Is it possible to set up a VPN Endpoint router behind my ISP's provided router?

Posted on 2004-04-28
Last Modified: 2010-04-12
Is it possible to set up a VPN Endpoint router behind my ISP's provided router?

My DSL provider only supports PPPoA for their protocol.  My Linksys WRV54G does not.  Therefore I must use the ActionTec DSL gateway that they provide.

I have it set up with the ISP's router connected to the DSL Line and a cable between it's LAN port and the WRV54G's WAN port.

The VPN tunnel works if I move the router to a different location where I can connect the WRV54G directly to the internet.

Site A (WRV54G Only)

WAN IP Address:

Local Secure Group:

Remote Secure Group:

Remote Gateway:

Site B (WRV54G plugged into ActionTec DSL Gateway)

ActionTec WAN IP Address:

ActionTec LAN IP Address:

ActionTec DMZ Host:

WRV54G WAN IP Address:

WRV54G WAN Gateway:


Local Secure Group:

Remote Secure Group:

Remote Gateway:

Does the ActionTec need to support VPN Pass-Through?  If so will it handle more than one tunnel from the WRV54G?

Linksys can't seem to help me with this matter.  ActionTec deferrs me back to Qwest, and Qwest blames it on Linksys.

Please help.

Question by:myersbr
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
LVL 11

Expert Comment

ID: 10952814
Hmm try setting the action tec into transparent bridging mode you will find it in the advanced setup mode of the web interface. This will put the actiontec into straight modem mode and disable all firewall and routing. Then you should be able to setup your linksys.

Author Comment

ID: 10958779
The answer I got from Qwest is that they don't support transparent bridging.  I tried it anyway, setting the Linksys to the Static IP, but had no luck.  My guess would be that if I used the Actiontec in transparent bridging mode, then my linksys would need to handle the authentication with Qwest.  Qwest is using PPPoA, and the Linksys doesn't support that protocol.

I spoke with Actiontec again yesterday and they told me that I would need a block of IP addresses from Qwest.  The Actiontec should then be set in unnumbered mode.  They said that the Actiontec would use one of the Intenet IP addesses, and I would set the Linksys to one of the other ones.  My interpretation of this is that the Actiontec would handle the PPPoA and pass the other addresses in the block to its ethernet port.

I plan to try it this weekend.
LVL 11

Accepted Solution

ewtaylor earned 65 total points
ID: 10959085
Make sure you have the most recent firmware. I just had a radical idea if you move the linksys into the actiontec dmz you should be able to set it up as your vpn endpoint as well.
Is your NGFW recommended by NSS Labs?

Ours is! NSS Labs Next Generation Firewall Test gives the WatchGuard Firebox M4600 a "Recommended" rating! Curious where your NGFW landed on the  Security Value Map? See the map and download the full report today!

LVL 11

Expert Comment

ID: 10959144
Darn just reread what you wrote and it looks like you already tried that. LEt me look more into how the transparent bridging works on the actiontec you may have to change the mac address on the linksys router to mimic that of the actiontec.
Found this though There are several known problems with the Actiontec 1520 as shipped from Qwest. We recommend upgrading the firmware (the software that runs the Actiontec 1520).

Assisted Solution

Technicon-SG earned 65 total points
ID: 10998530

My first recommendation would be to get rid of both units and replace them with a Netopia 3341-ENT or 3347W-ENT modem/router (the 3347W-ENT is much better and has wireless).  Both support PPPoA and VPN tunnels from the same unit...with a higher SLA.  I have seen the 3341 (which can be flashed to 3341-ENT) for as little as $2 on Ebay.

For your hardware:

VPN-Passthrough is irrelevent as it is designed for client VPN connections originating from the LAN side of the Actiontec.

I agree with ew that the bridging option would be the best choice...however only some routers are capable of Authentication & Bridging...which is why you need the actiontec router.  I also agree that the DMZ option should also work...however if it does not, you can forward all traffic from the Actiontec to the linksys.

I would start by turning off the firewall funtions in the Actiontech (you will rely on the linksys for high level firewalling)

This can be done in the Port forwarding screen.

forward 0 - 65535 tcp/udp to

this should forward all incoming traffic to the linksys.

There still might be another problem with ESP which uses protocol 50 and 51....if you try this and it does not work post agian.

LVL 11

Assisted Solution

ewtaylor earned 65 total points
ID: 11261735
split ewtaylor/technicon-sb

Author Comment

ID: 11261838
Sorry for the long delay guys.  The fix that we ended up using was to put the ActionTec in Unnumbered-Mode and use an IP address for the Linksys.  This worked well, and it allows me to remotely administer both devices.  It was explained to me from another source that the reason that DMZ or Port Forwarding won't work, is because the ActionTec changes the destination IP address in the Packet, but does not change the checksum.  Thanks for your help anyway.

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Like many others, when I created a Windows 2008 RRAS VPN server, I connected via PPTP, and still do, but there are problems that can arise from solely using PPTP.  One particular problem was that the CFO of the company used a Virgin Broadband Wirele…
Let’s list some of the technologies that enable smooth teleworking. 
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question