Router for PPPoE + VPN

Associate
Joined
27 Oct 2009
Posts
1,286
Location
West Sussex
Hi,

Finally got myself full fibre connection installed and can run this in a bridge mode with my own router.
Unfortunately the one I had has been re-purposed for another install so need to sort out a replacement, which will offer some extra benefits.
Got plenty of LAN cables routed so Wifi performance is a secondary factor.

Ideally would like something that will work easily with VPN on the router, ideally even configurable down to individual connected devices (i.e. permanent VPN for specific devices, with non-VPN connection out for others). Don't need gaming functionality etc.

Don't want to break a bank with it, so was thinking likes of Asus RT-AX55?

Any recommendations please?
 
Any recommendations please?
Yes, avoid anything made by Asus if you value your privacy since as a company they just ignore security issues.

What's your budget? VPN for specific devices can't be done on the majority of off the shelf routers, you'd need something like opnsense.
 
Ouch, would not expect that.
I was happy to spend about £100ish, but can lose the VPN for specific devices if it's a major issue. I will then toggle the entire network to be on VPN for periods of time, when I need a few devices on a specific VPN.
Ability to configure and change VPN servers easily would be helpful, and Nord VPN was suggesting Asus routers hence first looking into that.
 
I'd go with a MikroTik, it'll take a little while to get used to the interface, but it's very powerful & pretty affordable too. Can pretty much do everything.
The hAP ac² would probably be the one most fitting to your budget, it's more powerful than the hEX and the hEX S in terms of the throughput it can deliver as well.
Can't speak on how good the WiFi is so you'd have to try it out, wouldn't surprise me if you have to or become more inclined to stick to APs for that...
https://mikrotik.com/product/hex_s#fndtn-testresults

If you want to go overkill then I'd go for the RB5009UG or the newer RB5009UPr but that seems well out of your budget.
 
Last edited:
What's your connection speed? You say you have full fibre, and unless that means something like 300Mbps down you're never going to reach your stated aims. A £100 budget, gigabit(?) FTTP, on-device VPN? Fast, cheap, reliable. Pick any two. As ChrisD says, a second hand Optiplex or similar box off eBay with OPNSense, Linux or BSD on it will do what you want within budget, but I get the feeling you wouldn't want to do that...

If you don't mind VPN being slow (think 50 Mbps overall) then any consumer router will 'do' (albeit not with native policy routing per-client). Avoiding x86 and roll your own, you may do well to find a router that will run DD-WRT well and flash that. You will get your WireGuard VPN, accelerated NAT and much more control that way, but without having to do everything from scratch.
 
What's your connection speed? You say you have full fibre, and unless that means something like 300Mbps down you're never going to reach your stated aims. A £100 budget, gigabit(?) FTTP, on-device VPN? Fast, cheap, reliable. Pick any two. As ChrisD says, a second hand Optiplex or similar box off eBay with OPNSense, Linux or BSD on it will do what you want within budget, but I get the feeling you wouldn't want to do that...

If you don't mind VPN being slow (think 50 Mbps overall) then any consumer router will 'do' (albeit not with native policy routing per-client). Avoiding x86 and roll your own, you may do well to find a router that will run DD-WRT well and flash that. You will get your WireGuard VPN, accelerated NAT and much more control that way, but without having to do everything from scratch.
I've got a 400Mbps down, 200Mbps up link.
My usage is quite simple ;) I don't need to set up an FTTP, would simply like to configure VPN on the router so the internet enabled TV can also run via VPN for some special Netflix content. I have a Nord VPN acc, so this apparently is happy on certain routers more than others.
Certainly don't mind fiddling with the unit to get what I need, had been running Tomato on some ancient 54Mbps router for ages until it essentially died and was well impressed with it.

I have to admit, I'm out of the loop on this completely and with so many new companies on the market I had my eyes on mainstream brands.
 
I've got a 400Mbps down, 200Mbps up link.
My usage is quite simple ;) I don't need to set up an FTTP, would simply like to configure VPN on the router so the internet enabled TV can also run via VPN for some special Netflix content. I have a Nord VPN acc, so this apparently is happy on certain routers more than others.
Certainly don't mind fiddling with the unit to get what I need, had been running Tomato on some ancient 54Mbps router for ages until it essentially died and was well impressed with it.

I have to admit, I'm out of the loop on this completely and with so many new companies on the market I had my eyes on mainstream brands.

If this is basically to get NordVPN on your TV for Netflix, it'd be faster, cheaper and easier to buy a Fire Stick. Unfortunately you just missed Prime Day where they're typically half the price. The NordVPN app works perfectly on Fire Stick 4k, I know that much...
 
On device VPN at near line speed using anything worth while (OpenVPN/Wireguard) is a job for an x86/64 based CPU that can do the crypto in hardware, you're really going to struggle with anything that does it in software. Policy Based Routing (PBR) will allow you to push certain destinations, devices or ports traffic over VPN. I have a box running in a DC, anything on my network touches it, traffic goes via VPN. Any traffic on a certain port from any client goes via VPN. Any client I have tagged with VPN goes via ... well you get the idea. That brings you to OpnSense/PFSense, Untangle, Sophos, and DDWRT.

PF's development team is the gift that keeps on giving when it comes to personal attacks, poor choices, harassment and pushing awful code outsourced to a convicted felon who jumped bail and was extradited under an international arrest warrant; PF then tried to blame the person who pointed out it was awful and re-wrote it because it didn't show them in a favourable light. This is the same team who want to go closed source and are telling people to trust them :eek:

OPNSense is a fork of PF from a previous 'hold my beer' moment, it's been run/managed reasonably well throughout its existence and to the team's credit avoided retaliating even when the pfsense team registered the opnsense domain and subreddit and put up some pretty vile content, as became clear after they took legal action. The UI is better and its integration with other services and taking appropriate steps to introduce wireguard, for example, was the way it should have been done safely. Untangle is useful, but certain options are paid (wireguard for example) and while the basic subscription offers a lot of functionality, the upper tier required for wireguard is expensive for what it is/offers to a home user. Sophos are slow to update, but again you get a hell of a lot for free. DDWRT is very light, it's essentially a router build as opposed to the others which either are, or are intended to be capable of being built out to UTM territory.

ASUS are a marketing company, the support/RMA side is an abomination, bordering on illegal - they literally don't want to deal with RMAs and OCUK has had to step in previously to resolve matters. The networking side is worse still, they literally didn't patch known security holes for years because they couldn't be bothered and only started when a large distributor refused to continue to sell product for them if they didn't. Then they were prosecuted in the US, fined, forced to agree to and pay for external auditing for decades, oh and then it came out they faked FCC test data. Literally the best thing you can do with any ASUS router is flash DDWRT or OpenWRT to it and hope they finally fixed the dry jointing issues on them.
 
If this is basically to get NordVPN on your TV for Netflix, it'd be faster, cheaper and easier to buy a Fire Stick. Unfortunately you just missed Prime Day where they're typically half the price. The NordVPN app works perfectly on Fire Stick 4k, I know that much...
Even at £50 for the Firestick (I'd get the WiFi6 Max version personally) this is probably still your simplest option.
 
As others have said, a Firestick or similar would most likely be the easiest solution if it's purely for Netflix/VOD streaming and refurb units can be picked up fairly cheap.

But if you did want to go down the router route then personal preference would be to grab a newish Draytek and create two separate networks for VPN and non-VPN traffic. But it's not a particularly cheap solution and a bit of a learning curve, and something like a hAP ac², as @*seven mentions, would most likely do what you need albeit with a similar learning curve.
Alternatively, DD-/OpenWRT.

On device VPN at near line speed...
I appreciate that's useful for "downloading" but as Netflix UHD is around the 25/30Mbps area, does the OP need line-speed tunneling?
 
I appreciate that's useful for "downloading" but as Netflix UHD is around the 25/30Mbps area, does the OP need line-speed tunneling?
I had typed the reply on Monday before that became part of the criteria, sadly I got distracted and came back to the tab 3 days later :eek:
 
I had typed the reply on Monday before that became part of the criteria, sadly I got distracted and came back to the tab 3 days later :eek:
I know the pain of multiple tabs.. notoriously bad with it haha.

Thanks all for great inputs.
@Rainmaker, @Avalon I may have simplified this a bit too much so not so sure a Fire Stick will do here.
Let's be a bit more specific than that:

Wireless devices:
Mobile phones
Tablet
Switch
Laptops

Out of above, both the tablet and laptops may have the need for VPN use as I would access the video streaming services (not just Netflix) 'from' at least 2 countries. On both occasions NordVPN app is present and usable so at least the problem is somehow removed.

Wired devices:
PC(s)
Smart TV (old, nearly 10y now, will soon be replaced for new one, with this one likely given an upgrade with Tv Box, was thinking of Xiaomi Mi Box)
Sat TV Box

All would potentially use the VPN connection. Sat TV Box could have a permanent push to a single non-UK server so it allows online content (otherwise servers detect out-of-UK access and don't let this proceed).
PC can always use the Nord VPN app - no biggie.
Smart TV would occasionally (30% of running time) use VPN and not, and this link without an additional way to manage the VPN connection is not possible.

Oh, and currently don't expect to use max available bandwidth with VPN servers, don't believe they would even be able to offer that kind of speed.
 
Untangle will do what you want. When client X uses traffic Y then use VPN Z. That might not be included in the free version though.
 
Untangle, MikroTik RB4011 or MikroTik RB5009 but as @ChrisD. points out, only Untangle gives you the option in a straightforward way. I believe you would need the $50/year Home licence to use the VPN features, or the $150/year version if you wanted WireGuard but you say you're using Nord so the cheap one should do it.

whereas the process is a little more involved with MikroTik.

 
As long as you are willing to accept OpenVPN or similar rather than WireGuard, the free version of Untangle will do what you want easily. For example:

All traffic from a specific device goes via VPN
All traffic with a specific destination via VPN
All DNS traffic for everything goes via VPN
All traffic on a specified port goes via VPN
All devices tagged with XYZ go via VPN1, all traffic tagged with 123 goes via VPN2

You can have multiple different VPN tunnels with different end points (handy as you mention geo-restriction on the sat side). The other obvious advantage with this is you can do the encryption on the router, so the client doesn't need to manage the encryption overhead and you can do VPN on devices that wouldn't normally support it while leaving everything else to go out normally - this prevents orders being flagged as potential fraud, which is both annoying and problematic, and things like iPlayer etc. will still work. You can do the same on OPNSense and PFSense, but Untangle is very easy to work with. The trade-off is you will need a PC with AES-NI to get near line speed. You can virtualise it if you have a suitable environment.
 
Last edited:
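The "all traffic from a specific device goes via VPN" rule described above, shown on a plain Linux router (iproute2 + iptables, as DD-WRT ships) as an added example, not Untangle's configuration or code from anyone in the thread: listed client addresses are fwmark-ed and policy-routed through the tunnel interface, and a kill-switch rule rejects their traffic on the WAN so a dropped tunnel fails closed instead of leaking. The interface names, table id, mark value and client addresses are constructed assumptions; the script only prints the commands, to be run on the router once the tunnel is up.

```shell
#!/bin/sh
# Constructed example: emit per-device policy-routing commands for a Linux
# router using iproute2 + iptables. Devices passed as arguments are forced
# out through the VPN tunnel; if the tunnel is down their traffic is
# rejected rather than sent over the WAN. Names/numbers are assumptions.

gen_pbr_rules() {
    # $1 = tunnel interface, $2 = WAN interface, $3 = routing table id,
    # $4 = fwmark, remaining args = client IPs that must use the VPN
    tun=$1; wan=$2; table=$3; mark=$4; shift 4
    echo "# lookups for fwmark $mark use table $table, whose only default route is $tun"
    echo "ip rule add fwmark $mark lookup $table priority 1000"
    echo "ip route replace default dev $tun table $table"
    echo "ip route flush cache"
    # loose reverse-path check on the tunnel so replies to marked flows are accepted
    echo "sysctl -w net.ipv4.conf.$tun.rp_filter=2"
    echo "iptables -t nat -A POSTROUTING -o $tun -j MASQUERADE"
    for ip in "$@"; do
        echo "# $ip: mark in PREROUTING so the ip rule above selects table $table"
        echo "iptables -t mangle -A PREROUTING -s $ip -j MARK --set-mark $mark"
        echo "# kill switch: never forward this client out of $wan, even if $tun goes down"
        echo "iptables -I FORWARD -s $ip -o $wan -j REJECT"
    done
}

rule_count() {
    # number of actual commands (non-comment lines) the generator emits
    gen_pbr_rules "$@" | grep -vc '^#'
}

# Constructed sample: sat box and smart TV pinned to tun0; other LAN hosts unchanged.
# LAN-to-LAN traffic still works because table 100 has no LAN route, so the
# lookup falls through to the main table.
gen_pbr_rules tun0 eth0 100 0x1 192.168.1.50 192.168.1.51
```

Pipe the output into `sh` on the router after the tunnel interface exists; for WireGuard substitute the `wg0` interface name.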
As long as you are willing to accept OpenVPN or similar rather than WireGuard, the free version of Untangle will do what you want easily. For example:

All traffic from a specific device goes via VPN
All traffic with a specific destination via VPN
All DNS traffic for everything goes via VPN
All traffic on a specified port goes via VPN

You can have multiple different VPN tunnels with different end points (handy as you mention geo-restriction on the sat side). The other obvious advantage with this is you can do the encryption on the router, so the client doesn't need to manage the encryption overhead and you can do VPN on devices that wouldn't normally support it while leaving everything else to go out normally - this prevents orders being flagged as potential fraud, which is both annoying and problematic, and things like iPlayer etc. will still work. You can do the same on OPNSense and PFSense, but Untangle is very easy to work with. The trade-off is you will need a PC with AES-NI to get near line speed. You can virtualise it if you have a suitable environment.

You are correct (as usual). I just checked and OpenVPN and TunnelVPN are both included in the free version of Untangle.

The $50 version gets you IPSEC and the $150 version adds Wireguard.
 