RVS4000 > Forward ports to the router itself?

Unanswered Question
Jan 17th, 2010

Hi,

I use the TheGreenBow VPN client to connect via IPsec to my router. It works so much better than the Linksys VPN client thing. According to this article:

http://www.thegreenbow.com/vpn_faq.html#VPN24

If I am behind a firewall that blocks access to UDP 500 and 4500, I will have issues VPNing to my router. So what I think I need to do is forward UDP 80 to UDP 500 and UDP 443 to UDP 4500.

The problem is that I'm pretty sure the router will not route traffic to itself. I set my router's remote administration port to TCP port 81. Then I set up a single port forward to forward TCP port 999 external to TCP port 81 internal (to my router's internal IP). When I type in my router's DNS name (DynDNS name) from an OUTSIDE network using the following:

<snip>.gotdns.org:81

I get my router's setup page. When I type:

...gotdns.org:999

everything hangs and I finally get a timeout in my browser. This indicates to me that the router refuses to forward a port to itself. Is that correct?

William Childs Tue, 01/19/2010 - 05:02

You are correct in saying that you cannot port forward to yourself (yourself being the router). I do not understand how port forwarding the ports listed will/should result in a VPN connection. If your RVS4000 is behind a firewall/router (maybe a Verizon FiOS device) then you should forward Protocol 50 (AH) and 51 (ESP) as well as 500 UDP and 4500 UDP to a statically set private IP address (this would be the address assigned to your RVS4000).

If you are unable to do this, I may have misunderstood your problem. Please post more information about the equipment being used and the firmware of the RVS4000.

As a side note, when you are at a remote location, the network you are on can block incoming requests to ports 500 and 4500 and you will still be OK. The reason is that the initiation of the tunnel comes from the LAN side of the network and leaves on a random port destined for port 500. The packet would look like this:

192.168.22.103:20394  -->  75.43.198.55:500
(YOU, random source port)  (your private network)

HTH,

Bill

aaron.martinas Tue, 01/19/2010 - 15:09

hi,

My network layout is as follows. I use a standard cable modem from TWC. On the WAN side, my router plugs into this modem. Based on the information in the link in my original post, I concluded that, when on my VPN client and in a remote location in relation to my RVS, my "IKE" packets needed to leave my computer on UDP port 80 and my "NAT-T" packets needed to leave on UDP port 443. Once they arrive on my TWC connection, the modem would forward them as is to the router, and then the router would say "what the #$%^ is a UDP 80 packet??? drop." The same for UDP 443. So my expectation was that I would just tell the router to expect traffic on UDP 80/443, not knowing beforehand what they're meant for, check the NAT table, and then forward the same packet to itself on a port that knew what to do with the packets.

Not knowing what you meant by the AH/ESP thing, do I still have any options here? I tried to tell the router to forward the UDP packets to an internal router whose sole purpose is to be a wireless access point (but has router functionality), and then have the "WAP" just forward those requests back to the router on the correct UDP 500/4500 ports. It didn't work.
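
The point the two posters are circling (the gateway classifies a datagram by its UDP destination port, 500 for ISAKMP/IKE and 4500 for NAT-T, before it looks at the payload, so the same IKE bytes arriving on UDP 80 are just "a UDP 80 packet" until a NAT rule rewrites the port) can be shown with a small demultiplexer. This is an added example written for this page, not code from the thread, from TheGreenBow or from Linksys firmware. It encodes and decodes the fixed IKE header (RFC 2408 for IKEv1, RFC 7296 for IKEv2: both use the same 28-byte layout) and the RFC 3948 NAT-T framing (four-zero-byte non-ESP marker in front of IKE, bare ESP otherwise, a single 0xFF octet as keepalive). The `translate_port` rule table stands in for the port forward the original poster wanted; all packets, SPIs and rule values are constructed placeholders.

```python
"""Why the destination port decides what an IPsec gateway sees.

Added example (not from the thread, TheGreenBow or Linksys). Header layouts
follow RFC 2408/7296 (ISAKMP/IKE fixed header) and RFC 3948 (UDP-encapsulated
ESP, non-ESP marker, NAT keepalive). All datagrams are constructed in-line.
"""
import os
import struct

IKE_PORT = 500
NATT_PORT = 4500

# Fixed 28-byte ISAKMP/IKE header: initiator SPI, responder SPI, next payload,
# version (major << 4 | minor), exchange type, flags, message ID, total length.
IKE_HDR = struct.Struct("!8s8sBBBBII")
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948 s.2.2: IKE carried on port 4500
NAT_KEEPALIVE = b"\xff"                # RFC 3948 s.2.3: one-octet keepalive

EXCHANGE_NAMES = {
    2: "IKEv1 main mode", 4: "IKEv1 aggressive mode",
    5: "IKEv1 informational", 32: "IKEv1 quick mode",
    34: "IKEv2 IKE_SA_INIT", 35: "IKEv2 IKE_AUTH",
    36: "IKEv2 CREATE_CHILD_SA", 37: "IKEv2 INFORMATIONAL",
}


def build_ike_message(exch_type, version=(2, 0), next_payload=0, flags=0,
                      init_spi=None, payload=b""):
    """Fixed IKE header followed by an already-encoded (opaque) payload."""
    init_spi = init_spi if init_spi is not None else os.urandom(8)
    major, minor = version
    hdr = IKE_HDR.pack(init_spi, bytes(8), next_payload, (major << 4) | minor,
                       exch_type, flags, 0, IKE_HDR.size + len(payload))
    return hdr + payload


def parse_ike_header(data):
    """Decode the fixed header; the length field must match the datagram."""
    if len(data) < IKE_HDR.size:
        raise ValueError("short IKE header")
    ispi, rspi, _nxt, ver, exch, _flags, msg_id, length = IKE_HDR.unpack_from(data)
    if length != len(data):
        raise ValueError(f"IKE length field {length} != datagram {len(data)}")
    return {
        "version": (ver >> 4, ver & 0x0F),
        "exchange": EXCHANGE_NAMES.get(exch, f"unknown({exch})"),
        "initiator_spi": ispi.hex(),
        "responder_spi": rspi.hex(),
        "message_id": msg_id,
    }


def encapsulate_natt(ike_msg):
    """IKE on UDP 4500 is prefixed with four zero bytes so it is not read as ESP."""
    return NON_ESP_MARKER + ike_msg


def _ike_summary(h):
    major, minor = h["version"]
    return f"IKE {major}.{minor} {h['exchange']}"


def classify(dst_port, payload):
    """What a gateway makes of one UDP datagram, keyed on destination port."""
    if dst_port == IKE_PORT:
        return _ike_summary(parse_ike_header(payload))
    if dst_port == NATT_PORT:
        if payload == NAT_KEEPALIVE:
            return "NAT-T keepalive"
        if payload[:4] == NON_ESP_MARKER:
            return _ike_summary(parse_ike_header(payload[4:])) + " over NAT-T"
        if len(payload) < 8:
            raise ValueError("short ESP header")
        spi, = struct.unpack_from("!I", payload)  # ESP SPI is the first word, never zero
        return f"UDP-encapsulated ESP, SPI 0x{spi:08x}"
    return f"unrecognised: UDP {dst_port} is not an IPsec port"


def translate_port(dnat_rules, dst_port):
    """Hypothetical port-forward table ({external port: internal port}); only
    after this rewrite does the gateway see the datagram as IKE or NAT-T."""
    return dnat_rules.get(dst_port, dst_port)


if __name__ == "__main__":
    sa_init = build_ike_message(34, flags=0x08)       # IKEv2 IKE_SA_INIT, Initiator flag
    print(classify(IKE_PORT, sa_init))
    print(classify(NATT_PORT, encapsulate_natt(sa_init)))
    print(classify(NATT_PORT, NAT_KEEPALIVE))
    print(classify(80, sa_init))                       # what the router sees on UDP 80
    print(classify(translate_port({80: 500, 443: 4500}, 80), sa_init))
```

Note what the example does not do: it says nothing about whether a given router will apply `translate_port` to a datagram addressed to its own WAN address. That hairpin behaviour is exactly what the original poster found missing on the RVS4000; on a Linux box it is an ordinary DNAT rule in the `PREROUTING` chain.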

juunda Wed, 01/20/2010 - 13:41

Here is a suggestion regarding VPNs: usually our Linksys routers need to be the "border router", meaning the one directly connected to the modem that is giving it a public WAN IP address for QuickVPN or whatever VPN client you are trying to use. If your modem is also a firewall/router/etc., then the VPN might not work unless you can forward all those ports to whatever WAN IP your modem/router is assigning our Linksys router, and even then I am not too sure if it will work.

Another suggestion is for you to find out if the ports are being blocked by your ISP instead of the actual devices in your network. To do so, connect a computer directly to your modem, and then go to the following website https://www.grc.com/x/ne.dll?bh0bkyd2 and use a port scanner service called Shields Up. If the results indicate that the particular ports you require are blocked or in stealth mode, you should contact your internet service provider and ask them to unblock them or to assist you in doing so.

Besides that, I am still unclear on your network scheme; you can always contact us at 1-866-606-1866 (SBSC) and, with your device's serial number, we can look up whether you are under free phone support to further assist you.
