fred339
Dec 02, 2016, Tutor
Allow VPN connections
I am trying to set up a WNR1500 to allow VPN connections. I need to OPEN ports, 443, 500, etc. to the entire LAN subnet. It appears that all of the settings for Blocking Services, UPNP, DMZ are...
fred339
Jan 06, 2017, Tutor
It appears we agree.
The WNR1500 does not provide for opening an incoming port to an internal IP range.
Nor do some others that are quite recent products.
If opening an incoming port to an internal IP range is overkill, I've not figured that out yet.
That could be a reason....
fred339
Jan 06, 2017, Tutor
Let's examine a reasonable objective and see what we think:
We have a site which is set up for official guests using its own public ip address and router. It's an entirely separate network.
The guests will be using either:
1) VPN client software to "phone home" from each of their multiple computers.
2) VPN device/router(s) to "phone home" as a VPN end point.
1. If there are a number of VPN software clients running on site then each one has to be able to connect to "home". Let's assume that they are using Netgear Prosafe VPN client pro. Under normal circumstances would this situation require that ANY firewall rules be set up at our site to assure their success?
I should think that such an arrangement would work with no firewall tweaking because they have to work in coffee shops, no?
2. If there is a VPN device brought into our facility's guest network (for site-to-site VPN) then, since our firewall intercedes upstream of it, are there requirements on our router firewall rules that will allow this to work?
In this case it's more understandable that ports in our firewall have to be opened such as from
"To make IPSec work through your firewalls, you should open UDP port 500 and permit IP protocol numbers 50 and 51 on both inbound and outbound firewall filters. UDP Port 500 should be opened to allow Internet Security Association and Key Management Protocol (ISAKMP) traffic to be forwarded through your firewalls. IP protocol ID 50 should be set to allow IPSec Encapsulating Security Protocol (ESP) traffic to be forwarded. Finally, IP protocol ID 51 should be set to allow Authentication Header (AH) traffic to be forwarded."
But, in this case, there *would be* a single IP address; the internal IP address of their VPN router. Well, unless there's more than one VPN device brought in - which is much less likely.
- StephenB, Jan 06, 2017, Guru - Experienced User
fred339 wrote:
1. ...I should think that such an arrangement would work with no firewall tweaking because they have to work in coffee shops, no?
We agree. Also, the normal NAT processes you outlined earlier will work in this case.
fred339 wrote:
2. If there is a VPN device brought into our facility's guest network (for site-to-site VPN) then, since our firewall intercedes upstream of it, are there requirements on our router firewall rules that will allow this to work?
I guess this depends on the nature of the device. The VPN site-to-site device in my home office (Aruba) would work fine. It makes an outbound connection to the corporate infrastructure, and client devices using it need to connect to the Aruba over wifi or ethernet. More than one of these gadgets should work fine in your hypothetical.
If the device has to accept an inbound connection from the far end, then of course your reasoning is perfectly correct.
- fred339, Jan 06, 2017, Tutor
Well, when the VPN device is also the network gateway then it's easy. But when the VPN device is behind a firewall then I've always had to open ports. I've never thought about which end point is "sending" as they appear to be symmetrical.
- StephenB, Jan 08, 2017, Guru - Experienced User
fred339 wrote:
Well, when the VPN device is also the network gateway then it's easy. But when the VPN device is behind a firewall then I've always had to open ports. I've never thought about which end point is "sending" as they appear to be symmetrical.
The only hardware VPN device I have experience with is the Aruba, which doesn't need any ports opened.
OpenVPN is enabled on my R8500 (which is behind my ISP router), and of course I do need to open ports in the ISP router for it.
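An added illustration of the two cases argued in this thread (not code from any poster): a toy stateful-firewall model that tracks outbound flows so replies pass, and admits unsolicited inbound traffic only when an explicit rule matches. It uses the UDP 500 / protocol 50 / protocol 51 set from the quoted text; the LAN prefix and all IP addresses are constructed sample values, and the model ignores NAT address rewriting and IPsec SPI tracking.

```python
from dataclasses import dataclass, field

# IP protocol numbers from the quoted text: ESP = 50, AH = 51; ISAKMP/IKE uses UDP 500.
UDP, ESP, AH = 17, 50, 51
ISAKMP_PORT = 500
LAN = "192.168.1."                      # constructed sample LAN prefix
GUEST_VPN_GW = "192.168.1.50"           # constructed: guest's VPN router inside the LAN

# Explicit inbound rules the thread says a behind-firewall VPN device needs.
# dport 0 means "no port" (ESP and AH are not UDP/TCP and carry none).
IPSEC_INBOUND_RULES = {(UDP, ISAKMP_PORT, GUEST_VPN_GW), (ESP, 0, GUEST_VPN_GW), (AH, 0, GUEST_VPN_GW)}


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass
class StatefulFirewall:
    """Toy model: outbound flows are remembered so replies pass; unsolicited inbound needs a rule."""
    lan_prefix: str
    inbound_rules: set = field(default_factory=set)
    flows: set = field(default_factory=set)

    def handle(self, p: Packet) -> bool:
        if p.src.startswith(self.lan_prefix):            # LAN -> Internet: allowed, and tracked
            self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return True
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows:   # reply to a tracked flow
            return True
        return any(proto == p.proto and ip == p.dst and dport in (0, p.dport)
                   for proto, dport, ip in self.inbound_rules)


def client_phones_home(fw: StatefulFirewall) -> list:
    """Case 1 in the thread: a VPN client inside the LAN initiates; no inbound rules needed."""
    client, home = "192.168.1.20", "203.0.113.10"        # constructed addresses
    return [fw.handle(Packet(UDP, client, home, ISAKMP_PORT, ISAKMP_PORT)),   # IKE request out
            fw.handle(Packet(UDP, home, client, ISAKMP_PORT, ISAKMP_PORT)),   # IKE reply back in
            fw.handle(Packet(ESP, client, home)),                             # ESP out
            fw.handle(Packet(ESP, home, client))]                             # ESP back in


def far_end_initiates(fw: StatefulFirewall) -> list:
    """Case 2: the remote site initiates to the guest's VPN router; only explicit rules let it in."""
    far = "198.51.100.7"                                  # constructed remote-site address
    return [fw.handle(Packet(UDP, far, GUEST_VPN_GW, ISAKMP_PORT, ISAKMP_PORT)),
            fw.handle(Packet(ESP, far, GUEST_VPN_GW)),
            fw.handle(Packet(AH, far, GUEST_VPN_GW))]
```

Run `far_end_initiates(StatefulFirewall(LAN))` to see all three packets dropped, and pass `IPSEC_INBOUND_RULES` as the second argument to see them admitted. Real deployments behind NAT usually also need UDP 4500 (NAT traversal), which the quoted text does not list.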