Port Forwarding for L2TP/IPSec VPN Behind Verizon Actiontec MI424WR-GEN2 Rev. E v20.21.0.2
haxin
Enthusiast - Level 1

I've got a NAS setup with various services running on custom ports to help minimize exposure (especially to script kiddies). I've tested everything both internally and externally to confirm they all work, and even had someone at a remote location confirm accessibility as well.  Port forward configurations performed on the Actiontec are working well. 

I installed an L2TP/IPSec VPN server, tested internally and it connected successfully.  So for all intents & purposes, this validates that the VPN server is correctly configured to accept inbound connections and functioning correctly.


I logged into the Verizon Actiontec MI424WR router and set up port forwarding for UDP ports 500, 1701 & 4500.

Note: I added the AH & ESP protocols based on what I saw on the built-in L2TP/IPSec rules
With the port forwarding in place, I tested VPN externally but it didn't connect.

I've done the following so far to no avail:

  1. Double & triple checked the port forwards, deleted & recreated the rules a few times to be sure
  2. There are no other pre-existing L2TP/IPSec port forward rules or otherwise conflicting port forward rules (e.g.: another rule for ports 500, 1701 or 4500)
  3. There was an L2TP port triggering rule enabled, that I toggled on and off with no change
  4. Verified the firewall on VPN server had an exclusion for L2TP, or that the firewall is off. (Firewall is off to reduce a layer of complexity, but it worked internally to begin with so I doubt that's the issue.)


Since it works internally, and there are no entries in the logs on the device indicating inbound connections, I'm convinced it's an issue with the Verizon Actiontec router.  But unfortunately, I'm not sure what else to try or where else to look to troubleshoot this.  For instance, is there a log on the router that I can view in real time (e.g.: tail) that would show me whether or not the inbound connection attempt is reaching the device, and whether or not the device allowed or blocked it?




My router details:

  • Verizon Actiontec
  • MI424WR-GEN2
  • Revision E
  • Firmware 20.21.0.2


Verizon Actiontec built-in L2TP/IPSec rule templates.  They're not currently in use, but are baked into the firmware for easy configuration/selection from a drop down menu.

0 Likes
1 Solution
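
Added example, not part of any post in this thread: for the question of whether inbound attempts reach the VPN server at all, a Python classifier for raw IPv4 packets taken from a capture on the server, labelling the traffic classes discussed here (UDP 500/1701/4500, ESP, AH, GRE). The helper names, addresses and sample packets are constructed for illustration.

```python
import struct

# IP protocol numbers and UDP destination ports named in this thread.
IP_PROTOS = {47: "GRE", 50: "ESP", 51: "AH"}
UDP_PORTS = {500: "IKE", 1701: "L2TP", 4500: "NAT-T"}


def classify(packet: bytes) -> str:
    """Label one raw IPv4 packet by the VPN traffic class it belongs to."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (packet[0] & 0x0F) * 4              # IPv4 header length in bytes
    proto = packet[9]
    if proto in IP_PROTOS:
        return IP_PROTOS[proto]
    if proto != 17:                           # anything that is not UDP
        return "other"
    if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:
        return "fragment"                     # later fragment: no UDP header here
    if ihl < 20 or len(packet) < ihl + 8:
        return "malformed"
    dport = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    label = UDP_PORTS.get(dport, "other")
    if label != "NAT-T":
        return label
    payload = packet[ihl + 8:]
    if payload == b"\xff":
        return "NAT-T keepalive"
    # RFC 3948: a leading 4-byte zero marker means IKE, anything else is ESP-in-UDP.
    return "IKE over NAT-T" if payload[:4] == b"\x00" * 4 else "ESP-in-UDP"


def ipv4(proto: int, payload: bytes, frag: int = 0) -> bytes:
    """Constructed IPv4 packet between documentation addresses (checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, frag, 64,
                       proto, 0, bytes([198, 51, 100, 7]), bytes([192, 0, 2, 10])) + payload


def udp(dport: int, data: bytes) -> bytes:
    """Constructed UDP datagram from an arbitrary client port (checksum left 0)."""
    return struct.pack("!HHHH", 40000, dport, 8 + len(data), 0) + data

# Constructed sample of what a capture on the VPN server might contain.
SAMPLE = [ipv4(17, udp(500, b"\x11" * 28)), ipv4(17, udp(4500, b"\x00" * 4 + b"\x11" * 28)),
          ipv4(17, udp(4500, b"\xc0\xff\xee\x01" + b"\x00" * 16)), ipv4(17, udp(4500, b"\xff")),
          ipv4(50, b"\x00" * 24), ipv4(47, b"\x00" * 8), ipv4(6, b"\x00" * 20)]

if __name__ == "__main__":
    print([classify(p) for p in SAMPLE])
```

With L2TP/IPsec the UDP 1701 traffic normally travels inside ESP, so a capture on the server's external side usually shows IKE and ESP (or ESP-in-UDP) rather than cleartext L2TP.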

Correct answers
Re: Port Forwarding for L2TP/IPSec VPN Behind Verizon Actiontec MI424WR-GEN2 Rev. E v20.21.0.2
Hubrisnxs
Legend

Normally a VPN on that router will have a GRE tunneling protocol as well.

Two ways to build the PF rules:

Manually

Preconfigured

I know the preconfigured VPN rules will do the GRE protocol as well, but if you do it by hand you can't get it.


Re: Port Forwarding for L2TP/IPSec VPN Behind Verizon Actiontec MI424WR-GEN2 Rev. E v20.21.0.2
haxin
Enthusiast - Level 1

That's interesting, because none of the built-in (predefined) IPSec or L2TP 'services' (read: Port Forwarding Rules) had GRE enabled. (see last screenshot in my post).

However, I can add GRE to the new 'service' I defined in Advanced > Port Forwarding Rules.

 

I did that this evening, saved the rule, and re-verified that the port forwarding rules under Firewall Settings > Port Forwarding now show GRE.

With GRE enabled in the 'all-in-one' L2TP/IPSec rule, it's now allowing me to connect to the VPN server behind the Actiontec router.

Many thanks for that tip!

 

0 Likes
Re: Port Forwarding for L2TP/IPSec VPN Behind Verizon Actiontec MI424WR-GEN2 Rev. E v20.21.0.2
Hubrisnxs
Legend

Glad that worked. I'll have to play with my router again. When I did it, it came as a part of the preconfigured rules, and I couldn't add the GRE (if I remember correctly, and sometimes I don't).

Glad I saved that screenshot and glad it helped.

0 Likes
Re: Port Forwarding for L2TP/IPSec VPN Behind Verizon Actiontec MI424WR-GEN2 Rev. E v20.21.0.2
Hubrisnxs
Legend

Just as a follow-up to this one, even though it's a resolved issue, I was able to get the GRE configured using the preconfigured PPTP from the drop-down list.  I could also get it from advanced as you described, but the preconfigured PPTP will configure the GRE protocol as well.

🙂

0 Likes
Re: Port Forwarding for L2TP/IPSec VPN Behind Verizon Actiontec MI424WR-GEN2 Rev. E v20.21.0.2
inforr
Newbie

Has Verizon started to block inbound L2TP? I followed the instructions here and have the combined all in one rule as haxin has with GRE but it doesn't work. Connecting locally works fine. Any ideas?

0 Likes
Re: Port Forwarding for L2TP/IPSec VPN Behind Verizon Actiontec MI424WR-GEN2 Rev. E v20.21.0.2
Hubrisnxs
Legend

According to their TOS they don't block it, and we haven't heard any reports of them blocking it on these or the DSLreports forums.

0 Likes