2 Router Setup - 1 is VPN. How to allow devices under 2nd router to be visible across network?

  • ATTENTION! As of November 1, 2020, you are not able to reply to threads 6 months after the thread is opened if there are more than 500 posts in the thread.
    Threads will not be locked, so posts may still be edited by their authors.
    Just start a new thread on the topic to post if you get an error message when trying to reply to a thread.


New Around Here

I have a home setup with 2 routers, looks roughly like the below. Primary router is a NightHawk X4S, VPN router is an ASUS RT-AC86U(Asuswrt-Merlin). The VPN is PIA.

ISP→→→PR→→→VPNR→→→→Comp2, Roku's, etc.
Comp1, most other devices.​

This is a new setup, so it worked for what I needed it for (Roku's) when I set it up (this week). However today I am trying to use the 2nd pc as well and ran into my first issue.

Is it possible to somehow make Computer 1 (and vice versa) and Computer 2 see each other on the network, preferably without compromising the VPN setup itself? Would the negatives outweigh the positives? Should I just move Comp2 to the PR and use the PIA client on it? I want to learn a bit more about how this works and what I should be doing.

Appreciate any input or if anyone can please just point me in the right direction. Thank you so much


Very Senior Member
Let's but aside the issue of the OpenVPN client for the moment, because having the ability to access the local networks on each side of the second router is NOT affected by the VPN.

Whenever you daisy-chain routers WAN to LAN, the downstream router (furthest from ISP) *always* has access to the upstream router's network, if only because it has to pass through that network to reach the primary router, and then internet. The trouble comes when you want the upstream network to be able to access the downstream network, because those clients have no idea where the secondary router's network is located. You have to add a static route to the primary router (or to the specific client) that points to the WAN ip of the second router as the gateway to the network behind it. And depending on the firmware used on the primary router, that may or may NOT be possible. You also have to configure the firewall on the second router to allow connections to be initiated into its WAN and forwarded to the network behind it.

Again, all of this has NOTHING to do w/ the VPN.

Also, what do you mean by "see"? For some ppl, this means they want network discovery to work between the networks (which will NOT work by default). For other ppl, they just want to be able to communicate between the two networks (even if network discovery itself is not available). In the former case, you would need to use Avahi and configure a reflector on the second router. In the latter case, what I described above will do the trick.

Finally, whether it makes more sense to establish the OpenVPN client on the primary router and only use the second router as a WAP (thus all your clients remain on the same network), or perhaps use the PC to host the VPN, etc., is totally your decision. A case can be made for every configuration.


New Around Here
Hi, thank you for that response.

In my case I am trying to get network discovery to work between the two computers.

Is there a good guide to setting using Avahi and configuring a reflector on the second router? Learning more about how this works in general?



Very Senior Member
I use tomato and dd-wrt a lot more than Merlin. I was hoping Merlin made this a little easier, esp. since he already has the Avahi daemon (service) installed in the firmware for the purposes of Bonjour/Zeroconf proxy configuration. But after a brief look, I don't see any specific section of the GUI where you can configure the Avahi daemon w/ a the reflector. Unless you just get lucky and Merlin *happens* to automatically configure the reflector (I suspect NOT), you'd probably have to use a postconf script to reconfigure the Avahi config file.


I recently posted a tutorial on the tomato forums about how to configure an Avahi reflector. In that case, the tomato firmware does NOT even include the Avahi daemon (had to be added as Entware), so it's even harder. But the principles are the same.

Remember, you *still* have to make those changes to the routing and firewall to make it possible to initiate connections from the primary router's network to the secondary router's network. Network discovery only tells you what's available. It doesn't solve the routing/firewall problems.

All of this will prove challenging if you're not familiar w/ reconfiguring the firewall, routing, postconf scripts, Avahi, etc.


New Around Here
Hi. Thank you for that information. My time is not my own during the week, so I was only able to try and make sense of everything today.

I was able to create the static route on the primary router (Netgear) for the 2nd router. I believe (hope) I did this correctly based on the instructions here (https://www.snbforums.com/threads/solved-setup-dual-routers-with-one-dedicated-for-vpn.56940/), just done on the Netgear client instead of Asus.

I am not sure about the second part
You also have to configure the firewall on the second router to allow connections to be initiated into its WAN and forwarded to the network behind it.

Would this be done in the Port Forwarding section for WAN?


Very Senior Member
You don't use port forwarding. Instead, you enable JFFS custom scripts on the Administration->System page of the ASUS/Merlin router, then paste the following script into an ssh window. It will automatically create the necessary firewall script.

mkdir -p /jffs/scripts

cat << "EOF" > /jffs/scripts/firewall-start

WAN_IF=$(nvram get wan0_ifname)
WAN_NET=$(nvram get wan0_ipaddr)/$(nvram get wan0_netmask)

iptables -D INPUT   -i $WAN_IF -s $WAN_NET -j ACCEPT 2> /dev/null
iptables -I INPUT   -i $WAN_IF -s $WAN_NET -j ACCEPT

iptables -D FORWARD -i $WAN_IF -s $WAN_NET -j ACCEPT 2> /dev/null
iptables -I FORWARD -i $WAN_IF -s $WAN_NET -j ACCEPT

chmod +x /jffs/scripts/firewall-start

In plain English, we're telling the ASUS/Merlin router to allow *all* traffic from the Netgear's network over the WAN, whether destined for the ASUS/Merlin router itself (INPUT chain) or devices behind it on its network (FORWARD chain).

The router will automatically call the /jffs/scripts/firewall-start script when the firewall needs to be configured.

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online