J'ai du mal à configurer correctement iptables et le routage.
L'objectif est :
- le trafic des clients connectés au wifi-KK ne doit pas utiliser le tunnel mais sortir via eth0 vers le routeur ;
- le trafic des clients connectés au wifi-KK-VPN doit passer par le tunnel.
Je pense que cela nécessite une modification d'iptables et probablement des routes différentes, ainsi que le remplacement de celles poussées par OpenVPN.
Toute aide serait grandement appréciée
J'ai une configuration réseau comme suit:
Routeur: 192.168.0.1 (Virgin default) avec wifi ssid VMxxx
Serveur : eth0 : 192.168.0.254 (sur le même réseau que le routeur) ; wlan0 : 192.168.101.1 (réseau wi-fi pour les clients utilisant une connexion sécurisée par VPN) ; wlan0_0 : 192.168.102.1 (réseau wi-fi pour une connexion standard) ; tun0 : tunnel OpenVPN
(sortie ifconfig ci-dessous)
Les deux réseaux wifi utilisent des serveurs DHCP comme suit:
# Leases for wifi-KK-VPN clients (wlan0, gateway 192.168.101.1). The lease only
# tells the client where its gateway is; whether that traffic then leaves via
# tun0 or eth0 is decided on the server by its routing table and FORWARD rules.
subnet 192.168.101.0 netmask 255.255.255.0 {
range 192.168.101.10 192.168.101.50;
option broadcast-address 192.168.101.255;
option routers 192.168.101.1;
default-lease-time 600;
max-lease-time 7200;
# NOTE(review): "local" is the mDNS domain (RFC 6762); a different name avoids
# resolver conflicts on clients that run mDNS.
option domain-name "local";
# Public resolvers handed to the VPN clients. DNS from this subnet follows the
# same path as the rest of its traffic, so it is only as private as that path.
option domain-name-servers 8.8.8.8, 8.8.4.4;
}
# Leases for wifi-KK clients (wlan0_0, gateway 192.168.102.1), the SSID that is
# meant to bypass the tunnel. Same caveat as above: the path is chosen by the
# server's routing, not by this lease.
subnet 192.168.102.0 netmask 255.255.255.0 {
range 192.168.102.10 192.168.102.50;
option broadcast-address 192.168.102.255;
option routers 192.168.102.1;
default-lease-time 600;
max-lease-time 7200;
# NOTE(review): "local2" avoids the mDNS ".local" clash the other subnet has,
# but the two SSIDs then advertise different search domains — intentional?
option domain-name "local2";
option domain-name-servers 8.8.8.8, 8.8.4.4;
}
Hostapd exécute deux SSID sur une seule carte réseau (sortie ci-dessous)
iptables et routes :
root@odroidc1-001e06101641:~# cat /etc/iptables.ipv4.nat
#Generated by iptables-save v1.4.21 on Wed May 27 11:41:17 2015
# Filter table. FORWARD defaults to ACCEPT, so everything not explicitly
# rejected below is forwarded: wlan0_0 (192.168.102.0/24) traffic is not
# constrained at all here and simply follows the main routing table, and
# forwarding between the two wireless networks is allowed as well.
*filter
:INPUT ACCEPT [9:496]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [13:1488]
# VPN clients may not open new connections towards eth0 (no leak around the
# tunnel). Only the 192.168.101.0/24 source is matched; to cover everything
# that arrives on wlan0 regardless of source address, drop the -s match.
-A FORWARD -s 192.168.101.0/24 -i wlan0 -o eth0 -m conntrack --ctstate NEW -m comment --comment "Block traffic from clients to eth0" -j REJECT --reject-with icmp-port-unreachable
# This ACCEPT is a no-op while the FORWARD policy is ACCEPT. It only matters if
# the policy is switched to DROP, in which case an ESTABLISHED,RELATED accept
# is also needed for return traffic.
-A FORWARD -s 192.168.101.0/24 -i wlan0 -o tun0 -m conntrack --ctstate NEW -m comment --comment "Allow only traffic from clients to tun0" -j ACCEPT
COMMIT
# Completed on Wed May 27 11:41:17 2015
# Generated by iptables-save v1.4.21 on Wed May 27 11:41:17 2015
# NAT table. Which of the two POSTROUTING rules fires is decided by the routing
# lookup that happens before POSTROUTING; NAT cannot pick the egress interface.
# With the 0.0.0.0/1 and 128.0.0.0/1 routes via tun0 shown below, both
# wireless subnets currently exit through tun0; steering 192.168.102.0/24 to
# eth0 needs a source-based routing rule/table, not a NAT rule.
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# The rule comment is misleading: MASQUERADE on eth0 rewrites the source to
# eth0's own address (192.168.0.254), not to the VPN address.
-A POSTROUTING -o eth0 -m comment --comment "Use VPN IP for eth0" -j MASQUERADE
# Traffic leaving through the tunnel is NATed to tun0's address (10.10.100.10).
-A POSTROUTING -o tun0 -m comment --comment "Use VPN IP for tun0" -j MASQUERADE
COMMIT
# Completed on Wed May 27 11:41:17 2015
root@odroidc1-001e06101641:~# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 10.10.100.9 128.0.0.0 UG 0 0 0 tun0
default 192.168.0.1 0.0.0.0 UG 0 0 0 eth0
10.10.100.1 10.10.100.9 255.255.255.255 UGH 0 0 0 tun0
10.10.100.9 * 255.255.255.255 UH 0 0 0 tun0
91.109.241.36.s 192.168.0.1 255.255.255.255 UGH 0 0 0 eth0
128.0.0.0 10.10.100.9 128.0.0.0 UG 0 0 0 tun0
192.168.0.0 * 255.255.255.0 U 0 0 0 eth0
192.168.101.0 * 255.255.255.0 U 0 0 0 wlan0
192.168.102.0 * 255.255.255.0 U 0 0 0 wlan0_0
ifconfig:
eth0 Link encap:Ethernet HWaddr 00:1e:06:10:16:41
inet addr:192.168.0.254 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::21e:6ff:fe10:1641/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:9584376 errors:0 dropped:0 overruns:0 frame:0
TX packets:6015092 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:4173640561 (3.8 GiB) TX bytes:2116013071 (1.9 GiB)
Interrupt:40
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:163 errors:0 dropped:0 overruns:0 frame:0
TX packets:163 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:31514 (30.7 KiB) TX bytes:31514 (30.7 KiB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.10.100.10 P-t-P:10.10.100.9 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:5141382 errors:0 dropped:0 overruns:0 frame:0
TX packets:4101062 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:205969325 (196.4 MiB) TX bytes:1000934406 (954.5 MiB)
wlan0 Link encap:Ethernet HWaddr 02:3a:35:d0:36:90
inet addr:192.168.101.1 Bcast:192.168.101.255 Mask:255.255.255.0
inet6 addr: fe80::3a:35ff:fed0:3690/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:5947384 errors:0 dropped:0 overruns:0 frame:0
TX packets:7650191 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1402507838 (1.3 GiB) TX bytes:3212528188 (2.9 GiB)
wlan0_0 Link encap:Ethernet HWaddr 02:3a:35:d0:36:91
inet addr:192.168.102.1 Bcast:192.168.102.255 Mask:255.255.255.0
inet6 addr: fe80::3a:35ff:fed0:3691/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:588 errors:0 dropped:0 overruns:0 frame:0
TX packets:703 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:71131 (69.4 KiB) TX bytes:214448 (209.4 KiB)
hostapd:
root@odroidc1-001e06101641:~# cat /etc/hostapd/hostapd.conf
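# hostapd.conf: one radio (wlan0) hosting two BSSes.
#   wlan0   -> ssid wifi-KK-VPN (clients meant to exit via tun0)
#   wlan0_0 -> ssid wifi-KK     (clients meant to exit via eth0)
# Radio-level settings (driver, hw_mode, channel, beacon_int, ...) are given
# once for wlan0; the security settings are given per BSS.
#
# Changes against the previous revision of this file:
#   - wpa=3 + wpa_pairwise=TKIP (WPA1/TKIP offered alongside WPA2) -> wpa=2,
#     CCMP only; TKIP is deprecated and weakens the AP for every client.
#   - auth_algs=3 -> auth_algs=1; shared-key authentication only exists for WEP
#     and is meaningless with WPA-PSK.
#   - "macaddr_acl=0" was fused onto a comment line and never applied; it is
#     now a real directive (0 = accept unless denied, which is also the
#     default, so behaviour is unchanged).
#   - duplicate beacon_int lines removed (same value, radio-level parameter).

# interface
interface=wlan0
# new mac
bssid=02:3a:35:d0:36:90
# driver
driver=nl80211
# CTRL-Interface
ctrl_interface=/var/run/hostapd
ctrl_interface_group=0
# SSID
ssid=wifi-KK-VPN
# WLAN
# NOTE(review): country_code must match the regulatory domain the AP actually
# operates in (it sets the allowed channels/power) — confirm KR is intended.
country_code=KR
hw_mode=g
channel=1
beacon_int=100
dtim_period=2
max_num_sta=255
rts_threshold=2347
fragm_threshold=2346
preamble=1
# Logging
logger_syslog=-1
logger_syslog_level=3
logger_stdout=-1
logger_stdout_level=2
# passphrase (redacted on the page; hostapd requires 8-63 characters here)
wpa_passphrase=
# WPA2 only: wpa bit0 = WPA, bit1 = WPA2/RSN; 2 disables the WPA1/TKIP side.
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
# auth_algs bit0 = open system, bit1 = shared key (WEP only); 1 = open only.
auth_algs=1
# MAC ACL mode: 0 = accept unless listed in a deny file.
macaddr_acl=0
wmm_enabled=1
# Only relevant for EAP/802.1X; harmless with WPA-PSK.
eap_reauth_period=360000000
#rsn_preauth=1
#rsn_preauth_interfaces=wlan0
wpa_group_rekey=600
wpa_ptk_rekey=600
wpa_gmk_rekey=86400
##### new wifi
bss=wlan0_0
ssid=wifi-KK
# WLAN
##country_code=KR
##hw_mode=g
##channel=1
##beacon_int=100
##dtim_period=2
##max_num_sta=255
##rts_threshold=2347
##fragm_threshold=2346
##preamble=1
# Logging
logger_syslog=-1
logger_syslog_level=3
logger_stdout=-1
logger_stdout_level=2
# passphrase (redacted on the page; hostapd requires 8-63 characters here)
wpa_passphrase=
# WPA2 only, same reasoning as for the first BSS.
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
# open-system authentication only
auth_algs=1
macaddr_acl=0
##wmm_enabled=1
##eap_reauth_period=360000000
#rsn_preauth=1
#rsn_preauth_interfaces=wlan0
##wpa_group_rekey=600
##wpa_ptk_rekey=600
##wpa_gmk_rekey=86400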