Replacing BT Smart hub with VPN router

Hi there,

I am looking to change my current BT Smart Hub to a router I can use with a VPN.

In addition to the BT Smart Hub I subscribe to BT Infinity broadband, I then use x4 Devolo 1200 homeplugs to move the signal around my house, 2 have wireless capability. I actually don't use the wifi on the BT Smart hub (it's switched off) due to some compatibility issues with my music server, therefore I rely on 2 x Devolo plugs to create my wireless network. My broadband comes into the front of my house behind the TV, into the Smart hub before going onto a Netgear 16 port switch (TV, games consoles, BT UHD TV box etc plug into that) before going into a Devolo plug and around the house. I am also a subscriber to Private Internet Access (PIA) and generally I use their apps to connect the VPN (PC, Phone, NVidia Shield TV).

I am interested in changing to a router that I can connect directly to the VPN so I don't need to do it at each device individually. Therefore I think I would need to get a separate modem and router and I have a few questions:
  • Netgear DM200 Modem - will this work with BT Infinity, should I consider anything else? BT's own modem perhaps?
  • Netgear Nighthawk R9000 - router X10 AD7200. I have found a vendor who pre-flashes with DD-WRT - this router looks good, but it's very expensive and it may be overkill. I think I will look at mesh wifi solutions in the medium term, therefore I think I could go quite a lot cheaper as I won't really need the wifi capabilities of the R9000 - does anyone have any suggestions for a cheaper alternative or comments about this?
  • Dual gateway router setup - I think I will need a router that is dual gateway, so some items can connect via the ISP and some via the VPN. Any thoughts or comments on this set-up?
  • DD-WRT or Tomato - any difference, what should I plump for? Is it necessary or even advisable? Should I consider flashing a router myself etc?
As you can tell, my networking knowledge is fairly limited, have I missed anything? Any help or comments are extremely helpful.

Cheers
 
Consumer grade routers without an FPU tend to suck for VPN usage unless you use an insecure encryption standard. Don't pay someone to do something that will take you 5 minutes, especially a significant premium. You don't need a dual gateway router, you do need to understand how to route certain devices via the VPN as for example your consoles and TV box may have issues if routed via VPN. Start by telling us what you want and why (use a little common sense here and stay within the forum rules) and how fast your connection is.
 
Thanks for the reply.

Essentially, I want to use the VPN to keep my comms secure and encrypted, I don’t like the idea of being tracked around the internet and my data being used/sold etc...

As for speed, it's an 80Mbps BT Infinity fibre line, fibre to the cabinet, copper to the door.

In regard to the dual gateway, this may not be the best solution but I did like the idea of it, because I could keep the likes of my PS4 and Netflix on the ISP connection as I know I would have issues in that regard and have a VPN on the rest.
 
I use 3 gateways with my connection. 1 is my ISP WAN, 1 is a VPN with a UK endpoint and the last one is a VPN with a Netherlands endpoint. It's a nice solution to selectively route different IPs and/or IP ranges to different gateways depending on your needs. I'm currently using PfSense running as a VM (with a hardware box for backup).
 
Why are you assuming that tunneling everything over a VPN is going to make a difference to how companies use your data?
 
In regard to the dual gateway, this may not be the best solution but I did like the idea of it, because I could keep the likes of my PS4 and Netflix on the ISP connection as I know I would have issues in that regard and have a VPN on the rest.

So you don’t need two physical gateways. You want policy based routing to say “this IP/MAC via VPN” and “this IP/MAC not” over the same physical interface (effectively your VPN becomes a virtual gateway).

I can’t say I know the tomato or DDWRT firmwares to know how they do this but I do know that the brand name consumer routers won’t be fast enough to saturate anywhere near your 80Mbit connection while en/decrypting traffic. There’s a Mikrotik router recommended on here that is cheap and up to the job but will require a steep learning curve. A quick search should find it.
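The policy-based routing described in the post above, as an added example for a Linux-based router (it is not the poster's code and not how Tomato, DD-WRT or pfSense implement it). Assumed: the VPN tunnel is tun0 with gateway 10.8.0.1, the LAN is 192.168.1.0/24, the routing table number 100 and the two host addresses are constructed; DRY_RUN=1 only prints the commands.

```shell
#!/bin/sh
# Added example (not from the thread): route only selected LAN hosts through
# a VPN tunnel on a Linux router using a second routing table plus ip rules.
set -eu

VPN_IF="tun0"                          # assumed VPN tunnel interface
VPN_GW="10.8.0.1"                      # assumed VPN-side gateway
VPN_TABLE="100"                        # assumed custom routing table number
LAN_NET="192.168.1.0/24"               # assumed LAN subnet
VPN_HOSTS="192.168.1.50 192.168.1.51"  # constructed: hosts that must use the VPN
DRY_RUN="${DRY_RUN:-1}"                # 1 = print commands, 0 = execute (as root)

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Populate the VPN table and add one rule per VPN-only host.
# The 'unreachable' default with a worse metric is a fail-closed fallback: if
# tun0 drops and its default route disappears, VPN-only hosts get an error
# instead of silently falling through to the ISP link in the main table.
apply_vpn_policy() {
  run ip route replace default via "$VPN_GW" dev "$VPN_IF" table "$VPN_TABLE"
  run ip route replace unreachable default table "$VPN_TABLE" metric 1000
  # LAN-to-LAN traffic from VPN hosts must still use the main table (lower
  # priority number is evaluated first).
  run ip rule add to "$LAN_NET" lookup main priority 900
  for h in $VPN_HOSTS; do
    run ip rule add from "$h" lookup "$VPN_TABLE" priority 1000
  done
}

# Source-NAT VPN-routed traffic so it leaves with the tunnel's own address.
apply_vpn_nat() {
  run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$VPN_IF" -j MASQUERADE
}

# Number of hosts the policy covers (handy for sanity checks).
count_vpn_hosts() {
  n=0; for h in $VPN_HOSTS; do n=$((n + 1)); done; echo "$n"
}
```

Hosts not listed in VPN_HOSTS keep using the main table and therefore the ISP gateway, which is the "PS4 and Netflix via ISP, everything else via VPN" split the thread discusses.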
 
I believe BigT is referring to the Mikrotik RB750Gr3, in regards to a router that can handle VPN traffic. It's approximately £50 but would require the use of a modem, either an Openreach fibre modem such as the HG612, or a Draytek Vigor 130. You would also need a wireless access point.
 
I believe BigT is referring to the Mikrotik RB750Gr3, in regards to a router that can handle VPN traffic. It's approximately £50 but would require the use of a modem, either an Openreach fibre modem such as the HG612, or a Draytek Vigor 130. You would also need a wireless access point.

That’s the one! Given the OP isn’t using the WiFi on his existing router then there’s no need for APs.
 
A pfSense box is probably the way to go.

It's a trap!

Technically you are correct, however would you suggest that going to the cost of building/running a pfSense build is the best fit for an OP who clearly states his networking knowledge is 'fairly limited'? The RB750Gr3 isn't exactly user friendly, but it's inexpensive and will route way above and beyond what is required by the OP.
 
Technically you are correct, however would you suggest that going to the cost of building/running a pfSense build is the best fit for an OP who clearly states his networking knowledge is 'fairly limited'? The RB750Gr3 isn't exactly user friendly, but it's inexpensive and will route way above and beyond what is required by the OP.

This was the conclusion I came to. I use pfSense myself and it'll fit the job perfectly but it's not for the faint hearted. @rosscouk if you want to improve your networking knowledge then it would be a worthwhile investment of your time. About £200 buys you a fanless dual NIC mini-ITX computer with an AES-NI compatible CPU (important for VPN and future pfSense compatibility). There's lots and lots of YouTube videos and articles on configuring it and you'll gain a new set of skills that are quite worthwhile. Also your router is agnostic to internet connection so is pretty future proof too. pfSense can also add lots of things like VLANs, ad blocking, proxies and other things that you might find useful in the future.
 
Sounds interesting (pfSense) - I like the idea of knowing a bit more about networking, and perhaps the only way to do that is to get my hands dirty. I will watch a few YouTube videos and see how scared I get...
 
pfSense seemed scary to me to begin with. I learnt from YouTube videos (check out Lawrence Systems, he's really helpful). I started off with a VM on my HP Microserver, and ended up with a £150 Dell R210ii which is an amazing (and slightly overkill) pfSense machine :D But it's quite low power usage. Since setting it up to get a basic internet connection and DHCP, I'm now running a VPN server, VPN client for PIA, Squid proxy, pfBlockerNG and various other bits I learnt mostly from YouTube vids. It's definitely the best option for full control of your network and the flexibility to do exactly as you want.
 
Another vote for pfSense here. I inherited a PE2950 from work that I put a 4 port Intel network card into (£15 from eBay) and haven't looked back. I've created a LAN network for general stuff including wifi and a private network for machines that will connect over VPN. In my case, I am going with NordVPN. Once this is all set up, it's just a case of adding certificates and following a few steps from the provider.

I also use the server for Hyper-V, so run pfSense in a VM.
 
You're really running a 12 year old server with a Core2 generation processor(s) for this?

For a machine that needs to be on 24/7 the power consumption, noise, and relatively low performance would put me off even if it was free.
 
You're really running a 12 year old server with a Core2 generation processor(s) for this?

For a machine that needs to be on 24/7 the power consumption, noise, and relatively low performance would put me off even if it was free.

If you don’t pay the power bills or hate the person who does, power may not be a priority.
 
Plus a C2D is more than powerful enough for pfSense, it doesn't require massive amounts of processing power :)

That really depends on what you need to route (hint: not gigabit) and how many additional services/rules you have running. It’s likely fine for a relatively slow home connection, but if you’re on Gigaclear or similar, running snort etc. and want near line speed VPN, then it’s unsuitable.

Remember the BSD cogs are turning and later this year we’ll see a stable release, from that point onwards it’s only going to be a matter of months till the next major pfSense release. We’ve already seen very clear notice given that AES-NI will be a requirement by that stage and a C2D will be a non-starter. Yes, security updates will still happen, but active development will stop.
 
You're really running a 12 year old server with a Core2 generation processor(s) for this?

For a machine that needs to be on 24/7 the power consumption, noise, and relatively low performance would put me off even if it was free.

I'm using 9% of a SUA2200 UPS. The server also runs File services, test vms and other stuff.

As for VPN, it is near line speed for a 300Mbps connection, so suits me.

When AES-NI becomes a requirement, I already have a plan in place. I'll migrate over to a Haswell machine I have.
 