@michealmyers 

 

Hi, 

 

Split tunneling option is used to something else and configured on VPN Server.

 

Since you want to connect to NordVPN's server, you wont have this option available.

 

If you want to decide, which services are using NordVPN and which are not, I believe you will have to create two VLANs on your ER605. Then in client's NordVPN configuration on that router you specify which of those 2 VLANs will go got NordVPN. The other VLAN will go directly to the Internet.

 

Then you have to establish which device/client can use which VLAN.

 

Cheers.

hmm ok so create 2 vlans, then have the one go straight to the internet. that can be done on the er605? also how do you determine which devices go straight out?

  @michealmyers 

 

When you configure VPN client on your ER605 you define the local network that will utilize that VPN:

 

Standalone Mode:

 

Controller Mode:

 

So one of your VLANs you are providing there.

 

In terms of how to manage which computer/mobile phone goes to NordVPN VLAN or not, you have few possibilities. Everything depends on what you want to achieve, what features you are utilizing as well as what conenction type your clients use (wired/wireless).

 

if that's only one computer that should skip NordVPN - the easiest solution IMO would be to set everyone in NordVPN VLAN's DHCP and this one specific computer IP-MAC bind to the second (open) VLAN.

 

Or you can set up a DHCP from NordVPN's VLAN, and manually set static IP on this one PC from the open VLAN.

 

Or (if those are WiFi clients), you can create 2 SSIDs (networks) where one is assigned to NordVPN VLAN, and 2nd one is assigned to open VLAN.

 

Of if this one PC is connected via cable to dedicated port in your ER605, you can assign this particular port to this open VLAN only (or as untagged)... I bet you could think of few other solutions :)

 

There are FAQs here how to work with VLANs. There is even Youtube video directly from TP-Link explaining how to use VLANs.

  @RaRu 

OK so it'll be just 1/2 laptops that will need to get straight out to the internet without going through nordvpn.  so I could assign another SSID I guess to the 1/2 laptops that need to get straight out.  They will be wireless only so that is probably the easiest solution.  

 

I pretty much have google wifi which doesn't allow for the vpn so thats where the tplink er605 comes in, so I'll put that in front of the google wifi.  I was planning to let google wifi still handle all the stuff which I've read I'll need to put the tplink in bridge mode.  With bridge mode can I still create the 2 ssid's?  

  @michealmyers 

 

Ummmm, this getting complicated. The SSID thing I was mentioning would work if you would use a standard WiFi Access Point (like something from TP-Link - EAP225, EAP650 or whatever) and configure there which VLAN will those networks use.

 

I have no idea how Google WiFi works, never used their devices but I guess this is just a router... Which will get one network from your ER605...

 

Moreover, I don't think you can set up ER605 in Bridge Mode. Even if you can, then I believe VPN client functionality may be lost.

 

Maybe there is someone more experienced in such configuration on this forum and could help.

 

Cheers.

 

  @michealmyers 

 

VPN Split Tunneling: Only specific Traffic goes over the VPN, some traffic stays local.

• Example: Working from home - Employee connects to the company VPN - Company data is routed over the VPN, Public data goes over the Internet

VPN Tunnel All: All traffic is routed over the VPN

• Example: Working from home - Employee connects to the company VPN - All data is routed over the VPN

 

If you have not connected your ER605 to Omada you can use the additional switch ports to create a seperate network VS. creating VLANs. If it is adopted to Omada you will need VLANs. This is my NORDVPN (OpenVPN) configuration. 

 

After you have your neworks (VLANs) setup, just specify the local subnet (*.*.*.0) for the Remote Servers in the VPN configuration. /24 is submask 255.255.255.0

 

If those separate networks need to talk to each other you will need Firewal>Access Control rules. ID 1 above is my Guest network and has a rule to so Guest can connect to my network printer on my Private LAN. ID 2 is a network I setup when a house guest needed to do something for work, but would only allow access if they were local to Miami.