VPN Passthrough


I've just installed an NSG50 at a client's office, but this client has a VPN server (L2TP over IPsec) and needs ports 1701, 500 and 4500 to be forwarded to this server.
My problem is that the Nebula interface prevents me from forwarding ports 500 or 4500, probably because they are used by the embedded VPN gateway.
So I'm stuck and my client is angry.
Is there a way to do what I need to do, or do I need to replace the NSG50 with a USG20?

Thanks :)



  • Iwannaquitthegym (Member, Posts: 20, Freshman Member)
    edited July 12, 2018 10:08AM
    I believe it's not allowed because otherwise you wouldn't be able to build a VPN tunnel to the NSG itself, which is what happens if you configure the NAT on the USG devices.

    Why doesn't your customer use the NSG as VPN server?
  • Nebula_Chris (Zyxel Official Agent, Posts: 24, mod)
    Hello @Myti
    Welcome to the community!!
    Since we have reserved those ports for our device, you cannot do that.
    But you can still specify another public port and the NSG will map it to the local port, as in the screenshot below.

    On the client side, for instance, if the customer uses the Windows native L2TP client, you can specify the connection port as well. Hope it helps.

  • Myti (Member, Posts: 2)
    Thanks all,

    Nebula support answered me that this will never be possible.
    I understand that the NSG needs these ports to be available in order for the built-in VPN to work.
    But on almost any other firewall on the market, you have the choice of using the built-in VPN server or forwarding the ports to another VPN server.
    For this client, I had to replace the NSG50 with a USG20 in order to do that, even though the USG20 has a built-in VPN server.
    So I don't understand why the NSG series has to be so limited; since it costs much more than an equivalent USG, it should at least offer the same features!

  • Nebula_Bayardo (Moderator, Zyxel Official Agent, Posts: 123, mod)
    Hi @Myti,
    The purpose of Nebula Control Center is to provide management of the Nebula Security Gateway (and NAP and NSW) from a centralized, cloud-based portal, striving for ease of use and simplifying networking tasks for our customers.
    Part of this ease of use includes auto-VPN, which rapidly allows admins to build VPN tunnels between their NSG networks in 2 steps. To achieve this, our design limits the configuration of ports 500 and 4500 in NAT to reserve them for the exclusive use of the NSG VPNs.

    Same as on the USG, if the NSG allowed these settings, it would not allow using site-to-site VPN with the NSG, affecting auto-VPN and resulting in confusion for non-expert users.

    However, we understand your need and will revise this limitation for a future improvement. For now, may I know if the solution given by @Nebula_Chris suits you?