Setting up EdgeRouter X with LAN segregation and VPN access

This article is going to show how I redesigned my home network to serve some new purposes.

Objectives

  • Two Networks (both with Wifi and Ethernet).
    • Main Network
    • IoT/VPN Network
  • Segregation for the IoT Network. Devices should not be able to access anything on the Main Network.
  • IoT Network needs to be on a permanent VPN (this is for using geo-restricted services such as BBC iPlayer).
  • IoT Network traffic should go through the VPN.
  • Main Network traffic should go via my normal ISP.
  • No VLANs. I don't want to spend a tonne on new hardware, so I am planning to use existing hardware I have, most of which will not support VLANs, etc., so I decided to just avoid them completely. This does mean my setup is simpler (IMO).
  • Have a fail-safe management network for troubleshooting. I may come back to this later.
  • Compatibility with IPVanish

Hardware

I have a tonne of hardware around the house, so ideally I didn't want to buy anything. I will outline what I have used, but most of the devices are standard devices so anything should do.

I did buy a Ubiquiti EdgeRouter X as the central point of the network. This is an inexpensive and highly flexible device that I strongly recommend. It is the only non-generic device used in the guide below.

  • Ubiquiti EdgeRouter X
  • ASUS RT-AC3200 (this was my main router)
  • Netgear DGND3700v2 (This is just a left over router that I had lying around from a previous installation)

Network Diagram

Below is a crude diagram of my desired network. The obvious part that is missing is a modem between the EdgeRouter X and "The Internet", but I don't feel it is relevant to this particular scenario.

I am actually using the router/modem supplied with my internet connection here. All I did was put it in Bridge Mode so I was not double NAT'ing. This means that the Eth0 interface on the EdgeRouter X was given an IP address from my ISP.

(Image: Network Diagram)

The Steps

Rather than try to set this all up in one go, I decided to break it down into steps and get each part working correctly.

  • Basic EdgeRouter X Setup
  • Main and VPN network setup (Wifi)
  • VPN Network segregation
  • OpenVPN Setup
  • Final Routing of VPN Network to VPN provider

Basic EdgeRouter X Setup

There are plenty of basic setup guides for the EdgeRouter X and I really don't want to repeat them in detail, so I will just give a rough outline here.

  • Connect Ethernet from Eth0 to your computer
  • Set IP Address of your computer to 192.168.1.10
  • Navigate to https://192.168.1.1

This will load the web interface of the EdgeRouter X.

Make sure you get the latest firmware for the EdgeRouter X

Once logged in, it is useful to start with one of the Wizards. This sets the basics up for you.

Load the WAN+2LAN2 Wizard and configure it as follows:

(Image: Wizard Config)

This wizard will result in the following setup:

  • Eth0 is the internet port
  • Eth1 is a DHCP-Enabled Network (192.168.4.1/24)
  • Eth2/3/4 is a DHCP-Enabled Network (192.168.3.1/24)

The wizard has created a switch which joins Eth2, Eth3 and Eth4 together. You can keep this setup, but I am going to remove it.

Summary Video

Here is a video summary of the previous section.

Remove the generated switch

The wizard has left us with two internal networks.

  • 192.168.4.1/24 running on eth1
  • 192.168.3.1/24 running on eth2/3/4

This setup might be what you want, but I do not want the switch as I want to only use eth2 for the 192.168.3.0 network. This is how we go about removing the switch.

  • Connect to the 192.168.4.0/24 network.
    • Plug the cable into eth1
    • Reset the network adapter on your computer to obtain IP addresses via DHCP
  • Log into the router (192.168.4.1)
  • Edit the configuration of switch0
    • Remove eth2/3 from the VLAN
    • Set the IP address to No address
  • Edit the configuration of eth2
    • Set the IP address to Manually define IP address with the value 192.168.3.1/24

UPDATE

Remember to alter the DNS forwarders to remove switch0 and add eth2. This is done in the services section of the EdgeRouter X config.

Summary Video

Here is a video summary of the previous section.

Configure the Wifi Access Points for each network

As I mentioned above, I am using two random home routers as Wifi access points for each network. I do not think it would be valuable for me to go through the configuration of each router specifically, but I will outline some key points here.

  • Each router/access point should have a statically defined IP address within the range of the network it is connected to.
    • Main Network Access Point: 192.168.4.2
    • VPN Network Access Point: 192.168.3.2
  • Each router/access point should be in Access Point mode (if applicable). In my case, the Asus RT-AC3200 has an Access Point mode, but the Netgear DGND3700v2 does not. This doesn't particularly matter as long as you configure it correctly.
  • Cables from the EdgeRouter X should go into a normal switch port on the access points (not the internet port).
  • DHCP should be disabled on each of the access points.

Summary Video

Here is a summary video:

Making sure the Internet works

Segregating the networks

Now we want to segregate the networks. The idea here is that I don't want any device on the IoT/VPN Network to be able to access the Main Network.

Requirements

  • IoT/VPN Network should not be able to access the Main Network.
  • IoT/VPN Network should be able to access the internet.
  • IoT/VPN Network should not be able to access the EdgeRouter X.

To set this up, we need to configure the following firewall rules:

firewall {  
    group {
        network-group RFC-1918_networks {
            description ""
            network 192.168.0.0/16
            network 172.16.0.0/12
            network 10.0.0.0/8
        }
    }
    name IoT_IN {
        default-action accept
        description ""
        rule 10 {
            action accept
            description "Accept Established, Related"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 30 {
            action drop
            description "Drop local destination"
            destination {
                group {
                    network-group RFC-1918_networks
                }
            }
            log enable
            protocol all
        }
    }
    name IoT_local {
        default-action drop
        description ""
        enable-default-log
        rule 1 {
            action accept
            description DNS
            destination {
                port 53
            }
            log disable
            protocol udp
        }
        rule 2 {
            action accept
            description DHCP
            destination {
                port 67
            }
            log disable
            protocol udp
        }
    }
}
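The page leaves attaching the two rulesets to the interface to the video. Here is the equivalent from the EdgeOS configure shell, as an added example that is not part of the original post; the interface and ruleset names are the ones used in the configuration above, and the closing show commands are how I would confirm that the rules are actually matching traffic.

```vyos
configure

# Forwarded traffic that arrives on eth2 (the IoT/VPN network) is filtered by IoT_IN:
# replies to existing connections pass (rule 10), anything aimed at an RFC 1918
# address (which includes the Main network, 192.168.4.0/24) is dropped and logged
# (rule 30), and everything else, i.e. the internet, is accepted by the default action.
set interfaces ethernet eth2 firewall in name IoT_IN

# Traffic from eth2 addressed to the router itself is filtered by IoT_local:
# only DNS (udp/53) and DHCP (udp/67) reach the router; the web UI and SSH on
# 192.168.3.1 are dropped (and logged) by the default action.
set interfaces ethernet eth2 firewall local name IoT_local

commit
save
exit

# After generating some test traffic from a device on the IoT network (a ping to
# 192.168.4.2, which should fail, and a DNS lookup against 192.168.3.1, which
# should succeed), the per-rule counters show which rule handled each packet.
show firewall name IoT_IN statistics
show firewall name IoT_local statistics
```

One caveat worth knowing before relying on this: rule 1 of IoT_local only matches UDP, so a resolver that retries over TCP for a large answer will be dropped by the default action and show up in the log; add a matching TCP rule for port 53 if that matters for your devices.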

You can see how to set this up in the UI in the following video:

Setting up the VPN (OpenVPN)

In my case I am using IPVanish. They provide an ovpn file which gets us 90% of the way there, but there are some changes we need to make:

  • Edit the ovpn file:
    • Add route-nopull to the file
    • Change dev tun to dev-type tun
    • Change ca xxx.crt to ca /config/xxx.crt
    • Change auth-user-pass to auth-user-pass /config/auth/pass.txt
  • Upload the following to the EdgeRouter X (using a tool such as WinSCP)
    • ovpn file -> /config
    • xxx.crt -> /config
    • Create a file called pass.txt. This file needs to contain your IPVanish credentials. Username on the first line, password on the second line. Upload it to /config/auth/pass.txt

You are now ready to configure the router to use the OpenVPN configuration. For this next step, you need to SSH onto the router. You can see how to do this in the video.

You then need to run the following:

configure  
set interfaces openvpn vtun0 config-file /config/ovpn-filename.ovpn  
commit  
save  

Reboot the router and you should now see vtun0 in the dashboard.

Here is a full video showing what to do:

Routing the IoT/VPN Network through the VPN

Now we need to route traffic from the IoT/VPN Network through the established VPN.

  • Create static route table to vtun0
configure  
set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface vtun0  
commit  
  • Setup firewall rule to modify traffic from IoT -> vtun0
configure  
set firewall modify OPENVPN_ROUTE rule 10 description " Traffic from IoT to vtun0"  
set firewall modify OPENVPN_ROUTE rule 10 source address 192.168.3.0/24  
set firewall modify OPENVPN_ROUTE rule 10 modify table 1  
set interfaces ethernet eth2 firewall in modify OPENVPN_ROUTE  
commit  
  • Create NAT rule for vpn. This is done in the GUI and instructions can be found in the video below.
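The NAT rule the page creates in the GUI, together with a guard against the failure mode the routing above leaves open: if vtun0 goes down, the interface-route in table 1 disappears with it, the policy lookup falls through to the main routing table, and IoT traffic would leave via eth0 and the ISP instead of the VPN. The following is an added example from the EdgeOS configure shell, not part of the original post; the rule number 5010, the ruleset name VPN_LEAK_GUARD and the show checks are my own choices, everything else reuses the names from the steps above.

```vyos
configure

# Source NAT (masquerade) so IoT traffic sent into the tunnel carries the
# address OpenVPN assigned to vtun0. Source NAT rule numbers must be 5000-9999;
# 5010 is an arbitrary choice.
set service nat rule 5010 description "Masquerade IoT/VPN network out of vtun0"
set service nat rule 5010 outbound-interface vtun0
set service nat rule 5010 source address 192.168.3.0/24
set service nat rule 5010 type masquerade

# Leak guard: forwarded packets from the IoT network are never allowed out of
# eth0 (the ISP link). While vtun0 is up, table 1 steers them into the tunnel and
# they never reach this ruleset; if vtun0 is down they would otherwise fall back
# to the main table, and this rule drops and logs them instead. The Main network
# (192.168.4.0/24) is unaffected because of the accept default action.
set firewall name VPN_LEAK_GUARD default-action accept
set firewall name VPN_LEAK_GUARD description "Drop IoT traffic that would leave via the ISP"
set firewall name VPN_LEAK_GUARD rule 10 action drop
set firewall name VPN_LEAK_GUARD rule 10 description "IoT/VPN network must not use eth0"
set firewall name VPN_LEAK_GUARD rule 10 log enable
set firewall name VPN_LEAK_GUARD rule 10 protocol all
set firewall name VPN_LEAK_GUARD rule 10 source address 192.168.3.0/24
set interfaces ethernet eth0 firewall out name VPN_LEAK_GUARD

commit
save
exit

# Checks: table 1 should hold the default route via vtun0 while the tunnel is up,
# and the NAT statistics should show rule 5010 translating once an IoT device
# has sent some traffic.
show ip route table 1
show nat statistics
```

To verify the guard, stop the tunnel (for instance by disabling vtun0) and try to reach the internet from an IoT device: the attempt should fail and a VPN_LEAK_GUARD drop should appear in the firewall log, rather than the traffic silently going out over the ISP connection.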