
Want to setup 2nd router behind main router


nachocheese

I tried searching on how to accomplish this, but I can't seem to find the answer so I apologize in advance if this has already been solved/posted.

I have a main router AX86U with alpha4 firmware that's working fine. I have Astrill applet installed no problem. I also have an older AC86U with new beta firmware on it. It works fine as AiMesh node as well as an AP.

I would prefer not to run Astrill applet on the main router, as I have noticed with both AX86U and AC86U that the Astrill applet can cause slowdown/latency issues for the devices I don't want on the VPN. I would prefer to have the Astrill applet on the older AC86U, so any devices I want on VPN will simply connect to the AC86U, and all other devices I don't want on VPN (plus AC86U) connects to AX86U.

However, the problem is I also want all devices, no matter if they connect to AX86U or AC86U to be on the same subnet. One big reason for this is Apple Homesharing; Apple requires all devices to be on the same subnet. So for example if I simply set both routers on "Wireless router mode" and connect AC86U to AX86U, and my server/NAS connects to AX86U, then any devices (such as AppleTV) that connects to AC86U (to get VPN) will not find my server.

I tried putting the AC86U into "Access Point (AP) mode", but then I don't have access to the Astrill applet (no more access to the ASUSwrt-Merlin GUI). Just using SSH doesn't seem to be enough to change/choose server and turn on VPN.

I then tried turning off NAT, DHCP, and firewall on the AC86U hoping it would simply pass through the DHCP assignment from AX86U, but that resulted in my devices not getting any IP assigned to them.

Is there something I'm doing wrong in setting up the routers? Or, is my whole approach wrong and there is a better way that will work? I'd appreciate all the help I can get! Thanks in advance.
 
You can't get around not being on separate subnets and still have each box acting as a router (I mean that is what a router does).

You can try disabling the firewall on the second router and add a static route to the first router so the subnet on the second router can see the first.
 
You can't get around not being on separate subnets and still have each box acting as a router (I mean that is what a router does).

Sorry I wasn't clear. I don't need the 2nd router (AC86U) to be in any specific mode. The only problem for me with the "Access Point" mode is I don't have access to the Merlin GUI, and no access to the Astrill applet.

My only goal is to have the AC86U be able to run Astrill applet, and have all outbound traffic from it route through the VPN. For intranet connections (such as Apple TV searching for iTunes server), it will go from the AX86U and can find the server (with the one weakness, Apple refuses to cross to another subnet).
 
Gotcha.

I've never used ASUS as an access point, so I am afraid that I am not much more help to you.

I would imagine that you should be able to turn on/off the VPN Server/Clients via NVRAM and then use the postconf scripts to adjust set up settings. Again, just some thoughts that come to mind. I use SoftEtherVPN as my server (running on my AC86U) in order to overcome a CGNAT issue. SE does support OpenVPN, that may be an option if all else fails.
 
Sorry I wasn't clear. I don't need the 2nd router (AC86U) to be in any specific mode. The only problem for me with the "Access Point" mode is I don't have access to the Merlin GUI, and no access to the Astrill applet.

Not sure why the Merlin GUI wouldn't be available just because it's in AP mode (unless you mean the Astrill applet specifically).

But as far as the Astrill applet, I strongly suspect it's bound solely to the WAN, as opposed to WAN + LAN. In the case of my own FT (FreshTomato) router, for example, OpenVPN *is* bound to both WAN and LAN, and so it matters NOT whether I'm using a routed (i.e., active WAN) or bridged (i.e., non-active WAN) configuration. In AP mode, you specify the *LAN* IP of the AP as the default gateway for those devices you want forced over the VPN.

But if the VPN is only bound to the WAN, that forces your hand into requiring a routed configuration.

What you should be able to do is have the WAN side of the VPN router facing the primary local network, thus still allowing the Astrill applet to work across its WAN over the primary network and up to the internet. But now assign the *WAN* IP of that router as the default gateway to the devices on the primary network. What makes it different from AP mode is that the WAN's firewall will prevent this unless you make the necessary changes. But once overcome, then it just amounts to a remote access type of configuration, where clients of the primary network are routed into the WAN of the VPN router, over the VPN, and back out its WAN.
 
Why don't you look at installing Merlin's firmware on your primary router. Then run the VPN client on this router using policy based routing which enables you to select which devices connected to your router use the WAN and which use the VPN tunnel. The second router can then be used as an AP if you need additional WiFi coverage.

The Astrill app was great and had its day but the features in Merlin give you the same functionality.

If you still want to use two routers they both need to be in the router mode with the second router double NATed behind the first. When connected devices are connected to the second router they will be able to see devices on the first router. Devices on the first router will not be able to see devices on the second router unless you get some of the workarounds mentioned above to work for you.

However you run the VPN, unless it is on a PC, your speed probably won't exceed 250 Mbps.
 
Why don't you look at installing Merlin's firmware on your primary router. Then run the VPN client on this router using policy based routing which enables you to select which devices connected to your router use the WAN and which use the VPN tunnel. The second router can then be used as an AP if you need additional WiFi coverage.

I agree, from everything I read this would be perfect as Merlin implementation of OpenVPN is solid. However being in China with the way the government screws with the internet, it's really inconsistent getting OpenVPN to work even with same Astrill servers. Somehow, the "RouterPro" feature using TCP works very consistently with good speeds. Netflix 4k HDR streams no problem for example.

The bug I've seen with Astrill VPN applet is it seems to make the router intermittently slow (both AC and AX). Non-VPN traffic will suddenly see some extra latency hiccups, and seems to get worse with time (after 1-2 days uptime). After fresh reboot no problems for 1st day. If I go a few days without turning on the VPN, then no problems at all. The CPU graphs don't show anything. I've had it on AC86U from 382.1 up to 384.19, plus now just saw it with AX86U on alpha4. My thought was to offload the VPN work to the older AC86U, and leave the AX86U as is.

Not sure why the Merlin GUI wouldn't be available just because it's in AP mode (unless you mean the Astrill applet specifically).

It's been a few days, but when I activated AP mode, I couldn't access the router from either LAN port (using router.asus.com) nor WAN port (using the IP address assigned by the main router, using a device manually connect to main router). Is there a specific way I should be accessing a router in AP mode? I'll try and play around with this some more this weekend.
 
You should be able to access the AP from your router using the IP assigned to the AP by the primary router.

I normally set up APs by assigning them a static IP on the main router which is outside the DHCP pool on the main router. Then on the AP set it to obtain its IP automatically.

You also can access the AP by connecting to a LAN port on it and address it at whatever its LAN IP is. Same if connecting using the WiFi on the AP.
 
You can't get around not being on separate subnets and still have each box acting as a router (I mean that is what a router does).
Actually, you can, there are no restrictions in that respect.

I have 3 ASUS routers, all configured as routers, all on the same subnet. They all have assigned ip addresses (192.168.0.1, 192.168.0.2 and 192.168.0.3 respectively). 2 of the 3 have dhcp servers running and assign addresses in small, non overlapping ranges. In addition, they are all part of a double nat setup and dual isp service.
 
Actually, you can, there are no restrictions in that respect.

I have 3 ASUS routers, all configured as routers, all on the same subnet. They all have assigned ip addresses (192.168.0.1, 192.168.0.2 and 192.168.0.3 respectively). 2 of the 3 have dhcp servers running and assign addresses in small, non overlapping ranges. In addition, they are all part of a double nat setup and dual isp service.


The point @Jeffrey Young was making is that when routers are *daisy-chained* WAN to LAN (which was the alternative to the OP's choice of using AP mode, LAN to LAN), they must be using different networks or else routing becomes ambiguous. If router "A" and "B" are both supporting 192.168.1.0/24, and router "B" is connected via its WAN to the LAN of router "A", any reference to the 192.168.1.0/24 network will necessarily be confined to router "B"'s network, thus making router "A"'s network unreachable.

Best I can tell, YOU are talking about having multiple routers w/ their respective *LAN* sides sharing the same network, w/ each offering a different gateway to the internet (e.g., each WAN is connected to a different ISP, or maybe using a VPN). A completely different scenario (if I misunderstood, please clarify).

In short, @Jeffrey Young was correct within the context of the OP's stated situation.
 
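The daisy-chain case described in the post above, modelled as an added example that is not part of the original thread: a longest-prefix route lookup for a client behind router "B", once with B's LAN overlapping router "A"'s 192.168.1.0/24 and once with B on its own network. The 192.168.2.0/24 network, the NAS address, the interface names and the tie-break rule are assumptions made for the illustration.

```python
import ipaddress

A_LAN = "192.168.1.0/24"   # router A's LAN, which B's WAN plugs into
NAS = "192.168.1.10"       # constructed address for a server on A's LAN

def route(prefix, dev, via=None):
    # A route with no gateway ("via") is a directly connected network.
    return {"net": ipaddress.ip_network(prefix), "dev": dev, "via": via}

def lookup(table, dst):
    """Longest-prefix match; on equal prefix length the earlier entry wins."""
    dst = ipaddress.ip_address(dst)
    best = None
    for r in table:
        if dst in r["net"] and (best is None or r["net"].prefixlen > best["net"].prefixlen):
            best = r
    return best

def trace(b_lan, dst):
    """Follow a packet from a client on router B's LAN towards dst."""
    client = [route(b_lan, "client-eth0"),
              route("0.0.0.0/0", "client-eth0", via="router-B")]
    if lookup(client, dst)["via"] is None:
        # Destination looks on-link: the client ARPs on B's LAN and
        # the packet is never handed to a router at all.
        return "stays on B-lan"
    router_b = [route(b_lan, "B-lan"),
                route(A_LAN, "B-wan"),
                route("0.0.0.0/0", "B-wan", via="router-A")]
    hop = lookup(router_b, dst)
    return "stays on B-lan" if hop["dev"] == "B-lan" else "forwarded out B-wan"

if __name__ == "__main__":
    # Same network on both routers vs. a distinct network behind B.
    for b_lan in ("192.168.1.0/24", "192.168.2.0/24"):
        print(b_lan, "->", NAS, ":", trace(b_lan, NAS))
```

With overlapping networks the lookup for the NAS never leaves B's side; with a distinct network behind B the same destination is forwarded out B's WAN towards A.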
Sorry I wasn't clear. I don't need the 2nd router (AC86U) to be in any specific mode. The only problem for me with the "Access Point" mode is I don't have access to the Merlin GUI, and no access to the Astrill applet.

My only goal is to have the AC86U be able to run Astrill applet, and have all outbound traffic from it route through the VPN. For intranet connections (such as Apple TV searching for iTunes server), it will go from the AX86U and can find the server (with the one weakness, Apple refuses to cross to another subnet).
If I remember correctly, once the router is in "AP" mode, the interface/gui is available from another ip and not the usual "192.168.x.y".
So let's say the default gui for a router is 192.168.1.1, once in AP; that changes to let's say 192.168.1.250 (or something else).

Of course it depends on the device and how it is working, I think it was something like that.
 
In short, @Jeffrey Young was correct within the context of the OP's stated situation.
Yes, perhaps clarification on both our parts was in order. However, I was not assuming that a wan-lan was a requirement but simply going by the posted requirement in posting #3.
 
