LangusIII
Follower
Oct 28, 2017

FVS318N VPN Setup behind NAT Modem

Hello guys,

 

I'd like to use my FVS318N router (fw4.3.5-3) as a VPN Server to access my SOHO-LAN but given that it is behind a NAT Modem I couldn't yet. Which are the ports I have to forward on the NAT Modem to use Netgear IPSec or L2TP implementation on FVS318N?

 

Setup: Win10 with VPN Client -> NAT Router/Modem -> Internet -> NAT Modem -> FVS318N -> SOHO-LAN

 

Or the only way is to DMZ/Passthrough all ports on the NAT Modem as suggested on some posts below? I was trying to leave the NAT Modem as a first firewall for basic PortScan/DOS security (stop it or explode) and the FVS318N as the real Firewall, but if I DMZ the NAT Modem I would lose this "double security" exposing FVS318N to everything.

https://community.netgear.com/t5/VPN-Firewalls/FVS318N-Box-to-Box-VPN-with-NAT/m-p/1146416#M5652

https://community.netgear.com/t5/Wired-Routers/VPN-and-NAT/td-p/330922

 

Thanks in advance.

3 Replies

  • DaneA
    NETGEAR Employee Retired

    Hi LangusIII,

     

    Welcome to the community! :) 

     

    Another option is if ever the modem connected to the FVS318N is a modem-router combination, I suggest you set the modem-router to full-bridge mode so that it will become a modem-only device. This will make the WAN IP Address be registered to the FVS318N, which makes it the main router.

     

    Refer to the image below as reference for the recommended network setup:

     

     

     

     Regards,

     

    DaneA

    NETGEAR Community Team

    • DaneA
      NETGEAR Employee Retired

      @LangusIII,

       

      I just want to follow up on this. We’d greatly appreciate your feedback.

       

      If ever your concern has been addressed or resolved, I encourage you to mark the appropriate reply as the “Accepted Solution” so others can be confident in benefiting from the solution. The NETGEAR Community looks forward to hearing from you and being a helpful resource in the future!

       


      Regards,

       

      DaneA

      NETGEAR Community Team

  • The proper ports/protocols needed for IPsec VPN to pass through a NAT device (such as your front line NAT modem) are:

     

    UDP ports 500 and 4500

    Protocol ESP (protocol number 50)

     

    That said, I agree with DaneA's recommendation to just put the modem into DMZ mode (sometimes called "passthrough" or "bridge" mode) and run the FVS318N directly exposed. It's a firewall, it was designed to do exactly that. It will provide adequate security (at least until its internal software gets too old; Netgear end-of-lifed all the FVS VPN firewalls last month, so there will be no future security updates).

     

    Doing this also avoids you being in what's called a "double NAT" situation, which can wreak havoc on performance and reliability for certain protocols. Not to mention, the 318N is almost certainly more powerful of a NAT engine than the modem.
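
A way to check what a forward of UDP 500 and 4500 actually delivers to the FVS318N, as an added example that is not part of the thread: it classifies UDP payloads on those two ports using the IKE fixed header and the RFC 3948 NAT-traversal framing (non-ESP marker, ESP-in-UDP, keepalive). The sample payloads are constructed, and the function names are this example's own.

```python
import struct

IKE_HDR = struct.Struct("!8s8sBBBBII")   # IKE fixed header, 28 bytes
NON_ESP_MARKER = b"\x00\x00\x00\x00"      # RFC 3948: precedes IKE on UDP 4500

def parse_ike(data):
    """Describe data if it starts with a plausible IKE header, else None."""
    if len(data) < IKE_HDR.size:
        return None
    _ispi, _rspi, _next, version, exch, _flags, _msgid, length = IKE_HDR.unpack_from(data)
    major = version >> 4
    if major not in (1, 2) or length < IKE_HDR.size:
        return None
    return f"IKEv{major} exchange={exch} length={length}"

def classify(dst_port, payload):
    """Classify one UDP payload seen on the WAN side of the VPN gateway."""
    if dst_port == 500:
        return parse_ike(payload) or "not IKE"
    if dst_port == 4500:
        if payload == b"\xff":
            return "NAT-keepalive"
        if payload[:4] == NON_ESP_MARKER:
            ike = parse_ike(payload[4:])
            return f"NAT-T {ike}" if ike else "malformed (zero SPI, no IKE header)"
        if len(payload) >= 8:
            spi, seq = struct.unpack_from("!II", payload)
            return f"ESP-in-UDP spi=0x{spi:08x} seq={seq}"
        return "too short"
    return "unrelated to IPsec"

def make_ike(version, exch, body_len=0):
    """Build a constructed IKE message: fixed header plus zero-filled body."""
    hdr = IKE_HDR.pack(b"\x11" * 8, b"\x00" * 8, 1, version, exch, 0, 0, 28 + body_len)
    return hdr + b"\x00" * body_len

# Constructed sample payloads (not captured traffic).
SAMPLES = [
    (500, make_ike(0x10, 2, 56)),                    # IKEv1 Main Mode, first packet
    (4500, NON_ESP_MARKER + make_ike(0x10, 2, 40)),  # IKE after the peers move to 4500
    (4500, struct.pack("!II", 0xC0FFEE01, 1) + b"\x00" * 32),  # encapsulated ESP
    (4500, b"\xff"),                                 # keepalive
]

if __name__ == "__main__":
    for port, data in SAMPLES:
        print(port, classify(port, data))
```

If only the port 500 lines ever show up in a capture, the 4500 forward is the first thing to recheck on the modem.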

     
