EdgeRouter Lite: Multiple VLAN and WAN
In this post I go over setting up the EdgeRouter Lite on a network with multiple VLANs and dual WAN, though not for load balancing: some VLANs go out through one WAN and the rest through the second WAN.
For this setup, the two WAN connections are the ISP and a VPN connection. This setup would still work if it were two ISP connections.
Setting up the VLANs
Because this configuration uses the router-on-a-stick style, we set up a VLAN for the WAN connection.
The commands above create VLAN 90, which I use for the connection to the cable modem.
For the rest of the VLANs we use the commands below; just replace eth0 with the interface you're setting them up on.
The IP for VLAN 10, for example, would be on the subnet 10.0.10.0/27, which gives us the range 10.0.10.1 to 10.0.10.30 to use.
At this point the VLAN configuration is complete. If more VLANs are needed, just repeat the above commands and change the vif number. We also need to create the DHCP service for each VLAN we create.
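The commands the post refers to are not on the page, so the following is an added example, not the author's own configuration. It is a small POSIX shell script that renders EdgeOS configure-mode "set" lines for the trunk port: VLAN 90 taking its address from the cable modem by DHCP, and one sub-interface plus DHCP scope per LAN VLAN. The VLAN 10 values match the post; VLAN 20, the shared-network names (vlan10, vlan20), the pool bounds and the 86400-second lease are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the post): emit EdgeOS "set" commands for a
# router-on-a-stick trunk. Run anywhere; paste the output into "configure"
# on the router, then "commit" and "save".
#
# vlan_config <parent-if> <vlan-id> <router-ip/prefix> <subnet> <pool-start> <pool-stop>
vlan_config() {
    parent="$1"; vid="$2"; router_cidr="$3"; subnet="$4"; start="$5"; stop="$6"
    router_ip="${router_cidr%/*}"   # strip the prefix length
    net="vlan${vid}"                 # shared-network name (assumed naming)

    # 802.1Q sub-interface on the trunk port
    echo "set interfaces ethernet $parent vif $vid description \"VLAN $vid\""
    echo "set interfaces ethernet $parent vif $vid address $router_cidr"

    # DHCP scope for that VLAN; the router's own address is the default gateway
    echo "set service dhcp-server shared-network-name $net authoritative enable"
    echo "set service dhcp-server shared-network-name $net subnet $subnet default-router $router_ip"
    echo "set service dhcp-server shared-network-name $net subnet $subnet dns-server $router_ip"
    echo "set service dhcp-server shared-network-name $net subnet $subnet lease 86400"
    echo "set service dhcp-server shared-network-name $net subnet $subnet start $start stop $stop"
}

# The WAN VLAN only needs an address from the cable modem; no DHCP server.
wan_vlan_config() {
    parent="$1"; vid="$2"
    echo "set interfaces ethernet $parent vif $vid description \"WAN cable modem\""
    echo "set interfaces ethernet $parent vif $vid address dhcp"
}

# Render the whole trunk: VLAN 90 for WAN, then each LAN VLAN from a list of
# "id router/prefix subnet pool-start pool-stop" lines (constructed sample values).
render_trunk() {
    wan_vlan_config eth0 90
    while read -r vid router subnet start stop; do
        if [ -n "$vid" ]; then
            vlan_config eth0 "$vid" "$router" "$subnet" "$start" "$stop"
        fi
    done <<EOF
10 10.0.10.1/27 10.0.10.0/27 10.0.10.10 10.0.10.30
20 10.0.20.1/27 10.0.20.0/27 10.0.20.10 10.0.20.30
EOF
}

render_trunk
```

Each LAN VLAN yields seven lines (two for the sub-interface, five for the DHCP scope), so adding a VLAN is one more line in the heredoc rather than a hand-edited copy of the block; keeping the DHCP pool from .10 to .30 leaves the low addresses of each /27 free for static assignments.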
Connect to OpenVPN server
For this setup, I’m using a VPN service, but only some VLANs will connect to the Internet through this connection and the others will go through the ISP.
First, create or upload the ovpn configuration file to the /config directory of the EdgeRouter. This directory isn't wiped by firmware upgrades, so you won't have to set it up again.
Once the configuration file exists in that directory, add the interface configuration.
Adding a description is always optional, but helpful in the long run.
After adding the necessary configuration and saving the changes, the router will try to connect to the OpenVPN server and all of the Internet traffic will be routed through there.
Source Based Routing
At this point we have both the ISP and OpenVPN routes to the Internet, but by default only the OpenVPN route is used, meaning that all traffic is encrypted. Some people want this behavior, but there are cases where it isn't necessary.
First, we want to make sure that routing between the VLANs is still possible. If the configuration below isn't added, communication between the VLANs won't take place. Let's create a group with all of the subnets that can communicate with each other.
To make your life easier in the long run, I recommend creating two more groups: one with the subnets that should be routed via the unencrypted ISP connection and one with those that should go through the encrypted VPN connection.
I had an issue with the above routing and it took me a while to resolve, so I want to go over the configuration.
Rule 10 must come first, because it lets the router send packets between the subnets correctly. Without this rule, the VLANs won't be able to communicate. If you want to completely isolate the different networks, just skip that rule. Notice that it modifies the main table, unlike the other two rules, which modify a different table.
The other two rules route VLANs through the VPN and the ISP. Notice the modify table part: this is a table that we also need to create using the commands below.
This table establishes the routes to take, so in each case you need to find the gateway (router or peer) IP.
For the ISP connection, I checked the DHCP client lease by running the command show dhcp client leases and used the IP shown in the router field.
For the case of the VPN, I checked the interface using the command show interfaces detail and using the IP in the peer field.
The last step in this process is to attach the rule to the interfaces, using the command below.
Be sure to add that entry to each interface that should have the routing rule applied; it is best to add it to all of the interfaces.
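The OpenVPN interface section and this source-based routing section describe one procedure, and the post's own commands are not on the page, so here is an added example for both, not the author's configuration. It renders EdgeOS "set" lines for the OpenVPN client interface, the three network groups, a modify rule-set with rule 10 keeping inter-VLAN traffic in the main table and rules 20 and 30 steering sources to tables 1 and 2, the two alternate tables with their default routes, and the attachment of the rule-set to each LAN VLAN. The interface name vtun0, the ovpn path, the group and rule-set names, the table numbers, the subnets and the two next-hop addresses (10.8.0.1 for the VPN peer, 192.0.2.1 for the ISP gateway) are all constructed assumptions; on a real router the next-hops come from show dhcp client leases and show interfaces detail as the post describes.

```shell
#!/bin/sh
# Added example (not from the post): emit EdgeOS "set" commands for the VPN
# interface and source-based routing. Runs anywhere; paste the output into
# "configure" on the router, then "commit" and "save".
VPN_IF="vtun0"                               # assumed OpenVPN interface name
OVPN_FILE="/config/openvpn/provider.ovpn"    # under /config so it survives upgrades
RULESET="PBR"                                # assumed modify rule-set name
TABLE_VPN=1
TABLE_ISP=2

# Constructed subnets: all may talk to each other; which WAN each one uses.
LAN_NETS="10.0.10.0/27 10.0.20.0/27 10.0.30.0/27"
VIA_VPN="10.0.20.0/27 10.0.30.0/27"
VIA_ISP="10.0.10.0/27"

vpn_interface() {
    echo "set interfaces openvpn $VPN_IF config-file $OVPN_FILE"
    echo "set interfaces openvpn $VPN_IF description \"VPN provider\""
}

# One network-group per routing decision, so a rule matches the group
# instead of repeating every subnet.  $1 = group name, $2.. = subnets
network_group() {
    name="$1"; shift
    for net in "$@"; do
        echo "set firewall group network-group $name network $net"
    done
}

pbr_groups() {
    network_group LAN_NETS $LAN_NETS
    network_group VIA_VPN  $VIA_VPN
    network_group VIA_ISP  $VIA_ISP
}

# Rule 10 must have the lowest number: traffic destined for another VLAN
# stays in the main table, otherwise rules 20/30 would push inter-VLAN
# packets out a WAN and the VLANs could not reach each other.
pbr_rules() {
    r="set firewall modify $RULESET rule"
    echo "$r 10 description \"keep inter-VLAN traffic in the main table\""
    echo "$r 10 action modify"
    echo "$r 10 destination group network-group LAN_NETS"
    echo "$r 10 modify table main"
    echo "$r 20 description \"these VLANs exit via the VPN\""
    echo "$r 20 action modify"
    echo "$r 20 source group network-group VIA_VPN"
    echo "$r 20 modify table $TABLE_VPN"
    echo "$r 30 description \"these VLANs exit via the ISP\""
    echo "$r 30 action modify"
    echo "$r 30 source group network-group VIA_ISP"
    echo "$r 30 modify table $TABLE_ISP"
}

# Each alternate table holds a single default route.
# $1 = VPN peer IP (show interfaces detail), $2 = ISP gateway (show dhcp client leases)
pbr_tables() {
    echo "set protocols static table $TABLE_VPN route 0.0.0.0/0 next-hop $1"
    echo "set protocols static table $TABLE_ISP route 0.0.0.0/0 next-hop $2"
}

# Attach the rule-set inbound on every LAN VLAN sub-interface.
# $1 = parent interface, $2.. = VLAN ids
pbr_attach() {
    parent="$1"; shift
    for vid in "$@"; do
        echo "set interfaces ethernet $parent vif $vid firewall in modify $RULESET"
    done
}

render_pbr() {       # $1 = VPN peer IP, $2 = ISP gateway IP
    vpn_interface
    pbr_groups
    pbr_rules
    pbr_tables "$1" "$2"
    pbr_attach eth0 10 20 30
}

# Constructed next-hops; take the real ones from the router.
render_pbr 10.8.0.1 192.0.2.1
```

The modify rule-set is evaluated in rule-number order, which is why the inter-VLAN rule is numbered 10 and the two WAN rules 20 and 30; a packet from a VIA_VPN subnet to another LAN subnet matches rule 10 first and never reaches rule 20. Because the VPN peer address can change when the tunnel reconnects, EdgeOS's static-route syntax also allows keying the table 1 default route on the interface instead of the peer IP (set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface vtun0); that variant is an assumption here, not something the post uses.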
That is all that is needed. In future posts I will talk about the Zone Policy for the Firewall.