Using two routers, not the way you think....

Flea77

Limp Gawd
Joined
Nov 9, 2004
Messages
143
So I have this TP-Link business-class router I really like, but unfortunately it is too slow (my internet connection is 400Mbps and the TP-Link business router won't quite hit 300). I also have this TP-Link home router (Archer C7) which does the speed just fine, but does not provide VPN (I really, really like the IPsec VPN in the business-class router).

This brings me to my question:

Can I take the home TP-Link router (called router1) and put the business-class router (router2) in its DMZ to provide VPN capabilities?

So I would have modem -> router1 -> switch -> PCs and router2.

Router2 would have DHCP off and no WAN connection, only LAN. I have done this before to convert a router into a WAP, but did not know if the IPsec VPN part would work (I am no VPN expert).

Anyone try this?
 
You don't want to configure this as a DMZ. Home routers don't really have true "DMZ" functionality. Home router DMZ implementations are there so you can forward and open all ports to another NAT device or endpoint, except any other ports with explicit rules.

Does the Archer C7 not have a built-in L2TP VPN?
 
Then it sounds like the DMZ would be perfect, keeps me from having to open/forward ports to a device that will just run the VPN.

No, the C7 does not have VPN built in.
 
This will be fine as long as you don't need to open any other ports or other NAT rules. Otherwise, just have Router2 connected via its WAN/Internet interface to Router1's LAN interface and port forward only the necessary ports for L2TP/IPsec to the WAN interface of Router2.
 
I don't believe you'll be able to set up a VPN connection on the router in AP mode. It has to have routing enabled and an IP on the WAN interface to be used for a VPN. It also won't work to leave routing on and hook the WAN side of router2 to the switch, as the WAN and LAN will be on the same subnet.

Also, once set up, you won't be able to reach the VPN from a computer on the internal network without adding a static route pointing to router2 as the gateway for the VPN subnet. Otherwise they will attempt to use their default gateway (router1), which does not know how to route traffic to the VPN subnet.
 
Yup, that makes sense. I just hadn't thought that far through. Kinda stinks, but oh well.

Thanks for the push in the right direction, much appreciated.
 
I do think you could actually do this, but know that with the device you're talking about you'll probably end up with a double NAT.

Do you have an old version of the C7? I'm looking in the manual right now and on Page 63 it mentions OpenVPN being built in:

https://static.tp-link.com/1910012218_Archer C7_V4_UG.pdf


It is definitely possible to put the TP business behind the Archer and port forward the necessary ports to make the VPN work. After you VPN in you'll be in a double NAT and everything you need to access will just be forwarded one hop. If your Archer is giving 192.168.1.x/24 and the business is giving 192.168.2.x/24, a 2.x IP can go out the 2.x gateway to reach a 1.x IP. The reverse however does not work. It's completely ugly and butchered, but it definitely should work. (MTU is going to be super cranky with you though.) So even though technically it would work, I wouldn't recommend it. If you're doing NAT once, you really need the VPN device to dump you out onto the same network the traffic came from.
 

That would require any computer that needs to use the VPN to be plugged into the second router directly. Then all machines on router2 are back to the reduced WAN speed (even slower with VPN overhead) that the OP is trying to solve with this setup.

The only way I can see this working correctly is if the OP can plug router2 into a second LAN port on router1, and give it an IP on a different subnet. Then plug the LAN of router2 into the switch with router2's DHCP server turned off. Give the LAN side of router2 a static IP on the same subnet as router1's LAN, but outside of the DHCP range. Port forward the VPN ports from router1 to router2's 'WAN' IP to create the VPN tunnel. The last step is adding a static route on any machine needing to use the VPN tunnel, so all traffic destined to the VPN subnet uses router2's LAN IP as the gateway.
 
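As an added illustration of two points made in this thread (not code from any poster): first, the difference between dropping router2 in router1's DMZ and forwarding only the L2TP/IPsec ports (IKE UDP 500, NAT-T UDP 4500, ESP, L2TP UDP 1701); second, why a LAN host cannot reach the VPN subnet until it (or, as a generalization, router1 itself if it supports static routes and will forward back out its LAN interface) has a static route for that subnet pointing at router2's LAN IP. All addresses, the 10.8.0.0/24 VPN pool, the probe list and the routing tables are constructed assumptions for this model, not the posters' configuration.

```python
import ipaddress

# Constructed model of the layout discussed above (assumed addresses, not anyone's real config).
# router1 = the Archer, the LAN's default gateway and the only device NATing to the ISP;
# router2 = the IPsec router with a static LAN-side address on router1's subnet, outside
# router1's DHCP range. 203.0.113.1 (TEST-NET-3) stands in for the ISP-side gateway.
ON_LINK = "on-link"
ROUTER1_LAN = "192.168.1.1"
ROUTER2_LAN = "192.168.1.2"
ISP_GW = "203.0.113.1"
VPN_SUBNET = "10.8.0.0/24"          # hypothetical pool handed out to VPN clients
IP_TO_NODE = {ROUTER1_LAN: "router1", ROUTER2_LAN: "router2", ISP_GW: "isp"}

# --- Part 1: inbound exposure on router1: DMZ catch-all vs. explicit forwards ---
# What a L2TP/IPsec responder needs reachable from the internet: IKE (UDP 500),
# NAT-T (UDP 4500), ESP (IP protocol 50, no port) and L2TP (UDP 1701).
L2TP_IPSEC_FORWARDS = [("udp", 500, ROUTER2_LAN), ("udp", 4500, ROUTER2_LAN),
                       ("esp", None, ROUTER2_LAN), ("udp", 1701, ROUTER2_LAN)]
# Constructed probe list: the VPN ports plus a few unrelated services an attacker would try.
PROBES = [("udp", 500), ("udp", 4500), ("esp", None), ("udp", 1701),
          ("tcp", 22), ("tcp", 80), ("tcp", 445)]


def inbound_target(forwards, dmz_host, proto, dport):
    """Where router1 sends an unsolicited inbound packet: the first matching explicit
    forward wins; otherwise the DMZ host (if configured) gets it; otherwise None (dropped)."""
    for f_proto, f_port, host in forwards:
        if f_proto == proto and (f_port is None or f_port == dport):
            return host
    return dmz_host


def exposure(forwards, dmz_host, probes):
    """Map each (proto, port) probe to the internal host that would receive it."""
    return {p: inbound_target(forwards, dmz_host, *p) for p in probes}


# --- Part 2: LAN-side routing towards the VPN subnet ---
def next_hop(table, dst):
    """Longest-prefix match over a table of (prefix, next_hop); next_hop is an IP string,
    ON_LINK for a directly connected network, or None when nothing covers dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


def build_tables(static_route_on=None):
    """Per-node tables. static_route_on chooses where the route 'VPN_SUBNET via router2's
    LAN IP' is installed: None (nowhere), "pc" (each client) or "router1" (the gateway)."""
    pc = [("192.168.1.0/24", ON_LINK), ("0.0.0.0/0", ROUTER1_LAN)]
    router1 = [("192.168.1.0/24", ON_LINK), ("0.0.0.0/0", ISP_GW)]
    if static_route_on == "pc":
        pc.append((VPN_SUBNET, ROUTER2_LAN))
    elif static_route_on == "router1":
        router1.append((VPN_SUBNET, ROUTER2_LAN))
    return {
        "pc": pc,
        "router1": router1,
        # router2 terminates the tunnel, so the VPN subnet is directly reachable from it
        "router2": [("192.168.1.0/24", ON_LINK), (VPN_SUBNET, ON_LINK),
                    ("0.0.0.0/0", ROUTER1_LAN)],
        "isp": [],  # the ISP carries no route for RFC 1918 space: the packet is discarded
    }


def trace(tables, src, dst, max_hops=8):
    """Follow next-hop decisions node by node; the last element is 'delivered',
    'dropped' (no route at some hop) or 'loop'."""
    path, node = [src], src
    for _ in range(max_hops):
        gw = next_hop(tables[node], dst)
        if gw is None:
            return path + ["dropped"]
        if gw == ON_LINK:
            return path + ["delivered"]
        node = IP_TO_NODE[gw]
        path.append(node)
    return path + ["loop"]


if __name__ == "__main__":
    print("DMZ host exposure     :", exposure([], ROUTER2_LAN, PROBES))
    print("explicit forwards only:", exposure(L2TP_IPSEC_FORWARDS, None, PROBES))
    for where in (None, "pc", "router1"):
        path = trace(build_tables(where), "pc", "10.8.0.5")  # a hypothetical VPN client
        print(f"static route on {str(where):8}: {' -> '.join(path)}")
```

With the DMZ setting every unsolicited probe, including TCP 22/80/445, lands on router2's management plane; with explicit forwards only the four IPsec/L2TP entries do and the rest are dropped at router1. The routing trace shows the same packet to a VPN client going pc -> router1 -> isp -> dropped until the static route exists, after which it goes straight to router2. The "router1" variant is the generalization mentioned in the lead-in and only applies when the home router accepts static routes and forwards back out its LAN side.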
Yes, I have a V2; the V4 has both OpenVPN and PPTP built in. I may just upgrade the router, although I still won't get the IPsec VPN that I wanted in the business-grade TP-Link router.
 
If you're upgrading your router anyway, look into something like the MikroTik or possibly the Ubiquiti (not my choice, but others have no problem with them), or something like a pfSense appliance (best option). I'm using pfSense on a VM, but have used a hardware setup with an Intel Atom 1U. It can handle your WAN speeds easily and has the VPN features you want built in.
 
Easiest for me would just be to get a V4 TP-Link. Bulletproof, easy to set up and very fast. Not a fan of MikroTik (got 10-15 of them laying around I have yanked and replaced from client sites already), Ubiquiti is nice but a tad over the top for what I need, not to mention it still doesn't work with what I really want, which is Greenbow VPN software. pfSense I have at the office and hate hate hate because even when we turn it off, it still somehow makes it a nightmare to set up (not use) VoIP systems. I have had to bypass the pfSense unit every time I need to provision a new VoIP phone or system, and funny enough, I bypass it with a TP-Link Archer C7 V2, heh.

Thanks for all the info guys, at least now I know that what I wanted to do won't really work and the simple solution is just to get a newer version of the router I already have, switch to either OpenVPN or PPTP and be done with it.
 