Setting 2 separate groups on AC68U (with vpn, without vpn)

blade12

Occasional Visitor
Hi, I wanted to set up a router VPN on my AC68U. I installed asuswrt_Merlin for that, and I see it's possible to create a VPN tunnel & set certain IPs to use VPN, exclude others. However, the only way to change from using the tunnel to not using it is by manually moving the IP.

Is it possible to create 2 separate groups? I want 1 group to go through VPN and another group to bypass the VPN, both on the same router. If I am on the VPN group and want to switch to the other group, I want to be able to reconnect to the other group. Is that possible with the AC68 or perhaps another Asus router?

Is my only option to purchase a 2nd router and have 2 separate networks running simultaneously on the same WAN? I would love to be able to use a single router for this purpose, but perhaps I'm asking for too much.

If what I'm asking for is not possible, is it possible to create a whitelist to exclude certain apps from using the VPN tunnel? Certain services like Amazon, Netflix and online banking are very good at detecting VPNs, so it would be nice to whitelist those. Again, I might be asking for the impossible, but I'm trying to get a network-wide VPN & exclude certain things when and only if they cause an issue.

TITAN

Occasional Visitor
You could potentially do something using the wifi and guest wifi networks.
Set it up so that your wifi goes via the VPN (use VPN Director for this) and the guest wifi goes via your real WAN IP (you need to use Guest 1, as it allocates a different subnet which won't hit any of the VPN Director rules).

blade12

Occasional Visitor
You could potentially do something using the wifi and guest wifi networks.
Set it up so that your wifi goes via the VPN (use VPN Director for this) and the guest wifi goes via your real WAN IP (you need to use Guest 1, as it allocates a different subnet which won't hit any of the VPN Director rules).
That's a good idea worth trying.

I'm not sure of the difference between 'VPN Director' and 'VPN client' since I just installed asusmerlin right before making this thread. Don't I have to set up the VPN connection through VPN client?

eibgrad

Part of the Furniture
A word of caution about using guest #1 for these purposes.

I'm NOT sure it applies to all Merlin compatible routers, but certainly for my own RT-AC68U, while it will assign a different IP network for guest 2.4GHz (192.168.101.x) or guest 5GHz (192.168.102.x), it will only use those networks if you disable intranet access. Otherwise, it will use the private network, just like guest #2 and #3 do.

Now granted, for most ppl using a guest network, they typically do NOT want guests to have access to the private network anyway. But in the case of the OP, since he would only be leveraging the guest network because it uses a different IP network, he may in fact *want* to allow access between the two IP networks. And this assumes all such clients are only wireless; guest networks do NOT support wired clients.

That's the problem w/ trying to leverage a guest network for purposes for which it was NOT intended. Sometimes it works out. But other times, the way guest networks have been implemented just doesn't jibe w/ your needs. And in the case of guest #1, ASUS has jury-rigged that particular guest network w/ these two IP networks (192.168.101.x and 192.168.102.x) for the benefit of AiMesh. But to the extent you might consider that advantageous, as I said, it requires you to disable intranet access.

P.S. I suppose you could add IP firewall rules to re-enable access between the 192.168.101.x/192.168.102.x and private networks.

blade12

Occasional Visitor
@eibgrad

So you are essentially saying that if something/someone is on the guest network, they would not be able to access the router & devices on the other main network (the VPN network)? That could be an issue because I was planning on placing devices like the robot vacuum and digital thermostat, etc. outside the VPN (so on the guest network). That would make them inaccessible, huh? I would have to place them all behind the VPN, which isn't really a big issue tbh.

Would your "p.s." solve that issue though with an IP firewall rule? If it would, then this would no longer pose a problem. I am just not certain how to do it, but it shouldn't be hard to figure out.

Might want to consider YazFi too (if you can live w/ only wireless users).
So with that, the guest network would be wifi only? Would that script overcome the issue of disabling intranet like discussed above?

The issue still remaining is that certain services like Amazon, Netflix, etc. are good at detecting & blocking VPNs. I truly don't know how to approach that if I decide to push for network-level router VPN rather than device-level VPN. Some VPNs are good at swerving past Amazon/Netflix blocks, but it's a constant battle in some ways. VPNs create new IPs, the companies block them. It is whack-a-mole, and you are not guaranteed to get a VPN IP assigned that isn't blocked or doesn't get blocked.

The more I think about it, the more I am starting to question whether a router VPN is worth it over using VPN on individual devices. There is no way I could whitelist every IP range used by Amazon/Netflix. VPN on the device level would mean I can just disable VPN temporarily if I notice Prime Video or Netflix is blocking that IP. That's what I was thinking about throughout today, and I don't have a great idea of how to deal with that, if I can deal with that. I would be curious to see how others deal with that.


eibgrad

Part of the Furniture
Would your "p.s." solve that issue though with an IP firewall rule? If it would, then this would no longer pose a problem. I am just not certain how to do it, but it shouldn't be hard to figure out. So with that, the guest network would be wifi only? Would that script overcome the issue of disabling intranet like discussed above?

I presume so. I'm always a bit tentative until I've verified something like that personally. I simply haven't at this point.

As far as YazFi, it leverages the existing guest networks, so yes, it would be wireless only. But it's significantly more featured and robust than simply choosing to use the wireless networks as-is. It's designed specifically to place the guest network(s) on their own IP networks, where you can take advantage of that for various purposes, the most common being the ability to segregate guests from other guests and the private network for selective routing w/ the VPNs. Plus you can control whether the guests can communicate w/ the private network, and control AP isolation on a per-guest basis.

The issue still remaining is that certain services like Amazon, Netflix, etc. are good at detecting & blocking VPNs. I truly don't know how to approach that if I decide to push for network-level router VPN rather than device-level VPN. Some VPNs are good at swerving past Amazon/Netflix blocks, but it's a constant battle in some ways. VPNs create new IPs, the companies block them. It is whack-a-mole, and you are not guaranteed to get a VPN IP assigned that isn't blocked or doesn't get blocked.

The more I think about it, the more I am starting to question whether a router VPN is worth it over using VPN on individual devices. There is no way I could whitelist every IP range used by Amazon/Netflix. VPN on the device level would mean I can just disable VPN temporarily if I notice Prime Video or Netflix is blocking that IP. That's what I was thinking about throughout today, and I don't have a great idea of how to deal with that, if I can deal with that. I would be curious to see how others deal with that.

Dealing w/ blockage by streaming content providers will always be problematic, no matter the router or firmware, for the reasons you've already stated. I don't know of any firmware that specifically deals w/ this issue directly. The best you will typically find is the ability to route specific clients, based on their source IP, to either the VPN or WAN. But it's always *YOU* that ultimately has to take responsibility for situations where things go wrong. For example, in theory you could determine all the destination IPs used by Amazon, Netflix, et al., and bind them to the WAN, either as static routes or via PBR (policy-based routing). But given the number of domains and sub-domains used by these content providers, and ever-changing IPs, that's a tall order. IOW, it's usually impractical. You may have to use a script like the following to make it work.

In the end, it's nearly impossible for someone else to say what is right for YOU. It's a complex issue, made even more complex by the fact the problem w/ streaming content providers is NOT a technical one; it's an administrative one. So it's a constant cat and mouse game. And trying to find a technical solution that will always work can be elusive.
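
The selective-routing logic the thread keeps coming back to (private LAN sent through the tunnel, Guest 1 subnets falling through to the WAN because no rule covers them, and a destination range pinned to the WAN so it bypasses the tunnel) can be modelled in a few lines. The following is an added example written for this thread, not Asuswrt-Merlin or VPN Director code: the rule-ordering (WAN rules evaluated before tunnel rules) is a simplification modelled on VPN Director, `Rule`, `select_egress` and `uncovered_sources` are names chosen here, and every address apart from the 192.168.101.x/192.168.102.x guest networks mentioned above is a constructed placeholder from the documentation ranges.

```python
"""Model of source/destination policy-based routing (PBR) as discussed in
this thread: the private LAN leaves via the VPN tunnel, the guest #1
subnets match no rule and fall through to the WAN, and one destination
range is pinned to the WAN so it bypasses the tunnel even for LAN clients.

Added example, not Asuswrt-Merlin or VPN Director code.  Assumptions:
WAN rules are evaluated before tunnel rules (simplified VPN Director
behaviour); 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges
standing in for a provider's address space and a generic web server."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One PBR entry: traffic matching src and/or dst leaves via iface."""
    name: str
    iface: str                       # "WAN" or a tunnel such as "OVPN1"
    src: Optional[IPv4Network] = None
    dst: Optional[IPv4Network] = None

    def matches(self, src_ip, dst_ip) -> bool:
        if self.src is not None and src_ip not in self.src:
            return False
        if self.dst is not None and dst_ip not in self.dst:
            return False
        return True


def select_egress(rules: List[Rule], src: str, dst: str,
                  default: str = "WAN") -> Tuple[str, str]:
    """Return (interface, rule name) for one packet; unmatched -> default."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    # WAN (bypass) rules take priority, then tunnel rules in list order.
    ordered = ([r for r in rules if r.iface == "WAN"]
               + [r for r in rules if r.iface != "WAN"])
    for rule in ordered:
        if rule.matches(src_ip, dst_ip):
            return rule.iface, rule.name
    return default, "no-match"


def uncovered_sources(rules: List[Rule],
                      subnets: List[IPv4Network]) -> List[IPv4Network]:
    """Subnets that no source-based rule covers always take the default
    route.  This is why the guest #1 subnets bypass the tunnel on their own."""
    covered = [r.src for r in rules if r.src is not None]
    return [s for s in subnets if not any(s.subnet_of(c) for c in covered)]


# Constructed topology.  192.168.101.x / 192.168.102.x are the guest #1
# networks named in the thread; the other ranges are placeholders.
PRIVATE_LAN = ip_network("192.168.1.0/24")
GUEST1_2G = ip_network("192.168.101.0/24")
GUEST1_5G = ip_network("192.168.102.0/24")
BYPASS_DST = ip_network("203.0.113.0/24")    # e.g. a bank's published range

RULES = [
    Rule("bank bypasses tunnel", "WAN", src=PRIVATE_LAN, dst=BYPASS_DST),
    Rule("private LAN via tunnel", "OVPN1", src=PRIVATE_LAN),
]


def demo() -> dict:
    """Route a few constructed packets and list the rule-less subnets."""
    return {
        "lan->web": select_egress(RULES, "192.168.1.50", "198.51.100.7"),
        "lan->bank": select_egress(RULES, "192.168.1.50", "203.0.113.10"),
        "guest->web": select_egress(RULES, "192.168.101.20", "198.51.100.7"),
        "uncovered": [str(s) for s in uncovered_sources(
            RULES, [PRIVATE_LAN, GUEST1_2G, GUEST1_5G])],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>10}: {value}")
```

The point eibgrad makes about destination-based bypass shows up directly: the `bank bypasses tunnel` rule only works for the single range it names, so every additional provider range has to be discovered and added by hand, which is why he calls the approach impractical at scale. Swapping `OVPN1` for the WAN on a per-client basis (the "move the IP" step in the first post) is just a change to the source rule.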