Home Network Routing Puzzle: 3 Routers, Two Internet Routes
I have a semi-complex home network with a DSL Modem/Router, a Netgear Router, and a TPLink Router.
The TPLink Router has a permanent L2TP VPN connected to ExpressVPN. The devices behind this router get their internet through the VPN. (devices on the right in the attached diagram)
The Netgear router is for normal (non-VPN) internet.
Is it possible to configure all three routers in the diagram such that the devices behind the two routers can communicate one with another seamlessly (i.e. without port forwarding for every requirement)? I almost got there with a few static routes, but I had to turn off NAT to get them working, and then that killed the internet.
A working solution would allow devices to ping each other on the LAN, communicate on all TCP/UDP ports, have broadcast packets/requests routed across both networks, but still have "segregated internet" (e.g. devices on the right go through the VPN for internet).
Notes: (1) I can't turn the Netgear into a bridge/AP because it performs wireless mesh routing with satellite devices. The TP-Link can't be a bridge either, because I need its routing function to handle the L2TP VPN tunnel. (2) If the solution requires putting the TP-Link behind the Netgear, that's okay.
Solution found!
Physically connected the routers, put them both on the same network, use custom DHCP to manage who-gets-what-gateway:
networking router vpn routing
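The asker's final solution above (one physical LAN, a custom DHCP server deciding "who gets what gateway") is a policy table keyed by MAC address. The following is an added example, not the asker's own configuration: it renders that table as an ISC dhcpd.conf fragment and checks it for the mistakes that silently break the segregation. The router addresses are the ones used in the thread (Netgear 192.168.1.1 for plain internet, TP-Link 192.168.1.253 for the VPN); the choice of ISC dhcpd, the host names, MAC addresses, fixed addresses and the dynamic pool range are assumptions made for illustration.

```python
"""Render a per-MAC default-gateway policy as an ISC dhcpd.conf fragment.

Added example; not the asker's configuration. Only the two router addresses
come from the thread. Everything else (ISC dhcpd as the server, device names,
MACs, fixed addresses, pool range) is assumed.
"""
import ipaddress
import re

SUBNET = ipaddress.ip_network("192.168.1.0/24")
GATEWAYS = {"isp": "192.168.1.1", "vpn": "192.168.1.253"}  # thread's addresses
POOL = ("192.168.1.100", "192.168.1.199")                   # assumed dynamic range

# Constructed policy table: (name, MAC in any common notation, fixed IP, role)
DEVICES = [
    ("nas",      "AA:BB:CC:DD:EE:01", "192.168.1.200", "vpn"),
    ("mediabox", "aa-bb-cc-dd-ee-02", "192.168.1.201", "vpn"),
    ("laptop",   "aabb.ccdd.ee03",    "192.168.1.20",  "isp"),
]

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac):
    """Accept colon, dash and Cisco dotted forms; return lower-case aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"bad MAC {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def check_policy(devices, default_role="isp"):
    """Return a list of problems; an empty list means the table is consistent."""
    problems, seen_macs, seen_ips = [], set(), set()
    if default_role not in GATEWAYS:
        problems.append(f"unknown default role {default_role!r}")
    pool_lo, pool_hi = (ipaddress.ip_address(p) for p in POOL)
    for name, mac, ip, role in devices:
        try:
            mac = normalize_mac(mac)
        except ValueError as err:
            problems.append(f"{name}: {err}")
            continue
        addr = ipaddress.ip_address(ip)
        if role not in GATEWAYS:
            problems.append(f"{name}: unknown role {role!r}")
        if addr not in SUBNET:
            problems.append(f"{name}: {ip} is outside {SUBNET}")
        if ip in GATEWAYS.values():
            problems.append(f"{name}: {ip} is a router address")
        if pool_lo <= addr <= pool_hi:
            problems.append(f"{name}: {ip} collides with the dynamic pool")
        if mac in seen_macs:
            problems.append(f"{name}: duplicate MAC {mac}")
        if ip in seen_ips:
            problems.append(f"{name}: duplicate IP {ip}")
        seen_macs.add(mac)
        seen_ips.add(ip)
    return problems


def render_dhcpd_conf(devices, default_role="isp"):
    """dhcpd.conf text: the subnet scope carries the fallback gateway, and each
    host declaration overrides 'option routers' for its MAC (host scope wins)."""
    problems = check_policy(devices, default_role)
    if problems:
        raise ValueError("; ".join(problems))
    lines = [
        f"subnet {SUBNET.network_address} netmask {SUBNET.netmask} {{",
        f"  range {POOL[0]} {POOL[1]};",
        f"  option subnet-mask {SUBNET.netmask};",
        f"  option routers {GATEWAYS[default_role]};  # clients without a host entry land here",
        "}",
    ]
    for name, mac, ip, role in devices:
        lines += [
            f"host {name} {{",
            f"  hardware ethernet {normalize_mac(mac)};",
            f"  fixed-address {ip};",
            f"  option routers {GATEWAYS[role]};  # host scope overrides the subnet default",
            "}",
        ]
    return "\n".join(lines) + "\n"


def gateway_for(mac, devices, default_role="isp"):
    """The gateway a given MAC receives. Unregistered clients get the subnet
    default, so a device you forgot to list quietly leaves through that router."""
    wanted = normalize_mac(mac)
    for _, dev_mac, _, role in devices:
        if normalize_mac(dev_mac) == wanted:
            return GATEWAYS[role]
    return GATEWAYS[default_role]


if __name__ == "__main__":
    print(render_dhcpd_conf(DEVICES))
```

Two caveats worth keeping in mind with this design. A DHCP-assigned gateway is advice, not enforcement: any host can configure a static default route to the other router, and MAC addresses are chosen by the client, so the table is a convenience control rather than a security boundary. And the fallback in the subnet scope decides which way an unlisted device leaks; pick the default role deliberately rather than by accident.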
I assume that the TPLink router is using the DSL modem/router to create the tunnel over?
– Damian T.
Jan 9 at 6:23
The VPN tunnel is created on the TPLink itself, via internet provided by the DSL modem on the WAN port
– mdaddy
Jan 9 at 8:25
It’s really simple: Both need routes and the corresponding firewall rules and must only perform NAT for upstream-bound traffic. You probably won’t be able to achieve that using standard firmware.
– Daniel B
Jan 9 at 14:19
asked Jan 9 at 4:24 by mdaddy (edited Jan 10 at 14:17)
4 Answers
Not 100% sure this will work, but 95%. EDIT: Nice to see, as per the OP, this does work!
Put Netgear's and TPLink's LAN interface on the same subnet, i.e. both 192.168.1.* addresses. Therefore all devices are on the same LAN (local area network).
Now the fun part: manually set the "default route" (the route to use when the IP is not a local one) on each device, with the default route for all VPN-using devices set to the VPN router, and vice versa.
Depending on the routers involved, you might even be able to send out the correct default route to the correct device via DHCP and the device's MAC address.
P.S. Thanks for the clear and informative graphic.
EDIT: If using DHCP, you should probably disable it on one of the routers, i.e. pick a router to be the "main" router, and the other one only a gateway for traffic sent directly to it.
answered Jan 9 at 4:50 by BenjiWiebe (edited Jan 12 at 5:24)
I’m 100% sure this will NOT work. You simply can’t use the same LAN IP on two different network segments you expect to route together unless there is some serious NAT work going on.
– Appleoddity
Jan 9 at 6:40
@Appleoddity - I don't think BenjoWiebe was suggesting to use the same LAN IP, he was suggesting to use an IP address in the same network. It is in some ways similar to my solution. The "fun part" makes this hard, but not impossible, just like the fun part on my solution requires a second Interface.
– davidgo
Jan 9 at 8:17
This should be the accepted answer based on the OPs comment to me above.
– davidgo
Jan 10 at 6:44
@davidgo, good call! thank you!
– mdaddy
Jan 10 at 16:07
@davidgo This post is not clear that he is suggesting to physically connect both network segments together on the LAN side. For that reason it is confusing and doesn’t make sense. It should be clear that putting both LAN interfaces on the same “subnet” is NOT equivalent to putting them on the same “physical” network segment. A subnet is a logical construct. It should be clarified.
– Appleoddity
Jan 11 at 13:27
There may be more than 1 way to do it, but 1 way is to
(1) Ensure all devices in the network behind the TPG have static IPs and disable its DHCP server.
(2) Connect the LAN Interface of the Netgear with the LAN Interface of the TPG router.
(3) Bring up a second virtual Interface on the TPG router in the 192.168.1.x range.
(4) Set static routes on the TPG router to route 192.168.x.x to 192.168.1.1 and similarly set static routes on the Netgear router to route 10.x.x.x to 192.168.1.NEWIP
This will have the effect of allowing you to statically assign a 10.x IP address to push traffic across the VPN, or use DHCP or a 192.168 address for regular Internet.
I've somewhat cavalierly suggested adding a second interface on the TPG router. Depending on the router this may not be something you can do with default firmware, however it is doable using dd-wrt if you flash your router with that.
answered Jan 9 at 8:12 by davidgo
I think this will work, even without the fancy virtual interface. I can make both routers 192.168.1.x, disable DHCP on both of them, physically connect their LAN interfaces, and then run DHCP on my Linux server to assign the gateways by MAC. If I want the device to get its internet via VPN, set the gateway to the TPLink (192.168.1.253), otherwise gateway will be the Netgear (192.168.1.1). That way everything is on the same physical network, they'll have no problem talking to each other for local communication, and they'll get internet via the assigned. Thanks for the idea, I'll test tonight!
– mdaddy
Jan 10 at 4:28
Yes, that should work as the DHCP server on Linux is powerful enough.
– davidgo
Jan 10 at 6:42
That did it! Thanks @davidgo!
– mdaddy
Jan 10 at 14:17
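The two designs in the answers above differ in where LAN-to-LAN traffic goes, where broadcasts stop, and which box rewrites source addresses. The following is an added example, not code from the thread or from any of the answerers: a small packet-path model that applies longest-prefix routing to both designs so the consequences can be checked rather than argued. The router addresses are the thread's (Netgear 192.168.1.1, TP-Link 192.168.1.253). The 10.0.0.0/24 range with the TP-Link at 10.0.0.1 for davidgo's design, the host names and addresses, and the "ISP"/"VPN" upstream labels are assumptions made for illustration.

```python
"""Packet-path model of the one-subnet (BenjiWiebe) and two-subnet (davidgo) designs.

Added example; not code from the thread. Router addresses are the thread's;
the 10.0.0.0/24 range, host names/addresses and upstream labels are assumed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Route:
    dest: str                       # CIDR; "0.0.0.0/0" is the default route
    via: Optional[str] = None       # next-hop address; None for a directly connected network
    upstream: Optional[str] = None  # "ISP"/"VPN": the packet leaves the home network here
    nat: bool = False               # the node rewrites the source address on this route


@dataclass(frozen=True)
class Node:
    name: str
    addrs: Tuple[str, ...]          # addresses the node owns (hosts one, routers several)
    routes: Tuple[Route, ...]


def lookup(node, dst):
    """Longest-prefix match, the rule every IP stack applies to its table."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for r in node.routes:
        net = ipaddress.ip_network(r.dest)
        if addr in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best


def trace(src, dst, nodes, max_hops=8):
    """Follow one packet from node `src` to address `dst`.

    Returns the hop list: node names, with "+NAT" appended to a router that
    rewrites the source address, ending in "delivered", an upstream label or
    "unreachable".
    """
    by_name = {n.name: n for n in nodes}
    by_addr = {a: n for n in nodes for a in n.addrs}
    cur, path = by_name[src], [src]
    for _ in range(max_hops):
        if dst in cur.addrs:
            return path + ["delivered"]
        r = lookup(cur, dst)
        if r is None:
            return path + ["unreachable"]
        if r.nat and cur.name != src:      # a forwarding router masquerading
            path[-1] += "+NAT"
        if r.upstream:
            return path + [r.upstream]
        nxt = by_addr.get(r.via or dst)    # next hop, or the on-link target itself
        if nxt is None:
            return path + ["unreachable"]
        cur, path = nxt, path + [nxt.name]
    return path + ["loop"]


def broadcast_domain(src, nodes):
    """Names of nodes that see a broadcast from `src`, assuming each IP subnet is one
    physical segment (both answers wire the LAN sides together)."""
    by_name = {n.name: n for n in nodes}
    nets = [ipaddress.ip_network(r.dest) for r in by_name[src].routes
            if r.via is None and r.upstream is None]
    return sorted(n.name for n in nodes
                  if any(ipaddress.ip_address(a) in net for a in n.addrs for net in nets))


def design_a():
    """Accepted answer: one subnet, each host's default gateway chosen per device."""
    lan = Route("192.168.1.0/24")
    return [
        Node("netgear", ("192.168.1.1",), (lan, Route("0.0.0.0/0", upstream="ISP", nat=True))),
        Node("tplink", ("192.168.1.253",), (lan, Route("0.0.0.0/0", upstream="VPN", nat=True))),
        Node("laptop", ("192.168.1.20",), (lan, Route("0.0.0.0/0", via="192.168.1.1"))),
        Node("nas", ("192.168.1.120",), (lan, Route("0.0.0.0/0", via="192.168.1.253"))),
    ]


def design_b(lan_nat=False):
    """davidgo's answer: two subnets, static routes, TP-Link with a second LAN address.
    lan_nat=True models stock firmware that masquerades everything it forwards."""
    lan, vpn_lan = Route("192.168.1.0/24"), Route("10.0.0.0/24")
    return [
        Node("netgear", ("192.168.1.1",),
             (lan, Route("10.0.0.0/24", via="192.168.1.253"),
              Route("0.0.0.0/0", upstream="ISP", nat=True))),
        Node("tplink", ("192.168.1.253", "10.0.0.1"),
             (Route("192.168.1.0/24", nat=lan_nat), vpn_lan,
              Route("0.0.0.0/0", upstream="VPN", nat=True))),
        Node("laptop", ("192.168.1.20",), (lan, Route("0.0.0.0/0", via="192.168.1.1"))),
        Node("nas", ("10.0.0.50",), (vpn_lan, Route("0.0.0.0/0", via="10.0.0.1"))),
    ]


if __name__ == "__main__":
    for label, nodes in (("A", design_a()), ("B", design_b()), ("B/stock NAT", design_b(True))):
        print(label, trace("laptop", "1.1.1.1", nodes), trace("nas", "1.1.1.1", nodes),
              trace("nas", "192.168.1.20", nodes), broadcast_domain("nas", nodes))
```

Run as a script it prints, for each design, the internet path of a plain-internet host, the internet path of a VPN host, the path of a LAN-to-LAN packet and the broadcast domain. In design A every LAN packet is delivered on-link and broadcasts reach everybody, while the two default routes still split internet egress between ISP and VPN. In design B a LAN-to-LAN packet crosses the TP-Link, broadcasts stop at the subnet boundary, and the `lan_nat=True` variant shows the asker's original symptom: with NAT applied to everything the TP-Link forwards, the 10.x host's packets arrive at the other side with the router's own address as the source, which is why Daniel B's comment insists on NAT for upstream-bound traffic only.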
You’ve placed a lot of restrictions on what you want and some of it is just NOT possible.
You want broadcast packets to traverse the two networks. That is not possible. Routers specifically segregate broadcast domains. The only way to do this is to put all the devices on the same network.
With that said, to get where you want to be it will require a significant change to your network. Because it looks like you are using home routers, your options are severely restricted. Maybe if you can install an alternative firmware your options would be better.
Therefore, I’ll give you the best way to do this.
Completely eliminate one of the routers.
There is no reason to use two routers to put some devices on a VPN. Especially if your goal is to allow all the devices to communicate. The best way to do this is with a single, more capable router that supports multiple interfaces. One port on the router would be for one network, the other port would be the other network, then you’d have a port for WAN. Setup routing between the two networks, NAT all packets destined to WAN, and route all traffic from one network through the VPN.
Assuming you don’t want to replace any of your equipment...
Instead, connect all the devices to the same router and establish the VPN on that router. Configure your VPN settings so that only devices within a specific IP range use the VPN. Then, configure a static IP range for those devices in DHCP. For instance, only route devices with an IP in the range 192.168.1.200-192.168.1.250 through the VPN. I’m not sure if your TPLink will support that. I imagine it will, as deciding what traffic is encrypted is part of any VPN setup. This is probably your best bet using what you currently have.
If you are trying to stay as close as possible to the current physical layout, then you need one-to-one NAT where each device on both networks is given a unique IP on the 172.16.1.x network. It would also require a tweak to the VPN settings. But, it’s complicated and I think it is really unlikely either router you have supports that.
I see two possible scenarios:
- Disable NAT on the inner routers. Since you are using different networks between all LAN segments, this should be fine. In fact, the only router that would need static routes would be the DSL router, to explain what networks are on the inside of the two routers. This should not break the internet, seeing as the only device that really needs NAT is the DSL router.
Or:
- Build a bridge between the two inner routers without NAT. This would likely require another router because most SOHO devices do not allow you to take a LAN port and have it act as another WAN port. In fact, this thought process can be confusing because routers just connect different networks together, and they can all be LAN, or all WAN or any combination thereof. You may be able to find an old SOHO device that you can flash with a custom firmware and basically use it to just route traffic without any bells-and-whistles (e.g. NAT, Firewall).
Not 100% sure this will work, but 95%. EDIT Nice to see as per the OP, this does work!
Put Netgear's and TPLink's LAN interface on the same subnet, i.e. both 192.168.1.* addresses. Therefore all devices are on the same LAN (local area network).
Now the fun part: manually set the "default route" (the route to use when the IP is not a local one) on each device, with the default route for all VPN-using devices set to the VPN router, and vice versa.
Depending on the routers involved, you might even be able to send out the correct default route to the correct device via DHCP and the device's MAC address.
P.S. Thanks for the clear and informative graphic.
EDIT If using DHCP, you should probably disable it on one of the routers, i.e. pick a router to be the "main" router, and the other one only a gateway for traffic sent directly to it.
I’m 100% sure this will NOT work. You simply can’t use the same LAN IP on two different network segments you expect to route together unless there is some serious NAT work going on.
– Appleoddity
Jan 9 at 6:40
@Appleoddity - I don't think BenjoWiebe was suggesting to use the same LAN IP, he was suggesting to use an IP address in the same network. It is in some ways similar to my solution. The "fun part" makes this hard, but not impossible, just like the fun part on my solution requires a second Interface.
– davidgo
Jan 9 at 8:17
1
This should be the accepted answer based on the OPs comment to me above.
– davidgo
Jan 10 at 6:44
@davidgo, good call! thank you!
– mdaddy
Jan 10 at 16:07
@davidgo This post is not clear that he is suggesting to physically connect both network segments together on the LAN side. For that reason it is confusing and doesn’t make sense. It should be clear that putting both LAN interfaces on the same “subnet” is NOT equivalent to putting them on the same “physical” network segment. A subnet is a logical construct. It should be clarified.
– Appleoddity
Jan 11 at 13:27
|
show 1 more comment
Not 100% sure this will work, but 95%. EDIT Nice to see as per the OP, this does work!
Put Netgear's and TPLink's LAN interface on the same subnet, i.e. both 192.168.1.* addresses. Therefore all devices are on the same LAN (local area network).
Now the fun part: manually set the "default route" (the route to use when the IP is not a local one) on each device, with the default route for all VPN-using devices set to the VPN router, and vice versa.
Depending on the routers involved, you might even be able to send out the correct default route to the correct device via DHCP and the device's MAC address.
P.S. Thanks for the clear and informative graphic.
EDIT If using DHCP, you should probably disable it on one of the routers, i.e. pick a router to be the "main" router, and the other one only a gateway for traffic sent directly to it.
I’m 100% sure this will NOT work. You simply can’t use the same LAN IP on two different network segments you expect to route together unless there is some serious NAT work going on.
– Appleoddity
Jan 9 at 6:40
@Appleoddity - I don't think BenjoWiebe was suggesting to use the same LAN IP, he was suggesting to use an IP address in the same network. It is in some ways similar to my solution. The "fun part" makes this hard, but not impossible, just like the fun part on my solution requires a second Interface.
– davidgo
Jan 9 at 8:17
1
This should be the accepted answer based on the OPs comment to me above.
– davidgo
Jan 10 at 6:44
@davidgo, good call! thank you!
– mdaddy
Jan 10 at 16:07
@davidgo This post is not clear that he is suggesting to physically connect both network segments together on the LAN side. For that reason it is confusing and doesn’t make sense. It should be clear that putting both LAN interfaces on the same “subnet” is NOT equivalent to putting them on the same “physical” network segment. A subnet is a logical construct. It should be clarified.
– Appleoddity
Jan 11 at 13:27
|
show 1 more comment
Not 100% sure this will work, but 95%. EDIT Nice to see as per the OP, this does work!
Put Netgear's and TPLink's LAN interface on the same subnet, i.e. both 192.168.1.* addresses. Therefore all devices are on the same LAN (local area network).
Now the fun part: manually set the "default route" (the route to use when the IP is not a local one) on each device, with the default route for all VPN-using devices set to the VPN router, and vice versa.
Depending on the routers involved, you might even be able to send out the correct default route to the correct device via DHCP and the device's MAC address.
P.S. Thanks for the clear and informative graphic.
EDIT If using DHCP, you should probably disable it on one of the routers, i.e. pick a router to be the "main" router, and the other one only a gateway for traffic sent directly to it.
Not 100% sure this will work, but 95%. EDIT Nice to see as per the OP, this does work!
Put Netgear's and TPLink's LAN interface on the same subnet, i.e. both 192.168.1.* addresses. Therefore all devices are on the same LAN (local area network).
Now the fun part: manually set the "default route" (the route to use when the IP is not a local one) on each device, with the default route for all VPN-using devices set to the VPN router, and vice versa.
Depending on the routers involved, you might even be able to send out the correct default route to the correct device via DHCP and the device's MAC address.
P.S. Thanks for the clear and informative graphic.
EDIT If using DHCP, you should probably disable it on one of the routers, i.e. pick a router to be the "main" router, and the other one only a gateway for traffic sent directly to it.
edited Jan 12 at 5:24
answered Jan 9 at 4:50
BenjiWiebeBenjiWiebe
6,67993458
6,67993458
I’m 100% sure this will NOT work. You simply can’t use the same LAN IP on two different network segments you expect to route together unless there is some serious NAT work going on.
– Appleoddity
Jan 9 at 6:40
@Appleoddity - I don't think BenjoWiebe was suggesting to use the same LAN IP, he was suggesting to use an IP address in the same network. It is in some ways similar to my solution. The "fun part" makes this hard, but not impossible, just like the fun part on my solution requires a second Interface.
– davidgo
Jan 9 at 8:17
1
This should be the accepted answer based on the OPs comment to me above.
– davidgo
Jan 10 at 6:44
@davidgo, good call! thank you!
– mdaddy
Jan 10 at 16:07
@davidgo This post is not clear that he is suggesting to physically connect both network segments together on the LAN side. For that reason it is confusing and doesn’t make sense. It should be clear that putting both LAN interfaces on the same “subnet” is NOT equivalent to putting them on the same “physical” network segment. A subnet is a logical construct. It should be clarified.
– Appleoddity
Jan 11 at 13:27
|
show 1 more comment
I’m 100% sure this will NOT work. You simply can’t use the same LAN IP on two different network segments you expect to route together unless there is some serious NAT work going on.
– Appleoddity
Jan 9 at 6:40
@Appleoddity - I don't think BenjoWiebe was suggesting to use the same LAN IP, he was suggesting to use an IP address in the same network. It is in some ways similar to my solution. The "fun part" makes this hard, but not impossible, just like the fun part on my solution requires a second Interface.
– davidgo
Jan 9 at 8:17
1
This should be the accepted answer based on the OPs comment to me above.
– davidgo
Jan 10 at 6:44
@davidgo, good call! thank you!
– mdaddy
Jan 10 at 16:07
@davidgo This post is not clear that he is suggesting to physically connect both network segments together on the LAN side. For that reason it is confusing and doesn’t make sense. It should be clear that putting both LAN interfaces on the same “subnet” is NOT equivalent to putting them on the same “physical” network segment. A subnet is a logical construct. It should be clarified.
– Appleoddity
Jan 11 at 13:27
I’m 100% sure this will NOT work. You simply can’t use the same LAN IP on two different network segments you expect to route together unless there is some serious NAT work going on.
– Appleoddity
Jan 9 at 6:40
I’m 100% sure this will NOT work. You simply can’t use the same LAN IP on two different network segments you expect to route together unless there is some serious NAT work going on.
– Appleoddity
Jan 9 at 6:40
@Appleoddity - I don't think BenjoWiebe was suggesting to use the same LAN IP, he was suggesting to use an IP address in the same network. It is in some ways similar to my solution. The "fun part" makes this hard, but not impossible, just like the fun part on my solution requires a second Interface.
– davidgo
Jan 9 at 8:17
@Appleoddity - I don't think BenjoWiebe was suggesting to use the same LAN IP, he was suggesting to use an IP address in the same network. It is in some ways similar to my solution. The "fun part" makes this hard, but not impossible, just like the fun part on my solution requires a second Interface.
– davidgo
Jan 9 at 8:17
1
1
This should be the accepted answer based on the OPs comment to me above.
– davidgo
Jan 10 at 6:44
This should be the accepted answer based on the OPs comment to me above.
– davidgo
Jan 10 at 6:44
@davidgo, good call! thank you!
– mdaddy
Jan 10 at 16:07
@davidgo, good call! thank you!
– mdaddy
Jan 10 at 16:07
@davidgo This post is not clear that he is suggesting to physically connect both network segments together on the LAN side. For that reason it is confusing and doesn’t make sense. It should be clear that putting both LAN interfaces on the same “subnet” is NOT equivalent to putting them on the same “physical” network segment. A subnet is a logical construct. It should be clarified.
– Appleoddity
Jan 11 at 13:27
@davidgo This post is not clear that he is suggesting to physically connect both network segments together on the LAN side. For that reason it is confusing and doesn’t make sense. It should be clear that putting both LAN interfaces on the same “subnet” is NOT equivalent to putting them on the same “physical” network segment. A subnet is a logical construct. It should be clarified.
– Appleoddity
Jan 11 at 13:27
|
show 1 more comment
There may be more then 1 way to do it, but 1 way is to
(1) Ensure all devices in the network behind the TPG have static IP's and disable its DHCP server.
(2) Connect the LAN Interface of the Netgear with the LAN Interface of the TPG router.
(3). Bring up a second virtual Interface on the TPG router in the 192.168.1.x range.
(4). Set static routes on the TPG router to route 192.168.x.x to 192.168.1.1 and similarly set static routes on the Netgear router to route 10.x.x.x to 192.168.1.NEWIP
This will have the effect of allowing you to provide statically use a 10.x IP address to push traffic across the VPN, or DHCP or a 192.168 address for regular Internet.
I've somewhat cavalierly suggested adding a second interface on the TPG router. Depending on the router this may not be something you can do with default firmware, however it is doable using dd-wrt if you flash your router with that.
I think this will work, even without the fancy virtual interface. I can make both routers 192.168.1.x, disable DHCP on both of them, physically connect their LAN interfaces, and then run DHCP on my Linux server to assign the gateways by MAC. If I want the device to get its internet via VPN, set the gateway to the TPLink (192.168.1.253), otherwise gateway will be the Netgear (192.168.1.1). That way everything is on the same physical network, they'll have no problem talking to each other for local communication, and they'll get internet via the assigned. Thanks for the idea, I'll test tonight!
– mdaddy
Jan 10 at 4:28
1
Yes, that should work as the DHCP server on Linux is powerful enough.
– davidgo
Jan 10 at 6:42
That did it! Thanks @davidgo!
– mdaddy
Jan 10 at 14:17
add a comment |
There may be more then 1 way to do it, but 1 way is to
(1) Ensure all devices in the network behind the TPG have static IP's and disable its DHCP server.
(2) Connect the LAN Interface of the Netgear with the LAN Interface of the TPG router.
(3). Bring up a second virtual Interface on the TPG router in the 192.168.1.x range.
(4). Set static routes on the TPG router to route 192.168.x.x to 192.168.1.1 and similarly set static routes on the Netgear router to route 10.x.x.x to 192.168.1.NEWIP
This will have the effect of allowing you to provide statically use a 10.x IP address to push traffic across the VPN, or DHCP or a 192.168 address for regular Internet.
I've somewhat cavalierly suggested adding a second interface on the TPG router. Depending on the router this may not be something you can do with default firmware, however it is doable using dd-wrt if you flash your router with that.
I think this will work, even without the fancy virtual interface. I can make both routers 192.168.1.x, disable DHCP on both of them, physically connect their LAN interfaces, and then run DHCP on my Linux server to assign the gateways by MAC. If I want the device to get its internet via VPN, set the gateway to the TPLink (192.168.1.253), otherwise gateway will be the Netgear (192.168.1.1). That way everything is on the same physical network, they'll have no problem talking to each other for local communication, and they'll get internet via the assigned. Thanks for the idea, I'll test tonight!
– mdaddy
Jan 10 at 4:28
1
Yes, that should work as the DHCP server on Linux is powerful enough.
– davidgo
Jan 10 at 6:42
That did it! Thanks @davidgo!
– mdaddy
Jan 10 at 14:17
add a comment |
There may be more then 1 way to do it, but 1 way is to
(1) Ensure all devices in the network behind the TPG have static IP's and disable its DHCP server.
(2) Connect the LAN Interface of the Netgear with the LAN Interface of the TPG router.
(3). Bring up a second virtual Interface on the TPG router in the 192.168.1.x range.
(4). Set static routes on the TPG router to route 192.168.x.x to 192.168.1.1 and similarly set static routes on the Netgear router to route 10.x.x.x to 192.168.1.NEWIP
This will have the effect of allowing you to provide statically use a 10.x IP address to push traffic across the VPN, or DHCP or a 192.168 address for regular Internet.
I've somewhat cavalierly suggested adding a second interface on the TPG router. Depending on the router this may not be something you can do with default firmware, however it is doable using dd-wrt if you flash your router with that.
There may be more then 1 way to do it, but 1 way is to
(1) Ensure all devices in the network behind the TPG have static IP's and disable its DHCP server.
(2) Connect the LAN Interface of the Netgear with the LAN Interface of the TPG router.
(3). Bring up a second virtual Interface on the TPG router in the 192.168.1.x range.
(4). Set static routes on the TPG router to route 192.168.x.x to 192.168.1.1 and similarly set static routes on the Netgear router to route 10.x.x.x to 192.168.1.NEWIP
This will have the effect of allowing you to provide statically use a 10.x IP address to push traffic across the VPN, or DHCP or a 192.168 address for regular Internet.
I've somewhat cavalierly suggested adding a second interface on the TPG router. Depending on the router this may not be something you can do with default firmware, however it is doable using dd-wrt if you flash your router with that.
answered Jan 9 at 8:12
davidgo
I think this will work, even without the fancy virtual interface. I can make both routers 192.168.1.x, disable DHCP on both of them, physically connect their LAN interfaces, and then run DHCP on my Linux server to assign the gateways by MAC. If I want the device to get its internet via VPN, set the gateway to the TPLink (192.168.1.253), otherwise gateway will be the Netgear (192.168.1.1). That way everything is on the same physical network, they'll have no problem talking to each other for local communication, and they'll get internet via the assigned. Thanks for the idea, I'll test tonight!
– mdaddy
Jan 10 at 4:28
1
Yes, that should work as the DHCP server on Linux is powerful enough.
– davidgo
Jan 10 at 6:42
That did it! Thanks @davidgo!
– mdaddy
Jan 10 at 14:17
add a comment |
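The per-MAC gateway assignment described in the comments above, as an added ISC dhcpd configuration example (not the asker's own config): both routers sit on one 192.168.1.0/24 LAN with their own DHCP disabled, and the Linux server hands out the Netgear as the default gateway and the TP-Link only to listed hosts. Host names, MAC addresses, lease times and the DNS choices are assumptions.

```conf
# Added example dhcpd.conf, not the asker's file. Netgear = 192.168.1.1 (plain
# Internet), TP-Link = 192.168.1.253 (ExpressVPN tunnel). DHCP is disabled on
# both routers, so this server is the only one answering on the LAN.
authoritative;
default-lease-time 86400;
max-lease-time 172800;

subnet 192.168.1.0 netmask 255.255.255.0 {
    # Dynamic pool for everything not listed below.
    range 192.168.1.100 192.168.1.199;
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.1.255;
    # Default path: non-VPN Internet via the Netgear.
    option routers 192.168.1.1;
    option domain-name-servers 192.168.1.1;   # assumption: Netgear forwards DNS
}

# Hosts that must reach the Internet through the VPN. Same subnet, so LAN
# traffic between VPN and non-VPN devices never touches either gateway.
group {
    option routers 192.168.1.253;
    # Keep DNS on the VPN side too; resolving via the Netgear would leak
    # lookups outside the tunnel even though the data path is segregated.
    option domain-name-servers 192.168.1.253; # assumption: TP-Link forwards DNS

    host media-pc {                           # constructed placeholder
        hardware ethernet 00:11:22:33:44:55;
        fixed-address 192.168.1.201;          # outside the dynamic pool
    }
    host nas {                                # constructed placeholder
        hardware ethernet 00:11:22:33:44:66;
        fixed-address 192.168.1.202;
    }
}
```

This separates traffic by convenience, not enforcement: a device that sets its own static gateway, or a spoofed MAC, lands on whichever path it chooses, so check the TP-Link's WAN for unexpected sources if the split matters.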
You’ve placed a lot of restrictions on what you want and some of it is just NOT possible.
You want broadcast packets to traverse the two networks. That is not possible. Routers specifically segregate broadcast domains. The only way to do this is to put all the devices on the same network.
With that said, to get where you want to be it will require a significant change to your network. Because it looks like you are using home routers, your options are severely restricted. Maybe if you can install an alternative firmware your options would be better.
Therefore, I’ll give you the best way to do this.
Completely eliminate one of the routers.
There is no reason to use two routers to put some devices on a VPN. Especially if your goal is to allow all the devices to communicate. The best way to do this is with a single, more capable router that supports multiple interfaces. One port on the router would be for one network, the other port would be the other network, then you’d have a port for WAN. Set up routing between the two networks, NAT all packets destined to WAN, and route all traffic from one network through the VPN.
Assuming you don’t want to replace any of your equipment...
Instead, connect all the devices to the same router and establish the VPN on that router. Configure your VPN settings so that only devices within a specific IP range use the VPN. Then, configure a static IP range for those devices in DHCP. For instance, only route devices with an IP in the range 192.168.1.200-192.168.1.250 through the VPN. I’m not sure if your TPLink will support that. I imagine it will, as deciding what traffic is encrypted is part of any VPN setup. This is probably your best bet using what you currently have.
If you are trying to stay as close as possible to the current physical layout, then you need one-to-one NAT where each device on both networks is given a unique IP on the 172.16.1.x network. It would also require a tweak to the VPN settings. But, it’s complicated and I think it is really unlikely either router you have supports that.
answered Jan 9 at 6:37
Appleoddity
add a comment |
I see two possible scenarios:
- Disable NAT on the inner routers. Since you are using different networks between all LAN segments, this should be fine. In fact, the only router that would need static routes would be the DSL router, to explain what networks are on the inside of the two routers. This should not break the internet, seeing as the only device that really needs NAT is the DSL router.
Or:
- Build a bridge between the two inner routers without NAT. This would likely require another router because most SOHO devices do not allow you to take a LAN port and have it act as another WAN port. In fact, this thought process can be confusing because routers just connect different networks together, and they can all be LAN, or all WAN or any combination thereof. You may be able to find an old SOHO device that you can flash with a custom firmware and basically use it to just route traffic without any bells-and-whistles (e.g. NAT, Firewall).
answered Jan 9 at 14:02
Damian T.
add a comment |
I assume that the TPLink router is using the DSL modem/router to create the tunnel over?
– Damian T.
Jan 9 at 6:23
The VPN tunnel is created on the TPLink itself, via internet provided by the DSL modem on the WAN port.
– mdaddy
Jan 9 at 8:25
It’s really simple: Both need routes and the corresponding firewall rules and must only perform NAT for upstream-bound traffic. You probably won’t be able to achieve that using standard firmware.
– Daniel B
Jan 9 at 14:19