VPN with home broadband?

ajf

I have Virginmedia broadband at home and want to experiment with VPNs.
Is it possible to set up a Sonicwall (small TZ170 or SoHo3) at home so a remote machine can VPN IN to my home network?

I know I can connect outbound to VPNs but not sure if I can do it inbound? Does the Sonicwall need a public IP address? Obviously the cable modem just issues local IPs.

Am I in fact thinking along completely the wrong lines?!

Thanks in advance for help.
Andrew
 
You can, you just need to forward the relevant ports to the sonicwall or, if your router supports it, configure VPN Passthrough to the sonicwall.

Note you will need a ROUTER not a MODEM to do this.
Though the sonicwall firewalls should be configurable to do the Router functions for you. But you'll need to know what you're doing with NAT as they probably won't come set up to do it out of the box like a standard cable router would.
 
I have a router on the back of the cable modem so I should be OK then?
 
Correct me if I'm wrong but doesn't the TZ170 have a route function in it? Might make it easier if you can combine some devices.
 
It almost certainly does, but it'll need configuring. NAT routing etc won't necessarily be plug and play. You'd need to know what you're doing.

If you have a router then just configure VPN passthrough or forward the relevant ports to the IP you assign to the sonicwall box.
 
Cheers.
Will be giving it a go shortly.
The only thing I am unsure of is this:
The 'remote' PC uses the VPN client software. I have used this at work; it requests the (public) IP for the VPN as part of the setup.
As my sonicwall is behind a router do I use the public ip of the cable modem for this?
 
Yup. The public IP of your connection gets it to the modem, this passes it on to your router, which then (if it's an IPSEC VPN packet) forwards it to the sonicwall.
 
Hmm.
Got the sonicwall and having problems with the vpn.
It is set up thus: internet--Virgin Motorola Surfboard modem--Belkin Router--TZ170

Normal access through the TZ170 is fine. Trying to connect to the VPN externally using a laptop and 3g mifi results in this error:
Error <local host> Failed to find MAC address 00:60:73:xx:xx:xx in the system interfaces table.

This appears to mean it cannot see or connect to the tz170. The WAN port IP is DHCP from the router and the remote vpn client is set to connect to the modem ip which is 84.x.x.x

Obviously there is an issue but not sure where it might be and how to resolve. According to Belkin all their routers passthrough vpn traffic and there are no additional settings relevant to this.

One odd thing (possibly). If I connect the tz170 direct to the back of the virgin modem, it will not pick up an ip for the wan port.

Andrew
 
I work with SonicWall firewalls on a day to day basis :) Might be able to help however I'm just about to pop out.

I will have a read later :)
 
Thanks. Would be helpful if you can.
Thought I had it working earlier via 3g, then realised the laptop was also still plugged into the LAN on the sonicwall.
Still, I didn't think it would even connect that way?
 
Depending if it has standard licence or enhanced licence you have options of either using something like the sonicwall SSL VPN net extender which is a piece of software that you can use to VPN directly into the box to get you on your network. Or just set up VPN passthrough.

Sonicwalls work on licensing though. But if licences are capable of ssl VPN, global VPN, site to site VPN.

TZ170s usually come with standard firmware but you can get enhanced. Soho3s god knows, they are quite old. I haven't used them at my time in my current job. I've worked on TZ range, NSA range (NSA and pro)
 
Feel the fool here.
Got it working tonight. Started looking around in the router and, despite what the manual and website said about VPN settings being built in and no setup required, I tried setting the ports here:
[image: ports.jpg]


Guess what? It worked!

Thanks for the info and sorry for ignoring the suggestions of adding ports!
 
Belkin generally suck balls for networking gear. Take what it says it'll do with a pinch of salt. It's always better when you're learning and experimenting to configure things manually anyway. It gives you a better understanding of what's going on.
 
Learnt my lesson anyway :)
Belkin wouldn't be my first choice but it was an emergency purchase from 'that' shop on a Friday after my D-link died.

What are good routers to look at anyway these days?
 
Linux based Linksys ones/anything with a decent CPU supported by DD-WRT, the mid to high end of the prosafe netgears, tbh it really comes down to budget.

For learning purposes as well as performance I'd recommend getting your hands on a second hand Cisco 877 if you can stretch to it. (some good bargains about on auction sites but still looking the top side of £80)
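
Added example, not part of any post in the thread: the kind of port forward that fixed the connection above, written as iptables rules for a Linux-based router such as the DD-WRT ones just mentioned. The thread's screenshot is lost, so the ports are the standard IPsec ones (an assumption about what was entered); the interface name and firewall address are constructed sample values.

```shell
#!/bin/sh
# Print (not apply) the rules that pass an inbound IPsec VPN through a
# NAT router to a firewall sitting behind it, and nothing else.
# Assumed names: the function name, eth0, and 192.168.2.2 are illustrative.

# ipsec_forward_rules WAN_IF FIREWALL_IP
ipsec_forward_rules() {
    wan_if=$1
    fw_ip=$2
    [ -n "$wan_if" ] || { echo "missing WAN interface" >&2; return 1; }
    # Reject an empty address or one with characters other than digits/dots,
    # so nothing unexpected ends up inside the generated commands.
    case $fw_ip in
        ''|*[!0-9.]*) echo "bad firewall IP: $fw_ip" >&2; return 1 ;;
    esac
    # UDP 500 carries IKE (tunnel negotiation). UDP 4500 is NAT-T: once both
    # ends detect the NAT in between, the encrypted traffic moves here.
    for port in 500 4500; do
        echo "iptables -t nat -A PREROUTING -i $wan_if -p udp --dport $port -j DNAT --to-destination $fw_ip:$port"
        echo "iptables -A FORWARD -i $wan_if -d $fw_ip -p udp --dport $port -j ACCEPT"
    done
    # ESP is IP protocol 50 and has no port numbers, so it cannot be entered
    # on a "port forwarding" page; it is what "VPN passthrough" handles when
    # NAT-T is not in use.
    echo "iptables -t nat -A PREROUTING -i $wan_if -p esp -j DNAT --to-destination $fw_ip"
    echo "iptables -A FORWARD -i $wan_if -d $fw_ip -p esp -j ACCEPT"
}

# Sample run with constructed values; review the output before piping it
# to sh as root on the router.
ipsec_forward_rules "${1:-eth0}" "${2:-192.168.2.2}"
```

Forwarding only these three items keeps the rest of the firewall's WAN side unreachable from the internet, unlike placing it in the router's DMZ.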
 