Dave_Anderson
New Around Here
Hi all, first post here so please let me know if this is not posted in the right place.
My network is a bit of an odd duck in that there are three layers of NAT on my main network. I'm not sure if this is relevant, mentioning it just in case. Here is what that looks like:
My primary router is an RT-AX88U Pro running Merlin 3004.388.8_2. I am running in AIMESH mode with a second router extending my coverage footprint; this is an RT-AC68U running 3.0.0.4.386.14_2. I seamlessly connect to and switch between these using my main network SSID.
Regarding NAT, the RT-AX88U connects to a router that is integrated into a point-to-point antenna on a tree behind the house. This may not be the exact model (I can find out if it may be relevant) but it's essentially this: https://mikrotik.com/product/RBLHG-5nD This in turn connects to a router on a distant ridge that connects the ISP's towers together. Each of these is one NAT layer. "What's my IP" reports this last address on their tower. I have occasionally had issues with employers setting up my access to their VPNs, but otherwise this has all been transparent for many years.
On to the problem at hand:
I am in the US. I have Apple TV units that I want to be able to easily switch from operating as a peer with all other devices on the main AIMESH network to operating as NordVPN clients, for example using a Canada location. One reason for exploring this approach is that I quickly found that even if I set the Apple TV to use the NordVPN DNS it still picks up DNS from the router, and I am unable to see a particular app that I need in the App Store (specifically, "CBC Gem") which should be available once I successfully appear as a user in Canada.
I have a third router, an RT-AX55, which is running ASUS FW 3.0.0.4.386_52332-gfbf3b9c though it did have Merlin RT-AX55_combo_3.0.0.4_386_51598-ge383e0a_puresqubi.w firmware. However, it became wedged during my experimentation and I had to perform a hard reset; now I am unable to load the Merlin FW at this time and there is no updated FW for this router.
My thinking was to set up this AX-55 as a wireless router, another network off of the main network with a different SSID, e.g. *_VPN. This is yet another layer of NAT, and I tried several different setups. The first series of attempts used a WiFi uplink; the second series connected to the main router via ethernet cable for the uplink. I tried all combinations of DNS Rebind enable/disable, DNSSEC enable/disable, and Auto DoH Auto/on/off. I'm not sure what else might coerce the AX-55 to be the last word on DNS resolution for the VPN network. In wireless DHCP settings I do have the NordVPN DNS servers configured.
It may be obvious to some from reading the above that I have no PhD in networking. Usually my knowledge is enough to get me by but I feel stuck.
My current theory is that either I am doing something very wrong or the AX-55 FW is too old to support this properly.
I would be grateful for any help either correcting my mistakes or identifying a Merlin-supported router model that supports this and is likely to continue to be supported by Merlin.
I can run any traces or config export on the routers, etc. if it will help.