Home Network Routing Puzzle: 3 Routers, Two Internet Routes












I have a semi-complex home network with a DSL Modem/Router, a Netgear Router, and a TPLink Router.



The TPLink Router has a permanent L2TP VPN connected to ExpressVPN. The devices behind this router get their internet through the VPN (devices on the right in the attached diagram).



The Netgear router is for normal (non-VPN) internet.



Is it possible to configure all three routers in the diagram such that the devices behind the two routers can communicate one with another seamlessly (i.e. without port forwarding for every requirement)? I almost got there with a few static routes, but I had to turn off NAT to get them working, and then that killed the internet.



A working solution would allow devices to ping each other on the LAN, communicate on all TCP/UDP ports, have broadcast packets/requests routed across both networks, but still have "segregated internet" (e.g. devices on the right go through the VPN for internet).



Notes: (1) I can't turn the Netgear into a bridge/AP because it performs wireless mesh routing with satellite devices. The TP-Link can't be a bridge either, because I need its routing function to handle the L2TP VPN tunnel. (2) If the solution requires putting the TP-Link behind the Netgear, that's okay.
[network diagram image]



Solution found!



Physically connected the routers, put them both on the same network, use custom DHCP to manage who-gets-what-gateway:
[diagram of the working setup]










  • I assume that the TPLink router is using the DSL modem/router to create the tunnel over?

    – Damian T.
    Jan 9 at 6:23













  • The VPN tunnel is created on the TPLink itself, via internet provided by the DSL modem on the WAN port

    – mdaddy
    Jan 9 at 8:25











  • It’s really simple: Both need routes and the corresponding firewall rules and must only perform NAT for upstream-bound traffic. You probably won’t be able to achieve that using standard firmware.

    – Daniel B
    Jan 9 at 14:19
















networking router vpn routing






asked Jan 9 at 4:24 by mdaddy; edited Jan 10 at 14:17 by mdaddy













4 Answers
Not 100% sure this will work, but 95%. EDIT Nice to see as per the OP, this does work!



Put Netgear's and TPLink's LAN interface on the same subnet, i.e. both 192.168.1.* addresses. Therefore all devices are on the same LAN (local area network).



Now the fun part: manually set the "default route" (the route to use when the IP is not a local one) on each device, with the default route for all VPN-using devices set to the VPN router, and vice versa.



Depending on the routers involved, you might even be able to send out the correct default route to the correct device via DHCP and the device's MAC address.



P.S. Thanks for the clear and informative graphic.



EDIT If using DHCP, you should probably disable it on one of the routers, i.e. pick a router to be the "main" router, and the other one only a gateway for traffic sent directly to it.






  • I’m 100% sure this will NOT work. You simply can’t use the same LAN IP on two different network segments you expect to route together unless there is some serious NAT work going on.

    – Appleoddity
    Jan 9 at 6:40











  • @Appleoddity - I don't think BenjiWiebe was suggesting to use the same LAN IP, he was suggesting to use an IP address in the same network. It is in some ways similar to my solution. The "fun part" makes this hard, but not impossible, just like the fun part on my solution requires a second Interface.

    – davidgo
    Jan 9 at 8:17






  • This should be the accepted answer based on the OP's comment to me above.

    – davidgo
    Jan 10 at 6:44











  • @davidgo, good call! thank you!

    – mdaddy
    Jan 10 at 16:07











  • @davidgo This post is not clear that he is suggesting to physically connect both network segments together on the LAN side. For that reason it is confusing and doesn’t make sense. It should be clear that putting both LAN interfaces on the same “subnet” is NOT equivalent to putting them on the same “physical” network segment. A subnet is a logical construct. It should be clarified.

    – Appleoddity
    Jan 11 at 13:27



















There may be more than 1 way to do it, but 1 way is to

(1) Ensure all devices in the network behind the TPG have static IPs and disable its DHCP server.

(2) Connect the LAN Interface of the Netgear with the LAN Interface of the TPG router.
(3) Bring up a second virtual Interface on the TPG router in the 192.168.1.x range.
(4) Set static routes on the TPG router to route 192.168.x.x to 192.168.1.1 and similarly set static routes on the Netgear router to route 10.x.x.x to 192.168.1.NEWIP

This will have the effect of allowing you to statically use a 10.x IP address to push traffic across the VPN, or DHCP or a 192.168 address for regular Internet.

I've somewhat cavalierly suggested adding a second interface on the TPG router. Depending on the router this may not be something you can do with default firmware, however it is doable using dd-wrt if you flash your router with that.






  • I think this will work, even without the fancy virtual interface. I can make both routers 192.168.1.x, disable DHCP on both of them, physically connect their LAN interfaces, and then run DHCP on my Linux server to assign the gateways by MAC. If I want the device to get its internet via VPN, set the gateway to the TPLink (192.168.1.253), otherwise gateway will be the Netgear (192.168.1.1). That way everything is on the same physical network, they'll have no problem talking to each other for local communication, and they'll get internet via the assigned. Thanks for the idea, I'll test tonight!

    – mdaddy
    Jan 10 at 4:28








  • Yes, that should work as the DHCP server on Linux is powerful enough.

    – davidgo
    Jan 10 at 6:42











  • That did it! Thanks @davidgo!

    – mdaddy
    Jan 10 at 14:17
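The gateway-by-MAC scheme from BenjiWiebe's answer and the comment thread above, written out as an ISC dhcpd configuration. This is an added example, not the OP's actual DHCP setup: it assumes ISC dhcpd on the Linux server, the Netgear at 192.168.1.1 and the TP-Link at 192.168.1.253 as stated in the comment, that each router also forwards DNS for its own clients, and the hostnames and MAC addresses are constructed placeholders.

```conf
# /etc/dhcp/dhcpd.conf on the Linux server (assumed ISC dhcpd).
# Both routers sit on the shared 192.168.1.0/24 LAN with their own DHCP
# servers disabled, so this is the only DHCP server answering on the segment.
authoritative;
default-lease-time 86400;
max-lease-time 172800;

subnet 192.168.1.0 netmask 255.255.255.0 {
    # Any device not listed below: normal (non-VPN) internet via the Netgear.
    option routers 192.168.1.1;
    # Assumption: the Netgear forwards DNS for its clients.
    option domain-name-servers 192.168.1.1;
    option broadcast-address 192.168.1.255;
    range 192.168.1.100 192.168.1.199;

    # Devices whose internet must go through the L2TP tunnel: point both the
    # default gateway and DNS at the TP-Link, so name lookups travel the same
    # VPN path instead of leaving through the Netgear's WAN.
    # Hostnames and MAC addresses are constructed placeholders.
    host media-box {
        hardware ethernet 02:00:00:00:00:01;
        fixed-address 192.168.1.201;
        option routers 192.168.1.253;
        option domain-name-servers 192.168.1.253;
    }
    host vpn-laptop {
        hardware ethernet 02:00:00:00:00:02;
        fixed-address 192.168.1.202;
        option routers 192.168.1.253;
        option domain-name-servers 192.168.1.253;
    }
}
```

Because every host is in one broadcast domain, LAN traffic between a VPN device and a non-VPN device never touches either router; the lease only selects which router carries a host's non-local traffic, and a host with a manually configured gateway ignores it.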



















You’ve placed a lot of restrictions on what you want and some of it is just NOT possible.



You want broadcast packets to traverse the two networks. That is not possible. Routers specifically segregate broadcast domains. The only way to do this is to put all the devices on the same network.



With that said, to get where you want to be it will require a significant change to your network. Because it looks like you are using home routers, your options are severely restricted. Maybe if you can install an alternative firmware your options would be better.



Therefore, I’ll give you the best way to do this.



Completely eliminate one of the routers.



There is no reason to use two routers to put some devices on a VPN. Especially if your goal is to allow all the devices to communicate. The best way to do this is with a single, more capable router that supports multiple interfaces. One port on the router would be for one network, the other port would be the other network, then you’d have a port for WAN. Set up routing between the two networks, NAT all packets destined to WAN, and route all traffic from one network through the VPN.



Assuming you don’t want to replace any of your equipment...



Instead, connect all the devices to the same router and establish the VPN on that router. Configure your VPN settings so that only devices within a specific IP range use the VPN. Then, configure a static IP range for those devices in DHCP. For instance, only route devices with an IP in the range 192.168.1.200-192.168.1.250 through the VPN. I’m not sure if your TPLink will support that. I imagine it will, as deciding what traffic is encrypted is part of any VPN setup. This is probably your best bet using what you currently have.



If you are trying to stay as close as possible to the current physical layout, then you need one-to-one NAT where each device on both networks is given a unique IP on the 172.16.1.x network. It would also require a tweak to the VPN settings. But, it’s complicated and I think it is really unlikely either router you have supports that.






I see two possible scenarios:

1. Disable NAT on the inner routers. Since you are using different networks between all LAN segments, this should be fine. In fact, the only router that would need static routes would be the DSL router, to explain what networks are on the inside of the two routers. This should not break the internet, seeing as the only device that really needs NAT is the DSL router.

Or:

2. Build a bridge between the two inner routers without NAT. This would likely require another router because most SOHO devices do not allow you to take a LAN port and have it act as another WAN port. In fact, this thought process can be confusing because routers just connect different networks together, and they can all be LAN, or all WAN or any combination thereof. You may be able to find an old SOHO device that you can flash with a custom firmware and basically use it to just route traffic without any bells-and-whistles (e.g. NAT, Firewall).






BenjiWiebe's answer: answered Jan 9 at 4:50, edited Jan 12 at 5:24













      • I’m 100% sure this will NOT work. You simply can’t use the same LAN IP on two different network segments you expect to route together unless there is some serious NAT work going on.

        – Appleoddity
        Jan 9 at 6:40











      • @Appleoddity - I don't think BenjoWiebe was suggesting to use the same LAN IP, he was suggesting to use an IP address in the same network. It is in some ways similar to my solution. The "fun part" makes this hard, but not impossible, just like the fun part on my solution requires a second Interface.

        – davidgo
        Jan 9 at 8:17






      • 1





        This should be the accepted answer based on the OPs comment to me above.

        – davidgo
        Jan 10 at 6:44











      • @davidgo, good call! thank you!

        – mdaddy
        Jan 10 at 16:07











      • @davidgo This post is not clear that he is suggesting to physically connect both network segments together on the LAN side. For that reason it is confusing and doesn’t make sense. It should be clear that putting both LAN interfaces on the same “subnet” is NOT equivalent to putting them on the same “physical” network segment. A subnet is a logical construct. It should be clarified.

        – Appleoddity
        Jan 11 at 13:27



















      • I’m 100% sure this will NOT work. You simply can’t use the same LAN IP on two different network segments you expect to route together unless there is some serious NAT work going on.

        – Appleoddity
        Jan 9 at 6:40











      • @Appleoddity - I don't think BenjoWiebe was suggesting to use the same LAN IP, he was suggesting to use an IP address in the same network. It is in some ways similar to my solution. The "fun part" makes this hard, but not impossible, just like the fun part on my solution requires a second Interface.

        – davidgo
        Jan 9 at 8:17






      • 1





        This should be the accepted answer based on the OPs comment to me above.

        – davidgo
        Jan 10 at 6:44











      • @davidgo, good call! thank you!

        – mdaddy
        Jan 10 at 16:07











      • @davidgo This post is not clear that he is suggesting to physically connect both network segments together on the LAN side. For that reason it is confusing and doesn’t make sense. It should be clear that putting both LAN interfaces on the same “subnet” is NOT equivalent to putting them on the same “physical” network segment. A subnet is a logical construct. It should be clarified.

        – Appleoddity
        Jan 11 at 13:27

















      I’m 100% sure this will NOT work. You simply can’t use the same LAN IP on two different network segments you expect to route together unless there is some serious NAT work going on.

      – Appleoddity
      Jan 9 at 6:40





      I’m 100% sure this will NOT work. You simply can’t use the same LAN IP on two different network segments you expect to route together unless there is some serious NAT work going on.

      – Appleoddity
      Jan 9 at 6:40













      @Appleoddity - I don't think BenjoWiebe was suggesting to use the same LAN IP, he was suggesting to use an IP address in the same network. It is in some ways similar to my solution. The "fun part" makes this hard, but not impossible, just like the fun part on my solution requires a second Interface.

      – davidgo
      Jan 9 at 8:17





      @Appleoddity - I don't think BenjoWiebe was suggesting to use the same LAN IP, he was suggesting to use an IP address in the same network. It is in some ways similar to my solution. The "fun part" makes this hard, but not impossible, just like the fun part on my solution requires a second Interface.

      – davidgo
      Jan 9 at 8:17




      1




      1





      This should be the accepted answer based on the OPs comment to me above.

      – davidgo
      Jan 10 at 6:44





      This should be the accepted answer based on the OPs comment to me above.

      – davidgo
      Jan 10 at 6:44













      @davidgo, good call! thank you!

      – mdaddy
      Jan 10 at 16:07





      @davidgo, good call! thank you!

      – mdaddy
      Jan 10 at 16:07













      @davidgo This post is not clear that he is suggesting to physically connect both network segments together on the LAN side. For that reason it is confusing and doesn’t make sense. It should be clear that putting both LAN interfaces on the same “subnet” is NOT equivalent to putting them on the same “physical” network segment. A subnet is a logical construct. It should be clarified.

      – Appleoddity
      Jan 11 at 13:27





      @davidgo This post is not clear that he is suggesting to physically connect both network segments together on the LAN side. For that reason it is confusing and doesn’t make sense. It should be clear that putting both LAN interfaces on the same “subnet” is NOT equivalent to putting them on the same “physical” network segment. A subnet is a logical construct. It should be clarified.

      – Appleoddity
      Jan 11 at 13:27













      1














      There may be more then 1 way to do it, but 1 way is to



      (1) Ensure all devices in the network behind the TPG have static IP's and disable its DHCP server.



      (2) Connect the LAN Interface of the Netgear with the LAN Interface of the TPG router.
      (3). Bring up a second virtual Interface on the TPG router in the 192.168.1.x range.
      (4). Set static routes on the TPG router to route 192.168.x.x to 192.168.1.1 and similarly set static routes on the Netgear router to route 10.x.x.x to 192.168.1.NEWIP



      This will have the effect of allowing you to provide statically use a 10.x IP address to push traffic across the VPN, or DHCP or a 192.168 address for regular Internet.



      I've somewhat cavalierly suggested adding a second interface on the TPG router. Depending on the router this may not be something you can do with default firmware, however it is doable using dd-wrt if you flash your router with that.






      share|improve this answer
























      • I think this will work, even without the fancy virtual interface. I can make both routers 192.168.1.x, disable DHCP on both of them, physically connect their LAN interfaces, and then run DHCP on my Linux server to assign the gateways by MAC. If I want the device to get its internet via VPN, set the gateway to the TPLink (192.168.1.253), otherwise gateway will be the Netgear (192.168.1.1). That way everything is on the same physical network, they'll have no problem talking to each other for local communication, and they'll get internet via the assigned. Thanks for the idea, I'll test tonight!

        – mdaddy
        Jan 10 at 4:28

      • Yes, that should work, as the DHCP server on Linux is powerful enough.

        – davidgo
        Jan 10 at 6:42
      • That did it! Thanks @davidgo!

        – mdaddy
        Jan 10 at 14:17
      answered Jan 9 at 8:12
      davidgo

      43.6k75291
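
The flat-LAN, two-gateway arrangement mdaddy describes in the comments, written out as an ISC DHCP server (dhcpd.conf) configuration. This is an added example, not configuration from the question or from any of the answers; it assumes the Netgear's LAN address is 192.168.1.1 and the TP-Link's is 192.168.1.253 (as in the thread), that the TP-Link's DNS forwarder resolves through the VPN tunnel, and that the host names and MAC addresses below are constructed placeholders.

```conf
# Added example: ISC dhcpd.conf for one 192.168.1.0/24 segment with two
# gateways. DHCP is disabled on both routers; this Linux box is the only
# DHCP server on the wire. Addresses follow the thread; MACs are made up.
ddns-update-style none;
authoritative;
default-lease-time 86400;
max-lease-time 172800;

subnet 192.168.1.0 netmask 255.255.255.0 {
    # Dynamic pool for any device not pinned below. Default gateway is the
    # Netgear (192.168.1.1), so unknown devices get plain, non-VPN internet.
    range 192.168.1.100 192.168.1.199;
    option routers 192.168.1.1;
    option domain-name-servers 192.168.1.1;
    option broadcast-address 192.168.1.255;

    # Devices that must reach the internet through the L2TP VPN: pin a fixed
    # address by MAC and override the gateway to the TP-Link (192.168.1.253).
    # DNS is pointed at the TP-Link too, so name lookups from these devices
    # follow the same path as their traffic (assumes the TP-Link forwards DNS
    # over the tunnel; otherwise lookups would reveal the non-VPN path).
    group {
        option routers 192.168.1.253;
        option domain-name-servers 192.168.1.253;

        host media-box {                      # constructed example host
            hardware ethernet 02:00:00:00:00:10;
            fixed-address 192.168.1.210;
        }
        host workstation-vpn {                # constructed example host
            hardware ethernet 02:00:00:00:00:11;
            fixed-address 192.168.1.211;
        }
    }
}

# Caveat: the gateway handed out here is advisory, not enforced. Every device
# sits on one L2 segment, so a host with a manually configured gateway (or a
# spoofed MAC) can use either router. Enforcing "VPN only" for a set of hosts
# needs a separate subnet/VLAN plus firewall rules, which is exactly what this
# flat design trades away for seamless LAN-to-LAN communication.
```

Validate the file with `dhcpd -t -cf /etc/dhcp/dhcpd.conf` before restarting the service; on a client, `ip route show default` after a lease renewal should name the gateway you expect for that MAC.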

      You’ve placed a lot of restrictions on what you want and some of it is just NOT possible.

      You want broadcast packets to traverse the two networks. That is not possible. Routers specifically segregate broadcast domains. The only way to do this is to put all the devices on the same network.

      With that said, to get where you want to be it will require a significant change to your network. Because it looks like you are using home routers, your options are severely restricted. Maybe if you can install an alternative firmware your options would be better.

      Therefore, I’ll give you the best way to do this.

      Completely eliminate one of the routers.

      There is no reason to use two routers to put some devices on a VPN, especially if your goal is to allow all the devices to communicate. The best way to do this is with a single, more capable router that supports multiple interfaces. One port on the router would be for one network, the other port would be the other network, then you’d have a port for WAN. Set up routing between the two networks, NAT all packets destined to WAN, and route all traffic from one network through the VPN.

      Assuming you don’t want to replace any of your equipment...

      Instead, connect all the devices to the same router and establish the VPN on that router. Configure your VPN settings so that only devices within a specific IP range use the VPN. Then, configure a static IP range for those devices in DHCP. For instance, only route devices with an IP in the range 192.168.1.200-192.168.1.250 through the VPN. I’m not sure if your TPLink will support that. I imagine it will, as deciding what traffic is encrypted is part of any VPN setup. This is probably your best bet using what you currently have.

      If you are trying to stay as close as possible to the current physical layout, then you need one-to-one NAT where each device on both networks is given a unique IP on the 172.16.1.x network. It would also require a tweak to the VPN settings. But it’s complicated, and I think it is really unlikely either router you have supports that.

          answered Jan 9 at 6:37
          Appleoddity

          7,24521124

              I see two possible scenarios:

              1. Disable NAT on the inner routers. Since you are using different networks between all LAN segments, this should be fine. In fact, the only router that would need static routes would be the DSL router, to explain what networks are on the inside of the two routers. This should not break the internet, seeing as the only device that really needs NAT is the DSL router.

              Or:

              2. Build a bridge between the two inner routers without NAT. This would likely require another router because most SOHO devices do not allow you to take a LAN port and have it act as another WAN port. In fact, this thought process can be confusing because routers just connect different networks together, and they can all be LAN, or all WAN, or any combination thereof. You may be able to find an old SOHO device that you can flash with a custom firmware and basically use it to just route traffic without any bells-and-whistles (e.g. NAT, firewall).

                  answered Jan 9 at 14:02
                  Damian T.

                  24019