In my home network, I am running two Wi-Fi routers:
- a Buffalo WHR-HP-G300N running DD-WRT v24-sp2 (07/24/13) std (192.168.1.2)
- a Linksys WRT320N running Shibby Tomato 1.28.0000 MIPSR2-121 K26 Max (192.168.1.3)
The Buffalo provides a 2.4 GHz Wi-Fi network, maintains the PPPoE connection over my ADSL line, provides DHCP address assignment (192.168.1.*) and has several devices connected to it (VoIP phone etc.).
The Linksys is connected to the Buffalo through a LAN connection - the WAN connection is disabled and the WAN port is used as LAN. It provides a 5 GHz Wi-Fi network, and the devices supporting Gigabit LAN (home server, NAS) are connected to it via LAN, since the Linksys also does Gigabit switching.
I recently subscribed to a VPN provider called Mullvad to enhance general privacy on outgoing connections / bypass geolocation. Shibby Tomato is configured to establish the VPN connection and, as far as I can tell, the connection is up and running - at least the logs don't indicate that anything goes wrong, and I have a TUN (tun11) device in the routing tables etc.
I want to achieve the following:
- The Linksys Wi-Fi network provides access to the internet over the VPN connection
- The Buffalo router provides access to the non-VPN internet link
- On the Linksys, some devices on certain LAN ports should route all their internet traffic over the VPN
- On the Linksys, some devices should route their traffic over the "normal" DSL connection
- On the Buffalo, all devices connected to the LAN ports can use the regular DSL connection (no VPN needed for the LAN ports)
- All devices should be able to connect to each other over the internal network (192.168.1.*)
Right now, no traffic is going out over the VPN. My assumption is that since the Buffalo router (192.168.1.2) assigns the addresses over DHCP, it also announces itself as the default gateway... No matter whether I turn on DHCP on the Linksys as well, anything that connects will get a default gateway of 192.168.1.2...
The routing table of the Linksys looks like this:
I have very limited knowledge of networks of this complexity, so I don't know what the best solution is - maybe using VLANs, maybe it involves a manual iptables config on the router; this is beyond my understanding. Or maybe what I wish to do cannot be done at all?
Edit - in response to the answer by Iszi:
I was wondering whether VLANs wouldn't allow this type of behaviour? Both DD-WRT and Shibby's Tomato allow setting up VLANs on a per-port basis. I could set up a private network for the Buffalo - distributing a DHCP address space of 192.168.1.50-100 and NATing these to the ADSL connection. All the traffic for that network could be tagged with a VLAN ID, e.g. VLAN1.
Then I could set up dual private networks on the Linksys, e.g. distributing a DHCP address space of 192.168.1.10-49 and tagging all the ports / interfaces that should connect with this as VLAN1 as well. From my limited understanding of the purpose of VLANs, they are supposed to support exactly this use case of networks distributed across different routers, making them be handled as IF on the same network, according to their VLAN tagging.
Then I would set up a second network, distributing a DHCP address space of 10.8.0.* and tagging all the traffic on the desired ports / interfaces with e.g. VLAN2...
If I can achieve setting up the VPN as the gateway for the 10.8.0.* / VLAN2 network and the PPPoE connection as the gateway for the 192.168.1.* / VLAN1 network, it basically would allow me to assign VPN access on a per-port / per-interface basis. So, again in theory, I could also set up a primary 5 GHz Wi-Fi connection routed into the 192.168.1.* network and a virtual wireless AP routed into the 10.8.0.* network...
What I don't understand is how - or if - it would be possible to allow access from VLAN1 to VLAN2 (or if that's impossible)... The other thing is that this is a purely theoretical consideration, since the necessary iptables setup is beyond my knowledge at this point. If somebody could outline the routing necessities or enlighten me IF and HOW this usage of VLANs makes sense, I would appreciate it.
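The per-device split the question asks for (some hosts behind the Linksys out via tun11, the rest via the DSL link, everything still reachable on 192.168.1.0/24) is normally done with policy routing rather than VLANs: mark packets from the chosen hosts in the mangle table, send marked packets to a second routing table whose default route is the tunnel, and leave everything else on the main table. The script below is an added example written for this page, not code from the question, from Tomato, or from Mullvad. It assumes the tunnel interface is tun11 (from the question), that the LAN bridge on the Linksys is br0, that the tunnel was brought up without redirecting the default route (Tomato's "Redirect Internet traffic" left off), and that the VPN-only hosts are the constructed addresses in VPN_CLIENTS. It only works for hosts that actually send their packets through the Linksys, so those hosts need 192.168.1.3 as their default gateway (static or via a DHCP reservation on the Buffalo); a host that keeps 192.168.1.2 as gateway never touches these rules. The second, lower-priority `prohibit` route is a fail-closed kill switch: when tun11 disappears the kernel drops the tunnel route and VPN-only hosts lose internet access instead of quietly leaking out over DSL.

```sh
#!/bin/sh
# Policy-based VPN routing for a Tomato/DD-WRT style Linux router.
# Added example for this page, not the questioner's or Tomato's code.
# Assumptions not given in the question: LAN bridge br0, VPN clients below (constructed),
# tunnel brought up without a default route in the main table.

VPN_IF="tun11"          # tunnel device named in the question
LAN_IF="br0"            # assumed LAN bridge name
LAN_NET="192.168.1.0/24"
VPN_TABLE="200"         # extra routing table for VPN-bound traffic
VPN_MARK="0x1"          # fwmark that selects that table
VPN_CLIENTS="192.168.1.10 192.168.1.11 192.168.1.20"   # constructed sample hosts

# run: execute a command, or print it instead when DRY_RUN=1 (preview off the router)
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# is_vpn_client IP -> exit 0 if IP is one of the VPN-only hosts, 1 otherwise
is_vpn_client() {
    for c in $VPN_CLIENTS; do
        [ "$c" = "$1" ] && return 0
    done
    return 1
}

apply_vpn_policy() {
    # 1. Second routing table: default via the tunnel, plus a fail-closed fallback.
    #    If tun11 goes away the kernel removes the dev route and only 'prohibit' is left.
    run ip route flush table "$VPN_TABLE"
    run ip route add default dev "$VPN_IF" table "$VPN_TABLE"
    run ip route add prohibit default table "$VPN_TABLE" metric 9999
    # LAN stays reachable for VPN hosts even when a packet is looked up in this table.
    run ip route add "$LAN_NET" dev "$LAN_IF" table "$VPN_TABLE"

    # 2. Mark packets from the chosen hosts. Traffic to the LAN itself is returned
    #    unmarked so host-to-host traffic keeps following the main table.
    run iptables -t mangle -N VPNMARK 2>/dev/null
    run iptables -t mangle -F VPNMARK
    run iptables -t mangle -A VPNMARK -d "$LAN_NET" -j RETURN
    for ip in $VPN_CLIENTS; do
        run iptables -t mangle -A VPNMARK -s "$ip" -j MARK --set-mark "$VPN_MARK"
    done
    run iptables -t mangle -D PREROUTING -i "$LAN_IF" -j VPNMARK 2>/dev/null
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -j VPNMARK

    # 3. Marked packets consult the VPN table before the main table (pref 32766).
    run ip rule del fwmark "$VPN_MARK" table "$VPN_TABLE" 2>/dev/null
    run ip rule add fwmark "$VPN_MARK" table "$VPN_TABLE" priority 100
    run ip route flush cache

    # 4. NAT on the tunnel so replies return to the router, and loose reverse-path
    #    filtering on the tunnel, since replies for marked flows arrive on tun11 while the
    #    main table would route the remote peer via the LAN/WAN side.
    run iptables -t nat -D POSTROUTING -o "$VPN_IF" -j MASQUERADE 2>/dev/null
    run iptables -t nat -A POSTROUTING -o "$VPN_IF" -j MASQUERADE
    run sh -c "echo 2 > /proc/sys/net/ipv4/conf/$VPN_IF/rp_filter"
}

# Usage: vpn-policy.sh preview   (print the commands)
#        vpn-policy.sh apply     (run them as root on the router)
case "${1:-}" in
    apply)   apply_vpn_policy ;;
    preview) DRY_RUN=1 apply_vpn_policy ;;
esac
```

Run `sh vpn-policy.sh preview` first to see exactly what would be applied, then `apply` from the router's firewall script and again whenever the tunnel comes back up (OpenVPN's `route-up` hook is the natural place), because the tunnel route in table 200 has to be re-added after tun11 is recreated. Unmarked hosts keep using the main table, whose default gateway is 192.168.1.2, so they reach the DSL link exactly as before; a Wi-Fi client can be moved onto the VPN simply by adding its address to VPN_CLIENTS, which gives the "per port / per interface" behaviour the question was hoping to get from VLANs without any VLAN tagging.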