BlastoFriz

join:2013-01-20
Clearfield, UT

USG 50 Behind DSL Modem/Router

Hi everyone! First time posting, but I've used tons of suggestions from here to get things mostly working. I'm setting up a Zywall USG 50 for L2TP VPN. I couldn't get my USG to do my PPPoE authentication for Centurylink, even in bridged mode for whatever reason, so I'm attempting to pass traffic from my modem/router to the USG.

Quick setup info:

I have the WAN port connected to my modem with a static address outside of my modem's DHCP pool (192.168.0.200). I have a Win7 PC connected to my modem and then a server (static 192.168.1.2) connected on the USG's LAN1. I cannot see the server until I connect via Win7 VPN client to my USG so that much is working.

Now my question is this - in order to have my modem correctly pass VPN/L2TP traffic to the USG do I forward UDP ports (500, 4500 and 1701 right?) to my WAN port's address (192.168.0.200)??? The port forwarding seems to be where I'm hung up.

Thanks for any input!



Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:10

If you can connect to USG via Win7 VPN your port forwarding must be correct as is.

What issues did you have terminating your PPPoE on USG?


BlastoFriz

join:2013-01-20
Clearfield, UT

I hadn't had the opportunity yet to connect outside my house, so I tried to simulate it the best I could. Hopefully I've got it.

The PPPoE connection on the USG - I would click on the connect button on the dashboard after creating my connection and it would just count down from 59 and timeout and never connect. Once I got things working by giving the WAN port an address, and still authenticating via my modem, I figured stick with that for the time being.



Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:10
Reviews:
·TekSavvy DSL
·Bell Fibe

With PPPoE terminating on your modem you'll be behind double NAT which will complicate your life (it is already the case as you have to forward ports on the modem).

Easiest way is to switch modem to bridging mode and terminate PPPoE on your USG. What did USG show in the logs when you were trying to connect?

That said, for L2TP VPN you need to forward these ports and protocols:
UDP 1701 (L2TP)
UDP 500 (IKE)
UDP 4500 (NATT)
IP Protocol 50 (ESP) ... on some routers labelled as "IPSec/VPN pass-through"


BlastoFriz

join:2013-01-20
Clearfield, UT

Thanks for the quick replies by the way. I'm not positive what my USG logs said on my PPPoE connection attempts; I'll have to reconfigure and try again (reset to factory along the way). I was, however, able to connect outside my house and run some tests. When I scanned myself, I'm still returning only TCP ports 21, 80 and 8080. This was even after configuring port forwarding and disabling the firewall. So I'm highly suspicious of my lame DSL modem/router and its NAT causing issues.

Any ideas? Get PPPoE working on USG (haha)



Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:10
reply to BlastoFriz

You need to open firewall for the ports on USG as well.

What modem do you have?


BlastoFriz

join:2013-01-20
Clearfield, UT

It's an Actiontec Q1000.



Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:10

There are numerous how-tos on the internet on how to set the Q1000 to bridge mode ... google it.

What specific issues do you have when doing that? What's in the logs?



bbarrera
Premium,MVM
join:2000-10-23
Sacramento, CA
kudos:1
reply to Brano

said by Brano:

That said, for L2TP VPN you need to forward these ports and protocols:
UDP 1701 (L2TP)
UDP 500 (IKE)
UDP 4500 (NATT)
IP Protocol 50 (ESP) ... on some routers labelled as "IPSec/VPN pass-through"

I thought so too, and I'm scratching my head as on my USG50 all that is required is forwarding UDP500 (IKE) and UDP4500 (NATT). Port forwarding to Mac OS X Server running L2TP/IPSec. Didn't bother trying to answer why, I started with all 4 services and then played around to find the minimum number required to port forward (and allow in firewall).


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:10
Reviews:
·TekSavvy DSL
·Bell Fibe

I "think" I can explain that:
Obviously you need WAN-to-ZyWALL IKE and NATT.
L2TP however is encapsulated in the IPSec and thus the incoming zone is IPSec_VPN and not WAN. So if you have other IPSec_VPN to ZyWall rule then L2TP gets through.
And ESP is initiated from inside (I believe) thus no inbound rule is needed.
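The port list Brano gave earlier and the observation by bbarrera that only UDP 500 and UDP 4500 were needed on a USG50 behind NAT both fit the same mechanism: when a NAT sits between the peers, IKE negotiates NAT-T and the ESP payload is carried inside UDP 4500 (RFC 3948), and for L2TP/IPsec the L2TP traffic on UDP 1701 travels inside that IPsec SA (RFC 3193). The following checker is an added example, not part of this thread or of any ZyXEL tool; it takes a constructed one-line forward-rule format (an assumption for the example, not a vendor export) and reports which entries an L2TP/IPsec responder still lacks, distinguishing the double-NAT case from a direct (bridged) WAN.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    proto: str            # "udp", "tcp", or "ip<n>" for a raw IP protocol (ESP is "ip50")
    port: Optional[int]   # None for raw IP protocols, which carry no port number
    dest: str             # internal address the modem/router forwards the traffic to


def parse_rule(line: str) -> Rule:
    """Parse a constructed one-line rule such as 'UDP 500 -> 192.168.0.200'
    or 'ESP -> 192.168.0.200'. The text form is an assumption of this example."""
    lhs, dest = (part.strip() for part in line.split("->"))
    fields = lhs.split()
    proto = fields[0].lower()
    if proto == "esp":
        return Rule("ip50", None, dest)
    if proto.startswith("ip"):
        return Rule(proto, None, dest)
    if len(fields) != 2:
        raise ValueError(f"{proto} rule needs a port: {line!r}")
    return Rule(proto, int(fields[1]), dest)


# What an L2TP/IPsec responder needs reachable from the outside: (proto, port, label).
NEEDED_ALWAYS = (("udp", 500, "IKE"), ("udp", 4500, "NAT-T"))
# Raw ESP is only needed when no NAT sits in the path; behind NAT the peers
# negotiate NAT-T and ESP is encapsulated in UDP 4500 (RFC 3948).
NEEDED_WITHOUT_NAT = (("ip50", None, "ESP"),)
# UDP 1701 is carried inside the IPsec SA for L2TP/IPsec (RFC 3193), so an
# external forward for it is only needed if L2TP were run unprotected.
INSIDE_TUNNEL = (("udp", 1701, "L2TP"),)


def check_l2tp_ipsec_forwarding(rules, vpn_host, behind_nat=True):
    """Report which required entries for vpn_host are satisfied, missing, or
    present but unneeded. behind_nat=True models the double-NAT setup."""
    present = {(r.proto, r.port) for r in rules if r.dest == vpn_host}
    needed = list(NEEDED_ALWAYS) + ([] if behind_nat else list(NEEDED_WITHOUT_NAT))
    satisfied = [label for proto, port, label in needed if (proto, port) in present]
    missing = [label for proto, port, label in needed if (proto, port) not in present]
    # Forwards that reach vpn_host but are not required in this topology.
    candidates = INSIDE_TUNNEL + (NEEDED_WITHOUT_NAT if behind_nat else ())
    unneeded = [label for proto, port, label in candidates if (proto, port) in present]
    return {"satisfied": satisfied, "missing": missing, "unneeded": unneeded}


# Constructed sample resembling the thread's setup: USG WAN at 192.168.0.200
# behind the modem/router, plus an unrelated web forward to another host.
SAMPLE_FORWARDS = [
    "UDP 500 -> 192.168.0.200",
    "UDP 4500 -> 192.168.0.200",
    "UDP 1701 -> 192.168.0.200",
    "TCP 80 -> 192.168.0.50",
]

if __name__ == "__main__":
    rules = [parse_rule(line) for line in SAMPLE_FORWARDS]
    # Double-NAT case: IKE and NAT-T satisfied, nothing missing, 1701 flagged as unneeded.
    print(check_l2tp_ipsec_forwarding(rules, "192.168.0.200"))
    # Bridged/direct case: the same table is missing raw ESP.
    print(check_l2tp_ipsec_forwarding(rules, "192.168.0.200", behind_nat=False))
```

Run against the constructed table, the double-NAT check reports no missing entries and flags the UDP 1701 forward as unneeded; with `behind_nat=False` the same table is reported as missing ESP, which is the extra "IPSec/VPN pass-through" entry some routers expose. The same rules still have to be allowed on the USG's own WAN-to-ZyWALL firewall, which this checker does not model.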



bbarrera
Premium,MVM
join:2000-10-23
Sacramento, CA
kudos:1

No interfaces are members of IPSec zone. No IPSec rules. No use of the Default_Allow rules (which includes ESP).

My WAN-to-ZyWALL only allows ping, and remote https/ssh management from office IP addresses.


emerging

join:2003-10-17
Winnipeg, MB
reply to BlastoFriz

Just so everyone is aware, I have opened a support case with ZyXEL as we are unable to get a USG20 with current firmware to initiate a PPPoE link with any of the modems that we are testing (Speedstream modem, Speedstream modem/router and Actiontec modem/router).

Our regional ISP is absolutely no help as well, as they are only concerned with whether you can configure and connect from a laptop. If it works it can't be them... makes it tough to get info for the folks at ZyXEL.

Unfortunately the main engineering staff are away until Feb 17th for Chinese New Year.



Hank
Searching for a new Frontier
Premium
join:2002-05-21
Burlington, WV
kudos:2

Is your modem in bridge mode? How did you setup the USG20?



Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:10
Reviews:
·TekSavvy DSL
·Bell Fibe
reply to emerging

You should have opened a new thread for your issue. But since we're already here, a few questions:
- did you set up the modem in bridge mode?
- did you try configuring the PPPoE connection with compression disabled and enabled?
- do you know which authentication to use? If not, did you try all of them?
- what's in the USG logs?
- did you try a packet trace and look in Wireshark for what the issue might be?
- do you have proper policy routes and FW rules configured?