Posted: Tue Sep 28, 2021 0:25 Post subject: [SOLVED]Two router config, two subnets, NordVPN
My goal:
I have two routers in my setup. I want to make all PCs and devices visible to each other regardless of what IP address is assigned or what router the PC or device is plugged into. I also want to allow a device to connect to the primary or secondary router by manually changing the default gateway setting on the user's PC. This allows the user to use the OpenVPN client (NordVPN) connection in the secondary router or not use NordVPN. I don't want to have to unplug a PC from one router and plug it into the other. I don't want to use WiFi. I don't want to install and use the NordVPN app on any PC.
What I have setup at the moment:
My primary router is an Archer C9 v2 running stock firmware; this is the router that connects to the WAN (cable modem) for internet service. Its address is 192.168.1.1, with DHCP serving 192.168.1.2 to 192.168.1.200. There are a few PCs connected to this router, as well as a print server. All connections are wired. I don't want to change the firmware to DD-WRT on the primary router.
My secondary router is running DD-WRT build 47474, on an Archer C7 v5 with static WAN IP 192.168.1.145 (the 192.168.1.145 address is reserved for it in the primary router). This router serves DHCP addresses 192.168.2.2 to 192.168.2.200. The WAN port on the Archer C7 (secondary router) is connected to the LAN port on the primary router.
In the primary router there is a static route to network destination 192.168.2.0; the default gateway for this route is 192.168.1.145.
In the secondary router I added this to the Administration services startup, firewall and custom script fields, not knowing which one would make the config work properly:
iptables -I FORWARD -s 192.168.1.0/24 -j ACCEPT
I can't do a similar iptables command in the primary router, since the stock Archer C9 firmware doesn't have that feature.
The operating mode of the secondary (DD-WRT) router is 'Gateway', with the dynamic routing interface set to 'Both'.
The secondary router is running NordVPN (OpenVPN client) and it is working. A PC connected to a LAN port on the secondary router can browse the web. But it can't see the print server or any PC on the 192.168.1.x subnet.
Also, PCs on the 192.168.1.x subnet can't see the PCs on the 192.168.2.x subnet.
My questions:
Is this the best configuration? What if the secondary router didn't have DHCP enabled? Could the secondary router still run NordVPN with all PCs being in the 192.168.1.x address space?
What do I need to do to open up the two subnets to each other? Would a LAN to LAN connection help?
I tried 'router mode' with the SPI firewall off, and that didn't work.
Unless you need 2 subnets for some reason, only use 1. For WAN connection type on the C7 select "disabled". Set the router IP to 192.168.1.145 & disable DHCP. Make sure the NTP client is enabled & the region is set. Leave the NTP server box blank. Save settings after each change & apply settings at the end. The C7 is now an AP for the C9 & everything is on one network. You can access the user interface for the C7 at 192.168.1.145.
With this setup all devices should be on the 192.168.1.x subnet. Changing the gateway on a device to 192.168.1.145 will connect it through the VPN.
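Added example (editor's note, not code from the thread or from DD-WRT): in the single-subnet layout above, a client that points its default gateway at 192.168.1.145 is only inside the tunnel while OpenVPN on the C7 is up. If the tunnel drops, the C7's own default route (via 192.168.1.1) would forward that client's traffic straight back out the LAN bridge in the clear. The script below emits kill-switch rules for the C7's Administration > Commands firewall box. It assumes DD-WRT's usual names, which the thread never states: the LAN bridge is br0, the OpenVPN client's interface is tun1, and the client NATs forwarded traffic onto tun1.

```shell
#!/bin/sh
# Added example, not from the thread. Kill switch for clients that use the
# C7 (192.168.1.145) as their gateway in the "C7 as AP" layout.
# Assumptions (DD-WRT defaults, not stated in the thread): LAN bridge is
# br0, the OpenVPN client tunnel is tun1, and it masquerades onto tun1.

LAN_IF="${LAN_IF:-br0}"    # assumed DD-WRT LAN bridge name
TUN_IF="${TUN_IF:-tun1}"   # assumed DD-WRT OpenVPN client interface

# Emit the commands as text so they can be reviewed (or tested) before
# being pasted into Administration -> Commands -> Save Firewall.
kill_switch_rules() {
  _lan="$1" _tun="$2"
  cat <<EOF
iptables -I FORWARD -i $_lan -o $_tun -j ACCEPT
iptables -I FORWARD -i $_lan -o $_lan -j REJECT
echo 0 > /proc/sys/net/ipv4/conf/$_lan/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
EOF
}
# Rule 1: client traffic entering on the bridge may leave via the tunnel.
# Rule 2: client traffic that would leave the same bridge it arrived on
#         (the tunnel-down case, heading for 192.168.1.1) is rejected.
#         The two rules match disjoint -o interfaces, so insert order is
#         irrelevant. Same-subnet traffic never reaches the C7 and is
#         unaffected; only non-local destinations are routed through it.
# Lines 3-4: when Linux forwards a packet back out the interface it came
#         in on, it also sends an ICMP redirect pointing the client at
#         192.168.1.1 directly; a client that honours redirects would then
#         bypass the C7 (and this kill switch) entirely. Turn that off.

if [ "${1:-}" = "apply" ]; then
  kill_switch_rules "$LAN_IF" "$TUN_IF" | sh
else
  kill_switch_rules "$LAN_IF" "$TUN_IF"   # default: print for review
fi
```

Run it without arguments to see what it would do, or with `apply` on the router. Two related checks after changing a client's gateway: confirm with `ip route` (or `route print` on Windows) that the default route really points at 192.168.1.145, and note that the client typically keeps the DNS server it got from the C9's DHCP, so its lookups go out unencrypted via the primary router unless you also set its DNS to the VPN provider's resolver or to the C7.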
Let's put the OpenVPN client aside for the moment, because what I'm hearing from your description is basically daisy-chaining routers, WAN to LAN. That's about as basic and easy a configuration as you can create w/ two routers. From a factory reset on the secondary router, the *only* change required is to make sure its IP network is different from the primary router (which it seems you did; 192.168.2.0/24).
That's it! No messing w/ the Operating Mode, dynamic routing, no firewall rules, nothing! Any client on the 192.168.2.0/24 network should be able to reach any client on the 192.168.1.0/24 network (barring personal firewalls), and of course, the internet.
Once that's working, making the 192.168.2.0/24 network accessible from the 192.168.1.0/24 network requires a) a static route on the primary router that points to the WAN ip of the secondary router as the gateway to the 192.168.2.0/24 network, and b) firewall rules on the secondary router (which belong in the firewall script) to get past the secondary router's WAN.
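Added example (editor's note, not code from the thread or from DD-WRT): the part (b) firewall rules for the WAN-to-LAN daisy chain, written for the Firewall command box on the secondary (C7) router. The two networks come from the original post; the WAN interface name is read from nvram on the box, with eth0 as an off-box fallback that is an assumption for review and testing only.

```shell
#!/bin/sh
# Added example, not from the thread: part (b) of the daisy-chain recipe,
# for DD-WRT's Administration -> Commands -> Save Firewall box on the C7.
# Networks are from the original post; the WAN interface is read from
# nvram on the router, falling back to eth0 off-box (an assumption).

PRIMARY_NET="${PRIMARY_NET:-192.168.1.0/24}"      # C9 side, from the post
SECONDARY_NET="${SECONDARY_NET:-192.168.2.0/24}"  # C7 side, from the post

wan_iface() {
  if command -v nvram >/dev/null 2>&1; then
    nvram get wan_iface
  else
    echo "${WAN_IF:-eth0}"   # assumption for off-box review/testing
  fi
}

# Emit the rules as text so they can be reviewed (or tested) before applying.
# -I places them ahead of DD-WRT's default "drop unsolicited WAN" rules.
lan_to_lan_rules() {
  _wan="$1"
  cat <<EOF
iptables -I INPUT -i $_wan -s $PRIMARY_NET -j ACCEPT
iptables -I FORWARD -i $_wan -s $PRIMARY_NET -d $SECONDARY_NET -j ACCEPT
iptables -t nat -I POSTROUTING -o $_wan -s $SECONDARY_NET -d $PRIMARY_NET -j ACCEPT
EOF
}
# Rule 1 (INPUT):      192.168.1.x hosts may reach the C7 itself (web UI,
#                      ping). Narrow -s or add -p/--dport if you would rather
#                      not expose the admin UI to the whole primary LAN.
# Rule 2 (FORWARD):    connections from 192.168.1.x may pass through the C7's
#                      WAN to 192.168.2.x; the SPI firewall drops these by
#                      default because they are unsolicited from the WAN side.
# Rule 3 (POSTROUTING): skip masquerading for 192.168.2.x -> 192.168.1.x, so
#                      primary-side hosts see the real 192.168.2.x source.
#                      This only works because of static route (a) on the
#                      primary router; omit it if that route is not present.

rule_count() { lan_to_lan_rules "$1" | grep -c '^iptables'; }

if [ "${1:-}" = "apply" ]; then
  lan_to_lan_rules "$(wan_iface)" | sh
else
  lan_to_lan_rules "$(wan_iface)"   # default: print for review
fi
```

With the OpenVPN client running on the C7, LAN-to-LAN traffic should still stay out of the tunnel: 192.168.1.0/24 is directly connected on the C7's WAN interface, which is a more specific route than the tunnel's default route. Check `ip route` on the C7 to confirm that before relying on it.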
I followed mwbuss8's post and it is working well. One other setting I made was to change the operating mode from 'gateway' to 'router', but that may not have been necessary.
Thanks for your help
Changing from "gateway" to "router" mode is completely irrelevant in your setup. The C7 is acting as a simple AP. The OpenVPN client creates its own tunnel out.