Hi, I am using my AC3200 running latest 384.4 beta as a secondary router, in router mode, so I can use goodies like guest network, IPv6 tunnel broker and OpenVPN server not available in access point mode. Here is my topology:
Fios router to Internet, 192.168.0.1/24, does DHCP.
AC3200 connected via LAN port, 192.168.0.2/24, DHCP server off, UPnP off. Must be on same subnet so LAN discovery works for all devices on my LAN. Do not want separate subnet for AC3200.
WAN port on AC3200 not used.
OpenVPN server running on its own subnet 192.168.3.0/24. Static route in FIOS router indicating that 192.168.3.x is reachable via 192.168.0.2. Static route on AC3200 to 0.0.0.0 br0 gateway 192.168.0.1 for internet access from ac3200.
Also port forwarding of UDP 1194 from FIOS router to AC3200. So I can log into OpenVPN server. Now to the question:
I do not want to set up routes on each LAN PC to the VPN subnet. Too much trouble because many Android and other devices such as printers. Now the issue is that traffic from VPN to 192.168.0.x goes directly from ac3200 to LAN. Traffic from 192.168.0.x back to VPN is routed via 192.168.0.1 before arriving back to VPN @ 192.168.3.x. This is a problem because HTTP does not like it if packets do not travel back the same way they came. So cannot access some hosts on the LAN from VPN clients!
How to solve it? I would like a rule saying all traffic from 192.168.3.x to 192.168.0.y where y>2 goes via 192.168.0.1.
If I do brute force and make a route forcing all LAN traffic from AC3200 to go via 192.168.0.1 the VPN clients are happy but on my LAN I can no longer access the web GUI at 192.168.0.2 because packets go straight from LAN to 192.168.0.2 but back via 192.168.0.1. So the route I want needs only apply to VPN subnets.
Hope I explained it clearly. The topology is non-negotiable because the ac3200 is centrally located to serve the house whereas the FIOS quantum router is in the basement where the internet comes in.
BTW all of this used to work when I was on 380.x and my main router was a Fios Rev.I Actiontec. Now I upgraded to 384.4 and the router to a G1100 quantum router. Only explanation I can think of is that the actiontec sent out ICMP routing broadcasts to everyone saying 192.168.3.x is reachable via 192.168.0.2 directly. Maybe the G1100 does not do it. So I need to explicitly address the issue.
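The rule the post asks for ("all traffic from 192.168.3.x to 192.168.0.y goes via 192.168.0.1") is source-based policy routing, which Linux does with a separate routing table plus an `ip rule` that selects it only for packets whose source is the VPN subnet. The script below is an added example, not the poster's configuration or anything shipped by Asuswrt-Merlin; the addresses come from the post, while the table number (100), the rule priority (100) and the script layout are my own choices. Because the selector matches on the VPN source only, LAN hosts talking to the router's GUI at 192.168.0.2 never hit the rule, and packets from VPN clients to 192.168.0.2 itself are still delivered locally (the kernel's `local` table is consulted before any custom rule). The underlying problem is asymmetric routing: the forward path (AC3200 straight onto br0) and the return path (via the Fios router) differ, so any stateful firewall or connection tracker in the middle sees only half of each TCP session and drops it; forcing both directions through 192.168.0.1 makes the flow symmetric. The generated commands are printed by default so they can be reviewed first, and only executed when the script is called with `apply` (it must then run as root on the router, for example from one of Asuswrt-Merlin's user-script hooks in /jffs/scripts such as `openvpn-event`, so it is reapplied when the tunnel comes up).

```shell
#!/bin/sh
# Added example: policy routing on the AC3200 so that packets FROM the OpenVPN
# subnet TO the LAN subnet leave via the Fios router (192.168.0.1) instead of
# going straight onto br0. Not the poster's config; addresses are from the post,
# table/priority numbers (100) are assumed values chosen for this example.

VPN_NET="192.168.3.0/24"   # OpenVPN server subnet (from the post)
LAN_NET="192.168.0.0/24"   # house LAN (from the post)
LAN_GW="192.168.0.1"       # Fios router (from the post)
LAN_IF="br0"               # AC3200 LAN bridge (from the post)
TABLE="100"                # assumed: dedicated routing table id
PRIO="100"                 # assumed: rule priority (must be > 0, the local table)

# Emit the commands as text so they can be reviewed or dry-run before applying.
vpn_policy_cmds() {
    cat <<EOF
ip route replace $LAN_NET via $LAN_GW dev $LAN_IF table $TABLE
ip rule del from $VPN_NET to $LAN_NET lookup $TABLE priority $PRIO 2>/dev/null
ip rule add from $VPN_NET to $LAN_NET lookup $TABLE priority $PRIO
ip route flush cache
EOF
}

# Commands that undo the policy (handy for testing from a VPN client).
vpn_policy_undo_cmds() {
    cat <<EOF
ip rule del from $VPN_NET to $LAN_NET lookup $TABLE priority $PRIO 2>/dev/null
ip route flush table $TABLE
ip route flush cache
EOF
}

# Returns 0 if the rule is currently installed (checks `ip rule show` output).
vpn_policy_applied() {
    ip rule show 2>/dev/null | grep -q "from $VPN_NET to $LAN_NET lookup $TABLE"
}

# Only act when explicitly asked; the default is a harmless dry-run print.
case "${1:-}" in
    apply)  vpn_policy_cmds | sh ;;
    undo)   vpn_policy_undo_cmds | sh ;;
    status) vpn_policy_applied && echo "policy rule present" || echo "policy rule absent" ;;
    "")     vpn_policy_cmds ;;
esac
```

Verify from a VPN client with `traceroute 192.168.0.50` (or any LAN host): the first hop should now be 192.168.0.1, and `ip rule show` on the AC3200 should list the `from 192.168.3.0/24 to 192.168.0.0/24 lookup 100` entry. The Fios router's static route for 192.168.3.0/24 via 192.168.0.2 is still required for the return path, and the UDP 1194 forward remains the only exposure to the Internet; this rule changes nothing about what is reachable, only which path the VPN-to-LAN packets take.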