How to let the AP be controlled by the router without using AP mode?

pureexe

New Around Here
Let me explain my setup first.

I live in a university dorm and they block the internet to prevent students from accessing entertainment websites/services.

One simple solution is just using a VPN to bypass it.

Until recently, I used an L2TP VPN on the Asus RT-AX3000, which can run fast on a Gigabit connection.

But the VPN provider just decided to ditch L2TP support and asked me to move to OpenVPN instead.

With OpenVPN, the Asus RT-AX3000 can only do about 30-40 Mbps (even though the internet connection is 1 Gbps).

So I ended up purchasing a firewall that is capable of 1 Gbps OpenVPN throughput.

This firewall has four 2.5G RJ45 ports, so I upgraded the NAS, computer, and RT-AX3000 to 2.5G.

The RT-AX3000 doesn't have a 2.5G WAN port. However, I used a Realtek RTL8156 USB adapter and it works.


1669876010517.png



Now, my current network map is shown below

1669875097989.png



I set firewall rules in OPNsense to send traffic over the VPN or over the university WAN.
And here is the problem when I try to set up the RT-AX3000:

Router mode:
When the RT-AX3000 is set to router mode, it shows up in OPNsense as a single device. I cannot select which device goes over the VPN or the university WAN.

AP mode:
In AP mode, OPNsense can see all of the devices if I connect to the RT-AX3000's WAN port, but the Realtek RTL8156 adapter does not work as the WAN.

LAN Bridge: (see this topic)
I must plug the cable from the firewall into a LAN port of the RT-AX3000. Sadly, the Realtek RTL8156 adapter works only as WAN, not as LAN.


How can I overcome this problem?

Don->

Regular Contributor
Router mode:
When the RT-AX3000 is set to router mode, it shows up in OPNsense as a single device. I cannot select which device goes over the VPN or the university WAN.
I suspect that when in router mode you have not disabled NAT on the Asus. Thus OPNsense only "sees" one IP address from the Asus; however, that IP address has many TCP/UDP ports in use. These map back to the originating IP address and TCP/UDP port on your wireless LAN. From memory, this is termed double NATing.
 

pureexe

New Around Here
I suspect that when in router mode you have not disabled NAT on the Asus. Thus OPNsense only "sees" one IP address from the Asus; however, that IP address has many TCP/UDP ports in use. These map back to the originating IP address and TCP/UDP port on your wireless LAN. From memory, this is termed double NATing.

With NAT (and DHCP) disabled in router mode, OPNsense didn't see any device, and the devices that connect wirelessly cannot use the internet. Am I missing something?
 

Tech9

Part of the Furniture
You don't need this firewall. What the AX3000 can do on OpenVPN is enough for HD streaming on a few devices. You don't need this USB adapter either. Nothing on the AX3000 can reach 2.5Gb throughput. The university will see the traffic generated and implement other limitations, making your investment in extra hardware pointless. All the students will suffer as a result.
 

drinkingbird

Very Senior Member
With NAT (and DHCP) disabled in router mode, OPNsense didn't see any device, and the devices that connect wirelessly cannot use the internet. Am I missing something?

Once you disable NAT you need to add a static route on your firewall pointing your Asus LAN subnet to the Asus WAN IP.

You will need to leave DHCP enabled on the Asus so your LAN devices will get IPs, as in router mode they will not be able to send DHCP upstream to your firewall. Your firewall's DHCP will assign IPs to the router WAN and to the other devices connected to it (or if you want those to be static, you can disable DHCP on the firewall).

So for example:
Firewall WAN will be whatever IP it gets from the university
Firewall LAN will be 192.168.100.1/24
Asus WAN will be 192.168.100.2
Asus LAN will be 192.168.200.1/24
Devices on the LAN will be 192.168.200.x

NAS and computer will be in the 192.168.100.x firewall LAN subnet.

The firewall needs a static route for 192.168.200.0/24 via 192.168.100.2.
The Asus should have a default route pointing to 192.168.100.1, so that takes care of the routing for it.
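The addressing plan above, as an added example that is not code from the thread, from OPNsense or from Asus: a small Python model of why OPNsense sees one address when the Asus still NATs and per-client addresses once NAT is off, and why the return traffic needs the static route (without it, a reply to 192.168.200.x follows the default route out the university WAN and never reaches the client). The university gateway address 203.0.113.1 is a constructed stand-in; the check_plan helper also catches the two plan mistakes that break this setup, an Asus WAN address outside the firewall LAN and an Asus LAN that overlaps the firewall LAN.

```python
"""Model of the thread's addressing plan: double NAT vs. a routed Asus LAN.

Plan (drinkingbird's example): firewall LAN 192.168.100.1/24, Asus WAN 192.168.100.2,
Asus LAN 192.168.200.1/24. The packet/route model is a constructed illustration;
203.0.113.1 is a made-up stand-in for the university gateway.
"""
import ipaddress

FW_LAN = "192.168.100.0/24"
FW_LAN_IP = "192.168.100.1"
ASUS_WAN_IP = "192.168.100.2"
ASUS_LAN = "192.168.200.0/24"
UNI_GW = "203.0.113.1"          # constructed; TEST-NET-3 address, not a real gateway
CONNECTED = "connected"         # marker for a directly attached network (no next hop)


def check_plan(fw_lan, asus_wan_ip, asus_lan):
    """Return the problems with an addressing plan (empty list means it is usable)."""
    fw = ipaddress.ip_network(fw_lan)
    wan = ipaddress.ip_address(asus_wan_ip)
    lan = ipaddress.ip_network(asus_lan)
    problems = []
    if wan not in fw:
        problems.append(f"Asus WAN {wan} is not inside the firewall LAN {fw}")
    if fw.overlaps(lan):
        problems.append(f"Asus LAN {lan} overlaps the firewall LAN {fw}")
    return problems


def source_seen_by_firewall(client_ip, asus_nat_enabled):
    """Source address OPNsense sees for a packet from a wireless client behind the Asus."""
    client = ipaddress.ip_address(client_ip)
    if client not in ipaddress.ip_network(ASUS_LAN):
        raise ValueError(f"{client} is not behind the Asus")
    # With NAT on, every client is rewritten to the Asus WAN address, so
    # per-device firewall rules cannot tell them apart (the "single device").
    return ASUS_WAN_IP if asus_nat_enabled else str(client)


def next_hop(dst_ip, routes):
    """Longest-prefix match over [(network, gateway)]; returns the gateway or None if no route."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for net_str, gw in routes:
        net = ipaddress.ip_network(net_str)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return None if best is None else best[1]


def firewall_routes(with_static_route):
    """The firewall's routing table with or without the static route for the Asus LAN."""
    routes = [
        ("0.0.0.0/0", UNI_GW),   # default route out the university WAN
        (FW_LAN, CONNECTED),     # directly attached LAN
    ]
    if with_static_route:
        # Equivalent of OPNsense System > Routes: 192.168.200.0/24 via 192.168.100.2
        routes.append((ASUS_LAN, ASUS_WAN_IP))
    return routes


def reply_path(client_ip, with_static_route):
    """Where the firewall forwards a reply addressed to a wireless client."""
    return next_hop(client_ip, firewall_routes(with_static_route))


if __name__ == "__main__":
    print("plan problems:", check_plan(FW_LAN, ASUS_WAN_IP, ASUS_LAN))
    for ip in ("192.168.200.10", "192.168.200.11"):
        print(ip, "seen as", source_seen_by_firewall(ip, True), "with NAT,",
              source_seen_by_firewall(ip, False), "without")
    print("reply w/o static route goes to", reply_path("192.168.200.10", False))
    print("reply with static route goes to", reply_path("192.168.200.10", True))
```

The two outcomes to note: with NAT on, both clients are reported as 192.168.100.2, which is exactly what pureexe saw in OPNsense; with NAT off but no static route, reply_path returns the university gateway, which is why the wireless clients lost internet access when NAT was disabled.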

Don->

Regular Contributor
With NAT (and DHCP) disabled in router mode, OPNsense didn't see any device, and the devices that connect wirelessly cannot use the internet. Am I missing something?
I did miss this reply, my apologies. There is more to disabling NAT on an Asus router than just disabling NAT on the WAN link; see this link from Asus.
I loaded up tcpdump on my internet-facing router (Ubiquiti) and confirmed that I can see several different 192.168.50.x addresses, which the Ubiquiti then NATs. You must leave DHCP on the LAN of the Asus, else no clients will obtain IP address information. I use a fixed IP address on the WAN port of the Asus router, i.e. 192.168.10.2, with the UDM using 192.168.10.1. The only gotcha you may encounter is that you cannot HTTP/HTTPS to the WAN port of the Asus from the OPNsense device, as it's blocked by default.

Internet --- UDM --- 192.168.10.x/24 --- ASUS ---- Lan 192.168.50.x/24

I have run this exact setup for several months without issue.
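The tcpdump check Don-> describes, as an added example that is not code from the thread: a Python helper that tallies the source addresses in a capture taken on the upstream router's inner interface and says whether the Asus is still NATing. If NAT is really off you see the individual 192.168.50.x clients; if every packet carries the Asus WAN address 192.168.10.2, NAT is still on. The capture lines are constructed to look like `tcpdump -nn -i <inner_if>` output and are not from the thread.

```python
"""Tally the source addresses in a tcpdump capture taken on the firewall's inner interface.

Don-> verified NAT was off on the Asus by seeing several 192.168.50.x sources in tcpdump.
This added helper does that tally and gives a verdict. The capture lines below are
constructed to look like `tcpdump -nn -i <inner_if>` output; they are not from the thread.
"""
import ipaddress
import re

# "HH:MM:SS.usec IP src.port > dst.port: ..." as printed by tcpdump -nn
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d{1,3}(?:\.\d{1,3}){3})\.\d+ > (?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.\d+:"
)

# Constructed sample captures. Don->'s plan: Asus WAN 192.168.10.2, Asus LAN 192.168.50.0/24.
CAPTURE_NAT_OFF = [
    "12:00:01.000001 IP 192.168.50.12.50442 > 142.250.74.46.443: Flags [S], seq 1, win 64240, length 0",
    "12:00:01.000002 IP 192.168.50.13.53211 > 1.1.1.1.53: 12345+ A? example.com. (29)",
    "12:00:01.000003 IP 192.168.50.12.50443 > 93.184.216.34.80: Flags [S], seq 2, win 64240, length 0",
]
CAPTURE_NAT_ON = [
    "12:00:02.000001 IP 192.168.10.2.40001 > 142.250.74.46.443: Flags [S], seq 1, win 64240, length 0",
    "12:00:02.000002 IP 192.168.10.2.40002 > 1.1.1.1.53: 12346+ A? example.com. (29)",
]


def sources(lines):
    """Distinct source IPs found in tcpdump -nn lines; lines that don't parse are skipped."""
    out = set()
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            out.add(m.group("src"))
    return out


def nat_verdict(lines, asus_wan_ip, asus_lan):
    """'nat_off' if per-client addresses from the Asus LAN appear, 'nat_on' if only the
    Asus WAN address does, 'no_traffic' if neither is present in the capture."""
    lan = ipaddress.ip_network(asus_lan)
    srcs = sources(lines)
    inner = {s for s in srcs if ipaddress.ip_address(s) in lan}
    if inner:
        return "nat_off"
    if asus_wan_ip in srcs:
        return "nat_on"
    return "no_traffic"


if __name__ == "__main__":
    for name, cap in (("nat off", CAPTURE_NAT_OFF), ("nat on", CAPTURE_NAT_ON)):
        print(name, sorted(sources(cap)), nat_verdict(cap, "192.168.10.2", "192.168.50.0/24"))
```

On the real box, capture on the interface facing the Asus with a filter such as `tcpdump -nn -i <inner_if> net 192.168.50.0/24 or host 192.168.10.2` and feed the lines to nat_verdict; a "nat_on" verdict means the Asus-side NAT setting described in the Asus link has not actually taken effect.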
 
