I’ve just spent a couple of weeks fighting with a very frustrating problem: setting up VPN passthrough on a Netgear DGND3700v2. This is a reasonably high-end device (for Netgear) and actually has the ability to terminate VPN endpoints itself. However, the built-in VPN server does not support the VPN client built into Mac OS, so you have to use something like VPN Tracker (up to $20 Aus per month) or IPSecuritas (free, but difficult to configure and support).

I decided that the best option here would be to port forward the appropriate ports to the Mac server (which already has the usernames and passwords) so we could provide a reliable, easy to use and supported VPN solution. Let’s see how that worked out…

In theory it’s pretty easy (although even a big MSP managed to stuff this up, causing me great frustration a few months back): you just have to forward the following ports for L2TP on Mac OS X.

VPN-IPSec: UDP port 500
VPN-L2TP: UDP port 1701
IPSec NAT Traversal: UDP port 4500

Pretty simple, right? But it didn’t work. So, let’s have a look at the documentation.

The manual mentions port forwarding, and also covers the built-in VPN server in great detail, but does not mention that the VPN server can’t be turned off. You’ll notice that all of the required ports are UDP, a connectionless protocol with no guarantee of delivery, so the failure can’t easily be traced: the Mac VPN client just says ‘the server did not answer’, which may or may not be true.

A quick search leads us to this Netgear knowledgebase document titled ‘Troubleshooting VPN Passthrough for Home Routers’, which contains this statement:

[Screenshot of the Netgear knowledgebase statement, 2015-08-27]

OK, cool. Looks like we are in the right place. There’s also a whole bunch of helpful tips on how to get it working. That don’t work.

So we update the firmware on the router, delete all the rules and re-add them. But now it complains that UDP port 500 is already in use and can’t be added as a port forwarding rule. The message says to check the settings for ‘Remote management, Port Forwarding, Port Triggering, Universal Plug n Play, RIP, and Internet Connection Type’. So we duly check all of these and find exactly nothing wrong.

But at least we have a new clue: it’s whinging about something rather than simply not working. A new Google search brings up this:

[Screenshot of the search result, 2015-08-27]

And a bit of further digging around suggests that the issue is this: on Netgear routers that support VPN endpoints, the VPN server cannot be turned off, so it keeps UDP port 500 for itself and you cannot forward that port to your own server.

So, questions for Netgear:
1. Why not put this in the user manual?
2. Why not put this in your knowledge base article?
3. Why not AT LEAST correct your knowledge base article so that it isn’t WRONG?
4. If I can’t forward these ports, why are they available in the drop down menu?