Gfrktyl

In my home network, i am running two Wifi Routers,

• a Buffalo WHR-HP-G300N running DD-WRT v24-sp2 (07/24/13) std (192.168.1.2)


• a Linksys WRT320N running Shibby Tomato 1.28.0000 MIPSR2-121 K26 Max (192.168.1.3)

The Buffalo is providing a 2.4ghz Wifi Network, it maintains the PPPOE connection via my ADSL Line, provides DHCP Adress assignment (192.168.1.*) and has several devices connected to it (VoIP Phone etc.)

The Linksys is connected to the Buffalo through a LAN connection - WAN connection is disabled and the WAN port used as LAN, it provides a 5ghz Wifi Network and the devices supporting GBit Lan (Home Server, NAS) are connected via LAN to it, since the Linksys also does GBit switching.

I recently subscribed to a VPN Provider called Mullvad to enhance general privacy on outgoing connections / geolocation bypassing. Shibby Tomato is configured to establish the VPN connection and as far as i can tell, the connection is up and running - at least the logs don't provide information that anything goes wrong, i got a TUN (tun11) device in the routing tables etc.

I want to achieve the following:

• The Linksys Wifi Network provides access to the internet over the VPN
  connection


• The Buffalo Router provides access to the non-VPN Internet Link


• On the Linksys, some devices on certain LAN ports should route all their internet
  traffic over the VPN


• On the Linksys some devices should route ther traffic over the "normal" DSL
  connection


• On the Buffalo all devices conncted to the LAN ports can use the regular DSL connection (no VPN needed for the LAN ports)


• All devices should be able to connect to each other over the internal
  network (192.168.1.*)

Right now, no traffic is going out over the VPN, my assumption is, that since the Buffalo Router (192.168.1.2) assings the adresses over DHCP, it also announces itself as the default gateway... No matter if i turn on DHCP on the Linksys as well, anything that connects will get a default gateway of 192.168.1.2...

The routing table of the Linksys looks like this:

I have very limited knowledge of networks in this complexity, so i don't know what the best solution is, maybe using VLANs, maybe it involves a manual IPTables config on the router, this is beyond my understanding. Or maybe what i wish to do cannot be done at all?

Edit - In response to the Answer by Iszi:

I was wondering, if VLAN's wouldnt allow this type of behaviour? Both dd-wrt and Shibby's Tomato allow setting up VLAN's on a "per port" basis. I could set up a private Network for the Buffalo - distributing a DHCP adress space of 192.168.1.50-100 and NAT'ting these to the ADSL connection. All the traffic for that Network could be tagged with a VLAN ID, i.e. VLAN1

Then i could set up dual private Networks on the Linksys, i.e. distributing a DHCP adress space of i.e. 192.168.1.10-49 and tagging all the ports / interfaces that should connect with this as VLAN1 as well. From my limited understanding of the purpose of VLAN's, they are supposed to support exactly this use case of networks distributed on different routers, making them being handled as IF on the same network, according to their VLAN tagging.

Then i would set up and a second Network, distributing an DHCP adress space of 10.8.0.* tagging all the traffic on the desired ports / interfaces with i.e. VLAN2 ...

If i can achieve setting up the VPN as a gateway for the 10.8.0.* / VLAN2 network and the PPPOE connection as the gateway for 192.168.1.* / VLAN1 for that, it basically would allow me to assign VPN access per port / interface basis. So, again in theory, i could also set-up a primary 5ghz Wifi Connection routed into the 192.168.1.* network and Virtual Wireless AP routed into the a 10.8.0.* network...

What i dont understand is, how - or if, it would be possible to allow access from VLAN1 to VLAN2 (or if thats impossible).... The other thing is, that this is a purely theoretical consideration, since the necessary iptables setup is beyond my knowledge at this point. If somebody could outline the routing necessities or enlighten me IF and HOW this usage of VLANS make sense, i would appreciate it.

I strongly doubt you'll be able to get the configuration exactly as you want it, while having the router(s) handle the VPN connection. Particular challenges (if not flat-out impossibilities), are going to be:

• Getting some ports on the Linksys to use the VPN, while others don't.


• Getting anything from one router to talk over the LAN to devices on the other, while the Linksys is connected to the VPN.


• Getting devices not on the VPN to communicate internally with devices which are on the VPN.

I'm guessing your VPN provider only allows you to have one connection at a time, which is why you want to use a router to distribute access to that connection across multiple devices. Given that, here's the best I can come up with:

Connect your routers as below.

[Gateway]---WAN:[Buffalo]:LAN---WAN:[Linksys]

Make sure both routers are configured to act as routers - not in a "bridge mode". Both routers should be getting WAN IPs via DHCP, and serving IPs to their respective LANs with DHCP. Make sure the LAN side of each router is on a different subnet (e.g.: Buffalo LAN on 192.168.1.0/24 and Linksys LAN on 192.168.2.0/24).

Connect anything that needs to be on the VPN to the Linksys router, and everything else to the Buffalo router. Then, configure the VPN on the Linksys.

With that configuration, everything behind the Linksys should be sending its traffic out the VPN while everything attached to the Buffalo will not. Depending on whether or not the VPN rules (or the Linksys VPN client itself) allows for split-tunneling, your devices may not be able to communicate internally. If split-tunneling is supported, devices behind the Linksys will probably be able to make outbound connections to devices connected to the Buffalo, but you will need to configure port forwarding for any connections inbound to the Linksys (even then, the VPN may or may not allow it).

In short:

• Subnet 1 to Internet: Direct


• Subnet 2 to Internet: VPN


• Subnet 2 to Subnet 1: Theoretically possible, depending on split-tunneling support.


• Subnet 1 to Subnet 2: Unlikely possible. Will depend on split-tunneling support, and will require port forwarding and/or DMZ settings on the Linksys.

What you should do, if you can, to set things up the way you want is to set up individual clients and connections for each of the devices you want to have on the VPN. That way, regardless of how you lay out your network infrastructure and other devices, those will be the only devices using the VPN and the others should be able to communicate freely between one another. Then, the only local connectivity problems you might have will be between the few devices that are on the VPN and those that aren't. This will also give those devices the ability to use the VPN outside of your local network.