I have a WNDR3700v4 in use with LEDE 17.01.2 r3435-65eec8bd5f.
On the WNDR there is a USB modem connected (WAN1).
As I already found out that the WNDR3700v4 can't handle a 30 MBit/s down, 10 MBit/s up OpenVPN connection, I was thinking about a VM running x86 LEDE. The VM runs on a Windows server in VirtualBox and should have enough power to handle a VPN client connection like NordVPN.
The server with the VM is one floor below the WNDR3700, so a physical USB connection isn't possible.
My idea is about this:
Set the WNDR3700 LAN to static 192.168.1.2, DHCP off
Set the VM LAN to static 192.168.1.1, DHCP on; WAN: static 192.168.1.99, gateway 192.168.1.2
Then set on the WNDR3700 the traffic rule that only IP 192.168.1.99 is allowed to send data to the WAN.
Should this work or is there an easier way to share the WAN connection of one router to another?
I also tried the tool usbip; I can share the USB device but not attach it in the VM.
Two interfaces with overlapping IP subnets (both LAN and WAN are 192.168.1.0/24) aren't going to work.
Using a single LAN interface for inbound and outbound traffic (hence dropping the WAN entirely) is going to work in terms of routing, but it completely eliminates zone-based firewall rules.
WNDR3700: 192.168.100.1, DHCP off, IPv6 off
VM WAN: 192.168.100.2, DHCP off, gateway 192.168.100.1
VM LAN: 192.168.1.1, DHCP on
You can add a firewall rule on the WNDR3700 to only allow traffic from 192.168.100.2 to be forwarded. But to be honest, to me that's only a little sugar and not at all secure. If I intrude into your network, I can use 192.168.100.2 myself and be done.
Using MAC instead of IP for a firewall rule isn't any better, because if I intrude into your network, I just tcpdump what's going on, learn both your MAC address and your IP address, and can fake both.
I think the problem is that you're trying to port forward across subnets. There are probably multiple ways to fix this, but one option would be to forward port 80 to 192.168.100.2 and then forward 80 on the virtual router to 192.168.1.7.
BTW, I helped someone on another forum with a very similar requirement, and we approached it a little differently. We kept a single subnet, but created a vlan on the primary router to connect the WAN port on the VPN router (virtual router in your case) to. Here's what it looked like:
It's essentially a dual-gateway setup on a single subnet. Whenever this user wants to send traffic over the VPN, he changes the gateway on that device (which must also have a static address). He mostly just uses the VPN for his NAS, so we have that on a static IP with the VPN gateway set. The nice feature is the single subnet for the LAN.
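The two-router layout from the answer above (WNDR3700 on 192.168.100.1 with DHCP off, VM router WAN 192.168.100.2 with gateway 192.168.100.1, VM LAN 192.168.1.1 with DHCP on), the "forward only 192.168.100.2" rule on the WNDR3700, and the double port forward from the follow-up (WAN:80 to 192.168.100.2, then to 192.168.1.7), written out as LEDE/OpenWrt UCI config. This is an added example, not config posted in the thread. It assumes the WNDR's LTE uplink is already in its `wan` zone, that the VM's NICs are `eth0` (LAN) and `eth1` (WAN), and that the target host 192.168.1.7 serves HTTP; the files are written under `OUT_DIR` for review rather than straight into `/etc/config`.

```shell
#!/bin/sh
# Added example (not from the thread): writes UCI config fragments for the
# WNDR3700 (LTE uplink, LAN 192.168.100.1) and the x86 VM router (WAN
# 192.168.100.2, LAN 192.168.1.1).  Assumed interface names: VM eth0 = LAN,
# eth1 = WAN; WNDR LAN stays on eth0.1.  Files go to OUT_DIR for review.
OUT_DIR="${OUT_DIR:-/tmp/lede-config}"

write_wndr() {   # $1 = output dir
    mkdir -p "$1/wndr"
    # LAN moves to 192.168.100.1; DHCP is off because the VM router serves clients.
    cat > "$1/wndr/network" <<'EOF'
config interface 'lan'
    option type 'bridge'
    option ifname 'eth0.1'
    option proto 'static'
    option ipaddr '192.168.100.1'
    option netmask '255.255.255.0'
EOF
    cat > "$1/wndr/dhcp" <<'EOF'
config dhcp 'lan'
    option interface 'lan'
    option ignore '1'
EOF
    # Replaces the stock 'lan' zone and DROPS the stock "config forwarding
    # src lan dest wan" section, so only the explicit rule below forwards.
    # As the answer notes, an IP match is not authentication: anyone on the
    # WNDR's LAN can claim 192.168.100.2.
    cat > "$1/wndr/firewall" <<'EOF'
config zone
    option name 'lan'
    option network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config rule
    option name 'Allow-VM-router-to-WAN'
    option src 'lan'
    option src_ip '192.168.100.2'
    option dest 'wan'
    option target 'ACCEPT'

config redirect
    option name 'HTTP-to-VM-router'
    option src 'wan'
    option src_dport '80'
    option dest 'lan'
    option dest_ip '192.168.100.2'
    option dest_port '80'
    option proto 'tcp'
    option target 'DNAT'
EOF
}

write_vm() {     # $1 = output dir
    mkdir -p "$1/vm"
    cat > "$1/vm/network" <<'EOF'
config interface 'lan'
    option type 'bridge'
    option ifname 'eth0'
    option proto 'static'
    option ipaddr '192.168.1.1'
    option netmask '255.255.255.0'

config interface 'wan'
    option ifname 'eth1'
    option proto 'static'
    option ipaddr '192.168.100.2'
    option netmask '255.255.255.0'
    option gateway '192.168.100.1'
    option dns '192.168.100.1'
EOF
    cat > "$1/vm/dhcp" <<'EOF'
config dhcp 'lan'
    option interface 'lan'
    option start '100'
    option limit '150'
    option leasetime '12h'
EOF
    # Second hop of the port forward; append to the VM's stock firewall config.
    cat > "$1/vm/firewall" <<'EOF'
config redirect
    option name 'HTTP-to-client'
    option src 'wan'
    option src_dport '80'
    option dest 'lan'
    option dest_ip '192.168.1.7'
    option dest_port '80'
    option proto 'tcp'
    option target 'DNAT'
EOF
}

write_all() { write_wndr "$1" && write_vm "$1"; }

write_all "$OUT_DIR" && echo "config written under $OUT_DIR"
```

After copying the fragments into the respective `/etc/config/` files, apply them with `/etc/init.d/network restart` and `/etc/init.d/firewall restart` on each router. The wan zone on the WNDR keeps its stock `masq '1'`, so the VM's 192.168.100.2 is hidden behind the LTE address just as any LAN client would be.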
That was what I was thinking too, but I didn't find out how to fix this.
But your tip with forwarding to 192.168.100.2 on the VM and then to the right client host fixed it!
Thanks for this information!
The config you talk about with only one subnet is also really nice.
But my primary router is the WNDR3700. When I create a VLAN, to what interface should I attach it? LAN is right now attached to eth0.1, and the VLAN of eth0.1 is mapped to the 4 hardware ports of the WNDR3700.
Does this router have the ability to create a VLAN on a single Ethernet port? -- because that's crucial to this setup. You may need to ask a new question to the forum about this, as some routers have full "switch" control and some don't, IIRC. The idea is to create a VLAN on one Ethernet port on the WNDR3700 and attach the WAN port of your VM router to it.
WAN-Port (WAN): Uplink to 24 port switch
LAN port 1 (LAN): Uplink to 24 port switch
LAN port 2-4 (LAN): local DHCP clients
USB (WWAN0): LTE modem
I do have internet connection if I use 192.168.1.1 or 192.168.1.2 as gateway.
How can I check whether the traffic is really going through 192.168.1.2->wan->192.168.2.1?
I do not have a VPN installation right now. This will be the next part on the VM router.
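One way to check which path a client's traffic actually takes is to look at the first hops of a `traceroute -n` from that client: behind the VM router the first hop must be the VM's LAN address and the second hop the WNDR3700's LAN address; a client that still uses the WNDR directly as gateway shows the WNDR as hop 1. The script below is an added example, not from the thread, and uses the addressing from the answer earlier in the thread (VM LAN 192.168.1.1, WNDR LAN 192.168.100.1); substitute your own gateway addresses. The traceroute output it checks is constructed so it runs offline; the carrier-side address 10.64.0.1 is made up.

```shell
#!/bin/sh
# Added example (not from the thread): verify from a LAN client that packets
# go client -> VM router -> WNDR3700 -> uplink, by checking traceroute hops.
# Live use on the client:  traceroute -n 8.8.8.8 | check_path 192.168.1.1 192.168.100.1
# On the WNDR itself (if tcpdump is installed) the same thing is visible as
# client traffic arriving already NATed by the VM:
#     tcpdump -ni br-lan src host 192.168.100.2

# Print the responding address of each numbered traceroute hop, one per line;
# hops that only timed out ("*") are skipped.
hop_ips() {
    awk '$1 ~ /^[0-9]+$/ && $2 != "*" { print $2 }'
}

# check_path HOP1 HOP2 ...: reads traceroute output on stdin and returns 0
# only if the first N responding hops match the N expected addresses in order.
check_path() {
    trace=$(cat)
    n=0
    for want in "$@"; do
        n=$((n + 1))
        got=$(printf '%s\n' "$trace" | hop_ips | sed -n "${n}p")
        if [ "$got" != "$want" ]; then
            echo "hop $n is '${got:-none}', expected $want" >&2
            return 1
        fi
    done
    return 0
}

# Constructed sample: a client whose gateway is the VM router.
SAMPLE_VIA_VM='traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  192.168.1.1  0.412 ms  0.398 ms  0.380 ms
 2  192.168.100.1  1.021 ms  0.987 ms  0.965 ms
 3  10.64.0.1  31.412 ms  30.905 ms  31.188 ms'

# Constructed sample: a client that bypasses the VM and uses the WNDR directly.
SAMPLE_BYPASS='traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  192.168.100.1  0.912 ms  0.880 ms  0.871 ms
 2  10.64.0.1  31.105 ms  30.844 ms  31.002 ms'

printf '%s\n' "$SAMPLE_VIA_VM" | check_path 192.168.1.1 192.168.100.1 && echo "path via VM router: OK"
printf '%s\n' "$SAMPLE_BYPASS" | check_path 192.168.1.1 192.168.100.1 || echo "bypass sample: rejected as expected"
```

Once the VPN client is running on the VM router, the same check changes: hop 2 from a client will then be the VPN server's tunnel endpoint instead of the WNDR's LAN address, which is how you confirm the tunnel is actually being used.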