iaa
Aspirant
Nov 04, 2022
Solved

Orbi VPN with Gateway behind it

I have Orbi 750 router and Huawei Fiber Gateway behind it, I have configured VPN and DDNS on my Orbi to access my internal devices (CCTV and NAS) from outside home. VPN wasn’t working at the beginning, but when I added my Orbi router to the DMZ on the Gateway, the VPN worked, however I’m not sure if this is secure! Is there a more secure way to do this without adding my Orbi router to DMZ?
4 Replies

    • Technically, there may be a "more secure" method, but in practical terms the additional security is pretty small.

      If the Huawei router is able to forward ports, then you can forward the ports used by OpenVPN to the Orbi router.  This will leave all other connection attempts blocked.  By default, OpenVPN uses UDP ports 12973 and 12974.

      This means that the Huawei router will absorb all of the irritating Denial of Service (DoS) traffic that tends to clog up the Orbi log file.  However, this also results in the Orbi being in a Double NAT situation which interferes with other activities besides VPN, such as sharing media, running web sites, and some internet gaming.

      When the Orbi is in the router's DMZ, that is identical to the router being connected to an ordinary modem, which is the usual recommended practice.  In other words, it is exactly as vulnerable as it would be if the Huawei was not a router to begin with.

      • iaa
        Aspirant
        Thank you so much, I removed Orbi from the DMZ and added these ports to the port mapping on the Gateway and now it works fine.
  • If the DMZ worked then you may have the description reversed, and the fiber gateway device is actually in front of the Orbi router. In which case, if on a double NAT, then there is no issue with putting the Netgear router on the DMZ of the fiber gateway, as you will still have the firewall and other security features of the Orbi router.
    Ideally, you should search for an option on the fiber gateway to be placed into a transparent bridge mode, or at least an IP passthrough mode so that you will not be faced with a double NAT.