[SOLVED] Routing AP to secondary VPN router?

Aug 27, 2019
5
0
10
0
Wonder if anyone can advise me on how to configure my network so I can get an AP talking to a (secondary) VPN router in order to use the VPN for external traffic?

Router 1: TPLink C60 connected to ISP. LAN IP 192.168.1.1

Router 2: TPLink C7 with DD WRT. OpenVPN client running. Connected to C60 via WAN port. LAN IP 192.168.2.1. DHCP on. (WAN IP is 192.168.1.2)

House is fully wired; connections all go back to Router 1. Router 2 was added in to this physical set up.

Several wifi APs and Apple Airport Expresses (in bridge mode acting as APs) are located throughout the house to provide wifi access to Router 1. Static IPs in the 192.168.1.5-9 range.

I would like to pipe the Airport Express in the furthest room in the house through to Router 2 (instead of Router 1) in order to access VPN via wifi in that room. Unfortunately, nothing is working. I’ve set up a static route from R1 to R2 that points 192.168.2.1 to 192.168.1.2 and have confirmed it’s working. But I can’t seem to get the Express configured such that it bypasses R1 and uses the R2 VPN for outside connections. A What Is My IP query always returns the ISP’s address.

I’ve searched and searched online for solutions, but nothing I’ve found quite fits. (Most queries on dual router setups involve trying to get computers on different subnets to pass files to each other.)

The closest idea I’ve found is perhaps putting both routers on the 192.168.1.x subnet, connecting R2 via LAN (rather than WAN) to R1, and giving them different DHCP ranges. Perhaps if I did that, then would it work to assign an Express with 192.168.1.x (static), subnet mask 255.255.255.0, gateway 192.168.1.2?

In a perfect world I’d like to keep R2 on 192.168.2.x; but I’m pragmatic enough that ultimately I’ll do what works.

Can anyone give me a relatively simple fix? I’m not computer illiterate, but I’m not a networking guru either!

Many thanks.
 
This tends to be the difference between an actual router and the things you buy in consumer stores called routers.

Routes are concerned with the destination IP, not so much the path it takes. If you put in a route for network 192.168.2.x it works, but how does the router know that you want to send, say, 8.8.8.8 to 192.168.2.1? You can of course put in more routes, but this does not work in your case since what you really want is based on the SOURCE device taking different paths.

This is not a function of actual routing; it only deals with destination.

There are functions that allow you to do source-based routing, but you are lucky consumer routers even have normal route commands. DD-WRT can do this, but this is likely an overly complex solution.

The next issue is that the IPs in the APs mean nothing. They are only used to administer the AP itself. The devices connected to the AP do not actually pass through the IP address used by the AP. The AP is best considered a dumb switch that has magical Ethernet cables that talk to wifi. An AP is what is called a layer 2 device; it only uses MAC addresses.

Your solution all depends on how much control you have over the end devices and how secure you need this to be.

The simplest, although kind of a hack, is to connect both LAN and WAN ports on router 2 to router 1 LAN ports. You must be very sure you disable the DHCP on R2 so it does not give out IPs. What you have done is put 2 IP subnets in the same LAN. The devices are stupid, so they don't know the other network exists.

What you would then do is manually configure the device you wanted to use the VPN with an IP and subnet in the second network.

This is of course not secure because it only requires someone to know how to change the configuration.

The best solution is to run VLANs, but again consumer equipment does not support it.
 

nigelivey

Distinguished
The closest idea I’ve found is perhaps putting both routers on the 192.168.1.x subnet, connecting R2 via LAN (rather than WAN) to R1, and giving them different DHCP ranges. Perhaps if I did that, then would it work to assign an Express with 192.168.1.x (static), subnet mask 255.255.255.0, gateway 192.168.1.2

You can not have 2 x DHCP ranges on the same network segment, where would hosts get their IP address from, R1 or R2??

Can you add a static route on either router in the configuration pages?
 
You can not have 2 x DHCP ranges on the same network segment, where would hosts get their IP address from, R1 or R2??
Well, that's what I was wondering (and, indeed, trying it out, it didn't work). But I thought I'd give it a go, since at least it made the second router visible throughout the whole network.

Can you add a static route on either router in the configuration pages?
I would, happily. Not sure what to add, though.

Both routers allow for static routing. R1 is using stock TP-Link (blue) firmware. R2 has been flashed with DD-WRT.

I've put the following route into R1:
Network Destination: 192.168.2.0 [subnet for R2]
Subnet Mask: 255.255.255.0
Gateway: 192.168.1.2 [static WAN IP for R2]

This has the effect of allowing me to log in to R2 using 192.168.2.1 from any computer in the house. But it hasn't got me any further in terms of routing traffic from a distant AP through R2 for DHCP on the secondary subnet and (therefore) outbound VPN.

All the APs have a static IP, so if there's a formula for AP-side IP and R1-side static route that I can input to coax R1 into routing traffic to R2, that would be amply sufficient.

I'm very open to suggestions.
 
Thank you very much. I don't desperately mind a hack solution; it's a home network that I administer, and no one else has the skill or interest, just as long as their gizmos work.

Unfortunately, the hack didn't work. :(

R2 WAN was already plugged into R1 LAN as 192.168.1.2 and operating its own LAN on 192.168.2.x

Added cable from R2 LAN to R1 LAN.

Set up Airport Express in bridge mode as 192.168.2.10 / 255.255.255.0, with Router/Gateway address as 192.168.2.1 (R2) and OpenDNS servers.

Logged into the Express via wifi, googled "What is my IP", and it came back with the ISP's public IP.

What am I missing?
 
If the DD-WRT router has policy-based routing, you can tag LAN packets based on their source IP.
Then you would have a rule on WAN for tagged packets to use the tun gateway.
pfSense has this, and you might want an x86 CPU setup anyway. AES is going to run really slow on DD-WRT.
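
An added example, not part of any poster's reply: a small Python model of the two lookups discussed in this thread, destination-only routing on R1 versus source-based (policy) routing on R2. The R2 table contents, the `isp` label, the `tun0` interface name and the client address 192.168.2.10 are assumptions constructed from the thread's addressing.

```python
import ipaddress

# Constructed tables: (destination prefix, next hop). "isp" and "tun0" are
# assumed labels for R1's ISP uplink and R2's OpenVPN tunnel interface.
R1_MAIN = [
    ("192.168.1.0/24", "direct"),
    ("192.168.2.0/24", "192.168.1.2"),  # the static route the OP added on R1
    ("0.0.0.0/0", "isp"),
]
R2_MAIN = [
    ("192.168.2.0/24", "direct"),
    ("192.168.1.0/24", "direct"),
    ("0.0.0.0/0", "192.168.1.1"),       # R2's WAN gateway is R1
]
R2_VPN = [("0.0.0.0/0", "tun0")]

# Policy rules on R2, checked in order: (source prefix, table to consult).
# 192.168.2.10 is an assumed client that should leave through the VPN.
R2_RULES = [("192.168.2.10/32", R2_VPN), ("0.0.0.0/0", R2_MAIN)]


def lookup(table, dst):
    """Longest-prefix match on the destination address only."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def r1_next_hop(src, dst):
    """Plain static routing: the source address plays no part."""
    return lookup(R1_MAIN, dst)


def r2_next_hop(src, dst):
    """Policy routing: pick a table by source, then match the destination."""
    src = ipaddress.ip_address(src)
    for prefix, table in R2_RULES:
        if src in ipaddress.ip_network(prefix):
            hop = lookup(table, dst)
            if hop is not None:   # no match: fall through to the next rule
                return hop
    return None
```

On R1, every source gets the same answer for 8.8.8.8, which is why the static route alone never steers internet traffic to R2. Only the source rule on R2 separates the VPN client from the rest.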
 
Quick google said that DD-WRT can support policy-based routing, so I'll have a look there. In the event, I've solved the immediate problem through a different route, namely by turning a Raspberry Pi into a wifi router for use in the room where the AP is/was. That said, I'll have a look at this method, not least so I can learn. As I said, I'm no networking guru ... but I am a quick study, and I don't like to be defeated by these things! :D
 
