Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[jimerman]

This has been frustrating me for quite some time.  I replaced a Linksys g router at home with this one, and my VPN connections don't work.  When I try to connect to my work VPN (SonicWall), it doesn't respond from behind the DIR-826L.  If I move it off the 826L to the router attached to the Internet, it works fine.

I have a L2TP VPN server, and can't connect clients to it from the Internet - they time out.  Worked great with the Linksys.

I have Internet router with firewall forwarded ports to the 826L, and on the 826L I opened up a DMZ to my server.  I also went to Advanced/Applications, and opened up TCP/UDP ports 0-60000 just to see if I could open up outbound VPN traffic.  On theory, with DMZ or port forwarding, the inbound traffic should reach the server.  However, connection out proves it is blocking outbound at least.  I can't figure out how to open up outbound traffic!  What am I missing?

Thanks.

[FurryNutz]

Link>Welcome!

Link>What Firmware version is currently loaded? Found on routers web page under status.
What region are you located?

What ISP Service do you have? Cable or DSL?
What ISP Modem Mfr. and model # do you have?

[jimerman]

Thanks for the reply, FurryNutz.  It says firmware is the latest - 1.03.  ISP is AT&T U-Verse, I believe that is DSL, I'm in US mid-west.  Modem is 2WIRE i38HG.

Should have mentioned, I also have VNC port forwarded, and that works great from Internet in to my DMZ.  Not sure why VPN traffic seems to be blocked on the outgoing side.

[hyelton]

Well the modem you have with AT&T is a Gateway device which means it has a firewall as well unless you have it bridged/

[FurryNutz]

What he said...

If this modem has a built in router, it's best to bridge the modem. Having 2 routers on the same line can cause connection problems.
Double NAT
To tell if the modem is bridged or not, look at the routers web page, Status/Device Info/Wan Section, if there is a 192.168.0.# address in the WAN IP address field, then the modem is not bridged.
If the modem can't be bridged then see if the modem has a DMZ option and input the IP address the router gets from the modem and put that into the modems DMZ.

Can try this:
http://forums.dlink.com/index.php?topic=49338.msg182337#msg182337

[jimerman]

I mentioned in the post that the firewall on the 2wire has the VPN ports forwarded to the DLINK; the same ports that were forwarded to the Linksys before I replaced it.  It worked great there.  But this is for inbound traffic.  The only explanation that makes sense to me is that the outbound traffic is blocked, because I can't connect from home to the company VPN.  That should work regardless of firewall settings, no?

[jimerman]

Well the modem you have with AT&T is a Gateway device which means it has a firewall as well unless you have it bridged/

I'm not exactly sure what you mean by bridged -- I do have Port Forwarding enabled for all the L2TP and PPTP with NAT ports.  These are:

VPN-L2TP
UDP   500
UDP   4500
UDP   1701
UDP   5500

VPN-PPTP
TCP   1723
TCP   47

UPnP
UDP   1900
TCP   2869

[jimerman]

What he said...

If this modem has a built in router, it's best to bridge the modem. Having 2 routers on the same line can cause connection problems.
Double NAT
To tell if the modem is bridged or not, look at the routers web page, Status/Device Info/Wan Section, if there is a 192.168.0.# address in the WAN IP address field, then the modem is not bridged.
If the modem can't be bridged then see if the modem has a DMZ option and input the IP address the router gets from the modem and put that into the modems DMZ.

Can try this:
http://forums.dlink.com/index.php?topic=49338.msg182337#msg182337

I think this is what you indicate - I went to Settings / Broadband / Status, and under Internet Details I see:

Broadband Link Type   Built in modem - VDSL
Connection Type   Direct IP (DHCP or Static)
Current Internet Connection   
{and the IP connection info}

This looks like a public IP and not a private one (76.x.y.z).  The puzzler here is that I have had this U-Verse modem for 1 year, but the D-Link router for only a month.  The rest of the year was Linksys, and it worked beautifully.  So I don't think it's a configuration issue with the 2wire, it would have to be something with the D-Link.  Another indicator, if I hook my laptop by wire to the 2wire, I can connect to my work VPN.

[jimerman]

I looked at the link to the DIR-857 SPI post, I suppose that is something I could try.  So I basically expose the DLINK router to the Internet directly via DMZ, and then use the DLINK firewall to protect my network, right?  So I would want to turn off  the DLINK DMZ and just enable pinholes per app ports as needed, is that correct?

[FurryNutz]

Yes. The DLink needs to be on the front lines of the Internet as much as possible. Handling the PPPoE DSL info is preferred however I presume since you have a 2wire model, bridging may not be possible. So yes, use the DMZ on the 2wired for the WAN side IP address on the 826L. Then set up either Virtual Server or PF for your ports. Try disabling uPnP if you set up PF options.

I take that back, I didn't see your first replay post. So you are getting a public IP address ON the 826L?

Are those L2TP ports you listed set up on the Modem or the 826L? If you have made configurations on the modem, I think you'll need to clear all those then set up any ports on the 826L.

[jimerman]

I take that back, I didn't see your first replay post. So you are getting a public IP address ON the 826L?

Are those L2TP ports you listed set up on the Modem or the 826L? If you have made configurations on the modem, I think you'll need to clear all those then set up any ports on the 826L.

Sorry should have been more clear.  The public IP address is on the 2wire.  Port forwarding on the 2wire Firewall page, to the DLINK.

[FurryNutz]

Ok, ya, then if the 2wire can't be bridged, you'll need to use DMZ and put the WAN IP address the 826L gets from the modem in the modems DMZ and get the 826L on the front lines as much as possible. Remove the modems port configurations that you've done as well. If DMZ works with the 826L, then input port configurations on the 826L.

Do you have video or phone service thru this modem? or just Internet?

[jimerman]

I'm reading the article about Double NAT, I had always wondered about it but never had an issue until I installed the DLINK.  So, I was assuming that the Linksys seemed to be able to route correctly.  Perhaps the DLINK is just a much more configurable router, and I am missing some key option that would make it work like the Linksys, or maybe I do have the problem because of security on the DLINK, or some other requirement.

I would be willing to try putting the DLINK forward to the Internet, given that it would not disable the 2wire functionality, I think that is necessary for the TV boxes.  (Now if only I could convince my wife we don't need TV!)

[jimerman]

Ok, ya, then if the 2wire can't be bridged, you'll need to use DMZ and put the WAN IP address the 826L gets from the modem in the modems DMZ and get the 826L on the front lines as much as possible. Remove the modems port configurations that you've done as well. If DMZ works with the 826L, then input port configurations on the 826L.

Do you have video or phone service thru this modem? or just Internet?

I have TV and phone service as well, so I have to be careful not to disrupt.

[FurryNutz]

Not sure what model Linksys you had before however Most routers have NAT abilities built in. So they are there own dhcp server and NAT router. Over the past several years, ISPs have teamed up with some router mfrs to have some modem designed with built in routers as well. This also introduces NAT to the modem as well. Think of it as a combo modem. Yes they work ok and are good for the average user, however some folk don't realized this and that understandable from a end user stand point. Not much information is given to end users regarding modems and routers. ISP just expect to install it and customers just want it working. More advanced users are generally more aware of this condition.

You can review this:
Bridge Mode vs Relay vs Acess Point (AP) / Routers vs Dedicated Access Points (AP)

One thing to consider, if modems can't be bridged or if you really want to use the ISP modem has your main DHCP and NAT server, then maybe an external router is not a good solution for you. Rather maybe upgrading to a DAP model wireless AP would be more beneficial. You can turn the 826L in to an AP however you'd be loosing most of the features of the router save the wireless and wired connections. Not sure what you'd like to do here. I think if you can get the 826L into the modems DMZ and then setup the 826L ports for your VPN and test, maybe it will all work out. I've always been leery of the 2wire DMZ though. Seen reports that it's not truly DMZ like it should be.  One thing I don't care for in some of the ISP modems with built in routers. 

Ya, since you have video services thru the 2wire, you'll need to keep that modem or I'd hightly recommend swapping it out for a stand alone DSL modem with out a router built in. Then the 826L would be good to go.