Brume MT2500 - Router VLANs DNS/Adguard + VPN

Hi there,

Hopefully someone can point me in the right direction (or will tell me it can’t be done :stuck_out_tongue: )

I bought the Brume 2 - MT2500 with the main reason to have a better VPN solution but because I saw it also runs AdGuard by default I thought, great I can get rid of my PiHole setup!

Based on an Edge Router (SFP) setup I’m struggling to get the MT2500 working just behind it, connected to the ERX (via LAN port on the MT2500). I have 2 VLANs configured for the main LAN and IoT, so the drop-in gateway function will not help me run DHCP servers on both VLANs, and I’m also not really fond of the principle.

Will try to explain my setup and current challenges.

ERX (with SFP module) configured as a router + switch → MT2500

[Screenshot 2024-04-22 at 17.09.35]

Main VLAN = 192.168.2.x
IoT VLAN = 192.168.5.x

ERX router = 192.168.2.1
MT2500 = 192.168.2.2

DHCP servers on both VLANs pointing DNS to the MT2500
ERX Firewall rule to accept DNS server 192.168.2.2 (this works also with the current PiHole in the main VLAN) within IoT VLAN.

The MT2500 is currently configured with the LAN port static IP within my main LAN, running AdGuard. The DHCP server(s) on the ERX point DNS to the MT2500 and that works just fine for the main LAN (having internet + AdGuard filtering), but the IoT VLAN doesn’t work.

Further configured an OpenVPN server (allowed via the ERX NAT), which connects with my client (via 4G) from outside, but no internet + LAN access when the tunnel is up. I can access the Brume itself when connected via VPN, but further nothing is accessible + no internet.

How can I use the MT2500 behind the ERX router/switch just with my LAN? Is the Brume firewall blocking this and/or can I disable this blocking DNS traffic, VPN issues?

Could you please draw your network using draw.io?

Done :slight_smile: ERX has a SFP module for the fiber connection.

Can you confirm which port of MT2500 connect to the ERX, wan or lan?

Connected to the LAN port. When connected to the WAN port configuring static IP within my main LAN (192.168.2.x), I can’t connect to the MT2500.

You should connect the WAN port to your ERX, not LAN port.

This is one key reason that your VPN does not go to the Internet.

To connect to the MT2500’s web panel from your ERX network, you should go to the security settings and enable remote access.

Okay sounds logical. Great! Will test that, did not think about making the web gui reachable via WAN (still in LAN).

Do I need to use the WAN port as LAN? No right?

NO. If you do that, then it will be the same as your current setup.


Yes! Now I have a working situation with DNS working via AdGuard after allowing some ports to be opened up.

OpenVPN server also works now, but only with local internet breakout! When I add the “redirect-gateway def1” + “dhcp-option DNS 192.168.2.2”, internet is broken on the client. LAN access still works.

Next stop:

  • how to get DNS working for the 192.168.5.x VLAN, because this is still not functioning.
  • how I get my internet traffic through the tunnel, loading websites + using my own DNS/Adguard server 192.168.2.2

DNS is now working in the 192.168.5.x VLAN, based on a port forward rule 53 to 3053.

I also tested WireGuard now. WireGuard does work as it should and AdGuard is triggered (not seeing advertisements).

OpenVPN still does not want to go over AdGuard pushing DNS.

And OpenVPN is also working now. Same port forward rule, only now from the OpenVPN interface to WAN.

Strange thing is, that this is not needed for WireGuard.
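The two fixes above (the 53→3053 redirect for the 192.168.5.x VLAN, and the same redirect on the OpenVPN interface) are easy to verify from the client side with a raw DNS query rather than by watching whether ads disappear. The following probe is an added example, not code from this thread or from GL.iNet: it builds a DNS query on the wire, sends it to the router on port 53 and on 3053, and reports the rcode and answer addresses for each. It assumes the thread's addressing (Brume at 192.168.2.2, AdGuard Home listening on 3053 behind the redirect) and, for the `filtered` flag, that AdGuard Home's default blocking mode answers a filtered name with a null address (0.0.0.0 or ::); both are assumptions you should adjust to your own setup.

```python
# Added example (not from the forum thread): a small DNS probe to verify that
# port 53 on the Brume (192.168.2.2 in the thread) really ends up at AdGuard
# Home, which on this setup listens on 3053 behind a 53->3053 redirect.
# Run it from a client in each VLAN and from a VPN client: if :53 and :3053
# give the same answer, the redirect is in place for that path; if :53 times
# out or answers differently, that path is not being redirected.
import random
import socket
import struct

QTYPE_A = 1
QTYPE_AAAA = 28
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, qtype=QTYPE_A, txid=None):
    """Build a standard recursive DNS query (header + one question) on the wire."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    # flags 0x0100: standard query with the RD (recursion desired) bit set
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(struct.pack("B", len(label)) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    qname += b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def _skip_name(data, offset):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return offset + 2
        offset += 1 + length


def parse_response(data):
    """Extract transaction id, rcode and A/AAAA answer addresses from a reply."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(data, offset) + 4  # skip qtype + qclass
    addresses = []
    for _ in range(ancount):
        offset = _skip_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            addresses.append(socket.inet_ntop(socket.AF_INET, rdata))
        elif rtype == QTYPE_AAAA and rdlen == 16:
            addresses.append(socket.inet_ntop(socket.AF_INET6, rdata))
    rcode = flags & 0x000F
    return {
        "txid": txid,
        "rcode": RCODE_NAMES.get(rcode, str(rcode)),
        "addresses": addresses,
        # Assumption: AdGuard Home's default blocking mode answers filtered
        # names with a null address, so this is a cheap "was it filtered" hint.
        "filtered": bool(addresses) and all(a in ("0.0.0.0", "::") for a in addresses),
    }


def probe(server, port, name, qtype=QTYPE_A, timeout=2.0):
    """Send one UDP query to server:port and return the parsed answer."""
    query = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, port))
        data, _ = sock.recvfrom(4096)
    result = parse_response(data)
    if result["txid"] != struct.unpack("!H", query[:2])[0]:
        raise ValueError("transaction id mismatch: not a reply to our query")
    return result


if __name__ == "__main__":
    import sys
    # Defaults follow the thread: Brume at 192.168.2.2, AdGuard Home on 3053.
    server = sys.argv[1] if len(sys.argv) > 1 else "192.168.2.2"
    name = sys.argv[2] if len(sys.argv) > 2 else "example.com"
    for port in (53, 3053):
        try:
            print(port, probe(server, port, name))
        except (OSError, ValueError) as exc:
            print(port, "no usable answer:", exc)
```

Query a name you know AdGuard blocks and one it does not; a timeout on port 53 with a good answer on 3053 from the same client is exactly the symptom the thread describes before the redirect rule was added for that interface.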