LAN To WAN second router

alex_boothby

Hi there,

Hope you all can help.

I am wanting to add a second router to my network so I can set up Express VPN via PPTP.

My primary router is some Generic Sky ER115 thing.

My second router (the one that supports PPTP) is a Draytek Vigor 2110.

- Putting them both on the same subnet and connecting LAN to LAN, I can get the internet working through connecting to the second router. The problem with this is that I can't get the VPN to work, as I believe the VPN settings only allow for a LAN to WAN setting.


- So, now I connect a cable from the LAN on router 1 to the WAN port on router 2. And I make sure they are on DIFFERENT subnets (Router 1 on 192.168.0.x, Router 2 on 192.168.1.x), with DHCP enabled on both.

The problem is now the internet will not work when I connect to router 2. I'm probably doing something silly, but most guides seem to stop there and not ask for any other steps.

Does anyone have an idea what I am doing wrong? Is there some sort of rule I need to allow for traffic to pass between the two?

Many thanks in advance!
 
By connecting the WAN port of the second router to the LAN port of the first, you are creating a "Double NAT" situation. Meaning that the source IP address on packets from your client computers will get translated twice before going out onto the internet.

In my experience this can make problems for PPTP. Also, the first router has to be forwarding any ports needed for PPTP to the second one. Some routers also have a "VPN Passthrough" setting that has to be on. It might be called something else similar.

You're probably better off using L2TP or OpenVPN, and running it on just one router that is connected to your internet.
 
What about turning off DHCP & NAT on the 2nd router, and letting it all be handled on the primary?
 
Well as you said in your first post, the second router probably needs to route VPN traffic from its WAN port over to the LAN clients. This would require using NAT. And if you are using NAT, you'll probably need DHCP as well otherwise the clients on the second router can't get IP addresses.

I don't know for sure that running PPTP behind a second NAT router won't work, but I think it could cause some headaches.
 
Hmm, I thought the primary router would handle the DHCP if it's turned off on the 2nd. But now that I'm thinking of it, the 2nd router would have to be on the same subnet...
 
Hmm, I thought the primary router would handle the DHCP if it's turned off on the 2nd. But now that I'm thinking of it, the 2nd router would have to be on the same subnet...

I agree, I think the second router should be on the same subnet.
 
this is actually kind of complex...

you have router 1, that has the public IP, the private range, and does NAT and DHCP.

then you have router 2, that does VPN, and to do VPN probably needs to accept connections on the public interface and NAT to the private network.
and very few routers will enable you to configure the same network on the public and private sides.


you already tested whether router 2 can accept connections to, and establish VPN connections on, the same network (i.e. LAN to LAN, ignoring WAN) - the answer was no. the VPN has to be seen on the WAN interface, and packets must be translated also.



I think that the only thing left is:
Does your router 1 have a DMZ mode?

if it does on router 1:
set the LAN network to whatever you currently have, (192.168.1.0/24)
set the DMZ network to a different private network (192.168.2.0/24)

on router 2,
set the WAN network as 192.168.2.0/24
set the WAN network as 192.168.1.0/24

Forward the VPN ports to the DMZ network device (router 2) on the DMZ network.


then test and see if it works. - you may find that having DHCP only on router 1 doesn't work, as some VPN servers like to maintain a pool of addresses themselves.

not an issue, change router 1 so instead of serving 192.168.1.2 - 192.168.1.254 in its DHCP scope it has 192.168.1.2 as the start address and 192.168.1.128 as the end address,

then give router 2 192.68.1.129 as its start address and 192.168.1.254 as its end address. then they can both serve addresses in the same network, from independent DHCP pools.
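
An added example, not part of the thread: a small Python check that two DHCP pools sharing one subnet, as in the split-scope idea above, stay inside the subnet, do not overlap, and do not lease a router's own address. The plan values are constructed from the ranges mentioned in the thread on 192.168.1.0/24; the function name and the routers' own addresses are assumptions.

```python
import ipaddress
from itertools import combinations


def check_split_dhcp(subnet, pools, reserved=()):
    """Return a list of problems with DHCP pools meant to share one subnet.

    pools    -- {server name: (first address, last address)}
    reserved -- static addresses (e.g. each router's LAN IP) no pool may lease
    """
    net = ipaddress.ip_network(subnet)
    never_lease = [net.network_address, net.broadcast_address]
    never_lease += [ipaddress.ip_address(a) for a in reserved]
    problems, ranges = [], {}
    for name, (first, last) in pools.items():
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if lo > hi:
            problems.append(f"{name}: {lo} is after {hi}")
            continue
        ranges[name] = (lo, hi)
        # Both ends of the pool must be inside the shared subnet.
        problems += [f"{name}: {a} is outside {net}" for a in (lo, hi) if a not in net]
        # A pool must not hand out the network, broadcast or a static address.
        problems += [f"{name}: pool covers {a}" for a in never_lease if lo <= a <= hi]
    # Two servers leasing the same address leads to IP conflicts on the LAN.
    for (a, (alo, ahi)), (b, (blo, bhi)) in combinations(ranges.items(), 2):
        if alo <= bhi and blo <= ahi:
            problems.append(f"{a} and {b} overlap at {max(alo, blo)}-{min(ahi, bhi)}")
    return problems


# Constructed plan: two pools on 192.168.1.0/24, one per router.
PLAN = {"router1": ("192.168.1.2", "192.168.1.128"),
        "router2": ("192.168.1.129", "192.168.1.254")}

if __name__ == "__main__":
    # Router addresses .1 and .130 are assumptions for illustration.
    for issue in check_split_dhcp("192.168.1.0/24", PLAN,
                                  reserved=["192.168.1.1", "192.168.1.130"]):
        print(issue)
```

With the assumed router addresses, the check reports that router 2's pool would lease 192.168.1.130, so that router's LAN address would need to be excluded from the pool or moved outside it.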
 