Netgate Discussion Forum

SG-3100 behind home ISP

Category: IPsec. 9 posts, 2 posters.
dhb:

      Trying to get an SG-3100 working from behind a remote home ISP router. Remote user has a Trendnet tew-818dru.

      What do I need to port forward from his router to the Netgate?

      Cheers

      D.

dhb:

Added UDP 500 and 4500, still no joy. This Trendnet does not do ESP, so are we dead in the water?

        D.

kiokoman (LAYER 8):

if you can give more information maybe, like how the interfaces of your sg-3100 are configured
client ipsec -> internet -> router trendnet -> sg-3100 -> more clients?

          ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
          Please do not use chat/PM to ask for help
          we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
          Don't forget to Upvote with the 👍 button for any post you find to be helpful.

dhb:

            Remote devices -> SG-3100 -> Trendnet Router -> Home ISP -> Internet -> IPSEC tunnel on our firewall -> our network

dhb:

Also, are we meant to forward to the LAN or WAN side of the SG-3100? His home devices are on a different subnet than the LAN side of the SG-3100.

kiokoman (LAYER 8):

if "remote device" is trying to connect to your "ipsec tunnel" then you only need to open the ports from lan to wan in the Sg-3100; check the firewall log when you try to connect. is the trendnet router configured as bridge or not? if not you also have a double nat situation; check interface / WAN, "Block private networks and loopback addresses" must be unchecked

dhb:

                  I was following the PFsense manual from Netgate that states:

                  "What if pfSense is not the main Internet Firewall?

                  In some cases there is a different firewall or router sitting between this firewall and the Internet. If this is the case it is necessary to add a port forward for ESP and UDP 500 to send the traffic to this firewall. The outside router must be able to properly handle NAT of this traffic, and some do not. A modem’s “DMZ” mode or 1:1 NAT may also help here. In this case, NAT Traversal will be needed, but the default Auto setting should be sufficient."

                  So I'm interpreting that as doing the forwarding on the ISP firewall not the NGate.

                  D.

kiokoman (LAYER 8):
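The manual passage quoted above says a router in front of pfSense must forward ESP and UDP 500, and that NAT Traversal is needed when it cannot handle ESP. The following is an added example, not code from this thread or from Netgate: a small Python model of a chain of NAT hops that reports which of the three IPsec flows (IKE on UDP 500, NAT-T on UDP 4500, raw ESP) reach the endpoint and where each one is dropped. The hop names and capabilities are constructed to mirror the thread's setup (Trendnet home router in front of the SG-3100); "dmz_host" stands in for the router's DMZ or 1:1 NAT option.

```python
"""Model which IPsec flows survive a chain of NAT devices.

Added example (not from the thread or the pfSense manual). Hop capabilities
below are constructed to mirror the thread: remote peer -> Trendnet home
router -> SG-3100. A hop that cannot forward ESP still lets the tunnel work
when IKE (UDP 500) and NAT-T (UDP 4500) reach the endpoint, because NAT-T
carries ESP inside UDP 4500.
"""
from dataclasses import dataclass, field

IKE = ("udp", 500)      # IKE negotiation
NAT_T = ("udp", 4500)   # IKE plus UDP-encapsulated ESP once NAT is detected
ESP = ("esp", None)     # raw ESP, IP protocol 50, carries no port


@dataclass
class Hop:
    name: str
    # (proto, port) pairs explicitly forwarded to the next device
    forwards: set = field(default_factory=set)
    # "DMZ" / 1:1 NAT: every inbound flow is handed to the next device
    dmz_host: bool = False
    # many consumer routers cannot NAT a portless protocol such as ESP
    can_forward_esp: bool = True

    def passes(self, flow):
        if flow == ESP and not self.can_forward_esp:
            return False
        return self.dmz_host or flow in self.forwards


def first_drop(path, flow):
    """Name of the first hop that drops `flow`, or None if it reaches the end of `path`."""
    for hop in path:
        if not hop.passes(flow):
            return hop.name
    return None


def tunnel_viable(path):
    """IKE must arrive; data then needs raw ESP or, failing that, NAT-T."""
    ike_ok = first_drop(path, IKE) is None
    esp_ok = first_drop(path, ESP) is None
    natt_ok = first_drop(path, NAT_T) is None
    return {"ike": ike_ok, "esp": esp_ok, "nat_t": natt_ok,
            "viable": ike_ok and (esp_ok or natt_ok)}


if __name__ == "__main__":
    # Constructed scenarios for a Trendnet that cannot forward ESP.
    scenarios = {
        "UDP 500 only": Hop("trendnet", forwards={IKE}, can_forward_esp=False),
        "UDP 500 + 4500": Hop("trendnet", forwards={IKE, NAT_T}, can_forward_esp=False),
        "DMZ host": Hop("trendnet", dmz_host=True, can_forward_esp=False),
    }
    for label, hop in scenarios.items():
        print(label, tunnel_viable([hop]))
```

Running it shows that forwarding UDP 500 alone is not enough for a router without ESP support, while UDP 500 plus 4500 (or the DMZ option) is, even though raw ESP never gets through. The model only looks at inbound forwarding rules; it does not track the NAT state table, so it says nothing about whether a given router keeps the UDP mapping alive once the tunnel is up.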

so as I thought, you are in a double nat situation, idk, i never found myself in such a situation. but i think you should port forward everything (any port, any ip) from the trendnet to the sg-3100 (let the Sg3100 do the work), or the sg-3100 must be set as dmz on the trendnet if there is that option, plus uncheck "Block private networks and loopback addresses"
after that you should port forward from the sg-3100 to the client that needs to connect to the ipsec server, check the firewall log

dhb:
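Both of kiokoman's replies end with "check the firewall log". The following is an added example, not code from this thread or from Netgate: a Python triage script that reads pfSense filter log lines, keeps only inbound blocks on the WAN interface, classifies each as IKE (UDP 500), NAT-T (UDP 4500) or ESP (protocol 50), and flags whether the source address is RFC1918, which is what the "Block private networks and loopback addresses" rule would drop in a double-NAT setup. It assumes pfSense's filterlog CSV field order (rule, sub-rule, anchor, tracker, interface, reason, action, direction, IP version, ToS, ECN, TTL, id, offset, flags, protocol id, protocol name, length, source, destination, then source port and destination port for TCP/UDP); the sample lines are constructed, and the interface name mvneta2 is assumed to be the SG-3100 WAN.

```python
"""Triage pfSense filter log lines for blocked IPsec traffic on the WAN.

Added example, not from the thread. Assumes the filterlog CSV layout noted in
the lead-in. SAMPLE_LOG is constructed; "mvneta2" is assumed to be the WAN
interface of the SG-3100 and tracker ids are placeholders.
"""
import ipaddress
import re

WAN_IF = "mvneta2"  # assumption: SG-3100 WAN interface name

# Constructed log lines: three blocked IPsec flows on WAN, one passed NAT-T
# packet, and unrelated LAN traffic that the triage must ignore.
SAMPLE_LOG = """\
Mar 3 10:01:02 sg3100 filterlog[7043]: 5,,,1000000103,mvneta2,match,block,in,4,0x0,,64,1342,0,DF,17,udp,56,192.168.10.1,192.168.10.50,500,500,36
Mar 3 10:01:03 sg3100 filterlog[7043]: 5,,,1000000103,mvneta2,match,block,in,4,0x0,,64,1343,0,DF,17,udp,60,203.0.113.7,192.168.10.50,4500,4500,40
Mar 3 10:01:04 sg3100 filterlog[7043]: 5,,,1000000103,mvneta2,match,block,in,4,0x0,,64,1344,0,DF,50,esp,120,203.0.113.7,192.168.10.50
Mar 3 10:01:05 sg3100 filterlog[7043]: 80,,,1000000201,mvneta2,match,pass,in,4,0x0,,64,1345,0,DF,17,udp,60,203.0.113.7,192.168.10.50,4500,4500,40
Mar 3 10:01:06 sg3100 filterlog[7043]: 5,,,1000000103,mvneta0,match,block,in,4,0x0,,64,1346,0,DF,17,udp,60,192.168.1.20,198.51.100.9,51000,53,40
"""

# The pfSense "Block private networks and loopback addresses" rule covers these.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

LINE_RE = re.compile(r"filterlog\[\d+\]:\s*(.*)$")


def parse_line(line):
    """Return a dict for an IPv4 filterlog line, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    f = m.group(1).split(",")
    if len(f) < 20 or f[8] != "4":  # IPv4 only in this example
        return None
    rec = {"iface": f[4], "action": f[6], "dir": f[7],
           "proto": f[16], "src": f[18], "dst": f[19],
           "sport": None, "dport": None}
    if rec["proto"] in ("udp", "tcp") and len(f) >= 22:
        rec["sport"], rec["dport"] = int(f[20]), int(f[21])
    return rec


def classify(rec):
    """Map a record to the IPsec flow it belongs to, or None."""
    if rec["proto"] == "esp":
        return "ESP"
    if rec["proto"] == "udp" and rec["dport"] == 500:
        return "IKE"
    if rec["proto"] == "udp" and rec["dport"] == 4500:
        return "NAT-T"
    return None


def is_rfc1918_or_loopback(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def triage(log_text, wan_if=WAN_IF):
    """List inbound WAN blocks that hit IPsec flows, with a likely cause."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["iface"] != wan_if:
            continue
        if rec["action"] != "block" or rec["dir"] != "in":
            continue
        kind = classify(rec)
        if kind is None:
            continue
        if is_rfc1918_or_loopback(rec["src"]):
            hint = "private source: 'Block private networks' on WAN drops this in a double-NAT setup"
        else:
            hint = "no WAN pass rule for this flow"
        findings.append({"flow": kind, "src": rec["src"], "dst": rec["dst"], "hint": hint})
    return findings


if __name__ == "__main__":
    for item in triage(SAMPLE_LOG):
        print(f"{item['flow']:5} {item['src']} -> {item['dst']}: {item['hint']}")
```

On the constructed sample the script reports three blocked flows: the IKE packet from a private source (the case the "Block private networks" checkbox causes), and the NAT-T and ESP packets from the public peer that simply lack a WAN pass rule; the passed NAT-T packet and the LAN-side DNS block are ignored. On a real box the same lines come from /var/log/filter.log or the Status > System Logs > Firewall view.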

                      I think I like the DMZ option better, I will check that out.

                      Thanks for the input.

                      D.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.