
RT-AC86U VPN routing issue

Timmeh!

New Around Here
Hi all,

I've had an RT-AC86U running Merlin for a little while now and have come to these forums regularly to learn more of its capabilities from the knowledgeable people here. Unfortunately I've now hit a stumbling block and can't find a solution anywhere, so I thought I'd make a post and see if anyone else might have some ideas.

I have an OpenVPN client instance set up with a VPN provider which I use to provide VPN access for some clients on my network, and it has been working fine. Recently I started looking at segregating my home network further with VLANs to isolate IoT devices and other wired devices for better security.

I have a switch capable of handling VLANs as well as setting up layer 3 VLAN interfaces for them, which I have done, and I am able to get internet connectivity working as well as inter-VLAN routing. The problem I am having is that as soon as I try adding a client with an IP from one of these new VLANs to the OpenVPN connection, I lose internet connectivity and cannot use the VPN tunnel (the main router network still works fine). Below is a breakdown of my setup:

Internet > RT-AC86U > Switch > Client device

RT-AC86U IP - 192.168.1.1
RT-AC86U network - 192.168.1.0/24
RT-AC86U static routes:
192.168.2.0 255.255.255.0 192.168.1.250
192.168.3.0 255.255.255.0 192.168.1.250
192.168.4.0 255.255.255.0 192.168.1.250

Switch:
VLAN 1 (Default) - 192.168.1.0/24 - VLAN interface 192.168.1.250 (auto connected route to this IP)
VLAN 2 - 192.168.2.0/24 - VLAN interface 192.168.2.1 (auto connected route to this IP)
VLAN 3 - 192.168.3.0/24 - VLAN interface 192.168.3.1 (auto connected route to this IP)
VLAN 4 - 192.168.4.0/24 - VLAN interface 192.168.4.1 (auto connected route to this IP)
Default static route: 0.0.0.0 0.0.0.0 192.168.1.1

While the switch is VLAN aware, the router is not in this current setup (I initially tried looking at setting up VLANs on the RT-AC86U but that seems a no-go for now). Traffic routing for clients is handled by the static routes shown above and goes via an access port on the switch on VLAN 1 which connects to a LAN port on the RT-AC86U.

The OpenVPN connection is configured as type TUN / UDP, redirect internet traffic is set to "Policy Rules (strict)" and "Block routed clients if tunnel goes down" is enabled. There are some custom configuration options set too which were provided by the VPN provider, which I have tried tweaking but to no avail. My best assumption at the moment is that there is a routing issue getting back to this new network, but I can't quite work it out as there isn't much in the logs to go on. I can successfully ping/tracert from the client device as far as the Local NAT IP address that is created when the OpenVPN connection is activated, but that's about it.

Does anyone have any ideas what I am missing to get VPN traffic to route correctly for these new networks?

Thanks in advance.
 
The use of different subnets for each of your VLANs causes issues, as you have discovered. While with routing you might be able to do what you want, if you have the option, try using 802.1Q VLANs instead. Then all your devices are still in the same subnet and a simple policy routing setup will work to send some devices over the WAN connection and others over your VPN, but devices on different VLANs are isolated from each other.

This is what I do with my TP-Link SG-108E switches to segregate less secure IoT type devices from devices I want to keep more secure on my primary network.
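To make the difference between the two layouts concrete, here is an added example (not code from the thread, from Asuswrt-Merlin or from either poster) that simulates source-based policy routing with longest-prefix-match lookups and walks a packet hop by hop through both topologies: the poster's routed layout, where the L3 switch owns VLANs 2 to 4 and the router reaches them through the static routes to 192.168.1.250, and the flat 802.1Q layout from the reply, where every device sits in 192.168.1.0/24 and a per-host rule on the router decides who goes out the tunnel. The LAN subnets, static routes and VLAN interface addresses come from the post; the client addresses, the WAN next hop (RFC 5737 203.0.113.0/24), the tunnel interface name tun11, the VPN table name ovpnc1 and which routes that table contains are assumptions made for the example.

```python
"""Policy-routing simulator: ip-rule style table selection plus longest-prefix match.

Added example, not the firmware's code. Subnets, static routes and VLAN interface
addresses follow the thread; client IPs, the WAN next hop 203.0.113.1, interface
names eth0/br0/tun11 and the VPN table name ovpnc1 are assumptions.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass
class Route:
    prefix: Net
    dev: str                  # egress interface
    via: str | None = None    # next-hop IP; None means directly connected


@dataclass
class Device:
    name: str
    addrs: dict[str, str]                  # interface -> its own IP
    tables: dict[str, list[Route]]         # routing tables by name
    rules: list[tuple[Net, str]] = field(default_factory=list)  # (source selector, table), in order

    def pick_table(self, src: str) -> str:
        # ip-rule semantics: first rule whose source selector matches wins, else main
        for selector, table in self.rules:
            if IPv4(src) in selector:
                return table
        return "main"

    def lookup(self, table: str, dst: str) -> Route | None:
        # longest-prefix match inside a single table
        best = None
        for r in self.tables.get(table, []):
            if IPv4(dst) in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return best


def R(prefix: str, dev: str, via: str | None = None) -> Route:
    return Route(Net(prefix), dev, via)


def trace(devices: dict[str, Device], src: str, dst: str, first_hop: str):
    """Walk a packet hop by hop. Returns [(device, table used, egress dev, next hop)]."""
    path, cur = [], first_hop
    for _ in range(len(devices) + 1):       # loop guard
        dev = devices[cur]
        table = dev.pick_table(src)
        r = dev.lookup(table, dst)
        if r is None:                       # no route in the selected table: dropped here
            path.append((dev.name, table, None, None))
            return path
        path.append((dev.name, table, r.dev, r.via))
        nxt = next((d.name for d in devices.values() if r.via in d.addrs.values()), None)
        if r.via is None or nxt is None:    # delivered on-link, into a tunnel, or to an unmodelled hop
            return path
        cur = nxt
    return path


def routed_topology() -> dict[str, Device]:
    """Poster's layout: router is not VLAN aware, L3 switch holds the VLAN interfaces."""
    lan = [R("192.168.1.0/24", "br0")]
    statics = [R(f"192.168.{n}.0/24", "br0", "192.168.1.250") for n in (2, 3, 4)]
    router = Device(
        "RT-AC86U", {"br0": "192.168.1.1", "eth0": "203.0.113.2"},
        {"main": lan + statics + [R("0.0.0.0/0", "eth0", "203.0.113.1")],
         # assumed: VPN table carries the same LAN/static routes plus a tunnel default
         "ovpnc1": lan + statics + [R("0.0.0.0/0", "tun11")]},
        rules=[(Net("192.168.2.10/32"), "ovpnc1")],   # constructed client on VLAN 2 routed via VPN
    )
    switch = Device(
        "switch",
        {"vlan1": "192.168.1.250", "vlan2": "192.168.2.1", "vlan3": "192.168.3.1", "vlan4": "192.168.4.1"},
        {"main": [R(f"192.168.{n}.0/24", f"vlan{n}") for n in (1, 2, 3, 4)]
                 + [R("0.0.0.0/0", "vlan1", "192.168.1.1")]},
    )
    return {"switch": switch, "RT-AC86U": router}


def flat_topology() -> dict[str, Device]:
    """Reply's layout: 802.1Q VLANs, one subnet, switch is L2 only so the router is first hop."""
    lan = [R("192.168.1.0/24", "br0")]
    router = Device(
        "RT-AC86U", {"br0": "192.168.1.1", "eth0": "203.0.113.2"},
        {"main": lan + [R("0.0.0.0/0", "eth0", "203.0.113.1")],
         "ovpnc1": lan + [R("0.0.0.0/0", "tun11")]},
        rules=[(Net("192.168.1.60/32"), "ovpnc1")],   # constructed: .60 via VPN, everyone else via WAN
    )
    return {"RT-AC86U": router}


def demo():
    routed, flat = routed_topology(), flat_topology()
    out = trace(routed, "192.168.2.10", "8.8.8.8", "switch")      # VLAN 2 client out to the internet
    back = trace(routed, "8.8.8.8", "192.168.2.10", "RT-AC86U")   # reply path needs the static route
    vpn = trace(flat, "192.168.1.60", "8.8.8.8", "RT-AC86U")      # flat: host with a rule -> tunnel
    wan = trace(flat, "192.168.1.61", "8.8.8.8", "RT-AC86U")      # flat: host without a rule -> WAN
    return out, back, vpn, wan


if __name__ == "__main__":
    for label, path in zip(("routed out", "routed back", "flat vpn", "flat wan"), demo()):
        print(label, path)
```

The check a practitioner wants from this is that both directions resolve: in the routed layout the outbound lookup on the router is done with the client's source selector (so it lands in the VPN table), but the reply is looked up with the remote address as source, falls through to main, and only reaches VLAN 2 because the static route to 192.168.1.250 is there. In the flat layout there is no second router hop and no static route to get wrong; the only thing that differs between the two hosts is which table their source selector picks.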
 
@CaptainSTX thanks for your reply.

I was starting to suspect there may be a limitation with using subnets outside of the one in use by the router, so thanks for confirming. I hadn't thought about using VLANs within a single subnet, but it sounds like a good way forward which I'll test tonight. I am also using a managed TP-Link switch so hopefully it should work fine. I'll report back when I've tested it.

Thanks again.
 
Unfortunately I have an RT-AC86U which from what I have seen online so far doesn't support VLANs in the same way as the RT-AC68U does. For now I am using a feature on my switch called port isolation to secure what IoT and similar devices have access to.
 
I switched my network to the same subnet. Now everything works fine. Unfortunately I had no choice.
I am guessing it's an issue with the firmware when there are multiple subnets and VPN routing.
 
I have a 24-port TPLink switch that is manageable, but I gave up trying to configure it to provide the isolation that I want for the IoT devices and the critical devices on my network and still have the accesses that I need between all the devices. Is there a guide that you guys used in designing and configuring your VLANs that you could point me to?
 