Netgate Discussion Forum

    netgate behind xfinity router - VPN

    General pfSense Questions
    • squirrellydw

      What do I need to do to set up a VPN / IPsec Netgate 1100 that will be behind a Comcast / Xfinity router? The router will NOT be in bridge mode. I need to connect to it from either another 1100 or ideally my UDM SE.
      The reason I can't put it in bridge mode is we still need wifi and my dad doesn't want to buy a different router.
      Thanks

      • stephenw10, Netgate Administrator

        Can you add a port forward or use DMZ mode in the Comcast router?

        If not, then you will need to set up the 1100 behind it to connect out to the other device. So if you choose to use OpenVPN, the 1100 would be set up as the client and the other side would be the server. The client will always connect out through the Comcast router, so no settings need to be added to it.

        Steve

        • squirrellydw @stephenw10

          @stephenw10 I can port forward but not sure about DMZ, I would need to look into that. How would this connect, router to 1100 LAN? Or would the 1100 be first, 1100 WAN to xfinity router? Would this let the 1100 be the server?

          • stephenw10, Netgate Administrator

            What sort of connection do you need to make here? What access do you need across it?

            By far the easiest thing is to add the 1100 as an OpenVPN client on the LAN side of the Comcast router. It can open a connection to your external OpenVPN server and you can then connect across that.

            Steve

            • squirrellydw @stephenw10

              @stephenw10 the location with the 1100 and Xfinity router we have TV service and the other location does not. I would like to have a VPN so we can use the Xfinity Stream app so we can access the TV channels at the other location that doesn’t have service. So I think the 1100 needs to be acting as the VPN server if I’m correct.

              • Jarhead @squirrellydw

                @squirrellydw said in netgate behind xfinity router - VPN:

                What do I need to do to set up a VPN / IPsec Netgate 1100 that will be behind a Comcast / Xfinity router? The router will NOT be in bridge mode. I need to connect to it from either another 1100 or ideally my UDM SE.
                The reason I can't put it in bridge mode is we still need wifi and my dad doesn't want to buy a different router.
                Thanks

                Does dad need to access internet only or does he need LAN access too?
                Most provided routers will still allow wireless access to the internet only while in bridge mode.
                When I had a Frontier router in bridge mode I used the wifi from it to access their router's GUI only. Still had internet access from their wifi but I didn't need to use it.

                Another option for internet only would be to set him up on the xfinitywifi of their box. Kinda low class to do to a dad but will he really know?? 😀

                • stephenw10, Netgate Administrator

                  In a site-to-site tunnel you can route traffic across it either way. Without port forwarding or DMZ (1:1 NAT) at the Comcast end, though, the 1100 behind it will always have to initiate the tunnel to the other end. That's fine, but it means the other side must be something fixed that can be connected to.
                  I'm not sure what the TV service requires but you are probably going to need to route all your traffic over the tunnel to make it work.

                  Steve

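The arrangement described in this thread (the 1100 behind the Comcast router dials out, the far end is the fixed server), sketched as plain OpenVPN directives for both sides. This is an added example, not a config posted by anyone in the thread or exported from pfSense; the hostname, port, subnets, certificate file names and client name are constructed placeholders.

```conf
# ===== Fixed end: OpenVPN server (must be reachable from the internet) =====
# Placeholders (constructed): 1194/udp, tunnel net 10.8.0.0/24,
# LAN behind the 1100 = 192.168.10.0/24, client certificate CN = site-1100.
port 1194
proto udp
dev tun
topology subnet
server 10.8.0.0 255.255.255.0

# Tell the server's kernel that the 1100's LAN is reached through the tunnel...
route 192.168.10.0 255.255.255.0
# ...and tell OpenVPN which client owns that LAN. The file ccd/site-1100
# contains the single line:  iroute 192.168.10.0 255.255.255.0
client-config-dir ccd

# In server mode this is pushed to the client: a ping every 10 s, restart
# after 60 s of silence. The periodic traffic also keeps the NAT mapping
# in the ISP router from expiring.
keepalive 10 60

ca   ca.crt
cert server.crt
key  server.key
dh   dh.pem
persist-key
persist-tun

# ===== NATed end: the 1100 as OpenVPN client behind the ISP router =====
client
dev tun
proto udp
# The client always initiates, so the ISP router needs no port forward or DMZ.
remote vpn.example.net 1194
# Use an ephemeral source port; nothing listens for inbound connections here.
nobind
# Keep retrying name resolution if the fixed end's address is not yet resolvable.
resolv-retry infinite
# Only accept a peer that presents a server certificate.
remote-cert-tls server

ca   ca.crt
cert site-1100.crt
key  site-1100.key
persist-key
persist-tun
```

Once the client has connected, traffic can be routed across the tunnel in either direction; only the initial connection has to come from the NATed side.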
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.