Solved HOW TO use second router through VPN for guests

JSeb

Occasional Visitor
Hi,

I have a simple task, but I don't know how to do it and if it's as easy as it is to ask...

I have an AC1900p (AC68u Merlin's firmware). I want to use it as the main router for my family. I also have the router from my ISP (which can't connect to VPN as client). I want to connect the ISP router to a lan port of my AC68u and have all its traffic passing through a VPN for security reasons.

I also want to make sure that it will not be possible to access the network and the config page of the AC68u.

Is it an easy task?

Thanks for the help
 
no need for a second router ;)

https://www.snbforums.com/threads/y...-merlin-guest-wifi-inc-ssid-vpn-client.45924/

if you setup a wifi using yazfi and disable intranet access in that wifi in merlin, you won't be able to login to the router since you'll be on a different subnet. i do this - just tested it, and both 192.168.1.1 and 192.168.3.1 refused to connect while on a 192.168.3.14 lan addressed client. the only downside is your router may only manage about 30mbps over wifi because the VPN logic residing in the router slows it down that much. if you want high speed vpn over wifi in the same router, you'll need to buy one of the newer asus 1.8ghz cpu based routers as the sole router.
 
I want to connect the ISP router to a lan port of my AC68u and have all its traffic passing through a VPN for security reasons.

Which port of the ISP router? WAN? LAN? Makes a big difference since the former places those clients on a different local network from the RT-AC68U, while the latter places them on the *same* local network as the RT-AC68U.
 
Hi,

I have a simple task, but I don't know how to do it and if it's as easy as it is to ask...

I have an AC1900p (AC68u Merlin's firmware). I want to use it as the main router for my family. I also have the router from my ISP (which can't connect to VPN as client). I want to connect the ISP router to a lan port of my AC68u and have all its traffic passing through a VPN for security reasons.

I also want to make sure that it will not be possible to access the network and the config page of the AC68u.

Is it an easy task?

Yes, see this tutorial Set up 2nd router as VPN router

One caveat, as noted at the end of the article regarding the need for additional firewall rules/static routes: although the two networks should be mostly isolated, there is sometimes pinhole access for some devices that may not be appropriate - so carefully test access from connections on both routers.
 
I want to connect the ISP router to a lan port of my AC68u and have all its traffic passing through a VPN for security reasons.

Which port of the ISP router? WAN? LAN? Makes a big difference since the former places those clients on a different local network from the RT-AC68U, while the latter places them on the *same* local network as the RT-AC68U.
I was thinking of connecting ISP router from LAN of RT-AC68U to WAN of the ISP router. I hope to know if it can be setup within Merlin GUI. 2 different networks with everything coming from the WAN port of the ISP router passing through the VPN setup in RT-AC68U. And be sure that network of the ISP router that will serve for guests is unable to reach devices in network of RT-AC68U.
 
no need for a second router ;)

https://www.snbforums.com/threads/y...-merlin-guest-wifi-inc-ssid-vpn-client.45924/

if you setup a wifi using yazfi and disable intranet access in that wifi in merlin, you won't be able to login to the router since you'll be on a different subnet. i do this - just tested it, and both 192.168.1.1 and 192.168.3.1 refused to connect while on a 192.168.3.14 lan addressed client. the only downside is your router may only manage about 30mbps over wifi because the VPN logic residing in the router slows it down that much. if you want high speed vpn over wifi in the same router, you'll need to buy one of the newer asus 1.8ghz cpu based routers as the sole router.
I made a check about Yazfi. It needs using scripts and I don't feel comfortable doing that. I prefer to do it through Merlin GUI if possible.
And what causes the 30mbps cap? Is it possible to avoid this cap if I use the second router through VPN set in the first for guests instead of the internal guest network?
 
I was thinking of connecting ISP router from LAN of RT-AC68U to WAN of the ISP router. I hope to know if it can be setup within Merlin GUI. 2 different networks with everything coming from the WAN port of the ISP router passing through the VPN setup in RT-AC68U. And be sure that network of the ISP router that will serve for guests is unable to reach devices in network of RT-AC68U.

As long as you can install third-party firmware on the ISP router, then it's a simple matter of adding a firewall rule to block access to the upstream router's local network.

What follows is a script I use w/ dd-wrt for similar purposes.

https://pastebin.com/1df1XsuK

Notice the following lines in particular:

Code:
WAN_IP="$(nvram get wan_ipaddr)"
WAN_NET="$WAN_IP/$(nvram get wan_netmask)"
...
# deny access to private network by guests (internet only)
iptables -I FORWARD -i br0 -d $WAN_NET -m state --state NEW -j REJECT

The nvram variables might differ slightly from firmware to firmware, but the basic concept and rule remain the same.
 
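What the two `nvram` lines and the REJECT rule in the post above amount to, as an added example that is not part of the original post or the linked script: it normalizes the WAN address and netmask to a CIDR network, checks which destinations that network covers, and prints the rule in delete-then-insert form so it does not stack up when the firewall script reruns. The helper names and the sample addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: derive the upstream (WAN-side) network the way the quoted
# lines do and check which destinations the REJECT rule would match.
# All addresses used with these helpers are constructed samples.

# Dotted quad -> 32-bit integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# WAN IP + netmask (as returned by nvram) -> normalized network in CIDR form.
wan_cidr() {
    ip=$(ip_to_int "$1"); mask=$(ip_to_int "$2")
    bits=0; m=$mask
    while [ $(( m & 0x80000000 )) -ne 0 ]; do
        bits=$(( bits + 1 )); m=$(( (m << 1) & 0xFFFFFFFF ))
    done
    echo "$(int_to_ip $(( ip & mask )))/$bits"
}

# Succeeds if address $1 lies inside network $2 (CIDR), i.e. the rule matches it.
covered() {
    net=${2%/*}; bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# Print the commands only (nothing is applied): delete any earlier copy of
# the rule, then insert it at the top of FORWARD.
guest_block_cmds() {
    rule="FORWARD -i br0 -d $1 -m state --state NEW -j REJECT"
    echo "iptables -D $rule 2>/dev/null"
    echo "iptables -I $rule"
}
```

Only the subnet the guest router's WAN port sits on is covered; any other subnet on the upstream router (for example a 192.168.3.0/24 guest network) falls outside `WAN_NET` and needs its own rule.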
Yes, see this tutorial Set up 2nd router as VPN router

One caveat, as noted at the end of the article regarding the need for additional firewall rules/static routes: although the two networks should be mostly isolated, there is sometimes pinhole access for some devices that may not be appropriate - so carefully test access from connections on both routers.
I already read this tutorial. It is interesting, but didn't really help me because I want to use my VPN router, that is better in every way, for my home network and the non-VPN router for guests network. This separate network should be tunneled through the VPN running in the VPN router.
In the tutorial, the VPN router is placed in the second place. It would be very easy to set this up, but the range and the efficiency of the RT-AC1900P (RT-AC68U) will serve guests instead of me...
 
I made a check about Yazfi. It needs using scripts and I don't feel comfortable doing that. I prefer to do it through Merlin GUI if possible.

I was the same way about scripts 6 months ago. Don't let them scare you. The amazing amtm script does all the heavy lifting for you. @L&LD has prepared a great tutorial on using amtm. Find it here: https://www.snbforums.com/threads/amtm-step-by-step-install-guide-l-ld.56237/#post-483421
And once you get your feet wet with your first script be sure to add Diversion to your toolbox.

And what causes the 30mbps cap? Is it possible to avoid this cap if I use the second router through VPN set in the first for guests instead of the internal guest network?

Using a VPN is cpu intensive on a router. Your 1900P should do around 60 Mbps. My old AC68U (1.0 GHz dual core) could do around 50 Mbps and my old AC3100 (1.4 GHz dual core) could do around 60 Mbps. Your 1900P also has a 1.4 GHz dual core cpu.

The 86U has hardware VPN acceleration and can do 250+ Mbps over a VPN. Might be a good upgrade if you need faster VPN speeds.
 
As long as you can install third-party firmware on the ISP router, then it's a simple matter of adding a firewall rule to block access to the upstream router's local network.

What follows is a script I use w/ dd-wrt for similar purposes.

https://pastebin.com/1df1XsuK

Notice the following lines in particular:

Code:
WAN_IP="$(nvram get wan_ipaddr)"
WAN_NET="$WAN_IP/$(nvram get wan_netmask)"
...
# deny access to private network by guests (internet only)
iptables -I FORWARD -i br0 -d $WAN_NET -m state --state NEW -j REJECT

The nvram variables might differ slightly from firmware to firmware, but the basic concept and rule remain the same.
Sorry, my ISP router is the kind that needs too much physical manipulation for my confidence to install that kind of firmware.
But, as I see, it needs scripting...
 
I was the same way about scripts 6 months ago. Don't let them scare you. The amazing amtm script does all the heavy lifting for you. @L&LD has prepared a great tutorial on using amtm. Find it here: https://www.snbforums.com/threads/amtm-step-by-step-install-guide-l-ld.56237/#post-483421
And once you get your feet wet with your first script be sure to add Diversion to your toolbox.

Using a VPN is cpu intensive on a router. Your 1900P should do around 60 Mbps. My old AC68U (1.0 GHz dual core) could do around 50 Mbps and my old AC3100 (1.4 GHz dual core) could do around 60 Mbps. Your 1900P also has a 1.4 GHz dual core cpu.

The 86U has hardware VPN acceleration and can do 250+ Mbps over a VPN. Might be a good upgrade if you need faster VPN speeds.
Thanks.
I'll check this thread. Maybe I'll try to get into scripts...
For the speed cap, since it will be for guests (not used intensely every day), maybe the cap won't be a big deal.
 
Sorry, my ISP router is the kind that needs too much physical manipulation for my confidence to install that kind of firmware.
But, as I see, it needs scripting...

I understand. That's the problem many times w/ trying to reuse ISP equipment. The OEM firmware is limited, and unless you can install third party firmware, you can't solve certain kinds of problems, like those that require scripting.

After so many years and so many routers, I always seem to have a spare that supports third-party firmware. The old wireless G routers are plenty good enough for guests.
 
