
AC68U with three VLANs

Discussion in 'Asuswrt-Merlin' started by RHF, Sep 16, 2019.

  1. RHF

    RHF Occasional Visitor

    Joined:
    Jan 9, 2019
    Messages:
    12
    Hello everyone,

    I'm looking to replace an older Linksys E1200v2 router with Freshtomato installed on it with a better router that provides higher throughput on OpenVPN client connections and better WiFi reach. Therefore, I bought an RT-AC68U (ver. E1) and installed the latest version of Merlin on it (384.13).

    One important bit of information. My ISP (cable) doesn't offer the option of cable modem (i.e. configuring the public IP address on the AC68U). Therefore, the public IP address needs to be on the cable router they provide.

    As Merlin is based on Tomato, I'm assuming everything I have configured on my old router will be doable on the new one. However, I'm finding that most of what I need can't be configured through the GUI (at least I can't figure out how).

    Therefore, I'm hoping you might help me with a few questions:

    1. Am I going about this the right way or is there an easier way to do it? (i.e. which parts of the configuration could I do through the web interface?)
    2. Should I assign router IP addresses to the bridge (i.e. br1) or the VLAN (i.e. vlan1)?
    3. On my Tomato-based router, I'm using policy based routing with iproute2. Is that the recommended approach on Merlin? (I seem to recall seeing somewhere that this could be implemented with iptables instead)
    4. If the answer to question 3 is yes, what's the right way to add some lines to /etc/iproute2/rt_tables?
    5. Any links / HOWTO's to configure DHCP relay?
    6. How can I configure DHCP servers on br1 and br2?
    I'm attaching a diagram of what the network should look like and the commands I've used so far (I'll worry about making the settings persistent after I've managed to get this to work as it should).

    Home_Network_Diagram.png

    Also attached is a helpful diagram of the default bridges and VLANs I found here (originally for DD-WRT, but still helpful).
    RT-AC68-block-before.png

    Thanks in advance!

    Configuration:

    ## Configure bridges and VLANs

    brctl delif br0 vlan1
    brctl addif br0 vlan2
    ## Will changing the configuration of br0 mess up the default firewall configuration?
    robocfg vlan 3 ports "3 4 5t"
    robocfg vlan 1 ports "1 2 5t"
    vconfig add eth0 3
    ifconfig vlan3 up
    brctl addbr br1
    brctl addbr br2
    brctl addif br1 vlan1
    brctl addif br2 vlan3
    ifconfig br1 up
    ifconfig br2 up

    ## br0 - WAN, Wireless 2.4GHz, Wireless 5GHz
    ## br1 - LAN 1 and 2 (tun11)
    ## br2 - LAN 3 and 4 (tun12)

    ## Create IP addresses <-- can this be done through the web interface??
    ip addr add 192.168.10.5/24 brd 192.168.10.255 dev br0
    ip addr add 192.168.20.5/24 brd 192.168.20.255 dev br1
    ip addr add 192.168.30.5/24 brd 192.168.30.255 dev br2
    ip addr del 192.168.1.1/24 brd 192.168.1.255 dev br0


    ## Policy based routing (this is how it's configured on my Tomato router, but it doesn't work on the AC68U)
    echo 500 BR1 >> /etc/iproute2/rt_tables
    echo 600 BR2 >> /etc/iproute2/rt_tables

    ## Error message: "can't create /etc/iproute2/rt_tables: Read-only file system"

    ip rule add iif br1 table BR1
    ip rule add iif br2 table BR2
    ip route add default dev tun11 table BR1
    ip route add 192.168.10.0/24 dev vlan2 table BR1
    ip route add default dev tun12 table BR2
    ip route add 192.168.10.0/24 dev vlan2 table BR2


    ## Firewall
    Haven't gotten around to this yet
     
  2. Makaveli

    Makaveli Senior Member

    Joined:
    Nov 4, 2016
    Messages:
    455
    Location:
    Canada
    "higher throughput on OpenVPN client connections"

    If that was the goal you should have picked up an AC86U which has encryption logic built in, and it's only a few bucks more than the 68U these days.

    The 68U doesn't have anything to accelerate OpenVPN.
     
  3. RHF

    RHF Occasional Visitor

    Joined:
    Jan 9, 2019
    Messages:
    12
    Too late now... I bought it a couple of months ago. It will definitely be faster than my E1200. Back then I had looked into the 86U and there was some limitation that made me decide against it (can't remember anymore). Possibly VLAN support???
     
    Makaveli likes this.
  4. Val D.

    Val D. Senior Member

    Joined:
    Jun 16, 2019
    Messages:
    447
    Location:
    Great White North
    Why so complicated?
    Is this what you want to achieve?

    Laptop 1 -> WAN
    Laptop 2 -> VPN Client 1
    Laptop 3 -> VPN Client 2

    RT-AC86U would give you 200Mbps+ OpenVPN performance, RT-AC68U only about 30Mbps.
     
    Last edited: Sep 16, 2019
  5. Martineau

    Martineau Part of the Furniture

    Joined:
    Jul 8, 2012
    Messages:
    2,320
    Location:
    UK
    To address the error
    Code:
    ## Error message: "can't create /etc/iproute2/rt_tables: Read-only file system"
    I use the following in init-start,
    Code:
    # If custom RPDB name table exists then override RMerlin's firmware defaults.
    
    # Must be done AFTER 180 sleep as RMerlin blocks all restricted VPN clients during BOOT by 'ovpncX' names :-(
    # Tables 111-115 reserved by RMerlin RPDB Selective Policy routing
    # Tables 100/200 reserved by ASUS Dual WAN aka Primary and Secondary WAN
    #
    # Mar 2016 v380.58 RMerlin creates OpenVPN defaults
    # 111 ovpnc1
    # 112 ovpnc2
    # 113 ovpnc3
    # 114 ovpnc4
    # 115 ovpnc5
    if [ -f /jffs/configs/rt_tables ]; then
       # Use custom table
    
       #    100 wan0
       #    111 NewYork
       #    112 LA
       #    113 VPNbook
       #    114 Glenside
       #    115 UK
       #    200 wan1
    
       Say "Custom RPDB name table /jffs/configs/rt_tables replaces /etc/iproute2/rt_tables"
       mount -o bind /jffs/configs/rt_tables /etc/iproute2/rt_tables   # Override 'ovpncX' with 'TalkTalk', NewYork, LA, etc.
    fi
    and manually start the appropriate VPN during the boot rather than use the VPN Client 'Start with WAN' GUI option.

    NOTE: I create the WiFi VPN bridge(s) then create/map the appropriate Switch VLANs to the appropriate VPN bridge.

    See VPN WiFi bridge, and map the Switch VLAN to the WiFi VPN bridge
     
    Last edited: Sep 16, 2019
    RHF likes this.
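One way to get named tables past the "Read-only file system" error from the first post, using the bind-mount approach Martineau describes, as an added example that is neither Martineau's nor RHF's own code: it builds the file on /jffs, refuses ids that collide with the reserved tables listed above, and mounts it over the original. The /jffs/configs/rt_tables path is taken from the post; the install step assumes it runs as root from init-start.

```shell
#!/bin/sh
# Added example, not Martineau's init-start: build a custom rt_tables on the
# writable /jffs partition and bind-mount it over the read-only
# /etc/iproute2/rt_tables, so "ip rule add iif br1 table BR1" resolves by name.
# Reserved numbers come from Martineau's post (100/200 Dual WAN, 111-115 the
# firmware's OpenVPN clients) plus the kernel's own 0 and 253-255.

# Entries that must stay exactly as the firmware and kernel expect them.
BASE_TABLES='255 local
254 main
253 default
0 unspec
100 wan0
200 wan1
111 ovpnc1
112 ovpnc2
113 ovpnc3
114 ovpnc4
115 ovpnc5'

# Succeed if $1 is a decimal id that does not collide with a base entry.
id_free() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    while read -r id _; do
        [ "$id" -eq "$1" ] && return 1
    done <<EOF
$BASE_TABLES
EOF
    return 0
}

# Print the merged file: base entries followed by the custom "id name" pairs
# given in $1 (one per line). Validates every pair before printing anything.
build_rt_tables() {
    while read -r id name; do
        [ -z "$id" ] && continue
        [ -n "$name" ] || { echo "rt_tables: id $id has no name" >&2; return 1; }
        id_free "$id" || { echo "rt_tables: id $id ($name) is reserved" >&2; return 1; }
    done <<EOF
$1
EOF
    printf '%s\n' "$BASE_TABLES"
    while read -r id name; do
        if [ -n "$id" ]; then printf '%s %s\n' "$id" "$name"; fi
    done <<EOF
$1
EOF
}

# On the router (root, from /jffs/scripts/init-start): write the file and
# bind-mount it, exactly as Martineau's snippet does. Custom pairs in $1.
install_rt_tables() {
    content=$(build_rt_tables "$1") || return 1
    mkdir -p /jffs/configs
    printf '%s\n' "$content" > /jffs/configs/rt_tables
    mount -o bind /jffs/configs/rt_tables /etc/iproute2/rt_tables
}

# RHF's two tables from the first post; only touches the system when asked.
if [ "${INSTALL_RT_TABLES:-0}" = "1" ]; then
    install_rt_tables '500 BR1
600 BR2'
fi
```

After the mount, `ip route show table BR1` and the firmware's own `ovpnc1` both resolve, because the base entries are kept in the custom file.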
  6. RHF

    RHF Occasional Visitor

    Joined:
    Jan 9, 2019
    Messages:
    12
    Showing three laptops to keep the diagram simple. There are really about 20 devices distributed across the three LANs.

    Thanks for the buyer's remorse ;-)
     
  7. RHF

    RHF Occasional Visitor

    Joined:
    Jan 9, 2019
    Messages:
    12
    Thank you! I'll try it out tonight.
     
  8. Val D.

    Val D. Senior Member

    Joined:
    Jun 16, 2019
    Messages:
    447
    Location:
    Great White North
    I have a similar number of devices on my network and each one has access to Internet through WAN or VPN and sees other devices on the network or it is isolated, some have their own DNS settings. All is done on the main router and using WebGUI settings in Asuswrt-Merlin firmware. This is why my question was what's the goal, because there may be an easier way to do it.
     
    Makaveli likes this.
  9. RHF

    RHF Occasional Visitor

    Joined:
    Jan 9, 2019
    Messages:
    12
    Fair point.

    I guess the requirements are:

    1. WAN interface bridged with the Wireless interfaces (that includes DHCP relay) so the devices that have direct access to the Internet (not through a VPN) don't need to do double NAT (once for the AC68 and again for the cable router)
    2. Specific devices always routed to the Internet via OpenVPN client 1 (including failsafe configuration)
    3. Specific devices always routed to the Internet via OpenVPN client 2 (including failsafe configuration)
    4. Bonus - Mobile devices selectively choosing whether they access the Internet via direct connection, tunnel 1 or tunnel 2 based on the Wireless network they connect to.

    Would that work through the WebUI?
     
  10. Val D.

    Val D. Senior Member

    Joined:
    Jun 16, 2019
    Messages:
    447
    Location:
    Great White North
    Yes, most of it + 1 popular script. I had a very similar configuration on a single router. Let me get home and I’ll tell you how.
     
    Jack Yaz likes this.
  11. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    9,415
    Location:
    UK
    I would imagine this might be a sticking point. As I read it you're wanting to connect the wireless interfaces directly to your cable modem+router's LAN, without any intervening NATing or routing.
     
  12. Val D.

    Val D. Senior Member

    Joined:
    Jun 16, 2019
    Messages:
    447
    Location:
    Great White North
    @Jack Yaz is now enjoying how people are trying to invent the wheel. :)
     
  13. Val D.

    Val D. Senior Member

    Joined:
    Jun 16, 2019
    Messages:
    447
    Location:
    Great White North
    OK, I would do it using only the tools already provided by:
    @RMerlin in his Asuswrt-Merlin firmware
    @Jack Yaz in his excellent YazFi script:
    https://www.snbforums.com/threads/y...-merlin-guest-wifi-inc-ssid-vpn-client.45924/

    ISP router
    - assign Static IP for your 68U
    - place 68U IP address in DMZ
    - disable WiFi
    - forget about it

    68U router
    - configure as your Main Router as usual
    - configure DDNS, external WAN IP retrieve
    - disable WAN remote access for extra security
    - configure VPN Server for remote access (IPSec in my case, easy setup)
    - assign Static IPs for clients always going through VPN (or for all clients, my preference)
    - configure OpenVPN clients, Policy Rules with Kill Switch
    - enable 3 guest networks and use YazFi script to manage them

    The result (covering the requirements + extras)
    - ISP router is used to keep the ISP happy only
    - no double NAT issues expected, 68U opens its ports directly to Internet
    - all wired clients to 68U use WAN, VPN1 or VPN2 as per Policy Rules
    - all wireless clients to SSID1 2.4GHz and SSID2 5GHz go through WAN by default, unless listed in Policy Rules
    - all wireless clients to Guest SSID1 go through WAN, isolated, DNS with parental control, this is the real Guest Network
    - all wireless clients to Guest SSID2 go through VPN1
    - all wireless clients to Guest SSID3 go through VPN2
    - all connected devices may see each other (if not restricted) and use shared services - printer, NAS, etc.
    - if a VPN tunnel goes down, Kill Switch cuts the communication to clients using this VPN
    - router can be remotely accessed through DDNS with secure VPN connection

    Not going into details because OP has the knowledge to set the things properly.
    Information on Policy Rules use and YazFi script installation and configuration is available here on SNB.

    P.S. I don't know what your ISP connection speed is, but since RT-AC68U has a weak VPN performance I would go different route. Keep things simple, provide reliable wired/wireless connection first, then run VPN Client software on the clients. Every client may connect to whatever is needed (with some limitations). Keep in mind even older iPhone 6s will process VPN faster than RT-AC68U. This router is a serious bottleneck for VPN client on the router setup.
     
    Last edited: Sep 17, 2019
    RHF likes this.
  14. RHF

    RHF Occasional Visitor

    Joined:
    Jan 9, 2019
    Messages:
    12
    Thank you for the comprehensive overview. I wasn't familiar with the YazFi script. Now installing it.

    Unfortunately my ISP doesn't support DMZ. It's Unitymedia in Germany. They don't support bridging either...

    I'll try to work on a solution using YazFi over the weekend.
     
  15. Val D.

    Val D. Senior Member

    Joined:
    Jun 16, 2019
    Messages:
    447
    Location:
    Great White North
    They support online payments though, no problem with that. :)
    Any other options for more "supportive" ISP around your place?
     
    Makaveli likes this.
  16. RHF

    RHF Occasional Visitor

    Joined:
    Jan 9, 2019
    Messages:
    12
    One word: Monopoly... This is the only ISP that supports more than 20 Mbps in the area.
     
  17. RHF

    RHF Occasional Visitor

    Joined:
    Jan 9, 2019
    Messages:
    12
    Hi everyone,

    I finally made some time to work on this over the weekend and have a mostly functioning system. It's currently not pretty, but it works. There are still a few wrinkles to iron out and I need to change the "quick and dirty" scripts into something more robust.

    Below is a summary of how I implemented it. Posting in case others are interested and also hoping to get some tips from the group on how to improve it.

    First of all, some changes to the original diagram:
    • LAN1 - 192.168.37.0/24, br0 (vlan1, eth1, eth2) with IP 192.168.37.6, DHCP server on cable router (might change that in the future), internet access through ISP
    • LAN2 - 192.168.88.0/24, br10 (vlan10 --> switch ports 1,2) with IP 192.168.88.1, DHCP server on AC68U, internet access through VPN1
    • LAN3 - 192.168.89.0/24, br20 (vlan20 --> switch ports 3,4) with IP 192.168.89.1, DHCP server on AC68U, internet access through VPN2
    Steps (scripts attached at the end of the post):
    1. Set AC68U in Wireless Router mode - Configure VPN1 and VPN2, both starting with WAN
    2. Change AC68U to Access Point Mode - I hate doing this and would much rather keep the AC68U in router mode. But it was the only way I found to bridge the WAN port and the WiFi interfaces (eth1 and eth2). When trying to do that in Wireless Router mode, I had odd problems that I wasn't able to solve (i.e. wireless connections rejected). I even compared the nvram values between Router and AP mode and couldn't find the cause.
    3. Activate IP_Forwarding through a script (echo 1 > /proc/sys/net/ipv4/ip_forward)
    4. Configure VLANs and Bridges as per summary above
    5. Tweak routing to ensure LAN1 is routed through VPN1 and LAN2 through VPN2
    6. Tweak iptables for NAT and others (work in progress)
    Open questions:
    1. iptables - since I put the router in AP mode, I will need to create the firewall entries manually. Is there any documentation on what the default firewall rules are for? Any documentation on how to implement the VPN kill switch?
    2. alias - Where can I configure aliases that are available with every new session? I can't find a ~/.bashrc or ~/.shrc or ~/.ashrc, but there are a couple of default aliases so it must be possible.
    3. DHCP - When testing the setup I connected the same computer to LAN2 and LAN3. If I switch within a short time period, I'm getting an IP in the same subnet, regardless of which LAN I connect to. However, if I take a long time, or use different computers, that doesn't happen. Seems like the dnsmasq service is keeping some sort of cache and giving an IP from the wrong IP range when it sees the same MAC. Any ideas on how to solve this?
    4. VPNs (config file for client1 attached - client2 is exactly the same except for: "daemon ovpn-client2", "dev tun12", and "remote <SERVER IP> 1912")
      • Both tun11 and tun12 get the same IPs (inet 10.35.0.6 peer 10.35.0.5/32 scope global tun11 - inet 10.35.0.6 peer 10.35.0.5/32 scope global tun12) in spite of the fact that the nvram values for vpn_client1_local/remote and vpn_client2_local/remote are different. Any ideas on how to avoid this?
      • There's a problem with the routes created automatically upon OpenVPN client connection ("ip route show table ovpnc1" and "ip route show table ovpnc2" both give me "default via 10.35.0.5 dev tun11"). I need to manually change the route for ovpnc2 to tun12.
      • Based on the attached .ovpn config files, do you have any recommendations to optimize the VPN client configuration for better throughput? (i.e. cipher or compression)
    BTW, I came across nvram-save.sh (r26.2), but read it hasn't been updated for newer versions of Asuswrt-Merlin. Are you aware of any significant incompatibilities? I only checked the VPN entries, but it seemed to catch everything relevant.

    Thank you all for your support so far. Hopefully all this information is of use to someone else.
     
  18. RHF

    RHF Occasional Visitor

    Joined:
    Jan 9, 2019
    Messages:
    12
    /jffs/scripts/services-start
    Code:
        #!/bin/sh
        # Configure VLANs, Bridges and IPs
        ip link add name vlan10 link eth0 type vlan id 10
        ip link add name vlan20 link eth0 type vlan id 20
        ip link set dev vlan10 up
        ip link set dev vlan20 up
        brctl addbr br10
        brctl addbr br20
        ip link set dev br10 up
        ip link set dev br20 up
        ip addr add 192.168.88.1/24 brd 192.168.88.255 dev br10
        ip addr add 192.168.89.1/24 brd 192.168.89.255 dev br20
        brctl addif br10 vlan10
        brctl addif br20 vlan20
        # Switch ports: 0 (WAN) stays in vlan1 with the CPU port 5t, 1-2 -> vlan10, 3-4 -> vlan20
        robocfg vlan 1 ports "0 5t"
        robocfg vlan 10 ports "1 2 5t"
        robocfg vlan 20 ports "3 4 5t"

        # Enable FORWARDING
        echo 1 > /proc/sys/net/ipv4/ip_forward

        # Configure FIREWALL
        iptables -P INPUT ACCEPT
        iptables -A INPUT -i lo -j ACCEPT
        iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
        iptables -A INPUT -i br0 -m iprange --src-range 192.168.37.2-192.168.37.254 -j ACCEPT
        iptables -A INPUT -i br10 -j ACCEPT
        iptables -A INPUT -i br20 -j ACCEPT
        iptables -A INPUT -i br0 -p udp --destination-port 67 --source-port 68 -j ACCEPT
        iptables -A INPUT -m state --state INVALID -j DROP
        iptables -A INPUT -j LOG --log-prefix "INPUT: "
        #iptables -P INPUT DROP

        # FORWARD chain (the posted script repeated "-P INPUT ACCEPT" here by mistake)
        iptables -P FORWARD ACCEPT
        iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
        iptables -A FORWARD -i br10 -o br0 -s 192.168.88.0/24 -d 192.168.37.0/24 -j ACCEPT
        iptables -A FORWARD -i br20 -o br0 -s 192.168.89.0/24 -d 192.168.37.0/24 -j ACCEPT
        iptables -A FORWARD -i br0 -o br10 -s 192.168.37.0/24 -d 192.168.88.0/24 -j ACCEPT
        iptables -A FORWARD -i br0 -o br20 -s 192.168.37.0/24 -d 192.168.89.0/24 -j ACCEPT
        # Nothing is forwarded out of br0 (towards the cable router) unless it is for the local LAN,
        # so br10/br20 traffic cannot fall back to the ISP path while a tunnel is down
        iptables -I FORWARD 1 -o br0 ! -d 192.168.37.0/24 -j DROP
        #iptables -P FORWARD DROP

        iptables -t nat -A POSTROUTING -o br0 -s 192.168.88.0/24 -m iprange --dst-range 192.168.37.2-192.168.37.254 -j MASQUERADE
        iptables -t nat -A POSTROUTING -o br0 -s 192.168.89.0/24 -m iprange --dst-range 192.168.37.2-192.168.37.254 -j MASQUERADE

        # Configure POLICY-BASED-ROUTING
        # Give the OpenVPN clients (started with WAN) time to bring up tun11/tun12
        sleep 30
        ip rule add iif br10 table ovpnc1
        ip rule add iif br20 table ovpnc2
        ip route add 192.168.37.0/24 dev br0 table ovpnc1
        ip route add 192.168.37.0/24 dev br0 table ovpnc2
        ip route del default table ovpnc1
        ip route del default table ovpnc2
        ip route add default dev tun11 table ovpnc1
        ip route add default dev tun12 table ovpnc2
        iptables -t nat -A POSTROUTING -o tun11 -s 192.168.88.0/24 -j MASQUERADE
        iptables -t nat -A POSTROUTING -o tun12 -s 192.168.89.0/24 -j MASQUERADE
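As an added example for the wrong-tunnel problem RHF describes in the previous post (both ovpnc tables defaulting via tun11), and not code from RHF's script: a check that parses `ip route show table` output, flags a table whose default route is not on the expected tunnel, repairs it with FIX=1 using the same commands as above, and confirms the FORWARD DROP rule for br0 is still installed. It assumes the thread's names (ovpnc1/tun11, ovpnc2/tun12, br0 carrying 192.168.37.0/24) and that the router's iptables supports `-S`.

```shell
#!/bin/sh
# Added example, not RHF's services-start: verify that each VPN-routed LAN's
# policy table really defaults into the expected tunnel and that the DROP rule
# on br0 is still installed. Run with RUN_VPN_CHECK=1 on the router; add
# FIX=1 to repair a wrong default route.
# Assumed names (from the thread): tables ovpnc1/ovpnc2, tunnels tun11/tun12,
# WAN-side bridge br0 carrying 192.168.37.0/24.

# Print the device of the default route found in "ip route show" text ($1).
# Prints nothing when there is no default route at all.
default_dev() {
    printf '%s\n' "$1" | awk '
        $1 == "default" { for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Succeed only if the default route in the text ($1) uses device $2.
table_ok() {
    [ -n "$2" ] && [ "$(default_dev "$1")" = "$2" ]
}

# Check one live table ($1) against its expected tunnel ($2); repair if FIX=1.
check_table() {
    routes=$(ip route show table "$1" 2>/dev/null) || routes=""
    if table_ok "$routes" "$2"; then
        echo "OK      table $1 defaults to $2"
        return 0
    fi
    echo "WRONG   table $1 defaults to '$(default_dev "$routes")', expected $2"
    if [ "${FIX:-0}" = "1" ]; then
        # Same repair RHF applied by hand in the previous post.
        ip route del default table "$1" 2>/dev/null
        ip route add default dev "$2" table "$1"
    fi
    return 1
}

# The services-start rule that stops br10/br20 traffic from leaking out of br0
# when a tunnel is down: nothing forwarded out of br0 unless it is for the local
# LAN. Assumes this iptables build supports "-S" (rule listing in command form).
killswitch_ok() {
    iptables -S FORWARD 2>/dev/null | grep -- '-o br0 -j DROP' | grep -q -- '! -d 192.168.37.0/24'
}

main() {
    rc=0
    check_table ovpnc1 tun11 || rc=1
    check_table ovpnc2 tun12 || rc=1
    if killswitch_ok; then
        echo "OK      FORWARD drop rule for br0 present"
    else
        echo "MISSING FORWARD drop rule for br0"; rc=1
    fi
    return $rc
}

# Only touch the live system when asked, so the helpers can be reused elsewhere.
if [ "${RUN_VPN_CHECK:-0}" = "1" ]; then
    main
fi
```

Placed in a cron job or run after the 30-second sleep in services-start, a non-zero exit tells you a LAN would be routed out the wrong tunnel before any client notices.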
     
  19. RHF

    RHF Occasional Visitor

    Joined:
    Jan 9, 2019
    Messages:
    12
    Config.ovpn
    Code:
        # Automatically generated configuration
        daemon ovpn-client1
        client
        dev tun11
        txqueuelen 1000
        proto udp
        remote <SERVER IP> 1912
        connect-retry-max 15
        nobind
        persist-key
        persist-tun
        compress
        ncp-disable
        cipher AES-256-GCM
        auth SHA256
        route-noexec
        script-security 2
        route-delay 2
        route-up vpnrouting.sh
        route-pre-down vpnrouting.sh
        verb 3
        reneg-sec 0
        tls-auth static.key 1
        ca ca.crt
        auth-user-pass up
        up updown.sh
        down updown.sh
        status-version 2
        status status 5
    
        # Custom Configuration
        resolv-retry infinite
        tun-mtu 1500
        tun-mtu-extra 32
        mssfix 1450
        tls-client
        remote-cert-tls server
        keepalive 5 30
        fast-io
        sndbuf 393216
        rcvbuf 393216
     
  20. RHF

    RHF Occasional Visitor

    Joined:
    Jan 9, 2019
    Messages:
    12
    System state
    Code:
    admin@RT-AC68U:/tmp/home/root# brctl show
        bridge name     bridge id               STP enabled     interfaces
        br0             8000.4cedfba59478       no              vlan1
                                                                eth1
                                                                eth2
        br10            8000.4cedfba59478       no              vlan10
        br20            8000.4cedfba59478       no              vlan20
    admin@RT-AC68U:/tmp/home/root# robocfg show
        Switch: enabled
        Port 0: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 08:ed:b9:b2:37:79
        Port 1:   DOWN enabled stp: none vlan: 10 jumbo: off mac: 00:00:00:00:00:00
        Port 2:   DOWN enabled stp: none vlan: 10 jumbo: off mac: 00:00:00:00:00:00
        Port 3:   DOWN enabled stp: none vlan: 20 jumbo: off mac: 00:00:00:00:00:00
        Port 4:   DOWN enabled stp: none vlan: 20 jumbo: off mac: 00:00:00:00:00:00
        Port 5: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 4c:ed:fb:a5:94:78
        Port 7:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
        Port 8:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
        VLANs: BCM5301x enabled mac_check mac_hash
           1: vlan1: 0 5t
           2: vlan2: 5t
          10: vlan10: 1 2 5t
          20: vlan20: 3 4 5t
    admin@RT-AC68U:/tmp/home/root# cat /proc/sys/net/ipv4/ip_forward
        1
    admin@RT-AC68U:/tmp/home/root# ip ru ls
        0:      from all lookup local
        10099:  from all iif br20 lookup ovpnc2
        10100:  from all iif br10 lookup ovpnc1
        10101:  from 192.168.88.0/24 lookup ovpnc1
        10301:  from 192.168.89.0/24 lookup ovpnc2
        32766:  from all lookup main
        32767:  from all lookup default
    admin@RT-AC68U:/tmp/home/root# ip ro ls ta ovpnc1
        10.35.0.5 dev tun11  proto kernel  scope link  src 10.35.0.6
        192.168.37.0/24 dev br0  proto kernel  scope link  src 192.168.37.6
        default dev tun11  scope link
    admin@RT-AC68U:/tmp/home/root# ip ro ls ta ovpnc2
        10.35.0.5 dev tun12  proto kernel  scope link  src 10.35.0.6
        192.168.37.0/24 dev br0  proto kernel  scope link  src 192.168.37.6
        default dev tun12  scope link
    admin@RT-AC68U:/tmp/home/root# ip add ls
        1: lo: <LOOPBACK,MULTICAST,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
            link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
            inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
            inet 127.0.1.1/8 brd 127.255.255.255 scope host secondary lo:0
        2: ifb0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN qlen 32
            link/ether 9e:2d:0c:c4:e9:5a brd ff:ff:ff:ff:ff:ff
        3: ifb1: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN qlen 32
            link/ether aa:5e:cb:65:de:39 brd ff:ff:ff:ff:ff:ff
        4: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
            link/ether 4c:ed:fb:a5:94:78 brd ff:ff:ff:ff:ff:ff
        5: dpsta: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN
            link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
        6: eth1: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
            link/ether 4c:ed:fb:a5:94:78 brd ff:ff:ff:ff:ff:ff
        7: eth2: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
            link/ether 4c:ed:fb:a5:94:7c brd ff:ff:ff:ff:ff:ff
        8: vlan1@eth0: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
            link/ether 4c:ed:fb:a5:94:78 brd ff:ff:ff:ff:ff:ff
        9: vlan2@eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN
            link/ether 4c:ed:fb:a5:94:78 brd ff:ff:ff:ff:ff:ff
        10: br0: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
            link/ether 4c:ed:fb:a5:94:78 brd ff:ff:ff:ff:ff:ff
            inet 192.168.37.6/24 brd 192.168.37.255 scope global br0
        11: vlan10@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
            link/ether 4c:ed:fb:a5:94:78 brd ff:ff:ff:ff:ff:ff
        12: vlan20@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
            link/ether 4c:ed:fb:a5:94:78 brd ff:ff:ff:ff:ff:ff
        13: br10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
            link/ether 4c:ed:fb:a5:94:78 brd ff:ff:ff:ff:ff:ff
            inet 192.168.88.1/24 brd 192.168.88.255 scope global br10
        14: br20: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
            link/ether 4c:ed:fb:a5:94:78 brd ff:ff:ff:ff:ff:ff
            inet 192.168.89.1/24 brd 192.168.89.255 scope global br20
        15: tun11: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
            link/none
            inet 10.35.0.6 peer 10.35.0.5/32 scope global tun11
        16: tun12: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
            link/none
            inet 10.35.0.6 peer 10.35.0.5/32 scope global tun12
    admin@RT-AC68U:/tmp/home/root# iptables -t nat -L -n -v --line-numbers
        Chain PREROUTING (policy ACCEPT 19393 packets, 4038K bytes)
        num   pkts bytes target     prot opt in     out     source               destination
    
        Chain INPUT (policy ACCEPT 11568 packets, 933K bytes)
        num   pkts bytes target     prot opt in     out     source               destination
    
        Chain OUTPUT (policy ACCEPT 3222 packets, 501K bytes)
        num   pkts bytes target     prot opt in     out     source               destination
    
        Chain POSTROUTING (policy ACCEPT 3222 packets, 501K bytes)
        num   pkts bytes target     prot opt in     out     source               destination
        1        0     0 MASQUERADE  all  --  *      tun12   192.168.37.0/24      0.0.0.0/0
        2        0     0 MASQUERADE  all  --  *      tun11   192.168.37.0/24      0.0.0.0/0
        4        0     0 MASQUERADE  all  --  *      br0     192.168.88.0/24      0.0.0.0/0            destination IP range 192.168.37.2-192.168.37.254
        5        0     0 MASQUERADE  all  --  *      br0     192.168.89.0/24      0.0.0.0/0            destination IP range 192.168.37.2-192.168.37.254
        6        0     0 MASQUERADE  all  --  *      tun11   192.168.88.0/24      0.0.0.0/0
        7        0     0 MASQUERADE  all  --  *      tun12   192.168.89.0/24      0.0.0.0/0
    
        Chain DNSVPN1 (0 references)
        num   pkts bytes target     prot opt in     out     source               destination
    
        Chain DNSVPN2 (0 references)
        num   pkts bytes target     prot opt in     out     source               destination