Adding router for DHCP with VPN

Candan

Honorable
Jul 27, 2014
237
1
10,715
Hi All.

I'm currently using the ISP provided Modem/Router as my DHCP. But I'm also using an AP for upstairs since my ISP Modem/Router is hidden in the basement. Coverage is OK, and it works, but I want to use my VPN, and my ISP provided modem/router won't support a VPN.

My current setup... (All connections are CAT6 hardwired)

ISP Modem/Router (as a DHCP) ---> Switch ---> Router (as an AP)

I want to set up as below, but cannot configure it. This is where I need help, please.

ISP Modem/Router ---> New Router as DHCP instead of ISP Modem Router (so I can apply my VPN here) ---> Switch ---> Router (as AP)

Thanks in advance! Networking gives me a headache!
 
Solution
It should be as simple as plugging the new router WAN port into the ISP router LAN port. Ignoring the VPN setup, it should just work like this. The thing that sometimes causes issues is if the ISP router is using the same subnet block as the new router. You need to change the LAN IP to something else on the new router so the WAN and LAN are on different subnets.

Candan

Sorry I'm a bit dim on networking.

So potentially if the ISP modem is 255.255.255.0

I should set the router I want to use as my DHCP 255.255.254.0 for example?

Would I then need to set the other router I'm using as an AP the same 255.255.254.0 subnet?

Thanks
 



No, that is changing the subnet mask, not the subnet, from a /24 to a /23.

If your ISP router is 192.168.1.1 a different subnet would be to change 192.168.x.x still using the 255.255.255.0 mask.

Easier still would be if your ISP modem/router could just be turned into a simple modem only and let your router handle all functions except the connection itself.

As you are connecting a router to another router, you will double NAT the connection, which is undesirable. Your router will be expecting the internet on its WAN port but will actually be on another internal network until it's routed via the ISP modem/router to the outside world.

 
Make sure the 3rd number in the IP range isn't the same as the first router to nest them.
It would be ideal to not have NAT or DHCP on the modem but if you can't get that to work then nesting them shouldn't be too difficult.

Router 1: 192.168.1.1/24
Router 2: 192.168.2.1/24
 

Candan



This is what I want to do. Just use my ISP Modem/Router as a modem into a simple modem and use the new router to handle all my functions.

So I'll allow my modem to route one ip - say 192.168.1.1 into the WAN of my new router, and let my new router function everything using a range of say 192.168.2.1 and on?
 


Start your other router at 192.168.2.0/24.
The modem will give you a public ip.
If your second router gets a 192.168.x.x ip then it's been through a NAT. Double NAT is better to avoid if possible. Just adding in extra latency.
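The two checks discussed in the replies above (LAN subnets that must differ, and a non-public WAN address indicating double NAT), as an added example that is not part of the original thread. The function names are hypothetical; the router addresses are the ones used in the thread, while 192.168.1.2 (router WAN lease) and 203.0.113.10 (stand-in public address) are constructed samples.

```python
import ipaddress

# Ranges that indicate an upstream NAT: RFC 1918 private space plus the
# RFC 6598 shared space used by carrier-grade NAT.
NAT_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]


def subnets_conflict(upstream_lan, downstream_lan):
    """True if the two routers' LAN networks share any addresses."""
    up = ipaddress.ip_interface(upstream_lan).network
    down = ipaddress.ip_interface(downstream_lan).network
    return up.overlaps(down)


def behind_nat(wan_ip):
    """True if the WAN address is not publicly routable, so an upstream
    device is already translating (double NAT once this router NATs too)."""
    ip = ipaddress.ip_address(wan_ip)
    return any(ip in net for net in NAT_RANGES)


def review_plan(isp_lan, router_wan_ip, router_lan):
    """Return a list of findings for a nested-router address plan."""
    findings = []
    if subnets_conflict(isp_lan, router_lan):
        findings.append("overlap: %s and %s share addresses" % (
            ipaddress.ip_interface(isp_lan).network,
            ipaddress.ip_interface(router_lan).network))
    if behind_nat(router_wan_ip):
        findings.append("double NAT: WAN address %s is not publicly routable"
                        % router_wan_ip)
    return findings


if __name__ == "__main__":
    # Constructed sample plans: (ISP router LAN, new router WAN IP, new router LAN)
    plans = {
        "mask changed to 255.255.254.0":
            ("192.168.1.1/24", "192.168.1.2", "192.168.1.1/255.255.254.0"),
        "third octet changed":
            ("192.168.1.1/24", "192.168.1.2", "192.168.2.1/24"),
        "modem-only mode":
            ("192.168.1.1/24", "203.0.113.10", "192.168.2.1/24"),
    }
    for name, plan in plans.items():
        print(name, "->", review_plan(*plan) or "no findings")
```

Widening the mask to 255.255.254.0 yields 192.168.0.0/23, which still contains the ISP router's 192.168.1.0/24, so only changing the third octet clears the overlap finding.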
 

Candan

Ok. Thanks for everyone's patience

Here's what I've learned so far... But I haven't been able to fiddle as the wife has been using the net for work and I dare not pull the plug then!
 

Candan

ISP modem/router. I can turn off the DHCP, but I can't turn off NAT. IP is 192.168.1.1/24

Router 1 WAN connected to the modem LAN. Router 1 ip 192.168.2.1/24. I want to apply VPN here since this will be my DHCP as well as the ethernet feed to all TVs, receivers, PCs, etc

Router 2 (main floor) will be connected to router 1 WAN as just an AP since router 1 is in the basement and signal isn't great, for all wifi. AP/bridge on subnet 192.168.3.1/24

In theory, this should work then correct?

What disadvantage is there that I can't turn off NAT on ISP router/modem? Is there a workaround?

Is there anything else I'm missing?

Thanks!
 
An access point should not be using the WAN port at all. You connect router 1 LAN to router 2 LAN port.

What model is the ISP modem/router? I can look up if there is some sort of modem-only option on it.

Does the modem/router allow you to put router 1 in the DMZ?
This will allow your router to operate outside of the NAT of the modem/router and thus not need to forward ports to router 1, and should provide slightly better throughput. The modem/router will still do some unnecessary processing vs being able to have it in modem mode only.

If you are using a coaxial cable internet connection, I would just get your own modem. Most DSL and most fiber carriers unfortunately require specific modems (that are usually always combo boxes).
 
If you can't turn off the NAT then you may as well leave DHCP on or your 2nd router might not get an IP address. Anything with a NAT should have a different 3rd digit in the IP on the LAN side available IPs and you should be fine.

The WAN/LAN are two different interfaces. The NAT changes the IPs from the WAN into the ones for the LAN. The DHCP server assigns IPs to anything connected to the LAN. If you set up a router as an access point, don't use the WAN port because it won't do anything (some will let you reassign the port to LAN, but that's not a common feature).

ISP modem/router (only has LAN ports, leave DHCP/NAT on) ---> plug into WAN of 2nd router (DHCP/NAT on) ---> connect LAN to switch ---> connect any device or AP to switch (don't plug a WAN interface into the switch)

Double NAT will make port forwarding very complicated. Running a VPN client on your router shouldn't be an issue. Running various services might be complicated: VPN server, Minecraft server, etc.
 

Candan



Got it on Router 1 to Router 2 using LAN. Thanks for this.

The modem/router is Bell Canada Home Hub 3000 which is a proprietary unit manufactured by Sagemcom. It's an optic fibre AIO for voip phone, tv and internet. Fortunately though all 3 are controlled individually, so I'm not stuck by using it as my DHCP.

The routers I'm using are both Asus, and I plan to run Merlin FW on them. The modem has a DMZ setting as does the Merlin FW. But I'm not sure if the modem will allow me to set DMZ on router 1. I have not tried as of now. I guess just trying will determine this.

Thanks as we go!
 

Candan



Thanks to you too for the info.

I have tried as you've suggested. Modem/router DHCP on (no NAT option) 192.168.1.1/24. LAN to WAN on Router 1 with DHCP/ NAT on. 192.168.2.1/24. This worked as I believed it should. All wired connections from router 1 and all wifi connections from router 2 (in AP mode.)

I was also able to control all my wired connection components on router 1 with my wifi tablet, phone, etc connected to router 2 with no issue.

I hadn't applied my VPN on router 1 yet though...

But where I ran into problems though was my home media server (Plex) running on a PC on router 1. It wouldn't see the server at all on any media player (I have 2 Roku3 and Nvidia shield) even though they are all wired connections to the same router 1, behind switches. But Netflix, Amazon, etc, all work fine on the same media players. This I couldn't figure out at all.
 


Check the IP of each and make sure they are on the same intended subnet. Try to ping each computer. You can find your device IPs possibly in your router or running a scan on the LAN using ipconfig or nmap.

I would recommend having everything possible on the switch if it's next to the router. It's ideal to have all your stuff on the same switch. On a level 2 switch LAN traffic won't go through your router and potentially slow down WAN traffic to another device.

What's the OS you are running Plex on? Internet issues shouldn't impact LAN connectivity. Plex on Linux can have some issues with file permissions that are easy to sort out.