Router level VPN and VLAN setup

[jkirkcaldy]

So this is the situation as it stands. I live in the UK and they have just passed some really questionable laws on data privacy and data collection/hoarding meaning your ISP has to log all your data. So I go out and immediately subscribe to a VPN service because it just doesn't sit right with me.

 

I am moving house in a couple of weeks and I will be redesigning our network infrastructure to make it more reliable and robust and whilst I am at it I have been looking into setting up the VPN on the router level to protect every device in the house. Now whilst this is great for privacy etc as a household we all have subscriptions to Netflix and Amazon Prime etc. 

 

Netflix doesn't like you using a VPN to access their servers, even if you access it from the same country that you live in, so my question is:

 

Is it possible to create two separate VLANs one for devices that people want to be protected by the VPN and then another one that we can connect things like games consoles and apple tv type devices to so they can reach netflix without issues. 

 

I'm fairly certain that it is possible but what sort of equipment will be needed to make it work. I'm assuming that it will be a managed switch and a couple of access points for wireless devices. But will I need a separate router for each VLAN?

 

Or am I just making this really complicated and I should just resign to using the VPN on a per device basis?

[Falconevo]

It is completely possible, but you will not likely find a residential based router/firewall to allow for this kind of functionality.

 

What ISP are you going with and what router platform are you planning on implementing?

 

Managed/Smart switches will be an obvious requirement here, but if you can give me a little more info I may be able to advise further.

[jkirkcaldy]

The plan long term is to replace all the networking gear with more of a pro-sumer level kit. 

 

ISP will be Origin Broadband who provide an Asus router, https://www.asus.com/uk/Networking/DSL-N16/ which will likely just be used as a modem.

 

my plan once I'm settled is to get something like the Ubiquiti USG along with a matching POE switch. (Probably this one) I already have the Unifi Access points and would manage the whole network through the cloud controller software.

 

But if this isn't necessarily the best way to go then I am open to other options. But I ideally will be looking at spending £100 - £150 on a router and around £200 on a switch. I am also scouring ebay to look for a decent used switch on ebay to save a few ££ but they can be as expensive as buying new because of enterprise features that are way more advanced than I would ever need.

 

I'm also open to the idea of buying a router to flash with DD-wrt or buying a pre-flashed WW-DRT router. 

 

I have also been looking at this switch with the possibility of adding 10gbe to my server https://www.broadbandbuyer.com/products/25396-tp-link-t1700g-28tq/

 

[Falconevo]

The router supports (PPTP/L2TP) which is a client side VPN as its unlikely you will purchase a site-2-site from VPN providers.

How you get the devices to route all traffic via the VPN connection will either need to be done on the client with a modification of the routes and/or management in the Asus device (I'm unsure if it even supports this but it claims pass-through so maybe?)

[jkirkcaldy]

I will have to look into it deeper when I get my hands on the router. Like I said though I will probably replace it with some more heavy duty gear as that router alone won't cut it for our usage anyway. Not unless I can persuade everyone in the household to be hard wired.

[leadeater]

Purchase a local VPS Linux server and setup a VPLS connection to that using something like a Ubnt ERLite? VPLS is a bit nicer than a standard VPN tunnel as it's any-to-any so you can purchase multiple VPS servers in different locations and setup rules to route traffic out to different places.

[jkirkcaldy]

I already have a VPN subscription so i would ideally use that. I'm not necessarily fussed about which country the VPN goes to just as long as whatever the government is logging now has nothing to do with my identity. So I am not worried about getting US netflix, I just want it to work whilst protecting as many devices as I can in the network. 

[leadeater]

You'll need a router that supports Policy Based Routing so you can make devices use the paths you what i.e. VPN or standard. Do have a shop around for VPS providers though, see what the pricing is like as it might be cheaper plus you'll have total control meaning only you will have your VPN logs.

[jkirkcaldy]

I will keep VPS in mind for when my subscription comes up for renewal.  

 

 

[NZLaurence]

Any Cisco ios router or mikrotik unit can do what you are asking (basic vrf or acl's would work). I have done something similar with a basic Cisco 800 series using a VDSL and 3G connection. Some devices would route over a VPN some over the VDSL based on source Mac address and traffic type. The tricky part of that was failing the VPN over to the 3g and then only allowing a small subset of of devices to use that tunnel.

 

When you start to play with these devices to do this sort of thing it is normally in the CLI so you will need to play.