
FVS336GV2 - Handling of VPN IPSec tunnel and DMZ

Christophe1376
Aspirant


Hello all.

I have some problems with the handling of VPN and DMZ rules.
Here is my configuration:
1 location A, with public IP AA.BB.CC.DD
Router NETGEAR FVS336GV2, Firmware 4.3.1.18
LAN 192.168.11.254
1 location B, with public IP WW.XX.YY.ZZ
Router NETGEAR FVS336GV2, Firmware 4.3.1.18
LAN 192.168.51.254

Between the 2 locations, we have a VPN IPSec tunnel which works fine and is very stable.

We want to set up a guest WiFi on each location, to give access to the Internet for our visitors. Direct Internet access, and isolated from our network.
For that, we've enabled the DMZ port, with the following parameters:
Location A, DMZ IP 192.168.21.1, 255.255.255.0, DHCP on DMZ enabled 192.168.21.100 to 150,
Location B, DMZ IP 192.168.61.1, 255.255.255.0, DHCP on DMZ enabled 192.168.61.100 to 150,
And we've set the following DMZ WAN rules:
Outbound services: ANY, allow always, DMZ users: all, WAN users: all
Inbound services: ANY, allow always, DMZ server IP 192.168.21.1 (for site A) and 192.168.61.1 (for site B)

The problem is that, as soon as we enable the DMZ rules on one site, the VPN tunnel fails, and in order to have it available again, we need to disable the DMZ Wan rules and to reboot the router.
I'm sure I'm doing something wrong with the rules, but I don't know what.

It would be great if someone could help me.
Thanks in advance.
Kind regards
Message 1 of 6
adit
Mentor

Re: FVS336GV2 - Handling of VPN IPSec tunnel and DMZ

That is the way it is supposed to work. You used the ANY Service in a Rule. ANY means everything. You really want a router that supports VLANs.
Message 2 of 6
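
An added example (not from the thread or from NETGEAR) that checks which of the DMZ WAN rules in the first post also match the traffic an IPsec tunnel uses: IKE on UDP 500, NAT-T on UDP 4500 and ESP (IP protocol 50). The rule names, the service table and the HTTPS comparison rule are constructed, and the script models only service overlap, not how the FVS336GV2 firmware orders or applies rules.

```python
# Added example: not NETGEAR code. It models rule/service overlap only;
# how the firmware actually evaluates DMZ WAN rules is an assumption left open.
from dataclasses import dataclass

# Traffic an IPsec tunnel endpoint must receive on its WAN address.
IPSEC_FLOWS = {
    "IKE": ("udp", 500),
    "NAT-T": ("udp", 4500),
    "ESP": ("esp", None),  # IP protocol 50, which has no ports
}

# Service name -> set of (protocol, port); None means "matches everything".
SERVICES = {
    "ANY": None,
    "HTTP": {("tcp", 80)},
    "HTTPS": {("tcp", 443)},
}

@dataclass(frozen=True)
class Rule:
    name: str        # constructed label, not a router field
    direction: str   # "inbound" (WAN -> DMZ) or "outbound" (DMZ -> WAN)
    service: str
    action: str = "allow"

def ipsec_overlap(rule):
    """Return sorted names of IPsec flows that an inbound rule's service also matches."""
    if rule.direction != "inbound":
        # Modelled assumption: outbound DMZ rules apply to traffic sourced from DMZ hosts.
        return []
    svc = SERVICES[rule.service]
    return sorted(n for n, flow in IPSEC_FLOWS.items() if svc is None or flow in svc)

def audit(rules):
    """Map rule name -> overlapping IPsec flows, listing only rules that overlap."""
    return {r.name: ipsec_overlap(r) for r in rules if ipsec_overlap(r)}

# Rules as described in the first post, plus a constructed narrower rule for comparison.
POSTED_RULES = [
    Rule("dmz-wan-outbound", "outbound", "ANY"),
    Rule("dmz-wan-inbound", "inbound", "ANY"),
]
NARROW_RULE = Rule("constructed-inbound-https", "inbound", "HTTPS")

if __name__ == "__main__":
    for name, flows in audit(POSTED_RULES + [NARROW_RULE]).items():
        print(f"{name}: service also matches IPsec flows {flows}")
```
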
Christophe1376
Aspirant

Re: FVS336GV2 - Handling of VPN IPSec tunnel and DMZ

Hello,
Where I was wrong is that, as it refers to "DMZ Wan" rules, I thought that it would have an effect only on the DMZ port.

What I am trying to do is to have:
-- In ports 1, 2 and 3, access to my LAN, and also access to the Internet.
-- In port 4, only Internet browsing, and no access to the LAN
-- And of course the VPN IPSec tunnel operational

Can you tell me how to do that, or if there is a tutorial somewhere which explains the solution for this topic?

Thanks a lot
Christophe.
Message 3 of 6
adit
Mentor

Re: FVS336GV2 - Handling of VPN IPSec tunnel and DMZ

Remove the DMZ Rules. Enable DMZ Port.
Message 4 of 6
Christophe1376
Aspirant

Re: FVS336GV2 - Handling of VPN IPSec tunnel and DMZ

OK Adit, I'll do that.
But I've set up these rules because, with only the DMZ port enabled, I was not able to browse the Internet from the WiFi access point.
I can connect to the access point, receive a LAN IP address from the router, and I can ping the router from the DMZ LAN, but there is no access to the Internet.
And just after setting up these 2 rules, it was OK for the DMZ Internet access.

Maybe I've done something wrong. I'll check that tomorrow evening and keep you updated.

Again, thank you.
Kind regards
Message 5 of 6
Christophe1376
Aspirant

Re: FVS336GV2 - Handling of VPN IPSec tunnel and DMZ

Hi,
It took longer than I expected to go back to this location and try what has been recommended by Adit.

DMZ enabled, DMZ rules enabled:
All Internet browsing is OK from LAN or DMZ ports
VPN tunnel NOT working

DMZ enabled, DMZ rules disabled:
Internet browsing is OK from LAN
Internet browsing NOT OK from DMZ port
VPN tunnel is OK.

I'm totally lost.
Do you think I have to revert to the previous FW version?

Thanks for all ideas.
Kind regards
Message 6 of 6