Omada Setup with ExpressVPN Router
I just installed an Omada setup in my house with the following hardware and connected in the following order.
WAN -> ER605 -> Switch -> EAPs -> Hardwired Connections
I have a Linksys WRT3200ACM router with ExpressVPN installed on it that I would also like to run in this setup. Can anyone help me with my configuration? I've tried connecting the setup in the following orders, but each time the ER605 disconnects from the setup. The goal is to have most of the traffic on the home network run through this VPN to encrypt the traffic. ExpressVPN offers split tunneling, which I would like to keep intact if possible. The ExpressVPN firmware has no means of turning off DHCP that I am able to find. Any help would be greatly appreciated, thanks.
Tried so far.
WAN -> ER605 -> WRT3200ACM (LAN Port) -> Switch
WAN -> ER605 -> WRT3200ACM (WAN Port) -> Switch
@btx Really appreciate you digging into this the way you have for someone you don't even know.
I think they gave you some bad information because I bought this router exactly because they do support it and it is even shown on their site as being supported. We used this router in our old home where one subnet was all we needed. We now have a much bigger home and more IoT devices, cameras, streaming devices, etc., and that is why I am setting up an Omada system. As I get more into this it is clear, like you have been saying, that a double NAT is not the way to go as it invokes many headaches, especially trying to cross subnets. Like you said, I think their firmware is based on DD-WRT because of the default name that shows up in the router. The one aspect I am trying to preserve by using ExpressVPN is that they offer split tunneling. So if I have to drop one device off from the VPN it is quite easy and I don't have to take the whole network off the VPN.
Here are the fundamental problems you have.
- The ExpressVPN firmware is made to be very easy to use but as a result is extremely limited. It can't do what you want to do, at least not through the GUI you are being provided.
- Using two routers is a complicated solution and you are still limited by the firmware of that device.
Here are a few of your options:
- Go back to using the WRT3200ACM and live with the limitations
- Replace the firmware on your router with full DD-WRT or OpenWRT as @btx suggests. This will give you the flexibility to do what you want. However, the cost is increased complexity. You will need more knowledge and patience to configure it. There are plenty of guides out there if you do a search. That will give you an idea of what you would be getting into.
- Replace both routers/gateways with something that does what you want.
I don't think trying to stuff the WRT3200ACM behind the ER605 is a practical solution.
@btx I emailed ExpressVPN tech and they told me the DHCP cannot be turned off. Now I don't know about SSHing into it and doing it by command line. Also here are the protocols supported by ExpressVPN and it doesn't look like WireGuard is one of them.
@Alex789 I am open to other solutions. My criteria would be the following.
- I want a VPN to encrypt all our traffic
- Split Tunneling so I can take clients on and off VPN through a browser or app interface
- Single NAT would be preferred as I am having issues in cross communicating even with ACL permit rules
- If I can get my setup down to one router without spending a lot of money
Right now my setup goes like this:
ISP (AT&T Fiber 1G) -> ER605 (Wan Port) -> Linksys (Wan Port from ER605 Lan Port) -> Switch (from Linksys Lan Port)
The Linksys router has its own subnet and DHCP server which cannot be turned off, at least through the firmware interface.
Cross subnet communication is difficult. Depending on the way the traffic is going I may have to take a device off the VPN or be logged into a subnet directly because of the Linksys router.
The Linksys router also ignores any VLAN you try to set up through it in Omada and will always assign its subnet regardless of the VLAN subnet you are asking it to use.
btx wrote
@Alex789 for OpenVPN I guess it will work with a separate VLAN where the Linksys stays DHCP server and probably DNS server too. From that view he can achieve the wished setup without changing the firmware, I think this is preferred by OP.
@btx I am not sure I understand what you are proposing here.
If he puts the WRT3200ACM inside the ER605 I don't see a way to achieve what he wants. There would be no way to move wired clients seamlessly between being on the VPN and off it. He could use the wireless in the WRT3200ACM but then the rest of his internal network will be outside it, which will be a mess as clients switch back and forth. Especially given how limited that firmware seems to be. It seems like they reduced the functionality to the lowest possible level.
Hartman9 wrote
@Alex789 I am open to other solutions. My criteria would be the following.
- I want a VPN to encrypt all our traffic
- Split Tunneling so I can take clients on and off VPN through a browser or app interface
- Single NAT would be preferred as I am having issues in cross communicating even with ACL permit rules
- If I can get my setup down to one router without spending a lot of money
I think I have a pretty good idea of what you are trying to achieve. I just don't see an easy way as long as you retain that ExpressVPN firmware.
You are actually trying to build something that is somewhat sophisticated. It is totally achievable but it will take the right tools and skill.
Hartman9 wrote
ISP (AT&T Fiber 1G) -> ER605 (Wan Port) -> Linksys (Wan Port from ER605 Lan Port) -> Switch (from Linksys Lan Port)
The Linksys router has its own subnet and DHCP server which cannot be turned off, at least through the firmware interface.
Cross subnet communication is difficult. Depending on the way the traffic is going I may have to take a device off the VPN or be logged into a subnet directly because of the Linksys router.
The Linksys router also ignores any VLAN you try to set up through it in Omada and will always assign its subnet regardless of the VLAN subnet you are asking it to use.
As long as you have the WRT3200ACM inside the ER605 like that you will always have LAN communication issues because you are putting a consumer grade firewall on the inside of your network.
Alex789 wrote
I think I have a pretty good idea of what you are trying to achieve. I just don't see an easy way as long as you retain that ExpressVPN firmware.
You are actually trying to build something that is somewhat sophisticated. It is totally achievable but it will take the right tools and skill.
This may incite a long response. But what type of setup would you suggest? Obviously I am not the most network savvy but I may be able to pull something off if pushed in the correct direction.