AP Mode VPN

Hello, I was curious if I could place a GL-AXT1800 in AP mode and still have VPN function to the devices that connect to it? ISP router (DHCP) > GL-AXT1800 > Devices

I’d rather do this than have the 1800 create a different subnet if it’s technically possible.

I ask because I also have an ASUS router on Merlin that can’t do this. The router has to be in routing mode to run the VPN.

The short answer is “not really”. It’s less of a limitation of either piece of hardware, more the way IP routing in general works.


Try the following “LAN-only” procedure that I have tested (with slight differences) on my GL-MV1000W and GL-A1300 routers (may also work on Asus routers):

  1. Log into the GL.iNet router LuCI UI over Ethernet LAN (preferred) or Wifi WLAN

  2. Unplug the Ethernet WAN and/or disable the wifi Repeater WWAN, but leave the wifi WLAN enabled

  3. Go to LuCI → Network → Interfaces → LAN → General Settings and assign a static IP address and netmask on the same subnet as your ISP router and assign default gateway to the IP address of the ISP router

  4. Go to LuCI → Network → Interfaces → LAN → Advanced Settings and assign Use custom DNS servers to the DNS servers that you want (e.g., your ISP’s DNS, Google DNS 8.8.8.8, Cloudflare DNS 1.1.1.1)

  5. Go to LuCI → Network → Interfaces → LAN → DHCP Server → General Setup and assign the DHCP Start, Limit, Lease time values that you want

  6. Go to LuCI → Network → Interfaces → LAN → DHCP Server → Advanced Settings and assign DHCP-Options to the same DNS servers as previously assigned, using format 6,DNS1,DNS2 (e.g., 6,8.8.8.8,1.1.1.1)

  7. Click Save then Save & Apply and power off the GL.iNet router after the saves are completed successfully

  8. Log into the ISP router and disable its DHCP server because the GL.iNet will handle all the DHCP, then reboot it if necessary

  9. Plug in the GL.iNet router Ethernet LAN (not WAN) to the ISP router LAN

  10. Power up the GL.iNet router and log into the Admin Panel UI over Ethernet LAN or Wifi WLAN at the same static IP as previously assigned

  11. Test that you can access the Internet by opening some websites (e.g., whatismyipaddress.com should show your ISP public IP address)

  12. Configure and connect to a VPN server as normal

  13. Test that you can access the Internet by opening some websites (e.g., whatismyipaddress.com should show your VPN public IP address)

I do not work for and I am not directly associated with GL.iNet.

Of note, wcs’s solution will (I’m pretty sure) forward all of your LAN traffic over the VPN, not just the devices connected to the AXT1800 (since if it’s handling DHCP for the entire network, it will also be giving out itself as the primary gateway for the entire network).

If you’re going to do that, IMO it is functionally equivalent to running the entire setup through the Slate AX (and will eliminate an unnecessary hop).

Yeah, I’d rather not route all of my traffic through the 1800. I only have a few dedicated devices I want on the VPN at all times. I appreciate the replies! I get the unit Tuesday, can’t wait to get it set up. I guess having another subnet won’t be the end of the world, most of the devices I want running through it are TVs.

Yeah, you could maybe get creative with VLANs and get something functional, but I’m not sure how well consumer-grade hardware would take that, or if your ISP router would even allow it. You could basically create a separate VLAN on one port of the router and connect the AXT to that, but if your goal is to also do stuff like cast/AirPlay to the TVs from your local network, that makes things more challenging.

You could potentially set up the AXT manually as the gateway on each of the TVs, and I’m guessing you’d need to mess with some firewall rules, but honestly that’s more of a project than I’ve ever cared to undertake.

I took your question to be, “Is there an easy way to do this?” I think it’s technically possible, but every solution I can imagine is kind of jank.

I thought you wanted to have everything go through VPN because the GL-AXT1800 is a powerful device and is a bit of overkill for a few TVs (unless you have many TVs).

Actually, if you have smart TVs, the procedure would be even simpler:

  1. Skip Steps 5 and 6, which configure the DHCP server on the GL.iNet router

  2. Skip Step 8, which disables the DHCP server on the ISP router, leaving it to handle all the DHCP

  3. On each smart TV (I have 3 LG WebOS TVs), manually configure the network settings with a unique static IP address, the netmask, the DNS servers and the default gateway set to the same static IP address of the GL.iNet router as previously assigned

Just make sure that all the static IP addresses are unique and not within the scope of the DHCP server on the ISP router. Technically, only the default gateway on the TV needs to be assigned to the GL.iNet router, but this may depend on the TV brand/model … this is similar to how the SmartDNS feature that a number of commercial VPN providers offer is set up on TVs.

This was my original use case for my GL-MV1000W to be a LAN-based VPN appliance, so some PCs/client devices access Internet over VPN and some PCs/client devices access Internet directly (not over VPN), but all can access LAN resources. The free Windows NetSetMan utility allows each PC to flip between VPN and non-VPN on demand.
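As an added sanity check for the address plan behind both procedures above (this is not code from the thread or from GL.iNet): given the ISP router’s subnet and DHCP scope and the static LAN address chosen for the GL.iNet in Step 3, it verifies that every hand-configured TV has a unique address inside the subnet, outside the DHCP pool, and uses the GL.iNet as its default gateway. It assumes the OpenWrt/LuCI convention that DHCP “Start” is an offset from the network address and “Limit” is the pool size; the subnet, addresses and TV names are constructed sample values.

```python
import ipaddress


def dhcp_scope(subnet, start, limit):
    """DHCP pool as (first, last); OpenWrt-style start offset plus pool size."""
    first = ipaddress.ip_network(subnet).network_address + start
    return first, first + limit - 1


def check_static_clients(subnet, isp_router, glinet_lan, dhcp_start, dhcp_limit, clients):
    """clients maps a name to (static_ip, default_gateway).
    Returns a list of problems; an empty list means the plan is consistent."""
    net = ipaddress.ip_network(subnet)
    gl = ipaddress.ip_address(glinet_lan)
    lo, hi = dhcp_scope(subnet, dhcp_start, dhcp_limit)
    problems = []
    if gl not in net:
        problems.append(f"GL.iNet {gl} is not inside {net}")
    elif lo <= gl <= hi:
        problems.append(f"GL.iNet {gl} sits inside the DHCP scope {lo}-{hi}")
    # addresses already taken on the LAN: the two routers themselves
    taken = {gl: "GL.iNet", ipaddress.ip_address(isp_router): "ISP router"}
    for name, (ip, gw) in clients.items():
        addr = ipaddress.ip_address(ip)
        if addr not in net:
            problems.append(f"{name}: {addr} is not inside {net}")
        elif lo <= addr <= hi:
            problems.append(f"{name}: {addr} sits inside the DHCP scope {lo}-{hi}")
        if addr in taken:
            problems.append(f"{name}: {addr} duplicates {taken[addr]}")
        else:
            taken[addr] = name
        if ipaddress.ip_address(gw) != gl:
            problems.append(f"{name}: gateway {gw} is not the GL.iNet ({gl})")
    return problems


# Constructed sample: ISP router 192.168.1.1 leases .100-.249 (Start 100,
# Limit 150); the GL.iNet is parked at 192.168.1.2, outside that pool.
PLAN = dict(subnet="192.168.1.0/24", isp_router="192.168.1.1",
            glinet_lan="192.168.1.2", dhcp_start=100, dhcp_limit=150)
GOOD_TVS = {"living room": ("192.168.1.20", "192.168.1.2"),
            "bedroom": ("192.168.1.21", "192.168.1.2")}
BAD_TVS = {"living room": ("192.168.1.20", "192.168.1.2"),
           "bedroom": ("192.168.1.120", "192.168.1.2"),  # inside the DHCP pool
           "office": ("192.168.1.20", "192.168.1.1")}    # duplicate IP, wrong gateway

if __name__ == "__main__":
    for p in check_static_clients(clients=BAD_TVS, **PLAN):
        print("problem:", p)
```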

Since wcs decided to block me for reasons unknown (note that he repeated my “manually assign the TVs to the glinet gateway” suggestion), you (@Forever) might ask him whether he is able to do casting/AirPlay in that setup, if you care about that sort of thing. Having traffic go out on one gateway (gl-inet) and come in on another (ISP router) has a tendency to mess stuff up, especially for TCP traffic.

Just my personal experience, but every time I’ve tried to do something like that I spend some amount of time getting it “working”, then I go on my merry way for six months to a year when all of a sudden something breaks. Then I spend forever debugging it, eventually ending up doing tcpdump traces and asking why I’m sending packets but not receiving ACKs and … Oh yeah, I manually assigned that gateway over here and that’s the problem.

Admittedly I have more than the average number of networks and devices to keep up with, but whenever I try to do something cute that’s non-standard it eventually comes back to haunt me, generally at 2am when I’m on the phone with a client’s network engineer trying to figure out why all of their stuff just stopped communicating.

I’ve got loads of stories… “Why did that stop working? Oh yeah, because we had to manually assign the DNS to an internal server and somebody decided to migrate that without telling us and all of our HTTPS verification broke. Awesome.” Or “We had to manually assign an on-prem NTP server and then somebody unplugged the GPS clock so we are in sync to a thing that is now 5 minutes behind the universe and JWT calls are failing.”

Every. Single. Time.

I wanted to follow up: I got the 1800 up and going a few days ago. First off, love this thing’s capability, exactly what I needed. As to my original post, having the device as a second router has caused no issues. All of the devices on it can still communicate with the devices on the original subnet (cast, AirPlay, Logitech Harmony, etc.).

My only issue is the VPN I’m using is losing its certificate every 24 hours. I used the phone app to set up a WireGuard VPN I subscribe to, not sure if this is my problem by not inputting everything in a manual set up. I’m not sure if this is the VPN’s fault or if I can configure something on the GL-AXT1800?


Thanks for the follow-up.

I seem to recall reading posts by GL.iNet that using the app saves VPN configs on the smartphone (not sure if they changed it now), not on the router. Maybe that causes the problem, so I suggest you set up the WireGuard configs directly on the GL-AXT1800 using the Admin Panel web UI, on which I did not encounter that problem.

When you use casting, AirPlay and Logitech Harmony to a smart TV that is connected to the wifi on the GL-AXT1800, did you connect your client device to the same wifi SSID of the router, or were you still connected to the LAN subnet of the ISP router?

With WireGuard turned on and running, is your client device able to access devices on the LAN subnet of the ISP router, or have you set up a VPN policy to exclude your device from also going through WireGuard?

Do you have a DLNA media server on the LAN subnet of the ISP router for video streaming? In my case, I have a NAS as both file server and DLNA media server on the LAN subnet of the main router, but video streams are not able to get to a smart TV behind the GL.iNet router WAN firewall.

Probably need more details on the VPN. I self host on a dedicated server, so I’m not super familiar with the various providers, sorry.

I have TorGuard, wasn’t sure if I was allowed to name it here :smile:. I don’t mind configuring it in the admin panel manually, it was just convenient to do it in the app by logging in.