Networking Help Required between ISP Router and VPN Router

alphadog123

Prominent
Jan 8, 2018
4
0
510
Hi Guys,

First time posting here after a lot of research online, hopefully someone here can help with the issue:

I have an ISP router which is cabled physically to a Linksys router I am using with ExpressVPN firmware installed (OpenWRT). Everything connects fine but I am not able to ping across networks. I realize this is because they are separate networks and to that end I have added static routing to the ISP router and the Linksys router, but it got me nowhere.

Router details are below, can bridging interfaces in the VPN router help?

Router 1 (ISP Router):

ZTE F668
IP: 192.168.1.1
DHCP Enabled

Router 2 (Linksys WRT3200ACM):
Running ExpressVPN Firmware ver 1.4.7
IP: 192.168.42.1
LAN IP from Router 1: 192.168.1.11
DHCP Enabled on VPN interface.

ZTE router LAN port is connected to the Linksys router's WAN port.

I need VPN clients to have VPN IP, Local clients on ZTE to have local IP, but both networks should be able to ping each other.

Please help, I am a novice in networking, so please explicate any solutions you can offer.

Thanks a lot!
 
Solution
Your problem is your ZTE does not have dd-wrt on it. You can make the second device run as a ROUTER, but even if the ZTE can do simple routes it will not NAT the second subnet going to the internet. In the example they give they may have solved the problem of sending traffic between the subnets but did not add the line in the primary router that allows it to accept the second subnet for NAT.

You are likely much better off using the ZTE as a modem and letting the Linksys run both subnets...not sure why you have 2 subnets anyway. The Linksys can easily allow traffic to pass between the networks and send some traffic to the VPN and allow other traffic to bypass it. It is much simpler having to configure only a single device.

Ignoring the VPN, your machines on the ZTE router will not be able to access the machine behind the Linksys router because of the NAT. This is the same issue as if you tried to access your neighbors' machines from the internet. You can only partially fix this with port mapping.

Then in addition to the NAT problem the VPN will force all the traffic into the VPN tunnel. From its viewpoint the 192.168.1.x network is on the internet and it will not allow direct access unless you put a rule in the VPN that allows it.

Pretty much you are going to have issues with this and there are limited things you can do about it. These devices are not actual "routers", which is why your static route did nothing. They are better called gateways that translate a LAN network to a single WAN IP.
 

alphadog123

Jan 8, 2018
I am not certain that is the case, please see the link below (solution did not work for me, but worked for others): http://www.patrikdufresne.com/en/multiple-subnets-routing-with-dd-wrt/

alphadog123

Jan 8, 2018


Okay, let me try to answer and clarify why I require two subnets. I am in the US Armed Forces, posted in Jordan. I require the ISP IP (local IP) to access local files etc.; I cannot do that out of network, and I need the VPN for my son, to get US channels and the US version of Netflix. The ISP-supplied ZTE (Model F668) does not allow modem-only mode, so I am not sure how I would achieve this?

I plan on adding a NAS to the ISP router for work files, and media for my son to access via Plex and Infuse; this is why access between subnets is required.

Any help in this matter will be appreciated.
 
The network behind the second router can always get to things on the first router...again ignoring the VPN for now. All traffic will appear to come from the router IP address. It is as though the second network did not really exist; this is how a default internet connection works.

The thing that is a pain is if for example you put the NAS behind the second router and wanted to access it from machines on the first. With a single device you can use port mapping to solve it.

When you have a VPN you need to add an option that allows traffic to the main subnet to bypass the VPN tunnel.

If at all possible you need to not have a "server" type of function behind the second router.
 

alphadog123

Jan 8, 2018
The NAS I ordered has not yet arrived, so I am unable to test it, but I plan to put it behind the ISP router, not the VPN router. From what I understand, you are saying that if I place it behind the ISP router then the VPN router should be able to access it, since the VPN router is receiving its LAN IP from the ISP router? That sounds logical; however, I am unable to ping the ISP router from the VPN router when the VPN is connected. Is there a way to solve this? Like, the VPN router NATs the local LAN IP of the ISP network while other connections go via the VPN?

Thanks!
 
You need to tell the VPN to allow you to bypass the VPN tunnel for the IP addresses related to the network between the 2 routers. On some you must list all the IPs individually; on most you can put in a subnet.

This is not just used to allow access to the local network; it is also used for things that do not like VPNs. Netflix, for example, blocks most VPN sites, so you must put in the list of Netflix servers so they go directly rather than via the VPN.
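The route-selection logic behind that bypass rule (and behind the earlier point that the tunnel swallows the 192.168.1.x traffic), as an added example that is not code from the thread or from ExpressVPN's firmware. The addresses are the ones given in the thread; the interface names tun0, wan and br-lan are assumptions.

```python
import ipaddress

# Constructed model of the two routers in the thread. Addresses come from the
# original post; interface names are assumptions, not ExpressVPN's real ones.
LINKSYS_WAN_IP = "192.168.1.11"   # address the ZTE hands the Linksys WAN port

def vpn_router_routes(bypass_isp_lan):
    """Routing table of the Linksys while the tunnel is up.

    bypass_isp_lan=True adds the rule the reply describes: the ISP subnet
    goes straight out the WAN port to the ZTE instead of into the tunnel.
    """
    routes = [
        ("0.0.0.0/0", "tun0"),          # VPN tunnel catches all traffic by default
        ("192.168.42.0/24", "br-lan"),  # LAN behind the Linksys (directly connected)
    ]
    if bypass_isp_lan:
        routes.append(("192.168.1.0/24", "wan"))
    return [(ipaddress.ip_network(net), iface) for net, iface in routes]

def lookup(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    dst = ipaddress.ip_address(dst)
    candidates = [r for r in routes if dst in r[0]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r[0].prefixlen)[1]

def forward(routes, src, dst):
    """Return (egress interface, source address the far end sees).

    The Linksys masquerades on its WAN port, so the ZTE LAN only ever sees
    192.168.1.11; tunnel traffic leaves with the VPN provider's exit address.
    """
    iface = lookup(routes, dst)
    if iface == "wan":
        return iface, LINKSYS_WAN_IP
    if iface == "tun0":
        return iface, "VPN_EXIT_IP"  # placeholder for the provider's public address
    return iface, src

if __name__ == "__main__":
    client = "192.168.42.50"  # constructed host behind the Linksys
    for bypass in (False, True):
        table = vpn_router_routes(bypass)
        print(f"bypass={bypass}: ping 192.168.1.1 ->", forward(table, client, "192.168.1.1"))
        print(f"bypass={bypass}: 8.8.8.8 ->", forward(table, client, "8.8.8.8"))
```

Without the bypass route the ping to 192.168.1.1 is sent into tun0 and never reaches the ZTE; with it, only the ISP subnet leaves via the WAN port while everything else still goes through the tunnel.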
 
Just a word to the wise; we're under a spam attack which emanates from different VPNs, changing virtually every minute.

Today, the address you used to start this thread is being banned to stop the spam, but I hope you can find your way back here.