Networking question

Agent Smith

Well-Known Member
I have a Comcast modem that's bridged to an Asus N66U router. I intend to buy another N66U or some other Asus variant with the AsusWRT firmware and use that router with a VPN only. That way I have two WiFi networks: one with no VPN and the other with a VPN. What would be the right way to connect this second router to my primary router? I was thinking about bridging the second router to my first, but I have other devices on the first router using NAT. I also thought about getting a simple switch. What say you?
 
Just one-arm it off one of the LAN ports of the existing router into the WAN port of the new router. Then you don't have to mess with routing policies for that SSID and similar.
 
I don't understand your use of SSID. I plan on having two different WiFi networks using two different WiFi channels. One will, say, be using channel 11 and is the VPN router, and the other will be on channel 6 and is not a VPN router. Each will have its own SSID. Although, I think the VPN router will be AC 5 GHz. I need a fast CPU in the router for Kodi, and the Asus routers that have a fast CPU are all AC. So I might as well separate the two WiFi networks by frequency band.

Isn't plugging the ethernet cable from the LAN port into the WAN port an improper way of doing this? I think it would cut my speed in half? If I can do that without any issues then that's what I'll do.
 
Yes, what you defined was already very obvious.

With the usage plan you have and the equipment you plan on using, that's the only real seamless way to get what you want.

If you used the LAN port on each device, all of your hosts would be on the same subnet, so it wouldn't matter which SSID they connected to. You'd have to manually juggle host routes on each PC to flop between the VPN gateway and the non-VPN gateway.

Bridging your current router is also a fail since you will lose connectivity for other hosts out of your non-VPN router as the VPN router will be the only device obtaining a WAN IP.

I don't understand what an unmanaged switch would give you in the context of wireless and SSID segregation.

If you had equipment for VLANs and access points that could broadcast multiple SSIDs (which would actually be preferred), you'd also have to add some PBR policies on the gateway to indicate 'the next hop for traffic from this VPN-secure SSID subnet goes over the tunnel instead of the internet'.

Using the LAN->WAN approach gives your VPN subnet its own unique subnet behind a NAT of your original network. The router can form the VPN tunnel through the NAT (usually known as NAT-T), and any clients connecting to that SSID can use the tunnel, since their default gateway is the device on which the VPN tunnel terminates, without having to change anything on the client device.
I think it would cut my speed in half?
Please provide a technical reason why you believe this.
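A small sanity check for the LAN->WAN (double NAT) design described above, added here as an example and not part of anyone's post: it flags the addressing mistakes that break the chain (the second router's WAN not sitting on the primary LAN, or both routers sharing the same LAN subnet) and shows that a client's egress path is decided purely by which subnet it joined. All addresses are constructed assumptions.

```python
from ipaddress import IPv4Network, IPv4Address

# Constructed sample addressing (assumptions, not from the thread): the primary
# router keeps its LAN, the VPN router's WAN takes an address on that LAN, and
# the VPN router's own LAN uses a different private range.
PRIMARY_LAN = IPv4Network("192.168.1.0/24")    # non-VPN WiFi, behind the primary router
VPN_ROUTER_WAN = IPv4Address("192.168.1.50")   # one-armed off a primary LAN port
VPN_LAN = IPv4Network("192.168.50.0/24")       # VPN WiFi, behind the second router


def validate_double_nat(primary_lan: IPv4Network, vpn_wan: IPv4Address,
                        vpn_lan: IPv4Network) -> list[str]:
    """Return the design problems with a LAN->WAN router chain (empty list = OK).

    The second router's WAN must sit on the primary LAN, and its own LAN must be
    a different subnet: identical LANs on both routers (easy to end up with when
    both ship with the same factory default) leave the second router unable to
    tell its WAN side from its LAN side.
    """
    problems = []
    if vpn_wan not in primary_lan:
        problems.append(f"VPN router WAN {vpn_wan} is not on primary LAN {primary_lan}")
    if vpn_lan.overlaps(primary_lan):
        problems.append(f"VPN LAN {vpn_lan} overlaps primary LAN {primary_lan}")
    if not (vpn_lan.is_private and primary_lan.is_private):
        problems.append("both LANs should use RFC 1918 space")
    return problems


def egress_for(client: IPv4Address, primary_lan: IPv4Network,
               vpn_lan: IPv4Network) -> str:
    """Which path a client's default route takes; only the subnet it joined matters."""
    if client in vpn_lan:
        return "vpn-tunnel"   # default gateway is the VPN router, which owns the tunnel
    if client in primary_lan:
        return "isp-direct"   # default gateway is the primary router, plain ISP path
    return "unknown"


if __name__ == "__main__":
    print("design problems:", validate_double_nat(PRIMARY_LAN, VPN_ROUTER_WAN, VPN_LAN))
    for host in ("192.168.50.20", "192.168.1.20"):
        print(host, "->", egress_for(IPv4Address(host), PRIMARY_LAN, VPN_LAN))
```

A client on the VPN SSID never needs a host route of its own; the same check with VPN_LAN set equal to PRIMARY_LAN reports the overlap that makes the LAN->LAN variant need per-host route juggling.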
 