Orbi VPN with Gateway behind it

iaa
Aspirant

I have an Orbi 750 router and a Huawei Fiber Gateway behind it. I have configured VPN and DDNS on my Orbi to access my internal devices (CCTV and NAS) from outside home. The VPN wasn’t working at the beginning, but when I added my Orbi router to the DMZ on the Gateway, the VPN worked. However, I’m not sure if this is secure! Is there a more secure way to do this without adding my Orbi router to the DMZ?
Message 1 of 5

Accepted Solutions
CrimpOn
Guru

Re: Orbi VPN with Gateway behind it

Technically, there may be a "more secure" method, but in practical terms the additional security is pretty small.

If the Huawei router is able to forward ports, then you can forward the ports used by OpenVPN to the Orbi router. This will leave all other connection attempts blocked. By default, OpenVPN uses UDP ports 12973 and 12974.

This means that the Huawei router will absorb all of the irritating Denial of Service (DoS) traffic that tends to clog up the Orbi log file. However, this also results in the Orbi being in a Double NAT situation which interferes with other activities besides VPN, such as sharing media, running web sites, and some internet gaming.

 

When the Orbi is in the router's DMZ, that is identical to the router being connected to an ordinary modem, which is the usual recommended practice. In other words, it is exactly as vulnerable as it would be if the Huawei was not a router to begin with.

Message 3 of 5

Razor512
Prodigy

Re: Orbi VPN with Gateway behind it

If the DMZ worked, then you may have the description reversed, and the fiber gateway device is actually in front of the Orbi router. In which case, if on a double NAT, then there is no issue with putting the Netgear router on the DMZ of the fiber gateway, as you will still have the firewall and other security features of the Orbi router.
Ideally, you should search for an option on the fiber gateway to be placed into a transparent bridge mode, or at least an IP passthrough mode, so that you will not be faced with a double NAT.

Message 4 of 5
iaa
Aspirant

Re: Orbi VPN with Gateway behind it

Thank you so much. I removed the Orbi from the DMZ and added these ports to the port mapping on the Gateway, and now it works fine.
Message 5 of 5
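
The two gateway settings compared in this thread, and the double NAT check that goes with them, as a small added example that was not posted by any participant. The function names, sample probes and addresses are constructed for illustration; the two UDP ports are the ones named in the thread, and the classifier covers IPv4 only.

```python
import ipaddress

# RFC 1918 private ranges and the RFC 6598 carrier-grade NAT range.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")

def classify_wan(addr):
    """Classify the WAN address shown on the inner router's status page."""
    ip = ipaddress.ip_address(addr)
    if ip in CGNAT:
        return "cgnat"       # address handed out from carrier-grade NAT space
    if any(ip in net for net in RFC1918):
        return "double-nat"  # inner router sits behind the gateway's NAT
    return "public"          # bridge / IP passthrough, or a plain modem upstream

def reaches_inner_router(mode, forwards, proto, port):
    """Is an unsolicited inbound packet handed on to the inner router?

    mode     -- gateway setting: "dmz" or "port-forward"
    forwards -- set of (proto, port) rules, used only in port-forward mode
    """
    if mode == "dmz":
        return True                       # all unsolicited traffic is passed on
    if mode == "port-forward":
        return (proto, port) in forwards  # only the listed ports are passed on
    raise ValueError(f"unknown mode: {mode}")

# Ports named in the thread for the Orbi's OpenVPN service.
VPN_FORWARDS = {("udp", 12973), ("udp", 12974)}

# Constructed sample of unsolicited inbound probes arriving at the gateway.
SAMPLE_INBOUND = [("udp", 12973), ("udp", 12974),
                  ("tcp", 23), ("tcp", 443), ("udp", 53)]

def exposure(mode):
    """Probes from the sample that the inner router's own firewall must handle."""
    return [p for p in SAMPLE_INBOUND
            if reaches_inner_router(mode, VPN_FORWARDS, *p)]

if __name__ == "__main__":
    for wan in ("192.168.100.2", "100.72.10.5", "203.0.113.7"):  # constructed
        print(f"{wan:15} -> {classify_wan(wan)}")
    for mode in ("dmz", "port-forward"):
        print(f"{mode:12} -> {exposure(mode)}")
```

In DMZ mode every probe in the sample reaches the inner router and is filtered there; with the two forwarding rules only the VPN ports do. In both modes the inner router's WAN address stays private until the gateway is switched to bridge or IP passthrough mode.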