We have Comcast Business service at two of our locations. I would like to establish a VPN connection between the two.
I am trying to use NetGear FVS318g's behind my Comcast (NetGear 3000) modems, but the performance degrades significantly with that configuration. Should I be bridging the Comcast Modems to my VPN devices, or is that not helpful?
What have folks seen as a best performer; bridge the Comcast modems to internal VPN devices or establish the VPN IPSec tunnels between the Comcast modems?
The built-in help in the Comcast modem is not. Has someone gone through the VPN setup using the Comcast NetGear modems? Is there better documentation for this setup? I'm looking for better descriptions for the IPSec fields and IP addresses so I know what to put where and how it is used.
I use SonicWall routers behind the Comcast gateways to set up the VPNs. You need to manually assign one of your external IP addresses to the outside interface of your NetGear router. On the Comcast gateway you need to go into the Firewall tab and check "Disable Firewall for True Static IP Subnet Only". Do this on each end.
I would second chris'h suggestion.
- get static IPs on one or both of your Comcast connections.
- you only need the Comcast NetGear device on the connection(s) with the static IP. Get a Motorola SB6180 or similar for the non-static IP connection, if you go that route.
- put the Comcast-supplied NetGear(s) into true static IP (bridge) mode.
- get a SonicWall TZ series for each end. They are relatively cheap, solid, and easy to manage.
- follow the SonicWall site-to-site VPN wizard on each end.
- you're in like Flint.
An added bonus of the SonicWalls is that they have failover support. Get a cheap DSL or 3G/4G connection for $20-50/mo and set it up as a failover. Comcast connections do not typically come with SLAs, and you will probably see some downtime at some point.
Having the failover set up will save you the time of having to come and vent on the Comcast boards over something that you should have been set up to handle in the first place.
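The two answers above describe the same procedure: give each VPN router a usable address from the Comcast static block on its outside interface, open the gateway firewall for that block, and then feed mirrored settings into each end's site-to-site IPsec wizard. The original question also asks which value goes in which IPsec field. The script below is an added example, not code from this thread or from NetGear, SonicWall or Comcast: it models both tunnel ends, maps each end onto the fields a typical site-to-site wizard asks for, and checks the things that most often break a tunnel (WAN IP outside the static block or on its network/broadcast address, non-mirrored local/remote settings, mismatched pre-shared keys or proposals, overlapping LAN subnets). All addresses, subnets, the proposal strings and the pre-shared key are constructed placeholders; the gateway-side "Disable Firewall for True Static IP Subnet Only" checkbox is a manual step and is not modelled.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Site:
    name: str
    static_block: str   # the "true static IP" block Comcast routes to this gateway
    wan_ip: str         # address from that block assigned to the VPN router's outside interface
    lan_subnet: str     # private network behind the VPN router


@dataclass(frozen=True)
class TunnelEnd:
    local: Site
    remote: Site
    psk: str
    ike_proposal: str = "aes256-sha256-modp2048"   # phase 1 (IKE) proposal, assumed value
    esp_proposal: str = "aes256-sha256"            # phase 2 (ESP) proposal, assumed value


def check_site(site):
    """Return a list of addressing problems for one site (empty when it is sane)."""
    problems = []
    block = ipaddress.ip_network(site.static_block)
    wan = ipaddress.ip_address(site.wan_ip)
    lan = ipaddress.ip_network(site.lan_subnet)
    if wan not in block:
        problems.append(f"{site.name}: WAN IP {wan} is not inside static block {block}")
    elif wan in (block.network_address, block.broadcast_address):
        problems.append(f"{site.name}: WAN IP {wan} is the network or broadcast address of {block}")
    if not lan.is_private:
        problems.append(f"{site.name}: LAN subnet {lan} is not private (RFC 1918) space")
    return problems


def check_tunnel(a, b):
    """Check that two tunnel ends mirror each other; returns a list of problems."""
    problems = check_site(a.local) + check_site(b.local)
    if a.remote != b.local or b.remote != a.local:
        problems.append("local/remote sites are not mirrored between the two ends")
    if a.psk != b.psk:
        problems.append("pre-shared keys differ")
    if (a.ike_proposal, a.esp_proposal) != (b.ike_proposal, b.esp_proposal):
        problems.append("IKE/ESP proposals differ; phase 1 or phase 2 will not negotiate")
    lan_a = ipaddress.ip_network(a.local.lan_subnet)
    lan_b = ipaddress.ip_network(b.local.lan_subnet)
    if lan_a.overlaps(lan_b):
        problems.append(f"LAN subnets {lan_a} and {lan_b} overlap; nothing can be routed through the tunnel")
    return problems


def wizard_fields(end):
    """Map one end's settings onto the fields a typical site-to-site IPsec wizard asks for."""
    return {
        "local_gateway": end.local.wan_ip,        # this router's static WAN IP; also its IKE identifier
        "remote_gateway": end.remote.wan_ip,      # the peer's static WAN IP; also its IKE identifier
        "local_network": end.local.lan_subnet,    # local traffic selector ("protected" subnet)
        "remote_network": end.remote.lan_subnet,  # what gets routed into the tunnel
        "phase1_proposal": end.ike_proposal,
        "phase2_proposal": end.esp_proposal,
        "pre_shared_key": end.psk,
    }


# Constructed sample: two sites, each with a /29 static block from the documentation ranges.
SITE_A = Site("site-a", "203.0.113.0/29", "203.0.113.2", "192.168.10.0/24")
SITE_B = Site("site-b", "198.51.100.8/29", "198.51.100.10", "192.168.20.0/24")
PSK = "constructed-example-psk-replace-me"
END_A = TunnelEnd(local=SITE_A, remote=SITE_B, psk=PSK)
END_B = TunnelEnd(local=SITE_B, remote=SITE_A, psk=PSK)

if __name__ == "__main__":
    for end in (END_A, END_B):
        print(f"--- {end.local.name} ---")
        for key, value in wizard_fields(end).items():
            print(f"{key:16} {value}")
    print("problems:", check_tunnel(END_A, END_B) or "none")
```

Run it as-is to see the two mirrored field sets; then substitute your own static blocks and LAN subnets and fix anything `check_tunnel` reports before typing values into the routers. The overlap check matters most: two sites that both use 192.168.1.0/24 behind their routers will bring the tunnel up and still pass no traffic, and one of them has to be renumbered.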
The FVS318 CPU is not very fast, it is really only suitable for slow DSL links.
Any VPN device that does not have a hardware encryption card will degrade throughput. If you must do software VPN, then run some PCs with 3.3 GHz CPUs as your routers and run pfSense on them.
The SonicWall stuff requires a yearly service contract fee to be paid or they won't give you firmware updates when the crackers find a way to take them down. You can get used Cisco gear with encryption cards in it for $500 and put it under service for the same yearly service fee, and then have two $3,000 routers under service instead of two $500 routers for the same cost of service.
Just my $0.02