[Solved] Setup dual routers with one dedicated for VPN

rtn66uftw

Happy Wednesday!

I currently have an AT&T U-Verse 5268AC FXN modem and two Asus routers, RT-AC3100 and AC68U, running Merlin's firmware. I'm wondering if it's possible to use the AC3100 as normal and the AC68U as a VPN dedicated router? What would be the best way to have these two set up?

Appreciate any help!
 
By default, the Asus router has a feature that allows VPN passthrough.

With that being said, I would recommend using the RT-AC3100 for the VPN, and the AC68U as the main router.
You would place them both in router mode. On the first router you would give the 2nd router (VPN router) a static IP on your network using manual assignment.

Let us call the primary router 192.168.1.1 for simplicity. (You would connect a LAN port on router 1 to the WAN port on router 2.)
The second router can be given the IP of 192.168.1.2 in your static manual assignment. This will show up as the WAN IP on the second router as well. The second router will then be given its own built-in IPs from a pool of IPs; let us call this 192.168.2.1. The only downside to this is that all devices on 192.168.2.1 will be able to communicate with 192.168.1.1, but none of the devices on 192.168.1.1 will be able to talk to devices on 192.168.2.1.
You can resolve this issue with a static route on router 1.

Now you can ping devices on router 2.

You can then set up the VPN on router 2.

Note: you may have to take additional steps to set up the VPN the way you want, and there may be additional requirements for configuring router settings on both routers to your liking.

This is just the basics, the bare minimum to do it. Note that some router features may have issues in this double NAT setup and may require special configuration on your part; fortunately you are at a great forum for asking for help and using the search engine.

Cheers! :cool:

Updated: you could also simply run the VPN off the main router, skip the double NAT situation and run the second router only as an access point. There are benefits to both methods, but only the top method has any cons that you need workarounds for.
 
In addition to what @Swistheater suggests above, the reason you want the RT-AC3100 to be the VPN server is because of the 1.4GHz dual-core processors it has vs. the 800MHz dual-core processors the RT-AC68U has (if you have a newer example, it may have 1GHz dual-core processors) giving you at least 40% faster VPN speeds.

The RT-AC68U will top out at around 40Mbps in an optimum environment, the RT-AC3100 around 60Mbps or so.

What are the ISP speeds you're currently paying for? And any plans to upgrade them in the foreseeable future? :)

If your ISP speeds are much lower than what is indicated above, then using a single router (the RT-AC3100, of course) is the recommended choice.
 
Thank you so much for the detailed response. I'll use the AC3100 as the VPN router per your advice

Thank you! Didn't know that the VPN speed is around 60 Mbps. Our AT&T ISP speed is about 300 Mbps
 
Also, the AES-128-GCM cipher should give you the best performance.
 
Is that 300Mbps up/down? Remember that your uploads/downloads will be reversed depending on who you are connecting to and where you are connecting from. :)
 
Yes it's both 300 Mbps up and down
 
This setup is working great. Thank you again!

Now the only problem is the wireless Brother printer. The current setup:
1. Main router: AC68U, Merlin 384.14, connected to the modem, 192.168.1.xxx. The printer is connected to this router via WiFi with a static IP 192.168.1.10. Printing on this subnet is fine.
2. VPN router: AC3100, Merlin 384.14, WAN port connected to AC68U LAN port, different subnet 192.168.2.xxx. It is also given a static IP 192.168.1.2 on the main router AC68U.
Printing from this router is not possible even though I was able to ping the printer.

Is it possible to get the printer to work from the VPN router?
 
This setup is working great.

I see it's an old thread, but you can do everything you need on RT-AC3100 router only. With Asuswrt-Merlin firmware and Custom Scripts support you don't need 2 routers on 2 different subnets with all the potential issues related to this setup (like the one you have with the printer, for example).

You can have all your devices connecting to RT-AC3100 on the same subnet, run both OpenVPN Server and Client on it, create 2 different SSIDs (one always going through VPN, one always going through WAN) using the YazFi script, create Policy Rules for different devices as you need, select different DNS servers per device (DNSFilter) or per SSID (YazFi script), etc. All the information on how to do it is available here on SNB Forums. Dual router setup is used when routers have limited configuration options.
 
Dual router setup is used when routers have limited configuration options.
I disagree. I've run 2+ routers for decades as it solves many issues and can be a more self-contained and more secure setup rather than trying to sort through a myriad of 3rd party scripts. Double NAT is not rocket science nor is it difficult, it's basic networking. I'm not saying it is always the correct option, but IMO it is certainly appropriate in many situations and can be simpler, more reliable and easier than many other options, particularly scripts.
 
myriad of 3rd party scripts...

RT-AC3100 + Asuswrt-Merlin + YazFi

I'm just saying what is possible, tested and working properly. It's pretty simple and as reliable as RT-AC3100 router.
 
I'm just saying what is possible, tested and working properly.
Yes, I'm not discounting your suggestion, I'm just saying that dual nat should not be discounted as a valid option too, and doesn't require anything beyond basic networking. :)
 
Can you run the VPN server on a node if both routers are configured as AiMesh? (using the command line instead of the GUI)

Edit: didn't realize this question is about VPN client, not server, will open a dedicated thread for this question
 
Can you turn off the firewall on the second router so you do not need to run double NAT?
On Asus' the firewall and NAT are two separate things. But you are correct, if he wants devices on router 1 to have free access to devices on router 2 then he needs to disable both of these options. As it stands the static route he set up in post #2 is serving no purpose as everything from router 2 is being NATed through 192.168.1.2.

But that's by the by. He's been running like this for 7 months and hasn't needed to do that.

So the real question is, if he can ping the printer why can't he print to it. Without knowing which of the numerous printing protocols he might be using it's difficult to guess.

2. VPN router: AC3100, Merlin 384.14, WAN port connected to AC68U LAN port, different subnet 192.168.2.xxx. It is also given a static IP 192.168.1.2 on the main router AC68U.
Printing from this router is not possible even though I was able to ping to the printer
Are you sure you're pinging the printer (192.168.1.10)? Have you set up VPN policy rules for it? Otherwise I'd assume everything on router 2 would be tunnelled through the VPN and never reach 192.168.1.x.
 
So the real question is, if he can ping the printer why can't he print to it.
The most common reason I've seen for this is that the return route (from the printer) is not properly configured. (i.e. the default gateway is incorrect or there is no routing rule for the subnet in question)
 
The most common reason I've seen for this is that the return route (from the printer) is not properly configured. (i.e. the default gateway is incorrect or there is no routing rule for the subnet in question)
But in that case the ping would fail also.
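
The two points argued in the posts above (that the static route is unused while router 2 NATs everything through 192.168.1.2, and that a missing return route would break ping as well as printing) can be checked with a small routing model. This is an added example, not code from any poster. The /24 masks, the client address 192.168.2.50, the `isp` next-hop label and the printer using router 1 as its default gateway are assumptions, and router 2's firewall is not modelled.

```python
import ipaddress

LAN1 = ipaddress.ip_network("192.168.1.0/24")  # main router subnet (/24 assumed)
LAN2 = ipaddress.ip_network("192.168.2.0/24")  # VPN router subnet (/24 assumed)
ROUTER2_WAN = "192.168.1.2"                     # static lease from the thread
DEFAULT = ipaddress.ip_network("0.0.0.0/0")

def router1_table(static_route):
    """Router 1's routing table as (network, next hop) pairs."""
    table = [(LAN1, "on-link"), (DEFAULT, "isp")]  # "isp" is a placeholder label
    if static_route:
        table.append((LAN2, ROUTER2_WAN))          # the static route from post #2
    return table

def next_hop(table, dst):
    """Longest-prefix match over the table."""
    dst = ipaddress.ip_address(dst)
    candidates = [(net, hop) for net, hop in table if dst in net]
    return max(candidates, key=lambda c: c[0].prefixlen)[1]

def source_seen_by_printer(client, nat_on_router2):
    """With NAT on, router 2 rewrites the client's source to its own WAN IP."""
    return ROUTER2_WAN if nat_on_router2 else client

def reply_path(client, nat_on_router2, static_route):
    """Where the printer's reply goes, and whether it gets back toward the client."""
    src = source_seen_by_printer(client, nat_on_router2)
    if ipaddress.ip_address(src) in LAN1:
        # Same subnet as the printer: answered directly, router 1 is not consulted.
        return ("direct to " + src, True)
    # Off-subnet source: the printer hands the reply to its default gateway (router 1).
    hop = next_hop(router1_table(static_route), src)
    return ("router 1 -> " + hop, hop == ROUTER2_WAN)

def matrix(client="192.168.2.50"):  # constructed client address on router 2
    return {(nat, route): reply_path(client, nat, route)
            for nat in (True, False) for route in (True, False)}

if __name__ == "__main__":
    for (nat, route), (path, ok) in matrix().items():
        print(f"NAT={nat!s:5} static_route={route!s:5} reply: {path:24} delivered={ok}")
```

With NAT on, both rows are identical whether or not the static route exists, and the return path is the same for ICMP and for print traffic, so a successful ping rules out routing as the cause.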
 
Thank you everyone!

Can you turn off the firewall on the second router so you do not need to run double NAT?

I assume I should disable AiProtection on the 2nd router too?

On Asus' the firewall and NAT are two separate things. But you are correct, if he wants devices on router 1 to have free access to devices on router 2 then he needs to disable both of these options. As it stands the static route he set up in post #2 is serving no purpose as everything from router 2 is being NATed through 192.168.1.2.

But that's by the by. He's been running like this for 7 months and hasn't needed to do that.

So the real question is, if he can ping the printer why can't he print to it. Without knowing which of the numerous printing protocols he might be using it's difficult to guess.

Are you sure you're pinging the printer (192.168.1.10)? Have you set up VPN policy rules for it? Otherwise I'd assume everything on router 2 would be tunnelled through the VPN and never reach 192.168.1.x.

I turned the firewall off. How can I do the same for NAT? Thanks!

The most common reason I've seen for this is that the return route (from the printer) is not properly configured. (i.e. the default gateway is incorrect or there is no routing rule for the subnet in question)

But in that case the ping would fail also.

Yes. I can ping the printer on the main network (AC68U) from the VPN network (on the 2nd router, AC3100)

Code:
Pinging 192.168.1.10 with 32 bytes of data:
Reply from 192.168.1.10: bytes=32 time=1048ms TTL=254
Reply from 192.168.1.10: bytes=32 time=18ms TTL=254
Reply from 192.168.1.10: bytes=32 time=19ms TTL=254
Reply from 192.168.1.10: bytes=32 time=19ms TTL=254
Reply from 192.168.1.10: bytes=32 time=19ms TTL=254
Reply from 192.168.1.10: bytes=32 time=24ms TTL=254
Reply from 192.168.1.10: bytes=32 time=21ms TTL=254
Reply from 192.168.1.10: bytes=32 time=20ms TTL=254
Reply from 192.168.1.10: bytes=32 time=19ms TTL=254
Reply from 192.168.1.10: bytes=32 time=19ms TTL=254
Reply from 192.168.1.10: bytes=32 time=19ms TTL=254
Reply from 192.168.1.10: bytes=32 time=19ms TTL=254
Reply from 192.168.1.10: bytes=32 time=20ms TTL=254
Reply from 192.168.1.10: bytes=32 time=20ms TTL=254
Reply from 192.168.1.10: bytes=32 time=19ms TTL=254
Reply from 192.168.1.10: bytes=32 time=19ms TTL=254
Reply from 192.168.1.10: bytes=32 time=19ms TTL=254
Reply from 192.168.1.10: bytes=32 time=21ms TTL=254
Reply from 192.168.1.10: bytes=32 time=20ms TTL=254

Ping statistics for 192.168.1.10:
    Packets: Sent = 19, Received = 19, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 18ms, Maximum = 1048ms, Average = 73ms

This is the config of the printer if it helps

v56SXbW.png
 
I turned the firewall off. How can I do the same for NAT? Thanks!
Leave that alone for the time being. That's not the problem we're trying to fix at the moment.

Yes. I can ping the printer on the main network (AC68U) from the VPN network (on the 2nd router, AC3100)
Can you ping the printer by name? e.g. ping BrotherL2740DW4
If not, configure the port settings to use the IP address (192.168.1.10) instead of a name.

Can you print or use the PC's ControlCenter utility when the VPN client on the AC3100 is turned off?
 
