vpn client connects, but nothing routes through it

Discussion in 'Tomato Firmware' started by Psyklopz, Aug 12, 2017.

  1. Psyklopz

    Psyklopz Serious Server Member


    I think likely I have set up the router wrong, but here's the situation:

    1) I set up a VPN client connection to PIA using their guide (https://www.privateinternetaccess.com/pages/client-support/tomato-vpn)

    2) I know the connection works. If I ssh into the router, while the VPN client has started, I can run:
    wget -qO- http://ipecho.net/plain ; echo

    This gets my external IP address, and it's not the one provided by my ISP. So from the router, the VPN client is working.
    (If I stop the client, and re-run the wget command, I get a different IP address)

    3) I connect to the router over wifi on my tablet.

    4) My external IP on the tablet is still my ISP provided one.

    I conclude from this that although the *router* is operating over the VPN, anything connected to it is not routing through the VPN client.

    Some notable settings:
    Running Toastman Tomato Firmware v1.28.7483 MIPSR2-Toastman-RT K26 VPN
    [it's an older version, but it's small enough to fit on the router I'm using]

    This router is actually acting like a switch, I think. My ISP-provided modem/router combo is running the DHCP server. That device is at

    So my Tomato router is running at

    Under Basic > WAN I have it set to 'Disabled', and 'Use WAN Port for LAN' is enabled.
    Other than that, in the LAN section:
    Router IP Address:
    Default Gateway:
    DNS servers: /

    My suspicion is I haven't configured my Tomato router as a switch/repeater correctly, so connections coming into it actually immediately route to my ISP's modem/router. I actually have always set up routers this way, which always felt strange. I am trying to avoid double-NAT which is why I'm letting the ISP router do DHCP, but I may not know what I'm doing :) I have always thought that I need to keep the ISP router as the "main" router since it's the one connecting to the internet, but I may be totally wrong on that,

    Thanks for reading.
  2. Psyklopz

    Psyklopz Serious Server Member

    Got it working...

    I ended up putting the VPN'ed router on a subnet (

    [configured at Basic > Network, WAN/Internet]:
    So, the way it works, its WAN address is static at, with its gateway at [which is the IP address of my ISP's router, which is running DHCP for the 192.168.2.x subnet]

    Then its LAN address is, and it's running a DHCP server for the 192.168.1.x subnet.

    This isolates everything connected to it to this new subnet-- and everything connected to it goes through the VPN client.

    Now, this is what I meant before about not wanting to "double-NAT". It's possible that I don't truly understand the meaning of that term, but I know it's not a good thing.

    I figured the best configuration for a home network was to have all devices on the same subnet-- the one provided by the "main" gateway, whatever that happens to be (in my case, it's the piece of junk the ISP gave me). I know of course I could go from my crappy ISP gateway straight into a Tomato router on a different subnet and have everything connect to the Tomato router.

    Is that actually a correct/good configuration? In my mind, the ideal world would have a Tomato router as my main Gateway, but obviously, it can't make the Fibre connection to the internet my ISP's modem/router can.

    So, to boil this all down-- is it possible to have a Tomato router as the "main" router on a network (running DHCP and all), and have the ISP modem/router act as another connected device to the Tomato router? Would everything still get internet that way? What if I then connected devices to the ISP router (because it has extra ethernet ports I'd like to use). Would those devices still be able to see everything else on the network?

    This post...


    ...seems to describe the situation I just discussed. So, have I been doing it wrong all these years? Perhaps I need to put the ISP modem/router in bridge mode, and just have any other router on the network act as the main Gateway?

    Last edited: Aug 13, 2017
  3. Sean B.

    Sean B. LI Guru Member

    Yup, you've been doing it wrong.. you've been double NATing yourself the entire time :) . What you called your "outside" IP of is a local-only "inside" address and cannot be routed globally ( routers on the "internet" side will drop the packets, as the destination and source IPs would be invalid ). That IP is coming from the router side of your router/modem combo, no different than if you stacked another tomato router onto the LAN side of your current tomato router. The router/modem combo must be put into bridge mode in order for the tomato router to have proper routing and filtering control.

    Or, what I would recommend over bridging your ISP's unit, is to just purchase your own cable modem. High quality non router combo, modem only units can be purchased anywhere between $40 - $80 and are often much more stable and consistent in their performance than ISP leased router/modem combos. The purchase cost is often recouped within the first year via not paying the equipment lease fee most ISPs charge monthly for their unit.
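The two checks made in this thread (is the address on the router's "WAN" side really an inside address, and does a LAN client see the same public IP as the router with the VPN up) can be scripted. The following is an added example, not code from the thread or from Tomato; the three observed addresses are constructed sample values and the `diagnose` function and its finding labels are this example's own.

```python
import ipaddress

# Constructed sample observations (not from the thread). In practice you would
# collect them the way the original poster did: the router's WAN-side address
# from the router config, and the public IP as seen from the router and from
# a LAN client (e.g. wget -qO- http://ipecho.net/plain on each).
SAMPLE = {
    "router_wan": "192.168.2.1",   # address the Tomato box sees on its "WAN" side
    "router_public": "1.2.3.4",    # public IP seen from the router with the VPN client up
    "client_public": "5.6.7.8",    # public IP seen from a tablet on the router's LAN
    "isp_public": "5.6.7.8",       # public IP seen with the VPN client stopped
}


def is_inside_address(ip: str) -> bool:
    """True if ip is not globally routable.

    Covers RFC 1918 space (10/8, 172.16/12, 192.168/16), CGNAT shared space
    (100.64/10, common on ISP gateways), link-local and loopback. Seeing such an
    address on a router's WAN side means an upstream device is NATing for it.
    """
    return not ipaddress.ip_address(ip).is_global


def diagnose(router_wan: str, router_public: str,
             client_public: str, isp_public: str) -> list:
    """Classify the situation from the thread into named findings.

    Returns a list of labels (this example's own vocabulary):
      double-nat            - the router's WAN address is an inside address
      client-bypasses-vpn   - a LAN client exits via a different address than
                              the router itself does with the VPN up
      client-uses-isp-path  - the client's exit address is the plain ISP one
      ok                    - nothing suspicious
    """
    findings = []
    if is_inside_address(router_wan):
        findings.append("double-nat")
    if client_public != router_public:
        findings.append("client-bypasses-vpn")
        if client_public == isp_public:
            findings.append("client-uses-isp-path")
    return findings or ["ok"]


if __name__ == "__main__":
    for label, ip in SAMPLE.items():
        kind = "inside" if is_inside_address(ip) else "global"
        print(f"{label:14} {ip:16} {kind}")
    print("findings:", diagnose(**SAMPLE))
```

The `double-nat` finding corresponds exactly to Sean B.'s observation: an address such as 192.168.2.x on the WAN side cannot be the real outside IP, so the modem/router combo is still routing (and NATing) in front of the Tomato box. The `client-bypasses-vpn` finding is the original poster's symptom from steps 2 and 4: the router exits via the VPN, but the client's traffic never traverses it.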
  4. Psyklopz

    Psyklopz Serious Server Member

    Awesome, thanks for the confirmation. Now to reconfigure my network :)