DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Dual VPN through a 2830n router (build 3.6.8.4_sb_232201)

19 Mar 2016 10:29 #85677 by littlemillie
Good Morning,
Currently I use an 'always on' VPN L2TP tunnel for all of my traffic which works fine.

I'd like to make this approach more specific, so I'm looking for some help with setting up a dual VPN to meet the following requirements:
- 2 independent VPN tunnels:
- Tunnel 1 (PPTP) - will only have one local smartTV using it (local ip address 192.168.1.10) through ethernet connection (indirectly via a TP-Link extender)
- Tunnel 2 (L2TP) - everything else goes through that (all other ip addresses 192.168.1.11 onwards) whether on ethernet or wireless
- no leakage or data sharing between the tunnels
- ALL traffic to go through one or other of the VPN tunnels (no leakage outside of the VPN tunnels)

For information, I use the Draytek router behind a standard ISP (no meaningful functionality) router which just acts as a modem/bridge via the WAN2 ethernet connection. The Draytek router handles everything else for me.

I've configured the VPN tunnels, which both work.

However, I can't seem to correctly configure the 'rules' to restrict and control the access to the IP addresses. I've been using the 'load balance/route policy' and used the source IP address fields to control the access to VPN_PPTP, but this tends to prevent the individual IP address hardware from accessing the internet rather than just acting to restrict access. All of the other IP addresses continue to use the VPN_PPTP as a default even with both VPN tunnels running.

As an aside, I've been using a tablet to test the settings rather than the TV, but still using the tablet's local IP address as the source.

I think I'm close, but I'm obviously missing some config somewhere. I've been through the Draytek support info but with no success and it's now driving me nuts!

Does anybody have the solution to this one?

Regards.


20 Mar 2016 05:29 #85684 by macavity
Have you tried putting an extra subnet on and putting your smart TV into that subnet? Then in the VPNs set the appropriate local network for each VPN profile.

You might be using the default route tick box in the VPN profile for the L2TP tunnel. I've found that if you want to do extra things with routing via the route policy, this tick box shouldn't be used as it tends to override everything.

I think the route policy would then be easier to create rules for if the local subnets are different.

You'd be able to allow inter-LAN routing between the LAN subnets if desired.

PS: thanks a lot, phone, for the number of incorrect auto-completes during this post.

20 Mar 2016 12:08 #85686 by littlemillie
Thanks for your reply Macavity.

I had been wondering about subnets and had already made a half-hearted attempt at setting them up, which failed miserably.

I suppose I'll have to read the manual and try again.

I had also tried the VPN default route switch both ways (on and off) to see if that made a difference, but it didn't work as I wanted. When off, it allowed leakage through to the net outside of the VPNs. I can see, however, how this might cause a conflict.

Thanks again.

21 Mar 2016 15:46 #85696 by macavity
The KB article for policy routing with 2830s is
http://www.draytek.co.uk/support/guides/kb-policy-routing-guide

For the VLAN it should be possible to set it up without using any tags in most situations.

Something like
1. LAN > VLAN

Enable P4 for LAN2 and keep P1,2,3 for LAN1 and all the SSIDs

2. then go to LAN > General

Enable LAN2 and in details set the IP Address range you'd like.

3. Then if you want communication between the two - in LAN > General > Inter-LAN Routing
allow routing between LAN1 and LAN2 by checking the box

Once the above is done, your VPN profiles might need to be set slightly differently as the Local Network IP should match the VLAN which you'd like to use the tunnel.

21 Mar 2016 21:46 #85698 by littlemillie
Thanks Macavity, I appreciate the link. I've kept my rules simple: 2 rules - Lan1 all to VPN2; Lan2 all to VPN1.

Yup, I got the subnet going yesterday evening with both VPNs now acting as I want. I had some IP address problems at first, so had to sort out the IP bind table but that now seems OK.

I use SSID2 as the new subnet (rather than P4) because I want the TV to use wifi.

I did set up the tags, although I'm not sure whether they're necessary in my setup. I'll read more around this.

So, yes, Lan1 is using VPN2 and Lan2 is using VPN1 as I wanted.

I had to disconnect my TP-Link powerline extender due to connection problems (I think because the wifi was on Lan1 and the port 2 ethernet ended up on Lan2 - ? causing a DHCP conflict somewhere), but I'll reconnect it to Lan1 via port 2 over the next couple of days and hopefully the DHCP will sort itself out.

Looking back, I think it was the 'default route' switch on the VPNs that did for me previously - so thanks for that tip! That really is a key consideration for others having similar problems.

So, whilst everything seems stable, I still can't help feeling I've missed something - probably to do with the TP-Link.

Thanks again and regards.

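The following is an added example and not part of the thread or of DrayTek firmware: a small Python model of the route-policy behaviour the two posters describe (a ticked VPN 'default route' overriding the policy table, hosts without a matching rule falling through to the ISP WAN, and the per-subnet rules from the working setup), with a leak audit and a check that each VPN profile's 'Local Network' matches the subnet the policy sends to it. LAN2 = 192.168.2.0/24, the tunnel names and the WAN label are assumptions; the scenarios are constructed, and how closely the override rule matches real DrayTek firmware is only what macavity observed, not something verified here.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed names. LAN2 = 192.168.2.0/24 is an assumption (the thread only says
# "192.168.2.1 etc"); the tunnel and WAN labels are illustrative, not DrayTek's.
LAN1 = IPv4Network("192.168.1.0/24")
LAN2 = IPv4Network("192.168.2.0/24")
VPN_PPTP = "VPN1_PPTP"
VPN_L2TP = "VPN2_L2TP"
WAN2 = "WAN2"


@dataclass(frozen=True)
class Rule:
    """One Load-Balance/Route Policy entry: traffic from src leaves via out_iface."""
    src: IPv4Network
    out_iface: str


@dataclass
class Router:
    rules: List[Rule]
    # Tunnel whose VPN profile has the 'default route' box ticked, if any.
    default_route_vpn: Optional[str] = None
    wan: str = WAN2

    def egress(self, src_ip: str) -> str:
        """Interface a packet from src_ip leaves on, under this model:
        a ticked VPN default route overrides the policy table entirely;
        otherwise the longest-prefix policy match wins; otherwise plain WAN."""
        ip = IPv4Address(src_ip)
        if self.default_route_vpn is not None:
            return self.default_route_vpn
        matches = [r for r in self.rules if ip in r.src]
        if matches:
            return max(matches, key=lambda r: r.src.prefixlen).out_iface
        return self.wan


def leak_audit(router: Router, hosts: Iterable[str], tunnels: Iterable[str]) -> Dict[str, str]:
    """Hosts whose traffic leaves on something other than an approved tunnel."""
    allowed = set(tunnels)
    leaks = {}
    for h in hosts:
        iface = router.egress(h)
        if iface not in allowed:
            leaks[h] = iface
    return leaks


def misrouted(router: Router, wanted: Dict[str, str]) -> Dict[str, str]:
    """Hosts whose actual egress differs from the tunnel they should be on."""
    return {h: router.egress(h) for h, t in wanted.items() if router.egress(h) != t}


def profile_mismatches(rules: Iterable[Rule],
                       profiles: Dict[str, IPv4Network]
                       ) -> List[Tuple[str, IPv4Network, Optional[IPv4Network]]]:
    """Tunnels whose VPN-profile 'Local Network' is not the subnet the policy
    sends to them (the step the thread says is easy to forget)."""
    return [(r.out_iface, r.src, profiles.get(r.out_iface))
            for r in rules if profiles.get(r.out_iface) != r.src]


# Constructed scenarios following the thread's progression.
TV = "192.168.1.10"
TUNNELS = {VPN_PPTP, VPN_L2TP}
tv_rule = Rule(IPv4Network(TV + "/32"), VPN_PPTP)

# 1. One LAN, a per-host rule for the TV, L2TP profile with 'default route' ticked:
#    the override sends the TV down the wrong tunnel too.
flat_lan_default_on = Router(rules=[tv_rule], default_route_vpn=VPN_L2TP)
# 2. Same rule, default route unticked: every host without a rule falls through to WAN2.
flat_lan_default_off = Router(rules=[tv_rule])
# 3. Two subnets, one rule per subnet, default route unticked: no leak, no override.
split_lans = Router(rules=[Rule(LAN1, VPN_L2TP), Rule(LAN2, VPN_PPTP)])

if __name__ == "__main__":
    print("default route on :", misrouted(flat_lan_default_on, {TV: VPN_PPTP}))
    print("default route off:", leak_audit(flat_lan_default_off, [TV, "192.168.1.11"], TUNNELS))
    print("split LANs       :", leak_audit(split_lans, ["192.168.1.11", "192.168.2.10"], TUNNELS))
    print("profile check    :", profile_mismatches(split_lans.rules, {VPN_L2TP: LAN1, VPN_PPTP: LAN1}))
```

The audit is only as good as the model: it reasons about source addresses, so it cannot see DNS queries or IPv6 traffic that the router might send outside either tunnel, and it says nothing about what happens while a tunnel is down. Those are worth checking from a client (compare the public address and resolver seen from a host on each LAN) once the policy looks right on paper.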
04 Apr 2016 11:29 #85787 by littlemillie
Some other pointers from my experience which may be of help for those with the same issues:

Macavity was right about amending the VPN profile to set the Local Network IP Address to match the VLAN which uses the tunnel (i.e. 192.168.1.1 or 192.168.2.1 etc). This should be point 4 on Macavity's list, as the VPN tunnels will still run even with all of them set to 192.168.1.1 (I forgot to change them). I don't know how, but it will work, albeit with occasional performance issues.

In addition, I was using both the VPN 'Always on' switch and the 'Enable Ping' switch. I was getting regular disconnects so looked into this. Apparently Draytek recommend disabling the 'Enable Ping' when having this problem.

This Draytek support page was also quite helpful:

http://www.draytek.com/index.php?option=com_k2&view=item&id=5624&Itemid=293&lang=en
