[SOLVED] Router question about my Asus RT-AC68U concerning VPN

May 8, 2020
I just bought the Asus RT-AC68U and it is a very capable router with many features, even with just the stock firmware. But Tomato and Advanced Tomato can be flashed onto it if needed. I do not know much about those firmwares though. I would be willing to upgrade the firmware and flash to Tomato or Advanced Tomato or whatever else there is to flash onto it that people may know about, if it would allow me to do what I am trying to do.


Situation:

I set up a VPN on this router to cover my network devices that are connected to the switch-ports mainly. But what happens is that when I have the VPN activated; it allows me to connect to servers back in the United States and use sites and stream content that I would otherwise not be able to. But family members connecting to the network via the WiFi with their phones experience a major slowdown due to their activity being sent to the other side of the world and back before it gets loaded onto their phones or other WiFi devices.

Question:

Does anyone know a way to configure the settings in the router so that I can be selective as to what goes through the VPN and what does not? For example, is there a way to make it so only the switch-ports use the VPN but data flowing to or through the WiFi bypasses the VPN? Or is there a way to be selective as to what devices use the VPN or not? For example if a device is assigned a certain MAC address, then it uses the VPN. If the MAC address is in a different grouping, then it does not go through the VPN?
 
Not sure what the factory image has; it might now have that feature. In any case the best third party firmware for an Asus router is the Merlin image. One of the key features was advanced VPN. Asus has taken many of the Merlin features into the main firmware and I only run Merlin so I can't say what is on the base.

The Merlin firmware definitely has the option to allow traffic to bypass the VPN tunnel. You can use IP addresses; I am not sure if you can use MAC addresses. There are other features that you can only access via the command prompt. Been a while since I messed with this so I don't know if there are any limitations. Other third party firmware you can do whatever you want to the iptables. I started to use Merlin because of instability in other third party firmware and did not use a lot of the extra features Merlin does not have.

So the Merlin software has the ability to bypass an actively running VPN? You said it does it via IP address. Well, the router may dish out IP addresses that are different each day as long as they are within the specified range I previously set, which means I would probably have to go into the settings and let the router know which IP address I would like to bypass the VPN. It is a bit of a hassle. But if it can do that, it is better than nothing. Do you know if Merlin could limit access to the VPN by exit type, for example switch port vs WiFi or WiFi band? Do I have to use some script or is it easy to handle in the GUI?

Is it your opinion that Merlin is better than Advanced Tomato? I have never used either.
 
I don't know of any consumer router that can tell what port things come in on unless you get very fancy and use VLANs. You can use DHCP to statically assign a MAC to a particular IP, so in a way you can filter by MAC, just not in one step.

The key to Merlin is stability. I am mostly using Merlin on an 86U because it has a hardware VPN accelerator and only the Merlin and factory firmware support it. There are some other things like the hardware NAT assist that you generally lose when you do not use factory firmware. Merlin is one of the very few that have support. Without the NAT assist, a router will cap out at 200-250 Mbps.

In your case the NAT stuff does not matter because as soon as you run a VPN all traffic must pass the CPU. That is the reason for the VPN assist feature. On most routers you will be lucky to get 30 Mbps of VPN traffic. The models like the 86U can get over 200 Mbps with the proper VPN encryption acceleration.

Detailed Merlin questions are best searched for and asked on the SmallNetBuilder forum. The author of the Merlin firmware posts there and others are very knowledgeable.
I looked at the Merlin website and I saw a way that may be possible. With Merlin you can assign a static IP address to a particular device's MAC address. So I could look at the phones' MAC addresses and assign each a static IP address. Then I could go and supposedly tell the router not to allow that IP address through the VPN. But the screenshot they show on the Asus Merlin site looks like it is a section for specifically allowing certain devices through the VPN. So I would assume that would mean that any device not listed in that part of the GUI would be automatically excluded from going through the VPN. But would it block the device from the Internet or would it allow the device to still get non-VPN access? That is what I don't know.
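The mechanism the replies describe (pin each MAC to an IP with a DHCP static lease, then route by source IP) can be shown generically with iptables and policy routing, which is what a third-party firmware lets you script. The block below is an added example, not code from this thread or from the Merlin firmware; it only prints the commands it would run, and it assumes a tunnel interface `tun11`, routing table `111`, fwmark `0x1000` and a 192.168.1.0/24 LAN, with every MAC and IP in it constructed. Devices not listed keep the router's normal default route, so they reach the Internet outside the tunnel rather than being blocked; the listed devices get a kill switch so they never silently fall back to the WAN if the tunnel drops.

```shell
#!/bin/sh
# Added example (not from the thread or from Merlin): dry-run generator for
# split-tunnel policy routing keyed on LAN IP. Assumed names: tun11, table
# 111, fwmark 0x1000. All MACs and addresses below are constructed.

VPN_IFACE=tun11
VPN_TABLE=111
VPN_MARK=0x1000

# Constructed static-lease table, "MAC IP hostname" per line, as the DHCP
# server would pin them so the IP no longer changes from day to day.
LEASES='aa:bb:cc:dd:ee:01 192.168.1.10 desktop
aa:bb:cc:dd:ee:02 192.168.1.11 nas
aa:bb:cc:dd:ee:03 192.168.1.50 phone'

# Devices that should use the tunnel, chosen by MAC. Anything not listed is
# untouched and keeps the normal (WAN) default route.
VPN_MACS='aa:bb:cc:dd:ee:01 aa:bb:cc:dd:ee:02'

# lease_ip MAC: prints the pinned IP for that MAC, nothing if there is none.
lease_ip() {
  printf '%s\n' "$LEASES" | awk -v m="$1" '$1 == m { print $2; exit }'
}

# gen_rules: prints the commands; on a router you would pipe them into sh.
gen_rules() {
  # Table 111 holds only a default route through the tunnel; the fwmark
  # rule sends marked packets to that table ahead of the main table.
  echo "ip route add default dev $VPN_IFACE table $VPN_TABLE"
  echo "ip rule add fwmark $VPN_MARK table $VPN_TABLE"
  # Source NAT on the tunnel so replies come back through it.
  echo "iptables -t nat -A POSTROUTING -o $VPN_IFACE -j MASQUERADE"
  for mac in $VPN_MACS; do
    ip=$(lease_ip "$mac")
    [ -n "$ip" ] || { echo "# no static lease for $mac, skipped" >&2; continue; }
    # Mark traffic from this host so the fwmark rule routes it via the tunnel.
    echo "iptables -t mangle -A PREROUTING -s $ip -j MARK --set-mark $VPN_MARK"
    # Kill switch: forwarded traffic from this host may only leave via the
    # tunnel, so a dropped tunnel means no Internet rather than a leak.
    echo "iptables -I FORWARD -s $ip ! -o $VPN_IFACE -j REJECT"
  done
}

gen_rules
```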
I found the link. Just waiting to be approved to use the site.
I was told there is a way to make certain devices either use or bypass the VPN via their respective IP address in the Asus Merlin firmware. If anyone could elaborate on that, it would help me.

I just upgraded to the Merlin firmware. It allows me to assign an IP address to each person's phone or respective device based on their MAC address. I was advised before to post in the SmallNetBuilder forums. I joined but it says I have insufficient privileges to post there. Apparently they know a lot about the Asus Merlin firmware there. But if I cannot post, then that is no help.