Edgerouter-x VPN on a specific port

I currently have eth0 as the Internet connection. My patch panel connects to an unmanaged switch, and this switch is plugged into eth1. eth2 and eth3 are currently plugged into two devices directly, but I’ll be installing another switch behind the eth1 switch so that those ports can be freed up.

This leaves me with eth2, eth3 or eth4, which I can use to set up a VPN connection. I will be plugging in an unmanaged switch (most likely on eth2, but I could use any of them), and this switch will have my device that requires VPN access.

What I would like to do:

Set up a VPN connection on only this port, so that devices connected to the switch on this port have VPN access, without giving them access to any other devices on my other switch.

Would this be possible with the edgerouter-x?

What… What are you attempting to achieve here? What is the purpose of this VPN? Do you want to set up a server or a client? Are you sure you didn’t mistake VPN for subnet? What you wrote down is a “little” confusing.

The VPN is for the device (so, I guess a client) to connect to the work network.

I’ve updated the post a little to clarify.

Ok, let’s take it in steps. In order to isolate the device from your current network, do this.

  1. Remove the desired interface from the ER-X’s internal switch and give it an address from a new IP range. Then go to Services > DHCP Server, copy your current DHCP server and edit it so that it services the newly created network (set it in the same range as the address of the port, by editing the second octet from the right to match).

  2. Go to Firewall/NAT > Firewall Policies and create a new firewall ruleset. The default action will be drop; pick the port you gave the new IP address as the interface to apply this ruleset to, and choose direction local. Save the ruleset, then edit it by adding two rules. One will be action accept, destination port 53, protocol UDP. Then copy this rule and change the port number to 67. This allows the newly created network to access the router for DHCP and DNS.

  3. Go to Firewall/NAT > Firewall Policies and create another new firewall ruleset. The default action will be accept; pick the same port as the interface to apply this ruleset to, and choose direction in. Save the ruleset, then edit it. Add a rule as follows: action accept, all protocols, and under Advanced tick “established” and “related”, then save the rule. The second rule to create here is action drop, all protocols, and under Destination fill in the address field with the network IP of your main network. For instance, if your main network were 192.168.4.0, you would put this network range in this field followed by /24 to specify the subnet mask, resulting in the entry 192.168.4.0/24. Your settings will of course vary.

Since you already have multiple switches on your network, I would advise buying new managed switches to take advantage of VLANs. Their isolation is the same as stated above, only you’d select switch0.x as the interface instead of the port on the router. The next step would then be setting the switches up. I use the GS1200 series from Zyxel on account of their well-made GUI.

Now, there are two basic types of VPN, site-to-site and client-server. In order to determine which needs to be used, I need to know what device you want to connect to your work network and what its purpose is. Also, if you have UniFi APs and the client is a laptop, there is a more elegant way to achieve what you want. Go ahead and implement what I wrote so far, as it would be used anyway.

If the desired device has a fixed IP set from the device itself, do I still need to set up the DHCP server?

Just realized I’ve got a ZyXEL GS1900, which I didn’t realize was managed, so that means I can plug the current unmanaged switch into the ZyXEL, and set up a second switch, which will also plug into the ZyXEL. The ZyXEL plugs into the EdgeRouter-X with a single wire. Does this change any of the instructions anywhere?

Also, how would I set up the ZyXEL, now that I have basically the same switch as you?

Very little, and this is why I stopped here. We’ll create a VLAN.

Undo the first thing I told you, but keep the DHCP. Then click Add Interface and select VLAN. In the newly opened window, set the VLAN ID to any number but 0 or 1 (as these tend to identify the base VLAN), select Switch0 as the interface, and manually give it an address. The last field is clickable, and the option to do just that is the lowest of them all. Preferably use the same address that the port used to have. The address must be from the same address range, but outside the range of the DHCP server! This will create interface switch0.x.

This will turn all ports on that switch into trunk ports. Any NIC connected to the router will receive an address from your native VLAN, but VLAN-aware NICs can be configured to access other VLANs too.

Finally, as stated above, you need to change the firewall rulesets created earlier to apply to the VLAN. Simply go to Firewall/NAT > Firewall Policies and edit the two rulesets created earlier, which at this point apply to the port you selected. For each of the two rulesets, go to the Interfaces tab and change the interface from the port to switch0.x, where x stands for the number you entered when creating the VLAN and serves to identify the VLAN on the network.

You’re in luck, I happen to also have that switch, but make no mistake: the GS1200 series and GS1900 series are completely different categories. Their GUIs are nowhere near similar, and I actually think that the GS1200 has it better, simpler.

The easiest way to set up VLANs is through the “Getting Started” menu; there is an icon in the wizard section. Click the VLAN icon and a dialog window will appear. Put in the same number you selected in your router (this will tell the switch to look for that ID), then click Next. In the second step, the switch will want you to specify which ports should be which for this VLAN.

There are two options: Tag and Untag. Untagged ports are access ports, into which you connect devices; traffic over these ports doesn’t carry the identifier and is tied to the VLAN you want to use on that port. Tagged ports carry this identifier and are used in two scenarios: one, connecting to the router or to an upstream switch, and two, connecting a VLAN-aware device, such as a server which would serve multiple VLANs, or a VLAN-aware WiFi AP, such as the UniFi line. You’ll notice that there is one field I haven’t spoken about yet, and in this field are icons of all the ports. Drag the ports you want to use in the VLAN; one should be selected as tagged and will connect to the router. The other should be untagged and will connect to the device.

In the third step, the wizard will ask you to confirm the changes. Simply confirm.

Finally, you need to exclude the untagged port from VLAN 1 (which is the default VLAN in these Zyxel switches; that is why you must not use it as the VLAN in the EdgeRouter, where the default VLAN is 0). Click the wizard icon again and select the VLAN ID from the drop-down selector in the right half of the window, then find the port you selected as untagged for the newly created VLAN and drag it to the leftmost field. This way, you’ll exclude that port from the base VLAN, and the port will now only work for that one VLAN you created earlier. And with this, you’re done.

I don’t recall now whether the switch permits the same untagged port on multiple VLANs (some vendors allow that, some don’t). If the switch refuses to apply the changes, you’ll need to do this in reverse order, because the untagged port needs to be excluded from the native VLAN first in order to be untaggable in any other.

Finally, connect the device to that specific port you chose to be untagged for VLAN X on your switch and check the DHCP server in your EdgeRouter. If everything was done correctly, you’ll see that the guest DHCP server has issued a new lease, meaning the connected device has an IP address and can access the router and, through it, the Internet.

I recommend always using DHCP servers. The reason is, with devices moving so much these days, it’s the default setting for everyone. In this tutorial, we used it as a quick check of whether the device connected and the switch is set up correctly. Furthermore, if you were to move with this device and work from somewhere else (like a café or something), your device wouldn’t work, because most places don’t do due diligence and don’t change the default settings of their WiFi routers, leaving you with about a 50-50 chance that your device would work on their network, plus there is a chance of an IP address conflict in the network.

Static addresses should really be used only on devices which are to be connected to through the network. Things like routers, switches, print (or other) servers, cameras or VoIP phones fall into this category, but not things like workstations or phones. Plus, you can always reserve an address for any device within the DHCP server itself. There is really no reason not to use it.
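The same isolation, as it is typed into the EdgeOS CLI rather than clicked through the GUI. This is an added example and not part of the thread above; it covers both the three-step port isolation (DHCP, the “local” ruleset, the “in” ruleset) and the later change of moving those rulesets onto the VLAN interface switch0.x. It assumes VLAN ID 10, an isolated subnet of 192.168.10.0/24 with the router at 192.168.10.1, and the main LAN 192.168.4.0/24 from the poster’s example; the names VPN_LAN, VPN_LOCAL, VPN_IN and PRIVATE_NETS are chosen here and are not from the thread. It also assumes the existing outbound masquerade NAT rule on eth0 is not restricted to a source address, so the new subnet reaches the Internet through it. The commented-out network-group at the end goes beyond the post: it drops new connections to every RFC 1918 range instead of only the one main /24, so a second internal subnet added later does not become reachable by accident.

```text
configure

# 1. VLAN interface on the internal switch (the GUI "Add Interface > VLAN" step).
#    With vlan-aware left off, every switch port carries VLAN 10 tagged and the
#    untagged (native) traffic stays where it was.
set interfaces switch switch0 vif 10 description "VPN-ISOLATED"
set interfaces switch switch0 vif 10 address 192.168.10.1/24

# 2. DHCP and DNS for the isolated network (the copied DHCP server).
set service dhcp-server shared-network-name VPN_LAN subnet 192.168.10.0/24 default-router 192.168.10.1
set service dhcp-server shared-network-name VPN_LAN subnet 192.168.10.0/24 dns-server 192.168.10.1
set service dhcp-server shared-network-name VPN_LAN subnet 192.168.10.0/24 lease 86400
set service dhcp-server shared-network-name VPN_LAN subnet 192.168.10.0/24 start 192.168.10.100 stop 192.168.10.199
set service dns forwarding listen-on switch0.10

# 3. "local" ruleset: traffic from the VLAN to the router itself.
#    Default drop keeps the router's GUI and SSH off-limits; only DHCP and DNS pass.
set firewall name VPN_LOCAL description "VPN VLAN to router"
set firewall name VPN_LOCAL default-action drop
set firewall name VPN_LOCAL rule 10 description "DNS to router"
set firewall name VPN_LOCAL rule 10 action accept
set firewall name VPN_LOCAL rule 10 protocol udp
set firewall name VPN_LOCAL rule 10 destination port 53
set firewall name VPN_LOCAL rule 20 description "DHCP to router"
set firewall name VPN_LOCAL rule 20 action accept
set firewall name VPN_LOCAL rule 20 protocol udp
set firewall name VPN_LOCAL rule 20 destination port 67

# 4. "in" ruleset: traffic from the VLAN forwarded through the router.
#    Default accept (Internet works), replies to existing flows pass,
#    new connections into the main LAN are dropped. Rule order matters:
#    established/related is evaluated before the drop.
set firewall name VPN_IN description "VPN VLAN forwarded"
set firewall name VPN_IN default-action accept
set firewall name VPN_IN rule 10 description "Allow established/related"
set firewall name VPN_IN rule 10 action accept
set firewall name VPN_IN rule 10 state established enable
set firewall name VPN_IN rule 10 state related enable
set firewall name VPN_IN rule 20 description "Block new connections to main LAN"
set firewall name VPN_IN rule 20 action drop
set firewall name VPN_IN rule 20 destination address 192.168.4.0/24

# Optional hardening beyond the post: drop new connections to all private
# ranges, not just the one /24. Uncomment to replace rule 20's destination.
# set firewall group network-group PRIVATE_NETS network 10.0.0.0/8
# set firewall group network-group PRIVATE_NETS network 172.16.0.0/12
# set firewall group network-group PRIVATE_NETS network 192.168.0.0/16
# delete firewall name VPN_IN rule 20 destination address
# set firewall name VPN_IN rule 20 destination group network-group PRIVATE_NETS

# 5. Attach both rulesets to the VLAN interface (the "Interfaces" tab of each ruleset).
set interfaces switch switch0 vif 10 firewall in name VPN_IN
set interfaces switch switch0 vif 10 firewall local name VPN_LOCAL

commit
save
exit
```

To check it from a host on the switch port that is untagged for VLAN 10: the host should receive a lease in 192.168.10.100-199, resolve names through 192.168.10.1 and reach the Internet, while `ping 192.168.4.1` and opening the router GUI at https://192.168.10.1 should both fail. On the router, `show firewall name VPN_IN statistics` and `show firewall name VPN_LOCAL statistics` show the drop counters moving as those attempts are made.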