Need Help . . . Two routers, one with VPN

Ajay1685

Occasional Visitor
First of all, thank you Merlin for this awesome firmware (the only reason to buy an ASUS router) and the forum members here for a lot of good information.

Here is my 2-router setup (of course both running Merlin [378.51]):

Main Router AC66U, IP range 192.168.1.1-255, Mask 255.255.255.0

Second Router AC68U, WAN connected to LAN on the main router.
IP range 192.168.2.1-255, Mask 255.255.255.0
WAN IP 192.168.1.2 (static)
LAN IP 192.168.2.1
OpenVPN client configured (settings attached as screenshot).

I have a dedicated headless Windows Server 2012 R2 machine running behind the second (VPN) router.
This machine has a Plex server, torrent client and network share (static IP 192.168.2.111).

What I intend to do:
1. Be able to access Plex from all my devices connected to the primary router (Plex port 32400).
2. Access network shares on the server from all my devices connected to the primary router.
3. I have a list of IP addresses for Plex that I would like to bypass the VPN.

I am not an expert when it comes to creating static routes and messing around with iptables, so it would be great if someone could provide help with a little more detail.
 

--------------------------------------------------------------------

As I see it your Internal Router (Second Router) will need a port forwarding rule added, since your media server already has a static NAT IP address from your INT Router. When you create the rule in the INT Router, provide the Port/Port Range you want the other devices on the External Router (Main/Primary Router) to use (i.e. "http://192.168.1.2:32400" for Plex in your example). Here I am using the IP address of the INT Router because the media server is on that device's network. I used the "32400" port to be consistent. Then provide the local port that the application uses on the media server (i.e. "http://192.168.2.111:32400" for Plex in your example). Here I am using the IP address of the media server because that is where the Plex application is listening on port "32400".


ISP - IP Address
||
------------------------------
External Router
------------------------------
WAN IP: ISP IP Address
LAN: 192.168.1.1
DHCP: 192.168.1.2-254
------------------------------
||
------------------------------
Internal Router
------------------------------
WAN IP: 192.168.1.2
LAN: 192.168.2.1
DHCP: 192.168.2.2-254
Port Forwarding:
-IP Address: 192.168.2.111
-Port Range: 32400
-Local Port: 32400
------------------------------
||
------------------------------
Media Server
------------------------------
IP Address: 192.168.2.111
Plex address: 192.168.2.111:32400
 
Hey Derek,

Thank you for taking the time to reply. I am familiar with port forwarding; I have already configured port 32400 in both routers. My real issue is the VPN and devices on two different subnets being able to see each other. I think you missed the part where my internal router is configured for VPN.

I have been reading on the forum for a couple of days now, and managed to edit a script I found so I could bypass the Plex traffic away from the VPN.
I will post my openvpn-event script once I get to my PC; it would be great if you could verify whether my script will compromise the VPN.

And if you could suggest a way so all my devices in two different subnets could see each other.

I believe it has to do with creating a static route between my two subnets. I just don't know where and how I can add those static routes.

Sent from my SM-G920T using Tapatalk

The script I am using as openvpn-event
Code:
#!/bin/sh

# Script to route traffic from home network through VPN selectively.
# Based off the discussion at http://www.smallnetbuilder.com/forums/showthread.php?t=9311
#

logger -t "($(basename $0))" $$ "Ajay VPN Customization Starting... $0${*:+ $*}."

# Plex Server Behind the VPN Router
Server="192.168.2.111"
# LAN of the primary router: reached directly over this router's WAN port, never via the tunnel
Upstream_LAN="192.168.1.0/24"
# Plex address ranges that bypass the VPN (hard-coded)
Plex_Nets="184.72.0.0/16 50.18.0.0/16 184.169.0.0/16 54.241.0.0/16 54.176.0.0/16"

#
# Disable Reverse Path Filtering on all current and future network interfaces:
#
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
    echo 0 > $i
done

#
# Delete table 100 and flush any existing rules if they exist.
# (errors are silenced because on the first run there is nothing to delete)
#
ip route flush table 100
ip route del default table 100 2>/dev/null
ip rule del fwmark 1 table 100 2>/dev/null
ip route flush cache
iptables -t mangle -F PREROUTING

#
# Copy all non-default and non-VPN related routes from the main table into table 100.
# Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1"
#
tun_if="tun11"

ip route show table main | grep -Ev ^default | grep -Ev $tun_if \
| while read ROUTE ; do
    ip route add table 100 $ROUTE
    logger -t "($(basename $0))" $$ Ajay VPN Table 100 added entry: $ROUTE
done

ip route add default table 100 via $(nvram get wan0_gateway)
ip rule add fwmark 1 table 100
ip route flush cache

# MARK does not stop the chain, so the LAST matching rule below decides the mark.
# By default all traffic bypasses the VPN
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1

logger -t "($(basename $0))" $$ Ajay Selective customisation for: Server=$Server
# By default Server uses the VPN (mark 0 = main table, whose default route is the tunnel)
iptables -t mangle -A PREROUTING -i br0 -s $Server -j MARK --set-mark 0

# Bypass VPN for Plex associated domains (after the Server rule, so it applies to the Server too)
for net in $Plex_Nets ; do
    iptables -t mangle -A PREROUTING -i br0 -d $net -j MARK --set-mark 1
done

# Ports 22 (SSH), and 32400 (Plex) will bypass the VPN
iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --port 32400,22 -j MARK --set-mark 1

# Kill switch: FORCE the Server through the tunnel by dropping anything it sends out the WAN
# interface, then insert the exceptions ABOVE the DROP (-I puts each new rule at the top).
iptables -I FORWARD -i br0 -s $Server -o eth0 -j DROP
iptables -I FORWARD -i br0 -s $Server -o eth0 -p tcp -m multiport --port 32400 -j ACCEPT
iptables -I FORWARD -i br0 -s $Server -o eth0 -p udp -m multiport --port 32400 -j ACCEPT
# Replies to the primary router's LAN (Plex, network share) also leave via eth0
iptables -I FORWARD -i br0 -s $Server -o eth0 -d $Upstream_LAN -j ACCEPT
for net in $Plex_Nets ; do
    iptables -I FORWARD -i br0 -s $Server -o eth0 -d $net -j ACCEPT
done


logger -t "($(basename $0))" $$ Ajay VPN Selective Customization completed.
exit
 
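To check what the openvpn-event script above actually decides for a given flow, here is an added model (example code, not from the thread or the firmware) of its two chains: the mangle PREROUTING marks, where MARK does not stop the chain so the last match wins, and the FORWARD kill switch, where the first match wins. It assumes the script's own values (server 192.168.2.111, the five Plex ranges, ports 32400 and 22, tun11/eth0) plus the assumption that the kill switch lets the server's replies to the primary router's LAN 192.168.1.0/24 and its traffic to the Plex ranges leave via eth0; the sample flows are constructed.

```python
from ipaddress import ip_address, ip_network

SERVER = ip_address("192.168.2.111")          # Plex/share host behind the VPN router
UPSTREAM_LAN = ip_network("192.168.1.0/24")   # primary router's LAN (assumed exempt)
PLEX_NETS = [ip_network(n) for n in ("184.72.0.0/16", "50.18.0.0/16",
             "184.169.0.0/16", "54.241.0.0/16", "54.176.0.0/16")]
MARK_BYPASS_PORTS = {32400, 22}   # mangle rule: marked 1 (WAN) for every LAN host
KILL_SWITCH_PORTS = {32400}       # FORWARD rule: the only ports the server may use on eth0

def in_plex(dst):
    return any(dst in n for n in PLEX_NETS)

def mark(src, dst, sport, dport):
    """mangle PREROUTING (-i br0): MARK does not stop the chain, so the last match wins."""
    src, dst = ip_address(src), ip_address(dst)
    m = 1                                   # default: all LAN traffic bypasses the VPN
    if src == SERVER:
        m = 0                               # the server is forced into the tunnel ...
    if in_plex(dst):
        m = 1                               # ... except towards the Plex ranges
    if sport in MARK_BYPASS_PORTS or dport in MARK_BYPASS_PORTS:
        m = 1                               # ... and for SSH / Plex port traffic
    return m

def egress(src, dst, sport, dport, vpn_up=True):
    """Return the outgoing interface ('tun11' or 'eth0') or 'drop' for a flow from br0."""
    m = mark(src, dst, sport, dport)
    src, dst = ip_address(src), ip_address(dst)
    if dst in UPSTREAM_LAN:
        dev = "eth0"                        # connected route: never enters the tunnel
    elif m == 0 and vpn_up:
        dev = "tun11"                       # mark 0: main table, default route via the tunnel
    else:
        dev = "eth0"                        # mark 1 (table 100) or tunnel down: WAN gateway
    if dev == "eth0" and src == SERVER:
        # FORWARD kill switch: the ACCEPT exceptions sit above the DROP, first match wins
        allowed = (sport in KILL_SWITCH_PORTS or dport in KILL_SWITCH_PORTS
                   or dst in UPSTREAM_LAN or in_plex(dst))
        if not allowed:
            return "drop"                   # e.g. torrent traffic while the VPN is down
    return dev

if __name__ == "__main__":
    flows = [  # constructed sample flows: (src, dst, sport, dport, vpn_up)
        ("192.168.2.111", "203.0.113.10", 51000, 6881, True),   # torrent -> tun11
        ("192.168.2.111", "203.0.113.10", 51000, 6881, False),  # VPN down -> drop
        ("192.168.2.111", "203.0.113.10", 22, 51000, True),     # SSH -> drop (marked 1, not allowed)
    ]
    for f in flows:
        print(*f, "->", egress(*f))
```

Note that the SSH case shows a gap in the script as written: port 22 is marked to bypass the tunnel but the kill switch only admits port 32400, so the server's SSH traffic to the internet is dropped.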
Hello,

I have quite the same setup as you. I don't have any problems connecting to the PCs/server within the two different subnets. My main router, an RT-AC68P (with the latest john's fork), is connected to the internet (IP 192.168.1.1) and the second router (RT-N66U, also with the latest john's fork) is running the VPN and has the IP 192.168.2.1. The second one is connected via WAN to a LAN port of the AC68P and has the fixed IP address 192.168.1.5 (within the IP range of the first router).
What I did was to disable the firewall of the second router, because why do you need it if you have one on the first router.
And on the first router (AC68P) I entered in the LAN option => Route => LAN Route => static Route enabled => and under the list I entered the following options:

Network/host IP: 192.168.2.0 (this is the one of the second router)
Netmask: 255.255.255.0
Gateway: 192.168.1.5 (this is the IP address of the 2nd router within the IP range of the first router)
Interface type: LAN

Save it and reboot.
Here is a screenshot of how mine looks (it's in German, but you should see what I mean).
 


That is the answer I was looking for, thank you. I had already disabled the firewall.
I have created the static route on my primary router as per your suggestion; I will post here if all is working well after a little more testing.
 
Yes, do it. Hopefully everything works as you expect. I forgot to check whether I set up any routes within the second router, but I don't think I did.
 
Looks like it is working: I can see my network share on the 192.168.2.0 subnet from all my devices on subnet 192.168.1.0.

Did you look at the script I posted a few posts above? I am still learning to run custom scripts on the router. There is one problem in the script: I had to hardwire the Plex-related domain IP values. Is there a more elegant way to get those IP address ranges, in case Plex changes to a new domain?



Sent from my SM-G920T using Tapatalk
 
Good to hear that it is working, but for scripting I'm a real noob. I can only copy and paste with trial and error, nothing more. Sorry.
 
Well, thanks for the help with the static route. I am also a script noob. Hope someone can chime in here and point me in the right direction.


Sent from my SM-G920T using Tapatalk
 
Unlike yours, my setup has the 68P router as main (it has the faster processor) and it is running the VPN client connection, with a 56U router as the secondary. Traffic coming from the 56U (and all its clients), and from some of the clients connected to the 68P, is routed through the VPN by using a combination of routing rules and DNS filtering.
Can you share your reasoning for having the VPN running on the (less powerful processor) secondary router?
Cheers!
 

I am using 68u for VPN


Sent from my iPad using Tapatalk
 
