Router for VPN and an Open SSID?

Soldato | Joined: 5 Mar 2007 | Posts: 2,802 | Location: Macclesfield
Hello,

My Sky deal is up and although I've been happy with the Broadband 65/19 speeds I'm thinking of joining Virgin. However, I know Virgin's WiFi is abysmal so I'm toying with the idea of getting a decent Router; the Sky Q router has been fine. I'd like to set up a couple of SSIDs on my Home network, one running Private Internet Access (VPN) and one open. I assume if I do this I can pick what devices connect to which.

I'd get the 350meg with Virgin, my house is more or less fully wired, although phones, tablets etc. are on WiFi.

Any tips on which router I should go for, as you can tell I'm no expert but am comfortable flashing the router if required.

Cheers
 
Soldato | Joined: 18 Oct 2002 | Posts: 3,512 | Location: UK
Are you tied to a one box solution? I can tell you how I would (and indeed do) do this:

Separate routing, modem and wifi duties between a low powered PC running pfSense, the Virgin superhub in modem mode and Ubiquiti Access Points. You wouldn't need to have separate SSIDs to have different devices routed to VPN or an open connection. On pfSense you would ensure each device you cared about running behind a VPN was reserved its own IP address. You'd then take these IP addresses and create an alias, say 'VPN devices'. You'd have two gateways on your pfSense, one for the straight Virgin connection and one for your PIA over the Virgin. You create a firewall rule up top that says route 'VPN devices' via the PIA gateway and the default rule below that will route anything not matching that to the open Virgin connection.

If you want to separate out the traffic, the UAPs will support up to 4 SSIDs. You can tag each as a VLAN and the pfSense router will have its own DHCP server acting on the tagged VLAN and you can create block or allow rules between the VLANs to segregate or integrate traffic as you need. For example I have a 'Guest' SSID, it is tagged as VLAN #2 and the pfSense box allocates via DHCP addresses in the 192.168.10.x range and the firewall rules block traffic to the 192.168.1.x range which my network uses. There is a firewall rule that routes VLAN traffic out via the non-VPN gateway and additionally I have the UAPs rate limit traffic to 5Mbps so my guests can't saturate my bandwidth.

It's not cheap though unless you have an old PC you can use and throw in a NIC or parts you can reuse. A micro PC with dual+ NICs, small SSD and 4Gb RAM will run to about £250-£300 and a UAP is about £80.
You can do this with one box solutions and custom firmware I believe and I'm sure someone will be along to offer a good solution. Just bear in mind that nearly all consumer routers will not have anywhere near the horsepower to saturate your Virgin connection running a VPN.
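
The first-match policy routing described in the post above, as a simplified Python model added here (not part of the original post and not pfSense's own code). The subnets follow the post; the reserved addresses, host names and lease table are constructed, and `leaking_devices` is a hypothetical check for a VPN device that has lost its reserved address and silently falls through to the default gateway.

```python
import ipaddress

# Subnets from the post: main LAN 192.168.1.x, guest VLAN 192.168.10.x.
LAN = ipaddress.ip_network("192.168.1.0/24")
GUEST = ipaddress.ip_network("192.168.10.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")
# Constructed reserved addresses standing in for the 'VPN devices' alias.
VPN_DEVICES = {ipaddress.ip_address("192.168.1.50"),
               ipaddress.ip_address("192.168.1.51")}

# Ordered rules, first match wins: (name, source, destination, action).
# The action is either "block" or the gateway the traffic leaves by.
RULES = [
    ("guest-to-lan", GUEST, LAN, "block"),      # keep guests off the LAN
    ("guest-out", GUEST, ANY, "WAN"),           # guests use the non-VPN gateway
    ("vpn-devices", VPN_DEVICES, ANY, "PIA"),   # alias goes out via the VPN
    ("default", ANY, ANY, "WAN"),               # everything else, straight WAN
]

def decide(src, dst, rules=RULES):
    """Return (rule name, action) for the first rule matching src -> dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, source, dest, action in rules:
        if s in source and d in dest:
            return name, action
    return "implicit-deny", "block"

INTERNET_HOST = "203.0.113.10"  # constructed destination (documentation range)

def leaking_devices(leases, vpn_hosts, rules=RULES):
    """Hosts meant for the VPN whose current address would not exit via PIA."""
    return sorted(h for h in vpn_hosts
                  if decide(leases[h], INTERNET_HOST, rules)[1] != "PIA")

# Constructed lease table: 'phone' has drifted off its reserved address.
LEASES = {"media-box": "192.168.1.50", "phone": "192.168.1.137",
          "guest-laptop": "192.168.10.23"}

if __name__ == "__main__":
    for host, ip in LEASES.items():
        print(host, ip, decide(ip, INTERNET_HOST))
    print("guest -> LAN:", decide(LEASES["guest-laptop"], "192.168.1.5"))
    print("not on VPN:", leaking_devices(LEASES, ["media-box", "phone"]))
```

Moving the `default` rule to the top of the list makes every device match it first, which is why the alias rule has to sit above it.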
 
Soldato | OP | Joined: 5 Mar 2007 | Posts: 2,802 | Location: Macclesfield
Thanks for the advice BigT. I'm only streaming over the VPN so I guess 7-10meg will be plenty? I'll research what you've said when I get time (fairly new to this) but I'm hoping a £150-£200 router will do what I require.

Thanks again,
 
Soldato | Joined: 18 Oct 2002 | Posts: 3,512 | Location: UK
7-10Mbps behind a VPN can be done on consumer routers. I wouldn't know how to configure them but casual reading over the years suggests things like DD-WRT and Tomato firmware can achieve what you want.

In your research just be mindful of how you will do the policy-based routing (the bit that says these devices via VPN and those not). What you don't want is a blanket 'everything behind the VPN', which might be all some routers can do, as that causes all sorts of problems. iPlayer stops working on devices you want it on, sites stop being served to you because they think you're somewhere else, you get the wrong eCommerce stores, Google Maps goes all wacky etc.
 
Soldato | Joined: 18 Oct 2002 | Posts: 3,512 | Location: UK
Yeah I took open to mean straight WAN connection not behind a VPN rather than an Open SSID with no password.
 
Soldato | OP | Joined: 5 Mar 2007 | Posts: 2,802 | Location: Macclesfield
I'm switching to Virgin BBand on Friday and would like a router that meets my needs before then... the more I read the less I know!!! Anyone recommend a Router that supports VPN (PIA)? I'd like to have the option to log into at least two WiFis, one via a VPN and one behind a password, and ideally the same wired.

Thanks,
 
Caporegime | Joined: 18 Oct 2002 | Posts: 26,083
If you want one box then the Mikrotik RB4011 would probably do it. I can't vouch for the Wi-Fi performance and I've had issues with Mikrotik wireless performance before so I won't go near it, but someone else who posts here has one and says it's good.
 
Soldato | Joined: 18 Oct 2002 | Posts: 3,512 | Location: UK

> Thanks for the response, would a Netgear, ASUS or other mainstream router not meet my requirements?

Not without flashing with a custom firmware as a minimum I suspect. However I can’t think of anyone who posts on here regularly who has such a setup to recommend. Either we have quasi-enterprise type kit or mainstream but don’t use anything in the sort of advanced configuration you’re after. I hope someone hops on who does have a setup like you desire who can offer their experiences.

You may get a wider range of responses on consumer routers here: https://www.snbforums.com/forums/asus-wireless.37/
 
Soldato | OP | Joined: 5 Mar 2007 | Posts: 2,802 | Location: Macclesfield

Thanks for the link, must admit I'm a bit shocked a commercial router can't sustain a VPN and a normal WiFi / LAN connection. I can't be the only person who wants this (with limited Network experience). Will keep researching.

Any more advice appreciated.
 
Soldato | Joined: 3 May 2004 | Posts: 3,011 | Location: Scotland

Answered here https://forums.overclockers.co.uk/posts/32215693 the other day, you won't find a better mainstream commercial router for VPN.

I have the rt-ac86u and use it exactly as you want to, though not with everything behind the router, just some boxes and my phone.

Just done a speed test and my 200Mbps Virgin line still gives me 50 through the VPN so not bad.

I looked into it a lot and got this router as it's multi core and doesn't max out the CPU with the VPN encryption. Asus also great with the Merlin firmware.
You can add/remove devices that you want to use the VPN in 30 seconds.

They may have other models out now that are even better. I didn't have time for the learning curve of the pfSense and Mikrotik boxes though they did look interesting.
 
Soldato | Joined: 3 May 2004 | Posts: 3,011 | Location: Scotland
Yes, there is a list where you can filter by device if you want it to use VPN or not.

Most VPN providers that support OpenVPN have a guide for setting up VPN on Asus routers.
 