Setting up a VPN through a DSL modem

I need to set up a VPN tunnel to a remote site and could use some good step-by-step instructions. The equipment at the remote site is a Netgear 7550 DSL modem/router. I need to connect to the entire LAN at the remote site , not just a specific computer. I have a Netgear FVS318N firewall to set up behind the DSL modem, and from there to the LAN switch/devices, so traffic has to go through the DSL modem and then through the firewall to the devices and back out.

A laptop will be used from various locations  to tunnel in to this remote network and access devices on it.

I'm not wedded to the Netgear firewall, so other suggestions are welcome on that.  I don't have much control over the DSL modem other than that I should be able to get into the interface for it when I'm on site if changes are needed.
Alex ScarfoneInternal IT ManagerAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Is the DSL adapter configured in routed mode or in bridge mode( is the public IP on the netgear?

If In routed mode, you would need to open port 500 for ipsec to the IP the netgear has.
Setting up the DSL router in bridge mode if available such that the netgear will have the Public IP simplifying things.
Rob WilliamsCommented:
Agree, the fist thing you need to know is it a basic modem or a modem and router combined, (i.e as Arnold asked bridge or NAT mode).  One way of telling, does the Netgear receive a public IP or private.  If public, it is in bridge mode and you are good to go.  If not you need to be able to manage the modem.

If we provide details are you prepared to purchase the Netgear Prosafe VPN client?  If not we may need to look at other options.
Alex ScarfoneInternal IT ManagerAuthor Commented:
I have been trying to get bridge mode working. I had it working for a little while but then it stopped working. I documented the steps and repeated but no go. ISP is no help as they are "getting away from bridge mode".

The modem I have from the ISP is a router/modem, as I had mentioned above.

So it appears I need a  pass-through or forwarded solution. I am prepared to purchase the VPN client if the VPN "Lite" client is not sufficient.
Big Business Goals? Which KPIs Will Help You

The most successful MSPs rely on metrics – known as key performance indicators (KPIs) – for making informed decisions that help their businesses thrive, rather than just survive. This eBook provides an overview of the most important KPIs used by top MSPs.

Rob WilliamsCommented:
It is possible on the modem/router unit to forward the appropriate ports (ports depend on the type of VPN; PPTP, SSTP, L2TP, IPsec)  to the Netgear however this often does not work as VPN's do not like being behind a NAT device.  It works fine for SMTP, Http, etc, but VPN's are fussy.  The Netgear router really needs a public IP.  Others have resolved this by putting the Netgear in the DMZ zone of the modem/router if that is an option.

A lot of the ISP's are moving to NAT'd devices only unless you have a business account.  If a business account they should be able to address it with the modem provided or supply another.
Not sure what the meaning of their statement is.  When looking at the configuration of the Netgear, what is the authentication method? Are they using PPPoE? If you have a static ip, check to what Mac address it is tied. If you get a dynamic ip, check what their authentication method.

When in bridging mode i
They see your firewalls Mac address......
Rob WilliamsCommented:
Just to note: when I was referring to "the Netgear" it was the FVS318N, I forgot the modem/router unit was also a Netgear.
Alex ScarfoneInternal IT ManagerAuthor Commented:
I was able to get a public IP on the FVS318N in bridge mode, using PPPoE. It's not working now. I'm thinking I may try purchasing a VPN/DSL modem in one box. If anyone has been successful with this please let me know.
Rob WilliamsCommented:
To start with if using PPPoE you likely have a residential account with a dynamic IP.  You would be better subscribing to a static IP if you want to set up a VPN and they would then likely provide a basic Modem.

Out of curiosity why do you need a VPN?  I just ask as there may be other options, VPN's can add security risks depending who is using it by creating a wide open tunnel between a remote unmanaged PC and a corporate network.
Alex ScarfoneInternal IT ManagerAuthor Commented:
We are trying to get to devices in a control system. No PC is inside the LAN that we can (or want to) use. Ideally we would like to keep the devices behind our own vpn router and have no changes to the rest of the network (i.e. they would continue to be behind the main DSL modem/router.) The VPN is for a remote technician to program the devices directly from a remote laptop.

I will probably table this until I can get a static IP and basic modem on site, per your suggestion. I've been trying to do it in a test environment through a DSL account at my lab with a dynamic IP (which doesn't change unless you reboot the modem) but that seems to be a dead end.
Rob WilliamsCommented:
Ah, that makes sense since you cannot install software on the 'control system'.  

Does it use specific ports which you could forward to the device?

Alternatively is it possible to remote in to one PC, even a dedicated PC or virtual machine, and then access the device.  You could use LogMeIn's Hamachi VPN for that.  No port forwarding, the modem does not have to be configured, and it doesn't require a static IP.  

The VPN is a good idea, just suggesting alternatives, even as a short term solution.
Alex ScarfoneInternal IT ManagerAuthor Commented:
We'd have to put a PC in but that's a possibility. As long as the traffic can pass from a remote laptop to the devices and back without us running the control software on the internal PC (which we don't have extra licenses for) it would be fine.
Rob WilliamsCommented:
You would have to install on the PC, or you can set it up to route traffic, but the VPN might be easier.  Some control systems can be run from a browser, which is why I suggested a PC.  I trust on your control system you can either set static routes or a default gateway?  If not you will only be able to connect from on-site.  You can with most.
Alex ScarfoneInternal IT ManagerAuthor Commented:
We can't program the control system in a browser, but can set static routes/default gateway. Can we use the SSL VPN for this, and just open appropriate ports?
Rob WilliamsCommented:
Yes the Netgear SSL VPN will work fine, if you can get it working.  As mentioned the FVS318 will need a public IP.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.