Is it Possible to use diff subnet's gateway with static routes?

Discussion in 'Tomato Firmware' started by Emmet, Mar 11, 2014.

  1. Emmet

    Emmet Reformed Router Member

    Please excuse me if my title to this thread is not using proper networking grammar/language. I am self-taught by only reading networking stuff online. I will try my best to explain the situation with the language I think I know.

    Router1 WAN gets real-world IP address from Cable Modem.
    Router1 LAN is:

    Router2 WAN is set to PPTP using VPN Hosting Provider
    Router2 LAN is:

    Router2 WAN port is plugged into Router1 LAN port.

    I have success when a computer is plugged into Router2 LAN port. Their outside IP is of the VPN hosting Provider and not the ISP cable modem. yay! (I only got this to work after getting help on these forums here).

    Is it possible to use static routes on either (or both?) Router1 and Router2 so that a computer connected to Router1 LAN port can utilize the PPTP VPN from Router2? I hope this can be done if a static route is put in place, AND I configure the network interface's gateway to on client/computer who is connected to Router1's LAN port. I'm not sure if this is even possible, but I am hoping it is.

    I was thinking I could use a static route on Router1, but do not really know the syntax to do this. Router1's static route configuration asks for: Network/Host IP, Netmask, Gateway, Metric, and Interface.


    I'm not sure what to put in the fields to make this work. Or even if what I am trying to do is possible.

    Not sure if this is relevant, but Router1 is an Asus RT66NU using the standard Asus firmware. Router2 is a Buffalo router using TomatoUSB.

    I am also not sure if any static route would need to be set on Router2.

    NOTE: I understand there are likely many many ways to configure what I am trying to accomplish. I know Router2 could be set up to use PPTP on the LAN. The reason I have chosen to set up PPTP on the WAN is because during my testing/configuration, I found that when the PPTP link goes down, network traffic defaulted to my ISP cable modem IP address. During testing when I configure PPTP on WAN, if the link goes down then there is no network access at all, and that is the behavior I prefer.

    Please note I truly appreciate the time people on here take to read/understand/reply to my technical questions. I plan to write all my information/configuration up on a blog in the near future to help others who want to setup a similar network configuration. I always give credit to those who help me.
  2. eibgrad

    eibgrad Network Guru Member

    Yes, it can be done. I used to do it myself some time back when I had a spare router that only had a PPTP VPN available on the WAN, no LAN option. But it was tricky.

    Obviously you need to open the firewall on the WAN side to let traffic into the second router. But you typically have to add a NAT rule for the new source network as well since many routers, by default, will only NAT the network behind the router! So it can leave many people stumped as to why it’s not working if they merely adjust the firewall.

    So it’s pretty simple once you realize what’s going on. The router really doesn’t care where you enter from, WAN or LAN, in terms of access to services. It’s really just a matter of setting up the firewall and NAT appropriately.

    As far as static routes, it really depends on the nature of the VPN. For example, in my case the PPTP client connection was to another home using a known network (let’s assume my local network is 192.168.1.x, and the other home is 192.168.2.x). I had to add a static route to the primary network of 192.168.1.x that pointed to the WAN IP of the VPN router as the gateway to the 192.168.2.x network:

    Subnet Mask:
    Gateway: <wan-ip-of-vpn-router>

    But if your VPN is to some VPN provider and you’re only using it as a default gateway for certain clients, then a static route is not the answer. You need to change the default gateway of those clients to the WAN IP of the VPN router for this to work. You can either do that manually, or use policy-based routing on the primary router. Of course, if the primary router is running stock firmware, that typically limits your options.

    All that said, it shouldn’t be necessary to use the PPTP WAN option if the only reason is to prevent access to the WAN should the VPN fail. That’s entirely controllable using firewall rules on the primary router (you just block certain IPs from being allowed to FORWARD over the WAN). Or you can configure the VPN router’s firewall so that traffic is never allowed to FORWARD both to and from the br0 (default bridge) interface.

    IOW, it’s just about firewall management, nothing more to it.

    I find the PPTP LAN option generally better if you can pull it off since it keeps everything on the same network. And keeping everything on the same network greatly simplifies access between local devices. It also means that network discovery works. I would only use PPTP WAN in very special cases, or if I just didn't have any other option (as was the case for me).
  3. Emmet

    Emmet Reformed Router Member

    I admit I have a hard time understanding a lot of the language here.

    With TomatoUSB, is it possible to configure the VPN router firewall "so that traffic is never allowed to FORWARD both to and from the br0 (default bridge) interface" using the Web GUI? In the "Firewall" section, I don't see anything remotely close to doing what you describe. Here is what the Web GUI firewall looks like:

    (note if image disappears it is hosted at )
    Last edited: Mar 14, 2014
  4. eibgrad

    eibgrad Network Guru Member

    For this kind of work, you need to use the command line (telnet, ssh) and iptables. Test it there first, and if it works, add it to the firewall script of the VPN router.

    iptables -I FORWARD -i br0 -o br0 -j DROP
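As an added example (not code from the thread, from Tomato, or from either poster), here is a firewall-script fragment for Router2 that combines eibgrad's post #2 advice (open the firewall for the upstream network and add a NAT rule for that new source network) with the post #4 kill-switch rule, using the vlan1 physical WAN interface Emmet found on his Buffalo; it also drops hairpinned traffic from the upstream side, which goes slightly beyond the thread's one rule. The interface names, the 192.168.1.0/24 upstream subnet and ppp0 as the PPTP tunnel interface are assumptions, not values given in the thread.

```shell
#!/bin/sh
# Added example: Tomato-style firewall-script fragment for the VPN router
# (Router2). Order of the FORWARD rules does not matter here because each
# matches a different in/out interface pair.
# Assumed values (placeholders, not from the thread): ppp0 as the PPTP tunnel
# interface and 192.168.1.0/24 as Router1's LAN.
LAN_IF=${LAN_IF:-br0}             # Router2 LAN bridge
WAN_IF=${WAN_IF:-vlan1}           # Router2 physical WAN port (Emmet: vlan1)
VPN_IF=${VPN_IF:-ppp0}            # PPTP tunnel interface (assumed name)
UPSTREAM_NET=${UPSTREAM_NET:-192.168.1.0/24}   # Router1 LAN (constructed)
IPT=${IPT:-iptables}              # set IPT=echo to preview without applying

vpn_firewall_rules() {
    # Kill switch: never forward out the physical WAN port, whether the packet
    # came from the local LAN (the post #4 rule) or hairpins back from the
    # upstream side, so a down tunnel cannot fall back to the ISP path.
    $IPT -I FORWARD -i "$LAN_IF" -o "$WAN_IF" -j DROP
    $IPT -I FORWARD -i "$WAN_IF" -o "$WAN_IF" -j DROP
    # Open the firewall on the WAN side: Router1 LAN clients whose gateway is
    # Router2's WAN IP may enter the tunnel, and their replies may come back.
    $IPT -I FORWARD -i "$WAN_IF" -s "$UPSTREAM_NET" -o "$VPN_IF" -j ACCEPT
    $IPT -I FORWARD -i "$VPN_IF" -o "$WAN_IF" -d "$UPSTREAM_NET" \
         -m state --state ESTABLISHED,RELATED -j ACCEPT
    # NAT the extra source network; stock rules often masquerade only br0's subnet.
    $IPT -t nat -I POSTROUTING -s "$UPSTREAM_NET" -o "$VPN_IF" -j MASQUERADE
}

# Number of rules the script would install, taken from a preview run
# (subshell so the IPT override does not leak into the caller).
rule_count() {
    (IPT=echo; vpn_firewall_rules) | wc -l | tr -d ' '
}

# Apply only when explicitly asked, e.g. APPLY=1 sh thisfile.sh on the router;
# IPT=echo APPLY=1 sh thisfile.sh prints the commands instead.
if [ "${APPLY:-0}" = 1 ]; then
    vpn_firewall_rules
fi
```

Test the preview output on the router first (IPT=echo), then paste the rules into the Tomato firewall script as eibgrad suggests.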
  5. Emmet

    Emmet Reformed Router Member

    eibgrad, I think I actually figured it out before reading your post above!!!! I found this thread which talks about the same (almost the same) iptables command:


    Specifically, user psko posts the following to the thread above:
    For information in case anyone reads this thread in the future, the way I test to see if it's actually working as intended is by keeping 2 tabs open on my web browser. Tab1 is on the Tomato Web GUI admin page. Tab2 is on I make sure I first do a Google search of "what is my ip" so I get the result page loaded. The Google search result page tells me what my IP is. Then I go to tab1 in my browser, and tell Tomato to reboot. I then immediately go to tab2 and hit F5 to refresh the page. I keep hitting F5 every 2-3 seconds. At some point during the boot up process, the Google page will refresh and tell me my IP.

    Before making the iptables rule, I would see Google's search result page showing my ISP's external IP address. Only after 20 seconds would the VPN IP address then start showing up. This shows that there is a time period during the router bootup that it was using my ISP address instead of the VPN. But now after adding the iptables, I only ever see the VPN external IP address during this test process.

    Last note: eibgrad's iptables command has -o br0 while the ones I'm using are -o vlan1. I only tested -o vlan1 after testing that -o vlan2 did not work for me. I am testing this on a Buffalo 54g router which is quite old. I think if I had my PPTP connection set up on the LAN interface then I would need to use -o br0. But because my PPTP connection is on the WAN interface, I need to use -o vlan1.

    Anyhow it appears to work now. Thanks eibgrad for your reply! You're the mother-fn-man on these forums! You've answered my questions so many times. I owe you a case of beer :)
  6. eibgrad

    eibgrad Network Guru Member

    So how did you finally configure the routers (physically)? WAN to LAN, or LAN to LAN? That determines the correct network interfaces to use in the iptables command. I used -i br0 -o br0 assuming it was LAN to LAN.

    Also, the command only belongs in the firewall script.