Need help configuring 2nd router behind vpn

newcomers

Active Member
Hi,

I have BT Infinity and I have had a standalone TD-W9980 modem router for a couple of years now, in place of the Home Hub. It has been working perfectly, but I decided I wanted a VPN, so I purchased a Netgear R7000 and I have installed DD-WRT on it, and I have an account with a VPN provider.

Eventually managed to get them both working together (although when connected to WD9980 wifi, I can't connect to admin interface of R7000, and vice versa, which bothers me, but it's minor atm).

VPN is working fine, but now Plex is not working from outside of my network and neither is my VNC viewer or torrent client. I have tried port forwarding on both routers, I have tried setting a static route from the WD9980 to the R7000 but still no luck. I have tried setting the WD9980 to bridge mode (modem only) but as far as I can see there's no way of doing it.

Here is my config:

WD9980 - LAN IP - 192.168.1.1 (MODEM)
DHCP SERVER 192.168.1.100-200

R7000 - LAN IP - 192.168.2.1 (what all my devices now connect to via wifi)
WAN IP - 192.168.1.101
DHCP SERVER - 192.168.2.100-149

How do I get all traffic to get to the R7000 router? Would a standalone modem be the answer?
 

mickevh

Distinguished Member
Have a read of the "Using Two Routers Together" FAQ pinned in this forum.

Using the configuration described, you've created a load of "problems" because you've partitioned your network into two separate subnets with a "router behind a router."

The TD-W9980 has not become a "modem" just because you "say" it is - to function as a modem, it needs to have proper "modem mode" setting and many SOHO routers lack such. ("Bridge" mode may not be the same thing - we'll have to check the manual. EDIT - not much info. in the manual, I think best to assume it's not a "modem" mode - if it were I'd expect it to render Wi-Fi inactive, knock out DHCP & NAT and a bunch of other stuff, so I think it's best to presume this isn't "Modem" mode./EDIT)

The best configuration for VPN is to have the VPN end point in the ISP connected router. Having it in something "inside" your ISP router (as you have) is doable with the right equipment, but with what you have in hand, I think it's highly likely it's not going to work the way you expect.

Yes, you could (probably) "fix" this with a separate VDSL modem (proper modem, or a router that has a "modem mode.")

Internet---Modem---R7000---everything else.

That renders the TD-W9980 redundant, though you could keep it and use it as an additional Wi-Fi Access Point (AP) if you wanted (again, see the aforementioned FAQ.)
 

newcomers

Active Member
I also checked the manual and it doesn't look like it can be set to modem only.

If I were to follow that guide, the R7000 would be the secondary router and have DHCP disabled. How would the clients connect to it (need them to connect to it for VPN) if it doesn't do DHCP?
 

mickevh

Distinguished Member
DHCP is nothing to do with "connecting to routers" - DHCP is a mechanism to provide IP addressing to hosts that request it, (actually to NICs - some devices have more than one NIC, laptop being the obvious example.)

A DHCP server can be hosted anywhere on the LAN, it doesn't have to be in a router - in big shops we often have dedicated DHCP Servers in entirely separate boxes. The reason SOHO routers contain DHCP Servers is just for a matter of convenience - not least because the SOHO router is often the only networking box most SOHO users have.

I'm not sure connecting your R7000 as a "secondary" router (WAP/Switch combo behind the TP-Link) is going to achieve what you want in terms of hosting the VPN end point. Firstly, R7000 may not be prepared to create/accept VPN establishment through one of its "LAN" ports - it may require session to arrive/depart at the WAN port. A case of check the manual.

Then as you've identified, your LAN devices might need some static routes to reach the VPN end point (or your ISP router - the "default gateway" would have to bounce them over.) Another reason why having the VPN endpoint in your ISP connected router is a better practice for SOHO - you've got all your routing decisions happening in one place. It depends a bit on the "type" of VPN you want - there's a few varieties (site-to-site, site-to-client, layer2, layer3, etc.)
 

newcomers

Active Member
Think I'll have to scrap the idea of running a dedicated VPN router, and just use the VPN apps on each client.
 

mickevh

Distinguished Member
A dedicated VPN "appliance" inside your LAN is certainly do-able with the right kit - I'm just cautious about whether a typical SOHO router can avail it connected router-behind-router. Maybe if you looked at an after market firmware such as DD-WRT, though I'd be reluctant to install such on a new router as it'll invalidate the warranty and I'd want to be really sure it was going to "work" and do what I wanted before trying it.

If you've got something in your LAN already that is "always on" such as a home server or a NAS, you might look to see if there's a VPN app available to add the functionality. Then "all" you've got to do is port forward the VPN traffic through the (TPLink) router to it (and hope your ISP doesn't restrict it) which should be relatively simple. You'd probably want to sign up to a Dynamic DNS (DDNS) service also so that you can always "find" your router's external IP address from the Internet (many ISPs don't provide fixed external IP addresses.)

I guess your ideal scenario would be that the VPN end point is presented onto your LAN as if the remote client was connected locally, thence it'll look like any other locally connected NIC and special IP routing wouldn't be necessary - effectively the VPN endpoint is functioning as a "proxy NIC." I don't doubt that there's "something" out there that functions in such a way, but I've never set such a thing up myself (all my VPNs are corporate site-to-site type offerings which use a somewhat different operating paradigm.)
 

newcomers

Active Member
I have DD-WRT installed already, I have an HTPC that's on all the time and I have dynamic DNS running too :)
 

newcomers

Active Member
R7000. Can't be installed on the TP-Link, would save all the headaches if it could be done!!
 

mickevh

Distinguished Member
Pity. Ho Hum. You might want to look at whether you can find an app for your HTPC then - what's its O/S? I won't be able to recommend any particular software, but someone else might.

Equally, you might try joining the DD-WRT forums and see whether there's someone there that can help you getting the R7000 working.
 

newcomers

Active Member
Yeah I'll try the DD-WRT forums, thanks for trying though
 

starfarer

Well-known Member
You need to look into policy based routing in VPN and add Plex server to use wan.
 

bernado

Well-known Member
I spent way too much time trying to get external Plex access through my secondary VPN router. After reading and trying countless technical configurations, although being reasonably technical, I gave up.
Whilst this is no use to you at least you'll know you're not alone, just don't go chasing rainbows would be my advice :)
 

starfarer

Well-known Member
I've Linksys router flashed with Asuswrt-merlin fw and enabled policy rules on VPN's redirect internet traffic.
1) My Network: All traffic to use VPN
2) Nvidia: shield TV running plex server and to use ISP's IP (wan)
3) MyCloud: WD MyCloud bought from classified here and holds media files for plex server. Syncthing, webdav, FTP and transmission services running.

No problem accessing either plex server or MyCloud's services remotely.
 

Attachments

  • policyRouting.png
    policyRouting.png
    42.9 KB · Views: 46
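
A model of the policy-routing idea discussed in this thread, added here as an illustration and not posted by any participant or taken from any router firmware: it shows why a port forward to a LAN server stops working once all traffic is sent into the VPN, and how a per-host WAN exemption restores it. The host addresses and the rule ordering (WAN exemptions checked before VPN rules) are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    source: str  # LAN host or CIDR the rule applies to
    iface: str   # "WAN" (ISP connection) or "VPN" (tunnel)


def egress(rules, src_ip, default="WAN"):
    """Return the interface that traffic from src_ip leaves through.

    Assumption of this model: WAN exemptions are evaluated before VPN
    rules; within each group the first matching rule wins.
    """
    addr = ipaddress.ip_address(src_ip)
    ordered = sorted(rules, key=lambda r: r.iface != "WAN")  # stable, WAN first
    for rule in ordered:
        if addr in ipaddress.ip_network(rule.source, strict=False):
            return rule.iface
    return default


def port_forward_works(rules, server_ip):
    """A connection forwarded in from the ISP-facing address only completes
    if the server's replies leave the same way. Replies pushed into the
    tunnel reach the remote client from the VPN provider's address, which
    does not match the connection the client opened, so they are dropped."""
    return egress(rules, server_ip) == "WAN"


# Constructed sample data: the subnet is the R7000 LAN from the thread,
# the individual host addresses are hypothetical.
LAN = "192.168.2.0/24"
PLEX = "192.168.2.50"
LAPTOP = "192.168.2.120"

ALL_VPN = [Rule(LAN, "VPN")]
WITH_EXEMPTION = [Rule(LAN, "VPN"), Rule(PLEX, "WAN")]


def report(rules):
    """Map each sample host to (egress interface, inbound forward usable)."""
    hosts = {"laptop": LAPTOP, "plex": PLEX}
    return {n: (egress(rules, ip), port_forward_works(rules, ip))
            for n, ip in hosts.items()}


if __name__ == "__main__":
    print("all via VPN:   ", report(ALL_VPN))
    print("plex exempted: ", report(WITH_EXEMPTION))
```

Only the exempted host leaves the tunnel; every other device on the subnet still egresses through the VPN.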
