Talabardio's profile

New problem solver

 • 

3 Messages

Tuesday, April 22nd, 2014 4:00 PM

Comcast Business Gateway NetGear CG3000DCR has killed VPN

I have a NetGear CG3000DCR advanced cable modem gateway for our business service with static IP. Since switching to Comcast from another provider we have lost VPN capacity... which seems a common problem with the CG3000DCR. I have spent an inordinate amount of time trying to restore VPN service, which is not in high demand but is needed. At this point, after trying every permutation of disabling firewalls, port management - everything possible to just run signals through to our Linksys wireless router and hence to the connected Macintosh server, I am desperate to do something to restore VPN, whether it means dumping the NetGear, dumping Comcast; whatever it takes. Any hints?

Accepted Solution

Advocate

 • 

1.4K Messages

11 years ago

Hello Talabardio and welcome,

 

Could you provide some more detail regarding your internet-working configuration as follows:

1. How many Static IP do you have?

2. Please identify which devices you have your static IPs assigned to (Linksys, Mac Server, etc.).

3. Please provide all device intra-network connectivity.

4. What device is specifically supporting the VPN hardware and software facilities?

 

We have many Business Class customers using the NetGear 3000 for successful VPN implementation. I am highly confident if you share the above requested internetworking configuration, we can assist you.

 

Looking forward to hearing from you.

Accepted Solution

New problem solver

 • 

3 Messages

11 years ago

Hello RICH,
Thanks for your interest. My area of specialist knowledge is Macintosh computers, and not so much peripherals such as cable modem gateways. When I speak to my users, I have to be careful to communicate with them in terms that they understand. Along those lines, some of what you are asking is incomprehensible to me as I don't understand your terminology.


1. How many Static IP do you have?
> 1. We have a Comcast Business Gateway with Static IP.

 

As for your other questions, I have a series of screen shots which I hope addresses your range of inquiry. I had assumed that the topic was too complex to write about and a Comcast technician would have to come out to look everything over, but we'll see. I have replaced some of the data in the images with 'X's to preserve a modicum of privacy. My strategy has been to open up the ports, disable the firewall, etc on the NetGear and get it out of the way as much as possible and let the LinkSys handle everything. So far this has not worked.

 

gateway summary.png

 

LAN.png


port forwarding.png

 

 

Here is the LinkSys router, to which you can see a static IP is assigned:

 

LinkSys.png

 

Now we see some information from the Macintosh server, which is connected via ethernet cable to the LinkSys router.

server-network.png

Our PPTP settings, which is what we have used previously.

PPTP.png

L2TP settings.

L2TP.png

Advocate

 • 

1.4K Messages

11 years ago

Hey Talabardio, thanks for the information.

 

From your display sequence I see that you have a controlling Linksys Router (LR) (using the Static IP Routable address) performing your entire Internet-work control and security. This is also based on your Netgear 3000 (NG3K) having its DHCP Server disabled and operating in pseudo-bridge/pass-through mode. This means that your LR is providing all DHCP addresses to all computers and devices, including your Mac Server, confirmed by one of your displays with respect to DHCP address 192.168.1.101. Before we go any further here, it is mandatory that you fix the subnet mask on your LR static IP address to 255.255.255.252 for single static or 248 for 5 block or 240 for 13 block. Try this first to make sure this is not the root cause of your problem. If not, let's keep going.

 

If all of the above is accurate, then we need to understand how your ports are bidirectionally open between the VPN Mac server, your LR, up to the NG3K. It is a paramount requirement that all the following ports are bidirectionally open in order to facilitate the VPN implementation you are looking for:

  • For PPTP:
    • IP Protocol=TCP, TCP Port number=1723   <- Used by PPTP control path
    • IP Protocol=GRE (value 47)   <- Used by PPTP data path
  • For L2TP:
    • IP Protocol Type=UDP, UDP Port Number=500    <- Used by IKEv1 (IPSec control path)
    • IP Protocol Type=UDP, UDP Port Number=4500   <- Used by IKEv1 (IPSec control path)
    • IP Protocol Type=ESP (value 50)   <- Used by IPSec data path
  • For SSTP:
    • IP Protocol=TCP, TCP Port number=443   <- Used by SSTP control and data path
  • For IKEv2:
    • IP Protocol Type=UDP, UDP Port Number=500    <- Used by IKEv2 (IPSec control path)
    • IP Protocol Type=UDP, UDP Port Number=4500   <- Used by IKEv2 (IPSec control path)
    • IP Protocol Type=ESP (value 50)   <- Used by IPSec data path

 

From your last two displays, you are authorizing the use of both PPTP and L2TP, and for this reason it is mandatory for you to have these ports bidirectionally open on the LR address ranges that you are authorizing for each. Now, if after you open these LR ports you are still having VPN connect/disconnect issues, you will need to proceed as follows to make absolutely sure that your LR static IP routable ports are also bidirectionally open within the NG3K:

1. Log into the NG3K, then click Firewall, then disable the Enable True StaticIP Firewall by clicking on the check mark, then click apply.

2. In Firewall, now click on the Port Forward tab, then click on the True Static IP Port Management link, and make sure in the drop-down list box you have selected - block all port with the following exceptions.

3. Then click the add button, and type in here the same bidirectional ports that you opened for the LR. The ONLY difference is that you will use the actual routable 23.25.143.X1 address:

So one entry here would look something like : VPN1   1723  1723  both  23.25.143.x1.

 

I believe that this will get your VPN up and running as you expect it to perform. Regards
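
An added example, not part of the thread or of anyone's actual configuration: a small audit that reads port-management entries in the shape shown above and reports, per VPN type from the list, which required TCP/UDP ports have no entry. It assumes `both` means TCP and UDP, and it reports GRE and ESP separately, because they are IP protocols without port numbers and a port entry cannot match them; the sample entries are constructed.

```python
# Added example (not from the thread). Requirements copied from the list above:
# (protocol, port); port None marks an IP protocol that has no port numbers.
REQUIRED = {
    "PPTP":  [("tcp", 1723), ("gre", None)],                # GRE = IP protocol 47
    "L2TP":  [("udp", 500), ("udp", 4500), ("esp", None)],  # ESP = IP protocol 50
    "SSTP":  [("tcp", 443)],
    "IKEv2": [("udp", 500), ("udp", 4500), ("esp", None)],
}
PROTOS = {"tcp": {"tcp"}, "udp": {"udp"}, "both": {"tcp", "udp"}}  # "both" assumed = TCP+UDP


def parse_entry(line):
    """Parse 'name start end proto address', the entry shape shown in the post."""
    fields = line.split()
    if len(fields) != 5:
        raise ValueError(f"expected 5 fields, got {len(fields)}: {line!r}")
    name, start, end, proto, addr = fields
    lo, hi = int(start), int(end)
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range in entry {name!r}")
    if proto.lower() not in PROTOS:
        raise ValueError(f"unknown protocol {proto!r} in entry {name!r}")
    return {"ports": range(lo, hi + 1), "protos": PROTOS[proto.lower()], "addr": addr}


def audit(entries, address):
    """For each VPN type, list required ports that have no entry for `address`."""
    rules = [r for r in map(parse_entry, entries) if r["addr"] == address]
    report = {}
    for vpn, needs in REQUIRED.items():
        missing, portless = [], []
        for proto, port in needs:
            if port is None:
                # No port entry can match GRE/ESP; verify passthrough separately.
                portless.append(proto.upper())
            elif not any(proto in r["protos"] and port in r["ports"] for r in rules):
                missing.append(f"{proto.upper()} {port}")
        report[vpn] = {"missing_ports": missing, "portless": portless}
    return report


# Constructed sample entries; the address is the masked placeholder from the post.
SAMPLE = ["VPN1 1723 1723 both 23.25.143.x1", "VPN2 500 500 udp 23.25.143.x1"]

if __name__ == "__main__":
    for vpn, result in audit(SAMPLE, "23.25.143.x1").items():
        print(f"{vpn:6} missing={result['missing_ports']} also-verify={result['portless']}")
```

With the two sample entries, PPTP has its TCP port covered but still depends on GRE being passed, while L2TP and IKEv2 are missing UDP 4500.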