With my now employer comes the requirement connect via OpenVPN, where they're not doing split tunneling and working from home sometimes crawls to a halt. So, I've been building my own split tunnel, without having any control over the corporate hardware.
The setup works alright, I have setup dnsmasq to scope their dns correctly and the uplink works most of the time, but I'm getting random connection stalls, which seem to get worse a lot of DNS requests get served. (Edit: The stalls seem to be related with the policy configuration of that corporate laptop and only occur there, don't mind then) In general I'm not happy with having my entire DMZ connected to the employers network, even when doing strict routing and all.
I'm fine with buying both a new router and maybe a new intermediatary link (I was looking maybe for both a R4S and a R6S) to do that. I want to primarily separate the corporate laptop out of the network and have a system inbetween to do all the VPN connection buildup and split tunneling, while the corporate laptop just gets a simple, boring LAN DHCP link.
One annoying factor is that I want to reach the NAS from the laptop, too.
My internet uplink is just 100mbit/s, no fiber. My network devices here all roll with 1gbit/s network cables, I don't have super high performance stuff.
Additionally, I'm prefering low power consumption and eMMC or similar hard storage devices. I had poor experiences with failing Raspberrys and such.
I'm based in EU, in terms of sourcing parts.
The R6S is overkill and in any case not supported by OpenWrt. I would stick with the R4S. The R4S has more than enough CPU to seamlessly handle OpenVPN on your 100 Mbs connection (it will easily handle OpenVPN at even twice that throughput). The CPU in the Archer C7 is just too slow to run OpenVPN.
You are using un-managed switches in your design. Could you segregate your networks with VLANs (using the R4S to manage the VLANs and run OpenVPN) and use managed switches instead? Perhaps add a single R4S, and then "buy" your first managed switch for free (you already have it) by configuring your Archer C7 as a managed switch (and dumb AP)?
One of the VLANs configured on the R4S could be reserved for the corporate laptop, and you can configure other VLANs on the R4S for home, Guest, IOT, etc. networks. On your WiFi AP's you can configure SSID's dedicated to each VLAN - assuming the AP's are VLAN capable, which yours are if you are running OpenWrt on them. If your corporate laptop connects to a wired Ethernet port, you can similarly dedicate a managed switch port to the corporate VLAN.
For the corporate OpenVPN link, there are ways to use policy based routing to run all traffic on the corporate VLAN through an OpenVPN client on your R4S. Check out this thread.
Hi there, that is close to home what I was thinking.
I would stick with the R4S.
The R4S only has two LANs, I need one to go to the ISP box and two for separation. Maybe I'm missing something? I'd prefer something with an enclosure if possible, that's why I've eyed the R6S.
Could you segregate your networks with VLANs (using the R4S to manage the VLANs and run OpenVPN) and use managed switches instead?
Yes, totally! I'm looking for hardware suggestions and eventually retire the ArcherC7 and hand it down or keep it as backup.
On your WiFi AP's you can configure SSID's dedicated to each VLAN - assuming the AP's are VLAN capable
I don't really know, I have that Unifi AC Lite and just configured it once for WiFi - works for me, didn't care much beyond that.
use policy based routing to run all traffic on the corporate VLAN
I don't want that explicitly, hence why I moved on with my VPN setup. I'm doing split tunneling on an intermediatary device between the corporate laptop and my ISPs modem while separating it out of my network (beyond maybe reverse proxying / allowing connections to the NAS).
VLANs provide as many virtual LAN ports as you need. One R4S port (WAN port) physically connects to your modem/ISP service. Many VLANs (as many as you like and have the patience to configure on the R4S) travel out the other R4S port (LAN port) to a managed switch, which can then split the different VLANs out to whichever physical switch ports you like on the managed switch, singly or in combination.
With VLAN's, packets carry a tag identifying which VLAN the traffic belongs to. Managed switches use those tags to identify which VLAN the traffic belongs to, and send each VLAN's traffic to whichever port(s) you tell the managed switch to send it. Same with WiFi interfaces - you can attach a WiFi interface (SSID) to a single VLAN. If you have a device on your network that does not understand VLANs, that is fine too. Send just the VLAN for that device to a single managed switch port, and plug the device into that switch port and the device remains isolated to just that VLAN. VLAN's are very flexible.
If that is working for you, no reason not to stick with it since you already have the device; however, a VLAN based design might allow for a simpler network design with fewer devices. And if OpenVPN runs faster on an R4S, that might also be beneficial.
Oh, thanks for the information! I'll have to do some reading how this is being done.
So, with that in mind, your suggestion is
[R4S] --- [Managed Switch] --- [All Devices]
Where the managed switch VLANs the corporate laptop onto its own network?
Do you have a suggestion for a suitable 4-8 Port managed switch in that case? I will probably keep the unamanged switch where it is and connect it to the maanged swithc, as it's basically just a single cable to where most of my private hardware is connected to..
This also currently sounds like it's generally possible with my Archer, however, I was trying to keep the corporate VPN entirely seperated out of my network. I'm mostly worried that my misconfiguration sends private traffic over to the corporation by accident as well as noodling all that corporate DNS stuff by accident. I've been monitoring how dnsmasq has been routing queries, it works for now, but in the end I'm a self-aware dumb user.
Also thank you for your patience and advice, very much appreciated!
I use the 8 port Netgear GS308T with my R4S and have been happy with it. It is also supported by OpenWrt if you prefer to use the same OS on all your devices. However, if I already had a spare Archer C7 and especially if I wanted an AP in the same location as the managed switch, I would use the Archer C7 as a combined dumb AP and managed switch.
What you will be doing if you go this route is very similar to setting up a separate guest or IOT network. This, its linked posts and various posts around them in the threads may help get you started.
Finally, keep in mind that most (nearly all) of the network management will take place on the R4S. You do not want to have more than one device on your network running a DHCP server and handing out IP addresses on the same subnet for example.
That sounds good! I could source two R4S for "free" from a friend and bought a GS308T, which should arrive by next week.
I'm planning for now the following and then incrementally upgrade it as I go:
[ISP] -- [R4S #1] -- [GS308T] -- [My Devices]
-- [Ubiquiti AC Lite]
-- [R4S #2] -- Corpo Laptop
R4S #2 will do a hard network isolation to do the VPN peering and PBR routing + DNS and all that. Just a short patch cable + USB port and it will live as a "dongle" on the corpo device. R4S #1 will replace the Archer C7 and will later be handed down to someone.
I think I keep the Ubiquiti AC Lite for now, as it does its only job well. But thanks to you, I'll keep in mind that it can also be made to another OpenWrt system.
Thanks for all your input and leading me through the forest of options.
The best source! If they do not already have enclosures, FriendlyElectric should offer excellent machined all metal enclosures for the R4S. They are offered as an option on the R4S when purchased direct from FriendlyElectric.