Help: AC87U as OpenVPN client for home VLANs/subnets

[blinkyleds]

Greetings,

I'm pulling my hair out and could use some pointers... Thanks in advance!

I'd been using the OpenVPN client on the AC87U with Asuswrt-Merlin to connect to a commercial VPN provider for many months, and everything was great! Traffic for my home devices went thru the one VPN connection, and I was able to use the Policy Rules to exclude certain traffic (e.g. VoIP). My network was very simple:

ISP modem
-> AC87U (OpenVPN client, router, wireless AP, 192.168.2.1)

-> Netgear GS108Tv2 "smart" switch (192.168.2.8)

-> PC & other devices (192.168.2.0/24)​

I've been reading about VLANs/subnetting on SNB and this weekend I decided to set them up with a Cisco SG300 switch in layer-3 mode. Now my network is like this:

ISP modem
-> AC87U (OpenVPN client, router, 192.168.2.1)

-> Cisco SG300 L3 switch (192.168.2.254, VLANs 10.0.10.254, 10.0.13.254)

-> PC & other devices, AC66U in wireless AP mode (10.0.10.0/24, 10.0.13.0/24)​

I've static routes set up on the AC87U that goes:

10.0.10.0/24 -> 192.168.2.254
10.0.13.0/24 -> 192.168.2.254​

So my VLANs work and my PC & devices can access the Internet.

But with this new setup, my PC & other devices simply wouldn't work with the OpenVPN connection. When I've the AC87U OpenVPN client connected, with the route all traffic through VPN option enabled, my PC can't connect to the Internet at all. Traceroute from the PC starts at the Cisco switch (10.0.10.254) and stops at the AC87U (192.168.2.1), not going out to the VPN provider.

Curiously, the L2TP client on the AC87U works fine connecting to the same VPN provider! But with the L2TP client, I lose the Policy Rules that the OpenVPN client offers.

Is this a limitation of the AC87U hardware/firmware (this is consumer gear afterall), that it isn't VLAN aware? Or is this a routing problem (I'm a noob in routing)?

I'm running Asuswrt-Merlin 378.55 btw.