TekSavvy → [DSL] Need help configuring DSL connection with DD-WRT router

Two weeks ago I signed up for a new 6mbps DSL connection with the ZyXEL VSG 1432 modem included.

Everything finally came yesterday. I bought an additional router and flashed it with DD-WRT to use it for VPN.

My setup looks like this:

DSL-->ZyXEL-->Secondary Router (DD-WRT)-->[all wireless clients]

Now, if I set the ZyXEL in "Bridge" mode and then enter the PPPoE information into the DD-WRT router, everything works fine. But since I need to run a PPTP VPN through the DD-WRT, I can't have the DD-WRT router act as the main DSL modem. Hence, it can't be in "bridge mode". It has to be in "routing" mode.

But for the life of me, I can't figure out the configuration needed to get the DD-WRT working with ZyXEL in Routing mode.

I have DD-WRT WAN Connection Type set to "Automatic Configuration - DHCP", as per the tutorial on here:

»wiki.hidemyass.com/DD-WR ··· shooting

But it doesn't connect. All the tutorials I've found so far have to do with using the ZyXEL modem in "bridge" mode. Can somebody point me in the right direction for getting this set up working with the ZyXEL set up in "routing" mode?

I can provide whatever information is relevant, just ask. I'm pretty anxious to get this set up so I'll be monitoring the thread for any replies and get back to you quick.

Thanks guys

I think you're mixing up some things.

You definitely want to have the DD-WRT in PPPoE Mode, which in order to work, requires the ZyXEL in "Bridge" mode. For 95% of cases, the is the only setup that makes any sense.

If In understand correctly, you want to have all your traffic sent over VPN?

Basically, your DD-WRT still needs to use PPPoE as its internet connection.

So your path is:

1) ZyXEL in bridge mode (or hybrid mode)
2) DD-WRT in PPPoE mode

3) Figure out how to get DD-WRT to use the VPN connection you purchased. (1&2 should not change...), The DD-WRT tutorial for #3 that you might be looking for could be this:

»www.dd-wrt.com/wiki/inde ··· P_Client

Or alternatively you could try the same thing with tomato (ideally Toastman or Shibby) if you have problems.

If you're not trying to route all your traffic to a VPN service you purchased, then disregard #3. Then I haven't figured out what your VPN objectives are.

The only other interpretation I can think of is OP doesn't want all his traffic through the VPN, only from some devices...so wants to have the DD-WRT router as the VPN client, and that's it, letting the ZyXEL handle the rest of the routing for the network...

This is pretty much it. I only want the DD-WRT router as the VPN client.

I've been trying to follow the tutorial on PureVPN for the setup:

»www.purevpn.com/config/router/

After having some troubles, I got in touch with their tech support guys. They all told me I *CANNOT* have the ZyXEL in bridge mode because the ZyXEL has to be the modem dialing the PPoE information, and the DD-WRT has to be routing VPN traffic through that.

Tha's why I'm trying to figure out how to connect the DD-WRT with the ZyXEL in routing mode.

Scycotic's got it right. I only want the DD-WRT router as the VPN client.

I've been trying to follow the tutorial on PureVPN for the setup: »www.purevpn.com/config/router/ back when I had the ZyXEL in bridge mode.

After having some problems, I got in touch with their tech support guys. They all told me I *CANNOT* have the ZyXEL in bridge mode because then then DD-WRT essentially acts as the DSL modem, and is incompatible with a VPN set up.

So, now I've put the ZyXEL back in routing mode and am trying to get the DD-WRT to connect to it.

OK. Tricky stuff. The easiest thing is to put the DD-WRT in the DMZ of the ZyXEL. That way you don't have to worry about port forwarding on the ZyXel. Get the DD-WRT DHCP assigned address and configure the ZyXEL to have that address in the DMZ.

On the DD-WRT router configure the VPN client to connect to your VPN service when the DD-WRT WAN port is established. The DD-WRT client will have a check box for this.

Now you will have a some other problems.
1. If the DD-WRT WAN goes down your "protected" machines will go straight to the internet and not through the VPN.
2. The VPN client will open the router for remote access so don't enable remote login. Most people love to test their new anon IP address by going to a "what is my address site". Most of them are attached to hacking robots that will try to gain access to your router. Beware.
3. A VPN service is not an invisibility cloak. Are you sure this is the right path to follow?

At this point...

I would say your Modem (Zyxel) would need to handle the internal network DHCP. Which unless someone else can clean up the idea would be:

A double NAT which your Zyxel Ethernet port plugs into the WAN port of the DDWRT.

Anything directly connected to the Zyxel would be say 192.168.2.0/24 - So the WAN port on DHCP would get something like 192.168.2.124.
The DDWRT would have a second network for the clients that would go for the items that would end up using the VPN - ie 192.168.5.0/24

Inet ----- DSL modem --192.168.2.0/24 Network -- DDWRT --192.168.5.0/24 --

that is how I read their guide...

As »www.purevpn.com/upload/c ··· ep-3.jpg
makes no sense to me... it has been a while since i had a non bridged DSL modem...
but why would you block out the WAN IP since that would be the internal IP the modem gave you unless they are doing a really different config... anyone?

Anon: If I put the DD-WRT into the DMZ, can I set up firewall rules on computers accessing the internet through the DD-WRT via VPN so that the connection is blocked if the VPN goes down?

I'm not looking so much for invisibility, rather I need specific geo-locations at certain times.

I'm trying the configurations both you and oxfordwhite suggested right now. Will get back as soon as I have any progress to report. Thanks heaps for the help

One more q for Anon's suggestion: If I configure port-forwarding instead of a blanket DMZ rule, is that in any way "safer" in regards to the concerns you brought up?

You don't need to do either (dmz or port forwarding). The zyxel should support pptp pass through where it detects someone on the inside making a pptp connection and dynamically opens and forwards the right ports.

The guide at purevpn looks correct. Maybe there is some other issue.

First test your vpn pptp account by:
1) setup the zyxel in router mode with dhcp
2) connect your pc/mac to it and configure a pptp vpn connection
3) test to make sure this works first before touching the ddwrt router
4) replace your pc/mac connection with the ddwrt router

As an aside, are you really sure want all your traffic routed through the vpn?

fxs: Yes, I need to route all traffic through VPN.

The problem with the steps you listed is that you assume that when I hook my DD-WRT into the ZyXEL, I get internet access. I do not. Right now, I'm not even *attempting* to configure the VPN... I'm just trying to get internet access if I connect to the wireless network being broadcast by the DD-WRT

Yes. DMZ is not the issue. The ppp0 tunnel endpoint established by the VPN sometimes is a problem.

When you are running I can help you look at the iptables used by DD-WRT. Some implementations add an INPUT rule that accepts everything from the VPN (ppp0) interface. You need to disable that rule and replace it with something that blocks LAN (br0) to WAN (vlan0) forwarding.OK. Understood. Sounds achievable.As mentioned the DMZ may not be needed. It doesn't hurt. L2TP or PPTP has NAT traversal issues. Can't recall which but the DMZ will overcome firewall problems with less fiddling on your part so keep it in mind.

What is shown in the guide will work but local LAN configuration on the DD-WRT wasn't fully described. I think the procedure outlined by oxfordwhite may help. You need a separate network with DHCP on the DD-WRT LAN (sometimes vendors choose the same default address space and this will cause you grief). The DD-WRT LAN network has to be separate from the XyXel LAN network.

If you have Teksavvy with Dynamic IP, you can login twice with PPPoE, and have two routers that have public IP address, with no port forwarding issues.

I think your ideal setup would consist of 2 routers, which both connect to the modem and each dial in with PPPoE. One for everything else, and one for your VPN setup.

Anyway my main issue with your setup is using a modem to handle routing for your other machines. Modems don't usually make great routers, they lack a lot of options and are sometimes unstable.

Theoretically you can put in your modem in simultaneous routing/bridge mode if it supports it, which allows you the flexibility of changing your setup as you please