FVS318N VPN Setup behind NAT Modem

LangusIII
Follower

Hello guys,

 

I'd like to use my FVS318N router (fw4.3.5-3) as a VPN Server to access my SOHO-LAN, but given that it is behind a NAT Modem I haven't been able to yet. Which ports do I have to forward on the NAT Modem to use the Netgear IPSec or L2TP implementation on the FVS318N?

 

Setup: Win10 with VPN Client -> NAT Router/Modem -> Internet -> NAT Modem -> FVS318N -> SOHO-LAN

 

Or is the only way to DMZ/Passthrough all ports on the NAT Modem, as suggested in some posts below? I was trying to leave the NAT Modem as a first firewall for basic PortScan/DOS security (stop it or explode) and the FVS318N as the real Firewall, but if I DMZ the NAT Modem I would lose this "double security", exposing the FVS318N to everything.

https://community.netgear.com/t5/VPN-Firewalls/FVS318N-Box-to-Box-VPN-with-NAT/m-p/1146416#M5652

https://community.netgear.com/t5/Wired-Routers/VPN-and-NAT/td-p/330922

 

Thanks in advance.

Model: FVS318N|ProSafe Wireless N 8 port gigabit VPN firewall
Message 1 of 4
DaneA
NETGEAR Employee Retired

Re: FVS318N VPN Setup behind NAT Modem

Hi @LangusIII,

 

Welcome to the community! 🙂 

 

Another option: if the modem connected to the FVS318N is a modem-router combination, I suggest you set the modem-router to full-bridge mode so that it becomes a modem-only device. This will make the WAN IP address be registered to the FVS318N, which makes it the main router.

 

Refer to the image below as reference for the recommended network setup:


 

 

 Regards,

 

DaneA

NETGEAR Community Team

Message 2 of 4
train_wreck
Luminary

Re: FVS318N VPN Setup behind NAT Modem

The proper ports/protocols needed for IPsec VPN to pass through a NAT device (such as your front line NAT modem) are:

 

UDP ports 500 and 4500

Protocol ESP (protocol number 50)

 

That said, I agree with DaneA's recommendation to just put the modem into DMZ mode (sometimes called "passthrough" or "bridge" mode) and run the FVS318N directly exposed. It's a firewall, it was designed to do exactly that. It will provide adequate security (at least until its internal software gets too old; Netgear end-of-lifed all the FVS VPN firewalls last month, so there will be no future security updates).

 

Doing this also avoids you being in what's called a "double NAT" situation, which can wreak havoc on performance and reliability for certain protocols. Not to mention, the 318N is almost certainly a more powerful NAT engine than the modem.

 

Message 3 of 4
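
An added example, not part of the original thread: a Python check of a NAT modem's port-forward table against the three IPsec requirements listed in the reply above (UDP 500, UDP 4500, ESP). The rule-line format, the addresses, and all names in the code are assumptions made for illustration; real modems present their forwarding tables differently.

```python
from dataclasses import dataclass

# Requirements as listed in the reply above: (protocol, port, label).
REQUIRED = [("udp", 500, "UDP 500"), ("udp", 4500, "UDP 4500"),
            ("esp", None, "ESP (protocol 50)")]
FIREWALL_IP = "192.168.0.2"  # assumed address of the FVS318N WAN port (constructed)

@dataclass
class Forward:
    proto: str   # "udp", "tcp", "esp", or "all" for a DMZ-host entry
    lo: int      # first forwarded port
    hi: int      # last forwarded port
    target: str  # address behind the modem that receives the traffic

def parse_rule(line):
    """Parse a hypothetical 'proto ports target' line; ports is N, N-M or '-'."""
    proto, ports, target = line.split()
    if ports == "-":                      # protocol without ports, or everything
        lo, hi = 0, 65535
    else:
        first, _, last = ports.partition("-")
        lo, hi = int(first), int(last or first)
    return Forward(proto.lower(), lo, hi, target)

def covers(rule, proto, port):
    """True if the rule forwards this protocol (and port, when one applies)."""
    if rule.proto not in (proto, "all"):
        return False
    return port is None or rule.lo <= port <= rule.hi

def audit(lines, firewall_ip):
    """Sort each requirement into ok / wrong_target / missing; note any DMZ host."""
    rules = [parse_rule(l) for l in lines
             if l.strip() and not l.lstrip().startswith("#")]
    report = {"ok": [], "wrong_target": [], "missing": []}
    report["dmz_host"] = next((r.target for r in rules if r.proto == "all"), None)
    for proto, port, label in REQUIRED:
        hits = [r for r in rules if covers(r, proto, port)]
        if any(r.target == firewall_ip for r in hits):
            report["ok"].append(label)
        elif hits:                        # forwarded, but to some other host
            report["wrong_target"].append(label)
        else:
            report["missing"].append(label)
    return report

# Constructed sample table: IKE reaches the firewall, but an older range
# forward sends UDP 4500 to another host and ESP is not passed at all.
SAMPLE = ["# proto ports target", "udp 500 192.168.0.2",
          "udp 4000-5000 192.168.0.50", "tcp 443 192.168.0.2"]

if __name__ == "__main__":
    print(audit(SAMPLE, FIREWALL_IP))
```

A non-empty `dmz_host` means the modem is handing every inbound port to that address, which is the trade-off discussed in the thread.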
DaneA
NETGEAR Employee Retired

Re: FVS318N VPN Setup behind NAT Modem

@LangusIII,

 

I just want to follow up on this. We’d greatly appreciate your feedback.

 

If ever your concern has been addressed or resolved, I encourage you to mark the appropriate reply as the “Accepted Solution” so others can be confident in benefiting from the solution. The NETGEAR Community looks forward to hearing from you and being a helpful resource in the future!

 


Regards,

 

DaneA

NETGEAR Community Team

Message 4 of 4