Use VPN on one port only?

I’m interested in making a setup where most devices are on a VPN and a select few aren’t. I have an ERX and basically want to have 2 switches plugged into eth1 and eth2. One would be for all the devices I want to be on the VPN, the other no VPN. If, let’s say, eth1 will be the VPN switch, is it possible to push OpenVPN on the ERX to that port only? I can’t find any info on this, maybe because it isn’t possible?

Also this isn’t Ubiquiti related, but if the above is possible, I wonder if devices that use Syncthing that are on eth1 and eth2 will have a problem syncing?

Thanks for the help!

This is totally possible, I wouldn’t recommend doing it though. The comment about VLANs is completely useless though. That has absolutely nothing to do with what you’re looking for. Unfortunately there’s a ton of people on this subreddit who want to be helpful but have no clue what they’re talking about.

Any time you have a routing decision based off of anything other than the destination IP address you need to use policy based routing (technically you could have multiple virtual routers but that’s just being pedantic). Rather than have this on two physical ports on the router I’d recommend rethinking this in terms of source MAC addresses or have those hosts in a different subnet entirely.

Either way if you wanted to do this you either need to learn quite a lot about the subject (no offense, but your post makes it sound like you have a basic understanding of networking).

https://help.ubnt.com/hc/en-us/articles/204952274-EdgeRouter-Policy-based-routing-source-address-based-

To expand further since obviously my original comment couldn’t be fully deciphered by some, here it goes. First, a quick Google search for VLANs will show you this is exactly what you want. VLANs are used to segregate network traffic based on ports. One port with a switch will have all VPN devices, and another port with a switch will have all non-VPN devices. You can use VLANs to segregate network traffic between the ports. Here’s something to get you started: https://help.ubnt.com/hc/en-us/articles/222183968-Intro-to-Networking-Introduction-to-Virtual-LANs-VLANs-and-Tagging. All you have to do then is make sure your VPN connection is only routing through the one interface that you want to have a VPN connection on.

Edit: Here’s a guide that even shows you how to set up a site-to-site VPN on the ERX. If your VPN server isn’t another ERX then you only have to do half the work, as you’re only configuring your local ERX then. https://help.ubnt.com/hc/en-us/articles/115011377588-EdgeRouter-IPsec-Route-Based-VTI-Site-to-Site-VPN#policy%20vpn

Before you go around throwing “That has absolutely nothing to do with what you’re looking for. Unfortunately there’s a ton of people on this subreddit who want to be helpful but have no clue what they’re talking about,” I’d do a little research if I were you and maybe try to understand OP’s post. OP doesn’t want complicated routing rules based off of MAC addresses. He wants to plug devices in one switch to route them through the VPN and another switch to not route them through the VPN. See my new comment on the details (basics) of how VLANs work and how they apply in this situation.

> He wants to plug devices in one switch to route them through the VPN and another switch to not route them through the VPN.

He wants the routing decision to change based off of something other than the destination IP address. This by definition requires policy based routing.

> VLANs are used to segregate network traffic based on ports.

Spoken like someone who has no clue what VLANs are or why they’re irrelevant here. Also, to add to this, he’s talking about a separate interface entirely, that’s not a separate VLAN and if you had actually read your own link you would know this. The segregation they’re talking about is moving things into a separate subnet so you can use firewall rules on the router to block certain traffic.

You can’t change routing decisions with a firewall rule alone though, it’s fundamentally not how a firewall works. You need PBR to change the routing table based on a firewall rule, there’s no getting around that.

Personally I manage the networking for 8 separate locations all joined together via a VPN all on Ubiquiti hardware. We have ~60 different VLANs and 15 different VPN links using a mix of IPsec VPNs and OpenVPN like OP was asking about. We also have multiple WANs at a couple locations and use PBR to do something very similar to what OP is requesting. I’ve actually done this, you clearly have almost no exposure to even something as simple as VLANs. If you’re not a networking professional, stop misleading people with your moronic suggestions.

But if you still think you’re even close to correct, why don’t you post some actual configuration. You claim that VLANs are somehow the answer here, so prove it. Post the actual config needed for an EdgeRouter to route traffic through a VPN based on the physical port sometime in the next day. When you can’t do that in a day I’ll post the actual solution, with all the commands necessary to do exactly what he’s asking for. /u/surf9012, if you want me to give you commands specific to your existing configuration on the ports and subnets that you’re already using, you’ll need to post your config. You can do this by logging into the CLI and typing

```
show configuration
```

RemindMe! 1 Day

I will be messaging you on 2018-02-03 21:06:19 UTC to remind you of this link.


Ugh, you’re very right about me having basic networking knowledge. This project is way above my head. I’m gonna try and learn about policy based routing as you suggested. Thanks for your time to respond.

Oh hey, I never got the reminder for this. Do you still want the config for it? It is a bit complicated but there may be a way to simplify things a bit. You could ditch the idea of using the physical port and just have a block of IP addresses in your main subnet that route to the separate routing table. It should make the throughput loss negligible for non-VPN traffic and the VPN isn’t going to be fast anyways so you might not even notice the impact on it.

For devices that you wanted to go through the VPN you would just assign a fixed IP address for them on the DHCP server separate from the rest of your devices, i.e., your DHCP server would hand out addresses from 192.168.1.64 to 192.168.1.127 and any IP from 192.168.1.128 to 192.168.1.159 would be routed through the VPN.

The rough commands needed would be something along the following lines.

```
set protocols static table 10 route 0.0.0.0/0 next-hop 1.2.3.4
set firewall modify VPN_ROUTE rule 10 destination address !192.168.0.0/16
set firewall modify VPN_ROUTE rule 10 source address 192.168.1.128/27
set firewall modify VPN_ROUTE rule 10 modify table 10
set interfaces switch switch0 firewall in modify VPN_ROUTE
```

The VPN would of course be separate and that 1.2.3.4 would need to be changed to whatever the default route for the VPN was but you get the drift. In order to add a device to the VPN route you would just go to the services tab in the GUI, open up the DHCP server for your LAN, go to the lease for the device and click on “Map Static IP” and just give it the next open IP address in 192.168.1.128/27.

This also has the advantage that stuff like Syncthing will work just fine, as all of the devices are in the same subnet, just different parts of it. If you post your config we can tailor that to how you already have your network set up. Either way though, this kind of stuff can make troubleshooting harder in the future if you don’t understand it, but do you actually have an interest in learning this kind of stuff? More important than understanding it now is having a passion for learning more about this kind of stuff; you can learn PBR, but you need to actually want to learn it first.
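The rule set quoted above, worked through as an added example (not code from the thread or from Ubiquiti): a small evaluator that parses the `set firewall modify ...` lines, applies them to constructed sample flows with first-match semantics (ascending rule number, no match means the main table), and shows why the negated destination `!192.168.0.0/16` matters: without it, LAN-to-LAN traffic such as Syncthing between the VPN block and the rest of the subnet would also be pushed into table 10. Only address matching is modelled; other EdgeOS match criteria (protocol, ports, marks) are left out.

```python
import ipaddress

# Constructed copy of the modify rules quoted in the comment above.
# The rule set is applied on ingress of switch0 ("firewall in modify VPN_ROUTE").
CONFIG = """
set firewall modify VPN_ROUTE rule 10 destination address !192.168.0.0/16
set firewall modify VPN_ROUTE rule 10 source address 192.168.1.128/27
set firewall modify VPN_ROUTE rule 10 modify table 10
"""

def parse_modify(config: str, ruleset: str) -> dict:
    """Collect rule number -> {'source'/'destination': (network, negated), 'table': int}."""
    rules = {}
    for line in config.strip().splitlines():
        parts = line.split()
        if parts[:3] != ["set", "firewall", "modify"] or parts[3] != ruleset:
            continue
        rule = rules.setdefault(int(parts[5]), {})
        if parts[6] in ("source", "destination") and parts[7] == "address":
            negated = parts[8].startswith("!")          # "!" inverts the match
            rule[parts[6]] = (ipaddress.ip_network(parts[8].lstrip("!")), negated)
        elif parts[6:8] == ["modify", "table"]:
            rule["table"] = int(parts[8])
    return rules

def _matches(rule: dict, field: str, addr: str) -> bool:
    if field not in rule:
        return True                                      # no condition on this field
    net, negated = rule[field]
    return (ipaddress.ip_address(addr) in net) != negated

def select_table(rules: dict, src: str, dst: str):
    """Return the routing table a flow is sent to: an int table id or 'main'."""
    for num in sorted(rules):                            # EdgeOS evaluates rules in order
        rule = rules[num]
        if _matches(rule, "source", src) and _matches(rule, "destination", dst):
            return rule.get("table", "main")
    return "main"

if __name__ == "__main__":
    rules = parse_modify(CONFIG, "VPN_ROUTE")
    # VPN-block host to the internet (203.0.113.10 is a documentation address) -> table 10
    print(select_table(rules, "192.168.1.130", "203.0.113.10"))
    # VPN-block host to a Syncthing peer in the DHCP pool stays local -> main
    print(select_table(rules, "192.168.1.130", "192.168.1.70"))
```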

I finally got around to dumping some time and effort into this and ended up figuring it out. Thank you for pointing me in the right direction.

After dumping 11 hours of time into countless trial and error, what I ended up doing is creating 2 LANs and routing VPN traffic through only one of them. I tried doing what you suggested above, but probably because I missed something, I couldn’t get an internet connection on the non-VPN range, but the VPN range worked fine.

The only downside is in order to use Syncthing I have to physically plug one of my devices into a different switch. Maybe there’s a workaround, I’ll look into it later, but at this point after the amount of time I dumped into this I’m just happy it works as intended. Thanks for the help again.