Forum Discussion
bertocar
Jan 13, 2021 - Initiate
BR200 site-to-site IPSec
I've selected BR500 in the model form because there isn't a BR200 entry. I need to create a site-to-site VPN over an internet connection. I've attached an image of the layout. The PCs of network 192.168.10.x m...
DaneA
Jan 25, 2021 - NETGEAR Employee Retired
It would be best if the BR200 at both sites A & B is set as the main router. Also, the WAN IP address at both sites A and B should be a public IP address.
Regards,
DaneA
NETGEAR Community Team
schumaku
Feb 08, 2021 - Guru - Experienced User
DaneA wrote: It would be best if the BR200 at both sites A & B is set as the main router. Also, the WAN IP address at both sites A and B should be a public IP address.
That's wishful thinking. The reality is that in a world of triple-play CPE, especially when paired with a top-quality phone service or where XGS-PON is deployed, the ISP CPE can no longer be replaced.
schumaku, Feb 08, 2021 - Guru - Experienced User
...continue here...
Further on, when ISPs feed IPTV on a dedicated VLAN, no Netgear router (including the BR200/500) has the basic services that would allow NAT and multicast routing to the customer's normal internal network and IP subnet. The 1990s-style "Enable an IPTV bridge for a port group or VLAN tag group" feature always requires a dedicated port or a dedicated subnet. Utterly useless in a world where STBs have become highly sophisticated media devices and IoT controllers, including the ability to do AirPlay or Google Cast, which requires the mobile devices to be on the same network (even if Bonjour or UPnP SSDP are multicast based), of course.
ISP-provided CPE are light-years ahead. And most customers here are not willing to drop the VoIP-based "fixed network" service (voice is also on a dedicated VLAN, there is a BGP session for each CPE just for VoIP for reliability and redundancy, and further on the CPE also offers SIP to the local [W]LAN, so customer-supplied VoIP devices can be added beyond the POTS lines on the CPE, too).
These are the reasons why the classic consumer router market is virtually dead here.
Re-thinking the OP bertocar's set-up and config: the BR200/500 does real IPsec site-to-site, and this is difficult because of the additional NAT. Classic IPsec requires the ESP protocol, which is not NAT-friendly (and in many cases simply not allowed by the ISPs here, again!), plus the probable lack of NAT-T support on the BR200/500 and quite possibly limited "IPsec pass-through" on the ISP CPE (typically for IPsec sessions initiated on the LAN side only).
For this kind of deployment, L2TP/IPsec is required and is the de-facto standard for IPsec connections between consumer/SOHO Internet connections.
Look, DaneA ... I have offered my know-how several times; Netgear was not interested in my 20+ years of experience in VPN and security appliance design and consulting, nobody at NTGR had the but to send me two BR500 back then to test, again no BR200 - so there you go. Oh, and the BR500 units I bought with my own hard-earned money went back to the distributor as not fit for purpose. I'm afraid Netgear has no plan on how to design and implement such a router to today's real-world requirements. Instead, I'm told that [...censored...] well, better send me a PM if you are interested.
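The NAT problem schumaku describes (native ESP not surviving the ISP CPE's NAT, and NAT-T / UDP encapsulation being the only thing that does) comes down to how the IKE peers detect a NAT in the path in the first place. The script below is an added example, not code from this thread or from any NETGEAR product: it implements the IKEv2 NAT_DETECTION hash from RFC 7296 section 2.23 (SHA-1 over SPIi, SPIr, IP address and port) and shows what happens when site A's router only knows its private WAN address while site B sees the CPE's public address. All addresses, SPIs and the `simulate` helper are constructed for illustration.

```python
"""Added example: IKEv2 NAT detection (RFC 7296 s2.23) and the resulting choice
between native ESP (IP protocol 50) and UDP-encapsulated ESP on UDP/4500 (RFC 3948).
Constructed for this thread; not NETGEAR's or any vendor's implementation."""
import hashlib
import ipaddress
import struct


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """Data carried in a NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP notify:
    SHA-1(SPIi | SPIr | IP address | port), every field in network byte order.
    spi_i / spi_r are the 8-byte IKE SPIs (SPIr is all zeros in the IKE_SA_INIT request)."""
    packed_ip = ipaddress.ip_address(ip).packed          # 4 bytes for IPv4, 16 for IPv6
    return hashlib.sha1(spi_i + spi_r + packed_ip + struct.pack("!H", port)).digest()


def peer_behind_nat(spi_i: bytes, spi_r: bytes, claimed_hash: bytes,
                    seen_ip: str, seen_port: int) -> bool:
    """The sender hashes the address:port it believes the packet carries; the receiver
    recomputes the hash over the address:port the datagram actually arrived with.
    Any mismatch (address or port rewritten) means a NAT sits in between."""
    return nat_detection_hash(spi_i, spi_r, seen_ip, seen_port) != claimed_hash


def choose_encapsulation(initiator_natted: bool, responder_natted: bool) -> str:
    """With a NAT on either side ESP has to travel inside UDP/4500; without one IKE
    falls back to native ESP, which consumer NATs and some ISPs silently drop."""
    if initiator_natted or responder_natted:
        return "udp-encapsulated ESP on UDP/4500"
    return "native ESP, IP protocol 50"


def simulate(site_a, site_b, port: int = 500) -> dict:
    """Site A initiates to site B.  Each site is (address on the router's own WAN
    port, address the remote side actually sees); the two differ when the ISP CPE
    in front of the router performs NAT.  Constructed scenario helper."""
    a_wan, a_seen = site_a
    b_wan, b_seen = site_b
    spi_i = bytes.fromhex("0123456789abcdef")   # constructed initiator SPI
    spi_r = bytes(8)                            # responder SPI unknown in IKE_SA_INIT request

    # A hashes the source it knows about (its WAN port address) ...
    src_claim = nat_detection_hash(spi_i, spi_r, a_wan, port)
    # ... and the destination it dialled (B as A sees it).
    dst_claim = nat_detection_hash(spi_i, spi_r, b_seen, port)

    # B recomputes over what it really observed: the packet came from a_seen and
    # landed on its own interface b_wan.
    a_natted = peer_behind_nat(spi_i, spi_r, src_claim, a_seen, port)
    b_natted = peer_behind_nat(spi_i, spi_r, dst_claim, b_wan, port)
    return {
        "initiator_natted": a_natted,
        "responder_natted": b_natted,
        "encapsulation": choose_encapsulation(a_natted, b_natted),
    }


if __name__ == "__main__":
    # Site A: router behind an ISP CPE doing NAT; site B: router on a public address.
    print(simulate(("192.168.1.2", "203.0.113.10"), ("198.51.100.7", "198.51.100.7")))
    # Both routers directly on public addresses (DaneA's ideal case).
    print(simulate(("203.0.113.10", "203.0.113.10"), ("198.51.100.7", "198.51.100.7")))
```

The point to take from the run: as soon as one router's WAN address is private, the hashes disagree and the peers must switch to UDP/4500; a gateway that cannot do that (no NAT-T) is stuck sending protocol 50 through a CPE that will only forward it if its "IPsec pass-through" happens to cover the session, which is the failure mode described in the post above.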