Configuring Hardware VPN with Verizon modem/router
Resonate
Enthusiast - Level 2

Hi-

I'm a Northern VA FIOS subscriber. Verizon provided the following:

Modem: Zyxel Prestige 861

Wireless Router: Actiontec MI424WR 

This setup has been working fine.

My job recently gave me a hardware VPN: Netgear ProSafe VPN Firewall, Model FVS338

I'm having a bit of difficulty setting it up the way I'd like.

1) In general, should I connect the HW VPN directly into a free port of the Modem (parallel with the router), or should I connect it into the Router? (Does Verizon support multiple devices connected to the Modem, or do they expect us to connect everything via the router?)

2) I tried a number of different configurations, and the only way I was able to get the hardware VPN to function was to disconnect the router, connect the VPN box in its place, and configure the VPN box to mimic/use the MAC address of the router. This provided connectivity to the work network, but is not acceptable because I need the wireless home network provided by the router as well.

Does anyone have any recommendations for how to set this up properly?

Many thanks.

-Steven


Correct answers
Re: Configuring Hardware VPN with Verizon modem/router
Resonate
Enthusiast - Level 2

I eventually got the HW VPN working behind the Actiontec. The main sticking point proved to be some settings in the VPN box that had gotten borked somehow. Kudos to all who replied, and I'm marking this solved.

Thanks all!


Re: Configuring Hardware VPN with Verizon modem/router
Hubrisnxs
Legend

In general, Verizon expects you to use the Actiontec in front of other devices and not in parallel. There are about 8 different configurations that you can choose from, but this one tends to be one of the more popular solutions.

  • Can I use my wireless or an extra router along with the Verizon provided router?
  • Re: Configuring Hardware VPN with Verizon modem/router
    Anti-Phish1
    Master - Level 1

    @Resonate wrote:

    My job recently gave me a hardware VPN: Netgear ProSafe VPN Firewall, Model FVS338

    I'm having a bit of difficulty setting it up the way I'd like.


    You have a Multiple Dwelling Unit (MDU) installation with VDSL from the ONT to the Zyxel VDSL modem.

    There are a number of posts on DSLReports regarding the FVS338 and the Actiontec.

    http://www.dslreports.com/nsearch?q=FVS338&o=d&cat=remark&bids=,257&tt=tt1970039

    Since you're VDSL, your two basic choices are option 1 and option 6 in the trade-offs FAQ (first link) Hubrisnxs posted.  

    (Any references to connections to the ONT should be interpreted as connections to the Zyxel).

    Option 1 requires that you create a port forward in the Actiontec for the IPSEC protocol. 

    Not clear if you have FIOS-TV or not.  If you're not concerned with Remote DVR access or on-screen caller-id, option 6 is also an option.  The FVS338 "should" handle VDSL1 speeds up to 20/5.  HD VOD might be an issue going through both routers.


    @Resonate wrote:

    1) In general, should I connect the HW VPN directly into a free port of the Modem (parallel with the router), or should I connect it into the Router? (Does Verizon support multiple devices connected to the Modem, or do they expect us to connect everything via the router?) 


    No, the Zyxel is not a router.  You can't connect to a free port on the Zyxel unless you have multiple static IP addresses.  On a residential account, Verizon only allows one WAN DHCP address, so if you connected both the Netgear and the Actiontec to the Zyxel, only one would get an IP address.

    The LAN-to-LAN configuration Hubrisnxs suggested (second link) won't work.  The VPN functionality of the FVS338 only works through the WAN port. In a LAN-to-LAN configuration, the WAN port is not used.

    Re: Configuring Hardware VPN with Verizon modem/router
    lasagna
    Community Leader

    I believe the solution you want is ...

    1. Connect WAN port of VPN device to LAN port on ActionTec

    2. Connect ActionTec WAN port to Zyxel Modem

    3. Connect modem to wall

    Your VPN device will have to be configured such that the "LAN" side of it is using a network other than 192.168.1.x, I would suggest 192.168.2.x.   In addition, you will want to configure the VPN device to have a static IP address on the WAN side (say, for instance, 192.168.1.200).

    Next, log in to your ActionTec router via http://192.168.1.1 and place the VPN device in the DMZ in the Firewall section (192.168.1.200).

    Then, when connected to the LAN side of the VPN device, you will be on the company network.  When connected on the LAN of the ActionTec or ActionTec wireless, you will be on the home network.

    Re: Configuring Hardware VPN with Verizon modem/router
    Resonate
    Enthusiast - Level 2

    I have the rough configuration as suggested by lasagna.

    zyxel modem  ->  Actiontec router -> HW VPN

    The router is 192.167.1.2

    The router sees the VPN as 192.167.1.9

    The VPN itself uses 192.167.2.1

    The VPN assigns my PC the IP of 192.167.2.2

    I logged into the Actiontec and set up port forwarding for IPSEC to the VPN device.

    I have internet access through the HW VPN, but no company network connectivity. When I look in the HW VPN logs, I see many entries like this:

    2011 Feb  3 21:37:26 [FVS338] [VPNKA] Peer 192.168.1.1 failed 1 of 3 times_
    2011 Feb  3 21:37:36 [FVS338] [VPNKA] Peer 192.168.1.1 failed 2 of 3 times_
    2011 Feb  3 21:37:46 [FVS338] [VPNKA] Peer 192.168.1.1 failed 3 of 3 times_
    2011 Feb  3 21:37:46 [FVS338] [VPNKA] Tearing down VPN with xxxxx
    2011 Feb  3 21:37:46 [FVS338] [IKE] no phase2 found for xxxxx
    2011 Feb  3 21:37:46 [FVS338] [IKE] IPSec configuration with identifer xxxxx deleted sucessfully_
    2011 Feb  3 21:37:46 [FVS338] [IKE] no phase1 found for xxxxx
    2011 Feb  3 21:37:46 [FVS338] [IKE] IKE configuration with identifier xxxxx deleted sucessfully_
    2011 Feb  3 21:37:46 [FVS338] [IKE] Adding IPSec configuration with identifier xxxxx
    2011 Feb  3 21:37:46 [FVS338] [IKE] Adding IKE configuration with identifer xxxxx

    Since I'm using 192.167.x.x, do I need to change the subnet masks of any of my devices?

    Thanks again for your help.

    Re: Configuring Hardware VPN with Verizon modem/router
    Anti-Phish1
    Master - Level 1

    @Resonate wrote:

      

    Since I'm using 192.167.x.x, do I need to change the subnet masks of any of my devices? 


    Why are you using 192.167.x.x?  That is not a legitimate private IP address range.

    Valid ranges are:

    • 192.168.0.0 – 192.168.255.255
    • 172.16.0.0 – 172.31.255.255
    • 10.0.0.0 – 10.255.255.255

    From the log, it looks like your company is using 192.168.1.x for their VPN network.  Therefore, you will have to assign the Actiontec LAN to a different private IP range, such as 172.16.1.x, which I'm guessing is what you were trying to do with the 192.167.x.x addresses. 

    When you set up the LAN side of the Actiontec, you should specify its address as 172.16.1.1.  On the Netgear, you'll need to assign its WAN port a static IP address of 172.16.1.9 with a default gateway of 172.16.1.1.  You will also need to explicitly specify DNS server addresses in the Netgear since it will not obtain them automatically from the Actiontec.  The LAN side of the Netgear should be assigned as 172.16.2.1.  The DHCP configuration for the Netgear should specify 172.16.2.1 as the default gateway assigned to PCs attached to the Netgear.
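
Added example, not part of the original post: a check of a router-behind-router addressing plan against the two rules discussed above (locally assigned networks must be RFC 1918 private space, and none may overlap the network reached through the tunnel). The /24 prefix lengths and the function names are assumptions; the addresses are the ones quoted in this thread.

```python
import ipaddress

# The three RFC 1918 private blocks listed in the post above.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(net):
    """True if the whole network lies inside one private block."""
    return any(net.subnet_of(block) for block in RFC1918)


def check_plan(outer_lan, vpn_wan_ip, vpn_gateway, inner_lan, remote_net):
    """Return a list of problems in a VPN-router-behind-home-router plan."""
    outer = ipaddress.ip_network(outer_lan)    # home router LAN
    inner = ipaddress.ip_network(inner_lan)    # VPN router LAN
    remote = ipaddress.ip_network(remote_net)  # network behind the tunnel
    problems = []

    # Locally assigned networks must come from private space.
    for name, net in (("outer LAN", outer), ("inner LAN", inner)):
        if not is_rfc1918(net):
            problems.append(f"{name} {net} is not RFC 1918 private space")

    # No two of the three networks may overlap, or routing is ambiguous.
    nets = [("outer LAN", outer), ("inner LAN", inner),
            ("remote network", remote)]
    for i, (name_a, a) in enumerate(nets):
        for name_b, b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{name_a} {a} overlaps {name_b} {b}")

    # The VPN router's static WAN address and gateway sit on the outer LAN.
    for name, ip in (("VPN WAN address", vpn_wan_ip),
                     ("VPN gateway", vpn_gateway)):
        if ipaddress.ip_address(ip) not in outer:
            problems.append(f"{name} {ip} is not inside outer LAN {outer}")
    return problems


if __name__ == "__main__":
    remote = "192.168.1.0/24"  # assumed /24, inferred from the log peer address
    print(check_plan("192.167.1.0/24", "192.167.1.9", "192.167.1.2",
                     "192.167.2.0/24", remote))   # plan as first posted
    print(check_plan("172.16.1.0/24", "172.16.1.9", "172.16.1.1",
                     "172.16.2.0/24", remote))    # plan suggested above
```
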

    Re: Configuring Hardware VPN with Verizon modem/router
    Resonate
    Enthusiast - Level 2

    I cross-posted over at the Netgear support forums, and got this response:

    "The VPN router needs to have the public IP on its WAN. You will need to bridge the Actiontec.

    This is another reason why FiOS sucks. Depending on how they deliver your access (ethernet vs. Actiontec), you lose the TV guide with the bridging.

    You may need to get an additional public IP from them to make it work correctly.

    One of my customers is switching back to Comcast because of the issues."

    Does this sound right? How would I go about getting an additional public IP?

    Re: Configuring Hardware VPN with Verizon modem/router
    Hubrisnxs
    Legend

    From actiontec.com 
    Can I use the Actiontec Gateway or Router to connect to my employer's VPN so that I can work from home?
    Yes, the Actiontec Routers and Gateways support connecting to VPN servers. By default, Actiontec Routers and Gateways allow Client VPN traffic to pass-through. (the Actiontec will allow a connected PC to "pass-through" and connect to a remote VPN server). 

    NOTE: Unless otherwise specified, Actiontec Routers and Gateways do not function as VPN endpoints. They cannot make a VPN connection directly to a VPN server, router or client. The reverse is also true, VPN routers, servers and clients cannot make a VPN connection directly to the Actiontec Router itself. (Some of the proprietary VPN applications require specific ports be opened in the Actiontec, for a successful connection. Not all VPNs use the same ports, so determine the ports used by your VPN software before attempting to forward the ports.)

    Did you set up the PPTP port forwarding rules?  You should have L2TP (1701) protocol and PPTP (1723) port forwarding protocol for port forwarding.

    The preconfigured VPN rules should be fine.

    Re: Configuring Hardware VPN with Verizon modem/router
    Resonate
    Enthusiast - Level 2

    I have set up port forwarding for IPSec, PPTP, and L2TP, and placed the VPN in the Actiontec's DMZ, all with no change in behavior. This is intensely aggravating...

    Re: Configuring Hardware VPN with Verizon modem/router
    Anti-Phish1
    Master - Level 1

    @Resonate wrote:
    Depending on how they deliver your access (ethernet vs. Actiontec), you lose the TV guide with the bridging.

    That is not true.  You do not lose guide data, VOD or widgets if it is bridged correctly.

    See the following FAQ:

    What are the tradeoffs between the various router configurations


    Resonate wrote: 

    Does this sound right? How would I go about getting an additional public IP?


    Additional IPs are only available on a business account with static IPs.