  • Trying to get an SG-3100 working from behind a remote home ISP router. Remote user has a Trendnet tew-818dru.

    What do I need to port forward from his router to the Netgate?



  • Added UDP 500 and 4500, still no joy. This Trendnet does not do ESP, so are we dead in the water?


    If you can give more information, maybe, like how the interfaces of your SG-3100 are configured:
    client IPsec -> internet -> router Trendnet -> SG-3100 -> more clients?

  • Remote devices -> SG-3100 -> Trendnet Router -> Home ISP -> Internet -> IPSEC tunnel on our firewall -> our network

  • Also, are we meant to forward to the LAN or WAN side of the SG-3100? His home devices are on a different subnet than the LAN side of the SG-3100.

    If the "remote device" is trying to connect to your "IPsec tunnel", then you only need to open the ports from LAN to WAN in the SG-3100; check the firewall log when you try to connect. Is the Trendnet router configured as a bridge or not? If not, you also have a double NAT situation; check Interfaces / WAN, "Block private networks and loopback addresses" must be unchecked.

  • I was following the PFsense manual from Netgate that states:

    "What if pfSense is not the main Internet Firewall?

    In some cases there is a different firewall or router sitting between this firewall and the Internet. If this is the case it is necessary to add a port forward for ESP and UDP 500 to send the traffic to this firewall. The outside router must be able to properly handle NAT of this traffic, and some do not. A modem’s “DMZ” mode or 1:1 NAT may also help here. In this case, NAT Traversal will be needed, but the default Auto setting should be sufficient."

    So I'm interpreting that as doing the forwarding on the ISP firewall, not the Netgate.
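    The manual excerpt above says NAT Traversal "will be needed" when another router sits in front of pfSense. The reason is that IKEv2 peers detect NAT on their own: each side sends SHA-1 hashes of the SPIs plus its own source and destination address/port (RFC 7296 section 2.23), and the receiver recomputes them over the outer IP header it actually sees. If the hashes disagree, a NAT rewrote the packet, and ESP is then carried inside UDP 4500 instead of as raw protocol 50, which is why a router that cannot forward ESP is not necessarily fatal as long as UDP 500 and 4500 get through. The following is an added illustration, not code from the thread, pfSense or strongSwan: it builds the detection hashes, models the Trendnet and ISP hops as NAT rewrites of the outer source, and runs the responder's check. All addresses, SPIs and port numbers are constructed.

```python
import hashlib
import ipaddress
import struct
from dataclasses import dataclass


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """NAT_DETECTION_*_IP payload data: SHA-1(SPIi | SPIr | IP | port), RFC 7296 s2.23."""
    if len(spi_i) != 8 or len(spi_r) != 8:
        raise ValueError("IKEv2 SPIs are 8 bytes each")
    addr = ipaddress.ip_address(ip).packed          # 4 bytes for IPv4, 16 for IPv6
    return hashlib.sha1(spi_i + spi_r + addr + struct.pack("!H", port)).digest()


@dataclass
class IkeSaInit:
    """Outer UDP header fields plus the two NAT detection payloads of an IKE_SA_INIT."""
    spi_i: bytes
    spi_r: bytes
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    nat_src_hash: bytes   # hash of the sender's own address/port as the sender saw it
    nat_dst_hash: bytes   # hash of the destination address/port the sender aimed at


def build_ike_sa_init(spi_i, spi_r, local_ip, local_port, peer_ip, peer_port) -> IkeSaInit:
    """What the initiator (here the SG-3100) puts on the wire from its own point of view."""
    return IkeSaInit(
        spi_i, spi_r, local_ip, local_port, peer_ip, peer_port,
        nat_detection_hash(spi_i, spi_r, local_ip, local_port),
        nat_detection_hash(spi_i, spi_r, peer_ip, peer_port),
    )


def apply_nat(pkt: IkeSaInit, new_src_ip: str, new_src_port: int) -> IkeSaInit:
    """Model one NAT router: it rewrites the outer source IP/port and leaves the IKE payload alone."""
    return IkeSaInit(pkt.spi_i, pkt.spi_r, new_src_ip, new_src_port,
                     pkt.dst_ip, pkt.dst_port, pkt.nat_src_hash, pkt.nat_dst_hash)


def detect_nat(pkt: IkeSaInit) -> dict:
    """The responder's check: recompute both hashes over the header it actually received."""
    peer_behind_nat = pkt.nat_src_hash != nat_detection_hash(
        pkt.spi_i, pkt.spi_r, pkt.src_ip, pkt.src_port)
    self_behind_nat = pkt.nat_dst_hash != nat_detection_hash(
        pkt.spi_i, pkt.spi_r, pkt.dst_ip, pkt.dst_port)
    nat_present = peer_behind_nat or self_behind_nat
    return {
        "peer_behind_nat": peer_behind_nat,
        "self_behind_nat": self_behind_nat,
        # With NAT present both peers move to UDP 4500 and ESP is UDP-encapsulated;
        # without it IKE stays on 500 and ESP travels as IP protocol 50.
        "esp_transport": "udp/4500" if nat_present else "ip-proto-50",
    }


# Constructed addresses for the topology in the thread (not the poster's real ones).
SPI_I = bytes.fromhex("0102030405060708")
SPI_R = bytes(8)                 # responder SPI is all zero in the first IKE_SA_INIT request
SG3100_WAN = "192.168.10.2"      # SG-3100 WAN address on the Trendnet's LAN
TRENDNET_WAN = "10.0.0.2"        # Trendnet WAN, itself private behind the ISP device
ISP_PUBLIC = "203.0.113.5"       # public address the office firewall finally sees
OFFICE_FW = "198.51.100.10"      # IPsec endpoint on "our firewall"


def simulate_double_nat() -> dict:
    """SG-3100 -> Trendnet NAT -> ISP NAT -> office firewall."""
    pkt = build_ike_sa_init(SPI_I, SPI_R, SG3100_WAN, 500, OFFICE_FW, 500)
    pkt = apply_nat(pkt, TRENDNET_WAN, 500)    # first NAT hop
    pkt = apply_nat(pkt, ISP_PUBLIC, 61337)    # second NAT hop, source port rewritten too
    return detect_nat(pkt)


def simulate_no_nat() -> dict:
    """Same exchange with the SG-3100 directly on a public address."""
    pkt = build_ike_sa_init(SPI_I, SPI_R, ISP_PUBLIC, 500, OFFICE_FW, 500)
    return detect_nat(pkt)


if __name__ == "__main__":
    print("double NAT:", simulate_double_nat())
    print("no NAT:    ", simulate_no_nat())
```

    Note that the responder cannot tell one NAT hop from two: both the Trendnet and the ISP device are invisible except as a mismatch in the source hash, which is all that is needed to switch to UDP encapsulation. What the hashes cannot fix is the first packet never arriving, so UDP 500 and 4500 still have to be forwarded (or the SG-3100 placed in the upstream router's DMZ) on every NAT hop in front of it.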


    So, as I thought, you are in a double NAT situation. I don't know, I never found myself in such a situation, but I think you should port forward everything (any port, any IP) from the Trendnet to the SG-3100 (let the SG-3100 do the work), or the SG-3100 must be set as DMZ on the Trendnet if there is that option, plus uncheck "Block private networks and loopback addresses".
    After that you should port forward from the SG-3100 to the client that needs to connect to the IPsec server; check the firewall log.

  • I think I like the DMZ option better, I will check that out.

    Thanks for the input.


