VPN Setup behind ISP router

machochico

New Around Here
Hello, hoping for a bit of help.

We're a small business (about 10 computers all together) with 3 occasional remote users and we wanted to start using a VPN connection for remote users. We've purchased a TPLink ER7206 and walked through the setup steps, but cannot get a connection.

We also have a static IP through Comcast Business, and they require that we use their equipment (Cisco DPC3941B), and to set it up as a "passthrough" device rather than bridge (as per this thread and confirmed with tech over phone: https://forums.businesshelp.comcast...-vs-passthrough-mode/5fe0a58dc5375f08cd7d88fe). I have my suspicions that the device is NOT passing through any communications (possibly defective?) from WAN side, but need some help to determine it.

We wish we could just use the TPlink as everything, but cannot because of static IP. Does anyone have any experience with this? Am I setting this up correctly?

Static IP (74*.........) -> Comcast Router -> LAN -> 10.0.0.1 which is plugged into WAN on TPLink. TPLink Wan is set to 10.0.0.2 (Gateway 10.0.0.1) and LAN is set as the GW to rest of our network (192.168.168.1), plugged into the switch...

All outgoing communication is working (internet, etc). But each VPN Server connection I've tried is failing (PPTP & L2TP with key). No NATs/Static Routes have been set either. Should I be able to see open ports for PPTP 1723 (from https://portchecker.co/)?

Many thanks for your suggestions.
 

Tech Junky

Very Senior Member
Looks like a built in MTA with a Cable Modem.

Do you have phone service tied into the service package?

If you don't then switching to a regular modem to terminate the Coax connection should be an option. With regards to support though using your own modem will limit your support options but it makes your network easier to manage.

Putting the GW into bridge mode will bypass any routing the GW may be doing and then you simply move the static IP to the TPL.

Everything then gets managed on the TPL and bridge mode disables the phone / wifi / firewall functions of the GW. Which from the sound of it is fine since you're going to use the TPL for VPN and other services anyway.

One of the issues you're probably having is the double NAT from 10.x.x.x to 192.x.x.x as this makes VPN's a tad confused.

Now onto the port you're opting to use. Using common ports leads to port scanners to find you on the internet to attempt to break in. Using another port that's somewhat random makes this harder to do. Legacy PPTP/L2TP options should be avoided if possible.



I use WG to connect with a provider and it's faster than the other options. I was reading up on a FireWalla box that you can use to host VPN access / additional firewalling and good throughput. There are ~5 different options to choose from depending on needs and if you don't want to mess with clients / software you can setup the remote folks using the site to site option on some models that can funnel work related traffic to your main site. For sub $500 and no subscription fees it's a good option if you don't want to get your hands dirty with setting up a PC / server of your own to handle the traffic.
 

Tech9

Part of the Furniture
We wish we could just use the TPlink as everything

You can, but to access all ER7206 features you'll need Omada Controller. Use IPSec or OpenVPN*. Make sure the port is forwarded on the ISP equipment. Static IP is good, no DDNS needed. It should work with simple configuration. I don't know passthrough mode does on your gateway though.

* - see here what requires Omada Controller:

It can be hardware OC200 device or software running on a PC. Hardware device is better, it's under $100.
 

machochico

New Around Here
Thanks, great input!

We are planning on shifting to OpenVPN once we can prove that this should work with the ISP; I just wanted to use the most "basic" setup to verify if the Gateway was actually forwarding the traffic or not.

We do have phone service under the account a well, but there is another device (Arris brand I think?) that has it's own Coax cable and is patched into the phone network. I am not sure if the Cisco unit does anything for the phones. I have a service tech coming out tomorrow, and I will see if there is an alternative for just a modem with our setup. The sticking point may be the Static IP.

One of the issues you're probably having is the double NAT from 10.x.x.x to 192.x.x.x as this makes VPN's a tad confused.
Should I remove the 10.x.x.x? It's only used for the interface between ISP router LAN and TPLink WAN. Both could just be on the 192.x.x.x? Would I still set the ISP router as my "main" GW (192.168.168.1) or TP link?
 

sfx2000

Part of the Furniture
You can, but to access all ER7206 features you'll need Omada Controller. Use IPSec or OpenVPN*. Make sure the port is forwarded on the ISP equipment. Static IP is good, no DDNS needed. It should work with simple configuration. I don't know passthrough mode does on your gateway though.

Good advice...

One thing to consider -- L2TP/IPSec is supported by every major operating system out there, natively, and it's pretty easy to set up.

OpenVPN requires client software to be installed and configured.

IPSec also performs much better than OpenVPN.
 

Tech9

Part of the Furniture
Should I remove the 10.x.x.x?

Address 192.168.x.x is fine. Double NAT is also fine. You just need to make sure the ports you use are open on your Internet facing router.

OpenVPN requires client software to be installed and configured.

True. And IPSec doesn't even need the controller on ER7206, it's a built-in feature. Faster and secure enough. Up to 290Mbps on this router.
 

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top