Omada Setup with ExpressVPN Router
I just installed an Omada setup in my house with the following hardware and connected in the following order.
WAN -> ER605 -> Switch -> EAPs -> Hardwired Connections
I have a Linksys WRT3200ACM router with VPN Express installed on it that I would also like to run in this setup. Can anyone help me in my configuration? I've tried connecting the setup in the following orders but each time the ER605 disconnects from the setup. The goal is to have most of the traffic on the home network run through this VPN to encrypt the traffic. ExpressVPN offers split tunneling which I would like to keep intact if possible. The ExpressVPN firmware has no means of turning off DHCP that I am able to find. Any help would be greatly appreciated, thanks.
Tried so far.
WAN -> ER605 -> WRT3200ACM (LAN Port) -> Switch
WAN -> ER605 -> WRT3200ACM (WAN Port) -> Switch
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
@btx Really appreciate you digging into this the way you have for someone you don't even know.
I think they gave you some bad information because I bought this router exactly because they do support it and it is even shown on their site as being supported. We used this router in our old home where one subnet was all we needed. We now have a much bigger home and more IoT devices, cameras, streaming devices, etc. and that is why I am setting up an Omada system. As I get more into this it is clear like you have been saying a double NAT is not the way to go as it invokes many headaches, especially try to cross subnets. Like you said I think their firmware is base on DD-WRT because of the default name that shows up in the router. The one aspect I am trying to preserve by using ExpressVPN is they offer split tunneling. So if I have to drop one device off from the VPN it is quite easy and I don't have to take the whole network off the VPN.
- Copy Link
- Report Inappropriate Content
EDIT
- Copy Link
- Report Inappropriate Content
Here are the fundamental problems you have.
- The ExpressVPN firmware is made to be very easy to use but as a result is extremely limited. It can't do what you want to do, at least not through the GUI you are being provided.
- Using two routers is a complicated solution and you are still limited by the firmware of that device.
Here are a few of your options:
- Go back to using the WRT3200ACM and live with the limitations
- Replace the firmware on your router with full DD-WRT or OpenWRT as @btx suggests. This will give you the flexibility to do what you want. However, the cost is increased complexity. You will need to more knowledge and patience to configure it. There are plenty of guides out there if you do a search. That will give you an idea of what you would be getting into.
- Replace that both routers/gateways with something that does what you want.
I don't think trying to stuff the WRT3200ACM behind the ER605 is a practical solution.
- Copy Link
- Report Inappropriate Content
EDIT
- Copy Link
- Report Inappropriate Content
@btx I emailed ExpressVPN tech and they told me the DHCP cannot be turned off. Now I don't know about SSHing into it and doing it by command line. Also here are the protocols supported by ExpressVPN and it doesn't look like Wireguard is one of them.
- Copy Link
- Report Inappropriate Content
EDIT
- Copy Link
- Report Inappropriate Content
@Alex789 I am open to other solutions. My criteria would be the following.
- I want a VPN to encrypt all our traffic
- Split Tunneling so I can take clients on and off VPN through a browser or app interface
- Single NAT would be preferred as I am having issues in cross communicating even with ACL permit rules
- If I can get my setup up down to one router without spending a lot of money
Right now my set up goes like this:
ISP (AT&T Fiber 1G) -> ER605 (Wan Port) -> Linksys (Wan Port from ER605 Lan Port) -> Switch (from Linksys Lan Port)
The Linsys Router has it's own subnet and DHCP server which cannot be turned off, at least through the firmware interface.
Cross subnet communication is difficult. Depending on the way the traffic is going I may have to take a device off the VPN or be logged into a subnet directly because of the Linksys router.
The Linksys router also ignores any VLAN you try to setup through it in Omada and will always assign its subnet regardless of the VLAN subnet you are asking it to use.
- Copy Link
- Report Inappropriate Content
btx wrote
@Alex789 for openvpn I guess it will work with separate vlan where linksys stays dhcp server and probably dns server too. From that view he can achieve wished setup without changing the firmware, I think this is preffered by OP.
@btx I am not sure I understand what you are proposing here.
If he puts the WRT3200ACM inside the ER605 I don't see a way to achieve what he wants. There would be no way to move wired clients seemlessly between being on the VPN and off it. He could use the wireless in the WRT3200ACM but then the rest of his internal network will be outside it which will be a mess as clients switch back and forth. Especially give how limited that firmware seems to be. It seems like they reduced the functionality to the lowest possible level.
- Copy Link
- Report Inappropriate Content
Hartman9 wrote
@Alex789 I am open to other solutions. My criteria would be the following.
- I want a VPN to encrypt all our traffic
- Split Tunneling so I can take clients on and off VPN through a browser or app interface
- Single NAT would be preferred as I am having issues in cross communicating even with ACL permit rules
- If I can get my setup up down to one router without spending a lot of money
I think I have a pretty good idea of what you are trying to achieve. I just don't see an easy way as long as you retain that ExpressVPN firmware.
You are actually trying to build something that is somewhat sophisticated. It is totally achievable but it will take the right tools and skill.
Hartman9 wrote
ISP (AT&T Fiber 1G) -> ER605 (Wan Port) -> Linksys (Wan Port from ER605 Lan Port) -> Switch (from Linksys Lan Port)
The Linsys Router has it's own subnet and DHCP server which cannot be turned off, at least through the firmware interface.
Cross subnet communication is difficult. Depending on the way the traffic is going I may have to take a device off the VPN or be logged into a subnet directly because of the Linksys router.
The Linksys router also ignores any VLAN you try to setup through it in Omada and will always assign its subnet regardless of the VLAN subnet you are asking it to use.
As long as you have the WRT3200ACM inside the ER605 like that you will always have LAN communication issues because you are putting a consumer grade firewall on the inside of your network.
- Copy Link
- Report Inappropriate Content
Alex789 wrote
I think I have a pretty good idea of what you are trying to achieve. I just don't see an easy way as long as you retain that ExpressVPN firmware.
You are actually trying to build something that is somewhat sophisticated. It is totally achievable but it will take the right tools and skill.
This may insight a long response. But what type of setup would you suggest? Obviously I am not the most network savvy but I may be able to pull something off if pushed in the correct direction.
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 6910
Replies: 59
Voters 0
No one has voted for it yet.