VPN Router behind ISP Router

moebis

Occasional Visitor
I hope someone here can help me. I have 2 wifi routers, router1 is the ISP wifi router and most machines connect to it for internet access (192.168.0.1), router2 is my VPN router, an Asus AC56U running Merlin 380.69 (192.168.1.1). I'm using Time Machine and SMB on router2. I want to be able to access router2 (192.168.1.1) while connected to router1 (192.168.0.1). I can't even get the webui to show up unless I'm connected to router2. Strange thing is when I'm connected to router2 I can access the ISP webui on router1, just not in reverse. I imagine once I get these 2 networks to see each other I can access samba shares and Time Machine backups on router2 when I'm connected to router1. I have router2 set up as a "wireless router" not an "AP". Oh, forgot to mention, router2 WAN port is connected to PORT 1 on the router1. AP mode worked great, but I can't set it up as a VPN router, plus I like the fact that I have my Apple TV plugged into router2 and it automatically uses the VPN, and when I need a VPN on my computers I just switch to router2 wifi network.
 
I forgot to mention that on the ISP router there is no option for static routes. Bridge mode doesn't work because it IPV6..... and if I were to plug in the LAN port to LAN port instead of WAN to LAN to make it a switch, I would lose the VPN client, correct?
 
You can get a VPN client to run on your second router by double NATing the second router behind the first. If you want a VPN server it isn't so simple.

By the very nature of double NATing, each router will be in a different subnet, making communications between devices on the different subnets tough. As you have discovered, 2 can communicate with 1 since the connection on 1 is through a LAN port. The communications from 1 to 2 will require some clever routing between the two subnets and probably can't be done using the GUI.
 
What make/model of your ISP router? You sure it doesn't have static routes? I have this working just fine on my setup. What you need though is static routes to be able to point traffic to the VPN router.

My setup is using a Ubiquiti USG as my router and an ASUS RT-AC3100 as my VPN router handling my client VPN connections. The USG sucks for OpenVPN performance, so that's why I use the second ASUS router as a VPN router. Note I am not passing any Internet traffic, just LAN only over TUN to access remote LANs. I am not using it for connecting to a VPN service like PIA. That would be a slightly different setup.

Instructions

-Main router LAN port to your Asus WAN port.
-Disable the firewall on the Asus; this allows all incoming traffic to pass through the WAN to the Asus VPN router.
-Set the Asus subnet differently than the subnet of the primary LAN (example: primary subnet 192.168.1.0 and Asus subnet should be 192.168.2.0).
-Create a route rule on the primary router for any traffic destined for the Asus subnet. The gateway IP should be the IP the Asus gets from the primary LAN. (Example: your primary LAN router is usually set to something like 192.168.1.1, and devices get assigned a DHCP address. If possible, assign a DHCP reservation for the Asus like 192.168.1.2. Or you can manually set this on the Asus router with a static IP in the WAN settings of **.2 with the settings from the primary LAN subnet.)
-Once that is set, you need to add static routes in your ISP router for any of the remote subnets you are connecting to (example: remote subnet 192.168.3.0 and remote subnet 192.168.4.0) and point them all to the address of the Asus WAN IP as the gateway. A metric of 2 is fine.
-Connect the clients using the OpenVPN client on the Asus router; it should all work.
 
Yes, this is a VPN client not server on the 2nd router. I did SSH into the router2 and update the firewall with this:

iptables -I FORWARD -s 192.168.0.0/24 -j ACCEPT

but I still didn't see any services showing up (like time machine or samba shares) from router2 when connected to router1.
 
It's a UPC modem router which I think is this: CBN CH7465LG ...I'm 100% sure there is no static routing. The closest I got was IP and Port filtering, but it only lets me set IPv6 rules.

I had an idea to turn off the DHCP on router2, and set it to the same IP address range and subnet as router1, but the ASUS console wouldn't let me. There has to be some way to join these 2 networks. router1 (the main router) doesn't have many options, but router2 the Asus router has so many powerful features there just has to be a way to see services running on while connected to router1.
 
Without being able to set up a static route on the ISP router this will never work.
 
Get your double NAT working first, then set up the VPN. There isn't any reason in a double NAT that you need to put router 2 in the DMZ or port forward.

Once you get these two things working you can look at routing between routers, but as Collin said it may be impossible given the limitations of router 1.
 
After checking out this site that has all the screenshots from your gateway device, I determined it's not going to be possible. You are correct, it does not have static routes ability. Without the static routes it will not work.

I recommend you try to get a different modem/gateway.
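
The routing asymmetry discussed in this thread, shown as an added example that is not part of any poster's message: a longest-prefix-match lookup over constructed routing tables for the two routers. The table contents and router2's WAN address (192.168.0.2) are assumptions made for illustration.

```python
import ipaddress

# Constructed routing tables for the two routers in this thread.
# Assumption: router2's WAN interface holds 192.168.0.2 on router1's LAN.
ROUTER2_WAN_IP = "192.168.0.2"

ROUTER1_ROUTES = [
    ("192.168.0.0/24", "direct (LAN)"),
    ("0.0.0.0/0", "ISP uplink"),
]
ROUTER2_ROUTES = [
    ("192.168.1.0/24", "direct (LAN)"),
    ("192.168.0.0/24", "direct (WAN port)"),
    ("0.0.0.0/0", "192.168.0.1"),
]


def next_hop(routes, destination):
    """Longest-prefix match: the most specific route containing the destination wins."""
    dest = ipaddress.ip_address(destination)
    best = None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if dest in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    if best is None:
        raise LookupError(f"no route to {destination}")
    return best[1]


def with_static_route(routes, prefix, gateway):
    """Return a copy of the table with one static route added."""
    return routes + [(prefix, gateway)]


if __name__ == "__main__":
    # router2 client -> router1 web UI: router2 has a connected route via its WAN port.
    print("router2 -> 192.168.0.1:", next_hop(ROUTER2_ROUTES, "192.168.0.1"))
    # router1 client -> router2 LAN: only the default route matches, so it leaves via the ISP.
    print("router1 -> 192.168.1.1:", next_hop(ROUTER1_ROUTES, "192.168.1.1"))
    # Same lookup once router1 has a static route pointing at router2's WAN address.
    fixed = with_static_route(ROUTER1_ROUTES, "192.168.1.0/24", ROUTER2_WAN_IP)
    print("router1 (static route) -> 192.168.1.1:", next_hop(fixed, "192.168.1.1"))
```

A route only delivers the packets to router2's WAN port; its firewall must still admit them, and traffic addressed to services on the router itself (Samba, Time Machine, web UI) is matched by the iptables INPUT chain, not FORWARD. Allowing only the primary LAN subnet there is narrower than turning the firewall off.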
 
