FAQ
TL;DR: For Netia fiber + Huawei HG8245Q users, whole‑home NordVPN works by adding a VPN‑client router. In July 2019 MikroTik gained IKEv2 EAP support; "ike2 - added support for EAP authentication methods..." Use router‑on‑a‑stick to avoid double NAT. [Elektroda, szwagros, post #18295640]
Why it matters: You’ll secure every device without per‑app installs and sidestep gaming/DLNA issues from double NAT.
Quick Facts
- You need a router with a VPN client, not just an access point. [Elektroda, KOCUREK1970, post #18292932]
- Router‑on‑a‑stick uses one port and avoids multiple NAT that disrupts consoles, DLNA, and VoIP. [Elektroda, IC_Current, post #18293281]
- On MikroTik, connect Netia LAN to any port; roles are configurable, not fixed WAN/LAN. [Elektroda, IC_Current, post #18294141]
- MikroTik works with NordVPN via IKEv2; NordVPN even publishes a setup guide. [Elektroda, IC_Current, post #18294514]
- Router‑based VPN reduces throughput; low‑end routers may struggle with encryption. [Elektroda, KOCUREK1970, post #18289167]
What gear do I need to run NordVPN on my whole home network?
You need a router that can act as a VPN client. Put it behind the Huawei HG8245Q. MikroTik routers fit because they support IKEv2. Do not buy only an access point. It lacks routing features you need. "It must be a router with a VPN client." After setup, every device connected to that router uses the VPN automatically. You can also keep the original Netia Wi‑Fi for non‑VPN devices. [Elektroda, KOCUREK1970, post #18292932]
Does my Huawei HG8245Q support a VPN client?
The HG8245Q, as supplied by Netia, does not provide a built‑in VPN client. Add a downstream router that supports VPN. Keep the HG8245Q as your ONT and primary gateway. [Elektroda, sapporo1985, post #18287217]
Should I buy a modem‑router combo or only a router?
Buy a router, not a modem‑router combo, for this setup. The HG8245Q already handles access to the fiber network. Your new router must include a VPN client. It sits behind the HG8245Q and handles encrypted traffic. [Elektroda, KOCUREK1970, post #18292932]
How do I wire the new router—LAN‑to‑LAN or LAN‑to‑WAN?
Connect a cable from a LAN port on the Netia router to one MikroTik port. MikroTik assigns roles by configuration, so ports are not fixed as LAN or WAN. That single port can act as your LAN access and WAN uplink. This approach is called router‑on‑a‑stick. [Elektroda, IC_Current, post #18294141]
Do I need to disable routing or Wi‑Fi on the Netia device?
You can leave routing enabled on the Netia device. Use a router‑on‑a‑stick design to steer only selected clients through VPN. Give the MikroTik an IP in the same subnet as Huawei and clients. Point VPN devices to the MikroTik gateway and others to the Huawei gateway. This avoids double NAT and keeps consoles, DLNA, and VoIP working. [Elektroda, IC_Current, post #18293281]
Can MikroTik actually run NordVPN?
Yes. MikroTik supports IKEv2 with EAP, which NordVPN uses for routers. "Even NordVPN gives you an official guide." Follow that guide to create the tunnel and routes. Use your MikroTik as the VPN endpoint and gateway for selected devices. [Elektroda, IC_Current, post #18294514]
Is this configuration hard for a beginner?
It can be challenging. If "router on a stick" feels abstract, expect a steep curve. "Configuration will be difficult (very difficult)." Consider preconfigured gear or help from a specialist to reduce errors. [Elektroda, IC_Current, post #18294712]
How do I set up router‑on‑a‑stick for selective VPN routing?
Use this quick flow to build selective VPN via router‑on‑a‑stick:
- Cable Netia LAN to one MikroTik port, and set that port’s IP within Huawei’s pool.
- On devices needing VPN, set the MikroTik address as their default gateway.
- Create the VPN tunnel on MikroTik and route those devices through it. [Elektroda, IC_Current, post #18293281]
Which VPN protocol should I use on MikroTik?
Use IKEv2 with EAP on MikroTik. RouterOS added EAP methods for IKEv2 in July 2019. "ike2 - added support for EAP authentication methods" enabled NordVPN authentication. Update RouterOS, then configure IKEv2 for your tunnel. [Elektroda, szwagros, post #18295640]
How much should I budget for a VPN‑capable router?
A practical budget is about $200, as the original poster planned. That sum can cover a capable consumer router with VPN client support. Confirm features and expected throughput before buying. [Elektroda, sapporo1985, post #18292720]
Will a router‑based VPN reduce my Internet speed?
Yes. Running VPN on the router reduces throughput compared to raw fiber speeds. "The VPN itself is already cutting bandwidth, and cheap toys are too weak." Choose hardware with enough CPU to handle encryption. [Elektroda, KOCUREK1970, post #18289167]
Can I keep two Wi‑Fi networks: one through VPN, one direct?
Yes. Keep Netia and MikroTik Wi‑Fi enabled with separate SSIDs. Join the MikroTik SSID for encrypted traffic. Join the Netia SSID for direct traffic. This split keeps services stable while letting you choose per device. [Elektroda, IC_Current, post #18293281]
What happens if I use LAN‑to‑WAN and create double NAT?
Double NAT can break services and complicate port forwarding. It often affects consoles, DLNA, and VoIP. Router‑on‑a‑stick avoids this by keeping a single NAT edge. Use the MikroTik as a selective gateway instead of nesting routers. [Elektroda, IC_Current, post #18293281]
Where can I find compatible router models for NordVPN?
NordVPN highlights compatible router models through its partner list. Use that list if you prefer preconfigured hardware and support. It can reduce setup time and troubleshooting. [Elektroda, KOCUREK1970, post #18292932]
Can I use an access point instead of a router?
No. An access point cannot terminate and route a provider VPN for all devices. You need routing and a VPN client in the device. "It must be a router with a VPN client." [Elektroda, KOCUREK1970, post #18292932]
