ASUS RT-AC68U/Merlin Split Tunnel


jim99

Occasional Visitor
I have a home network that supports several laptops over wireless and two servers (NethServer and a HikVision NVR) on copper. I have an FTTP connection to the Internet, and a single public IP address. The NethServer supports an email server and three small websites; the HikVision NVR is accessible externally by the use of non-standard port numbers, so it doesn't clash with the NethServer (because of the single IP address).

It all works fine, has done for years, but now I want to protect my outgoing browsing with a VPN. I am running with SurfShark loaded on my clients, but I want to move the VPN to the router. This is where it gets a bit complex. I want to route all client traffic down the VPN, but have all incoming port 80/443 browsing traffic and mail traffic go directly to the servers, so a kind of split tunnel.

Is this going to need Merlin (or similar) to work on an Asus RT-AC86U, or can I do it with the stock F/W?

If I need Merlin, where is the best source of documentation?

Thanks
Jim
 

eibgrad

Very Senior Member
If your intent is to route all *outgoing* traffic over the VPN, while remotely accessing your servers over the WAN, then it will only work if you do NOT have those servers being routed down the VPN.

IOW, you can't have any given local device bound to both the WAN and VPN at the same time. It's one or the other.

With that said, if your VPN provider supports port forwarding over the tunnel, then you should be able to keep all your local devices bound to, and remotely accessible from, the VPN.

Does it require Merlin? If you decide to split tunneling as described above (some devices bound to the WAN, others to the VPN), or decide to keep *all* local devices bound to the VPN and use port forwarding over the VPN for remote access purposes, it will require Merlin, since I don't believe the OEM firmware is capable of either.
 

jim99

Occasional Visitor
If your intent is to route all *outgoing* traffic over the VPN, while remotely accessing your servers over the WAN, then it will only work if you do NOT have those servers being routed down the VPN.

IOW, you can't have any given local device bound to both the WAN and VPN at the same time. It's one or the other.

With that said, if your VPN provider supports port forwarding over the tunnel, then you should be able to keep all your local devices bound to, and remotely accessible from, the VPN.

Does it require Merlin? If you decide to split tunneling as described above (some devices bound to the WAN, others to the VPN), or decide to keep *all* local devices bound to the VPN and use port forwarding over the VPN for remote access purposes, it will require Merlin, since I don't believe the OEM firmware is capable of either.
Hi eibgrad,
Thanks for your response, you have confirmed what I thought was the case. As you rightly say, I want all locally-originated sessions (like outbound PC traffic to web servers in the Internet) to go through the VPN tunnel, but I want all Internet-originated sessions (either browsing the 3 web servers on NethServer, or communicating with the mail server) to go through the native WAN connection, so it looks like I need to teach myself how to work Merlin... I feel a vertical learning curve facing me :)

Thanks

Jim
 

eibgrad

Very Senior Member
I should add one other option, esp. since it would work w/ Merlin or OEM firmware.

If you know the public IP(s) of the device(s) that will be remotely accessing over the WAN (e.g., workplace, home of friend/relative, favorite wifi cafe, etc.), then you can add static routes that bind those public IPs to the WAN (at least if they are static). In that case, it *is* possible to have those servers bound to both the WAN and VPN at the same time. The problem is (obviously), most ppl do NOT know the public IPs from which they will be remotely accessing their home network, because they are truly roaming. But for those who do know, that would work.
 
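An added example of the static-route option described above, written as an Asus-Merlin user script; it is not code from the thread or from the Merlin project. It assumes JFFS user scripts are enabled, a hypothetical placement in /jffs/scripts/wan-event, that main-table host routes are honoured for VPN-bound clients (as the post implies; verify on your firmware version), and the remote IPs are constructed sample values.

```shell
#!/bin/sh
# Pin a short list of known remote public IPs to the WAN so that the servers'
# replies to those clients never enter the VPN tunnel (eibgrad's static-route
# option). Hypothetical placement: /jffs/scripts/wan-event on Asus-Merlin.
# The addresses below are constructed sample values from documentation ranges.
REMOTE_IPS="203.0.113.10 198.51.100.25"

# Accept only a plain dotted-quad IPv4 address with every octet in 0..255,
# so a typo in the list cannot turn into a bogus route.
valid_ipv4() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Build the exact command that will be run, so it can be reviewed or logged.
route_cmd() {
    printf 'ip route replace %s/32 via %s dev %s' "$1" "$2" "$3"
}

# Install one host route per remote IP via the WAN gateway; 'replace' keeps
# the script idempotent when the hook fires again after a WAN reconnect.
apply_routes() {
    gw=$(nvram get wan0_gateway)
    ifc=$(nvram get wan0_ifname)
    for ip in $REMOTE_IPS; do
        if ! valid_ipv4 "$ip"; then
            logger -t split-tunnel "skipping invalid address: $ip"
            continue
        fi
        cmd=$(route_cmd "$ip" "$gw" "$ifc")
        logger -t split-tunnel "$cmd"
        $cmd
    done
}

# Only touch the routing table when running on the router itself.
if command -v nvram >/dev/null 2>&1; then
    apply_routes
fi
```

Check the result with `ip route show` on the router; each listed IP should appear as a /32 via the WAN gateway, and VPN-bound clients will still use the tunnel for everything else.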

jim99

Occasional Visitor
Once again, thanks eibgrad. I got Merlin flashed with no dramas, and two hours of playing later, I have the browser traffic going down the VPN, the servers going out to the Internet over the local WAN, a shared disk hung off the USB port, and I can get access to my camera server from both inside and outside the network. Surprisingly easy; it's never going to compete with Cisco for configurability but it's pretty damn good!
 
