is used for your current VPN. If it is 3, then change the policy 3 (number in square brackets[]): 

• uci set [email protected][3].interface="ovpn" 
• uci commit 
• /etc/init.d/vpn-policy-routing restart

Kind Regards,

Andzej

Comments

Thank you for such a clear explanation, this has helped me so much. Thank you!

I have a follow on question... When rebooted, my TRB500 doesn't seem to follow the policies I set until I issue a '/etc/init.d/vpn-policy-routing restart'

Any ideas how to force the policies to be followed at boot?

---

Hello,

Glad it was helpful!

You can try adding '/etc/init.d/vpn-policy-routing restart' to custom scripts in System -> Custom scripts before 'exit 0'. This way, the command will be executed after each reboot. I would suggest adding 'sleep 60' before the command to allow some time for other services to initialize and thus, restart the service afterwards. So:

sleep 60

/etc/init.d/vpn-policy-routing restart

exit 0

Kind Regards,

Andzej

---

Thank you so so much!

Worked like a dream, and I'm learning all the time.