Networking Newbie - Routers, VPNs and Access Point - Help

[TimL]

Hi Guys,

I'm the first to admit that I know absolutely zip about networking really. Sometimes I think I kinda get it, then I have days like today when I realise that I really dont.

Dilemma: Me and the missus have moved into a new house. This new house has an outside detached double garage that has been transformed into a man cave/games room/home theatre. There is also a single underground Cat6 cable that runs to said garage.

What I would like to possibly be able to achieve is to have:

The House Modem/Router to run my PC, NAS, Printer without any VPN access.
The Garage Home Theatre SmartTV to run off a VPN router to access the US Netflix that I've grown accustomed to.
The Garage Phones, Tablets, Consoles, etc to run via most likely an Access Point without VPN.
The NAS is currently used for Plex Streaming via the PC (as the Plex server) to broadcast via Roku4 Plex App on to the TV.

My current devices are:

House - Modem/Router is a Netgear AC1200 D6200 10/100/1000 WiFi Router http://www.netgear.com.au/home/products/networking/modem-routers/D6200.aspx?cid=gwmng
House - NAS is a WD MYCLOUD 2.TB http://www.wdc.com/en/products/products.aspx?id=1140#Tab3

Garage 'Access Point' - is a Netgear N300 WNR2000v5 WiFi Router http://www.netgear.com/support/product/WNR2000v5.aspx?cid=gwmng

Not Currently in Use:

Garage - Modem/Router Netgear AC1450 AC1450 DD-WRT Flashed Router https://www.flashrouters.com/routers/router-types/dd-wrt/netgear-ac1450-ddwrt-router
Garage - Network Switch Netgear ProSAFE GS105 5 Port Gigabit Switch https://www.wireless1.com.au/netgear-prosafe-gs105-5-port-gigabit-switch?gclid=CM_-sfqgmM0CFYaXvAod-rQP8w

I dont know if what I am asking for makes sense or is even possible?
What would be the best way to do/achieve or get as close as possible to this sort of set up do you think?


 

[TimL]

My Theoretical Setup 1

House Modem/Router

|
|
Netgear Switch
|                                  |
|                                  |
VPN Router     Access Point Router
|                                  |
Smart TV             Everything Else

[TimL]

Theoretical Setup 2 would involved digging in a second Cat6 Cable across to the Garage.

[+BudMan MVC]

why do you have other routers connected via their internet ports.  They are going to be doing nat that way.. Unless they have some mode that bridges their internet connection port to lan/wifi ?

 

You can for sure use wifi router as just AP.  As to what devices have vpn access or not.  You should be able to do that on your edge/internet router via policy based routing.  If that devices supports 3rd party firmware you can do that with say dd-wrt

 

 

[TimL]

Wow, thanks for the quick reply!

Should I take the Access Point router OUT of internet and INTO one of the lan positions?

In the theoretical pictures - Is one design better than the other?

The VPN Router is flashed to DD WRT. I was planning on using just the Samsung SmartTV Netflix App via the VPN. This way I can continue to use the Roku4 on the 1st (non VPN) network with Plex and the Access Point?

Can I use the ethernet switch for both Routers (albeit one is being used more as Access Point than a router)? Or do I have to dig out another trench to the garage for another ethernet cable to support the VPN router?

Edited June 8, 2016 by TimL
Clarity

[+BudMan MVC]

if your going to use them as AP then yes you connect via lan port and disable its dhcp server.

 

Not talking about some downstream router.. Talking about5 the device that is actually connected to the internet..  This is where you would do your policy based routing.  Guess you could do it downstream but your going to be double natting.

 

In your 2nd drawing you have 2 lines running to the garage?  Is that easy to do?  You only need 1..

[TimL]

Doing a second line down to the garage would be horrendous to be honest!

My terrible newbie-ness takes over here - is there an easy explanation on policy based routing for just a smart TV app or even the roku4? The only device I want on the VPN in the garage would be Netflix either via SmartTV App or Roku4 App.

I do use the Plex App on Roku4 though which I think would suffer if its not on the local network and has to download via the internet.

Double natting is what makes the internet connected consoles spit the dummy?

[TimL]

I just switched the Garage WiFi Router out of the Internet port and into LAN 1 and what-do-you-know, it still works haha. Solid advice.

[TimL]

This would be wrong then? I discovered this picture on another forum while doing some research.

[+BudMan MVC]

that setup is double nat, that is one way to skin the cat when your edge router can not do policy based routing.  But now its very difficult for computer 1 to access computer 2 without port forwards.

 

With policy based routing at your edge router, you can have multiple segments on your network.  And then firewall between them if you want, etc.  Or just have 1 flat network internally but route specific traffic out your vpn connection based either on source IP, dest IP or dest port, etc. etc..

 

To be honest if you want to get fancy with your internal network.. While 3rd party firmware goes a long way into making use of the hardware with features the native firmware normally doesn't support like vlans and vpns.. Its very primitive and limited to what it can do compared to say a firewall/routing distro like say pfsense, or ipcop or smoothwall or m0n0wall, etc. etc..

 

I personally run pfsense on a VM on my esxi host this provides all my firewall/router/vpn needs and I have multiple networks internally and can route anything I want to any vpn connections I make in pfsense.

[TimL]

It's really nice of you to put me on the straight and narrow but honestly I have no idea how to use pfsense or esxi host. I've never needed to do networking this complex in the past.

I will have to research further over the weekend. Is there a good place or link to somewhere for some reading material or advice?

[+BudMan MVC]

well you can do it the way your looking at doing it.  You can skin the cat that way if you must.  Any box can be a esxi box pretty much, or you could just use it direct on the hardware.

 

Do you have  spare PC laying around?  Doesn't have to be a rocketship.

 

esxi is free, and pfsense is free.  Just need the hardware to run it on.. which can be put together for a couple of hundred, or even some hardware off ebay for like 50-75, etc..  If you have a old pc you can rock this in a real short time.   I think it will be much easier for you to get a handle on since pfsense is uses a nice web gui to manage.

 

Using a downstream router that ends up being the vpn client really isolates the devices behind it from the rest of your network, which may not be a bad thing?  Your setup 1 will work.  Just make sure that the networks behind your garage routers are different than your man router.  So for example if your main router is using 192.168.0.0/24 then your other routers networks should be say 192.168.1.0/24 and 192.168.2.0/24

 

But your setup1 will work.

[TimL]

Okay for the mean-time I will use setup 1 -- except have the 2 garage routers put into LAN ports?

But I am definitely going to investigate pfsense because it will bug me that I'm not doing it the correct way and I am a stickler for wanting to know more haha.

Thank you for your time, educating the idiots like me.

[TimL]

As my quick-fix until I work out how to Policy Route all of this together

Would it make more sense to go through the Netgear Switch (as is Theoretical Setup 1) or below going through the WiFi Router Access Point?

 

[+BudMan MVC]

If you want to leverage the switch ports on your wnr2000 sure you could do it like that..  But if your wanting the stuff to be on vpn behind your vpn router you would have to connect to its internet connection and let it nat..

[TimL]

Thank you. Exactly the answer I was looking for.

[TimL]

Okay, I'm just capping this thread off in case any other newbies come along with similar ideas. As this forum (and +BudMan) were extremely helpful for me.

The project is complete and successful, but I did want to note that in my instance the WiFi connection from the VPN Router to the Smart TV was insufficient and forced me to run an extra LAN cable direct from the Router to the TV (which was a little (BIG) pain in the ass but got there).

Although I get good internet speeds and fast streaming normally and through the Access Point WiFi - The server my particular VPN Router (ExpressVPN) uses must be over-crowded with people like me wanting to stream US-only content.

The VPN Router speed test via wired LAN was down to 5.2mbps! Not amazing.

So here's the final drawing of my home network. In hope that it might help other newbies like me.

[xendrome]

The house to garage, CAT6? Are they physically connected? Are you in an area prone to lightning?

[TimL]

Prone to lightning? Same as anywhere else i suppose, 2 or 3 storms a year. 

 

The cable is run underground, it looks to be about 2 feet deep and run through conduit. I found it after digging up my driveway. 

 

I unplug my house router when I can during thunderstorms. I had one blow up on me about 6 years ago in a different house, so make the conscious effort now-a-days. 

[+BudMan MVC]

Are we going to start this group loop discussion again?? Connecting 2 buildings with cooper discussion again?

 

All ethernet connections are transformer coupled so the possibility of a groundloop between guys house and garage is just unfounded.  As to lightening strikes..  Good idea to to have copper your running grounded..  Was this conduit metal and grounded?  Did you get a permit for the dig?    If so your city would of brought up any codes and safety concerns.  Since you prob just did it without letting the local authorities know, etc.  Then any possible lightening would be on you.. Are you running power in the same conduit?

 

I would hope since you were running the line that you had looked into the safety/code requirements for your area?  The normal easy solution when connecting buildings is to use fiber.. That way you don't have to worry about any of the possible issues of connecting to buildings with a run of copper.

[TimL]

I did not dig it, the cables were there when I moved in. (its not on the plan however).

The ethernet and electricity are run in different conduits because I can see both exit and enter the house and garage.

The electrical is grounded to a copper rod nailed into the ground just outside the garage and has a sub-board of RCD breakers inside the Garage.

I can't see any grounding for the ethernet.

The garage and the house at closest corners are 17 metres (55 feet) away from each other.

Edited June 19, 2016 by TimL
Clarity

[TimL]

So, I just looked into the ethernet couple transformers. I learn something new everytime I come on here.

Edited June 19, 2016 by TimL

[TimL]

Now that you got me thinking, would it be worth, putting an optic section with converters between the garage and house routers as a safety precaution to the service suppliers hardware?

It wouldnt really be protecting any of my equipment in the garage which I am okay with.

[+BudMan MVC]

as I said your gound loop issue is none existent with how ethernet connects..  The conduit is grounded it sounds like to me..  Sounds like your fine.. If your concerned check with your local building codes.

 

But if you want to run fiber then yes that is the normal method of connecting buildings so any discussion of a possible problem is not needed.  Using fiber just in your house would not be the point, the fiber would be between your house and the garage.. Not seeing the point of tiny fiber run just in your house.  As stated your not actually making direct connection anyway with how ethernet connects.

 

[T3X4S]

Wait - the thing Im confused about is the question about lightning...WTF ?

Isnt every building in the US built within the last 50 years or so, grounded ?  Or is there some other reason for the question ?