Remove restrictions for ports 4500 and 500 on NAT

This discussion was created from comments split from: VPN Passthrough.


  • Myti, Member, Posts: 6

    I've just installed an NSG50 at a client's office, but this client has a VPN server (L2TP over IPsec) and needs ports 1701, 500 and 4500 to be forwarded to that server.
    My problem is that the Nebula interface prevents me from forwarding ports 500 or 4500, probably because they are used by the embedded VPN gateway.
    So I'm stuck and my client is angry.
    Is there a way to do what I need to do, or do I need to replace the NSG50 with a USG20?

    Thanks :)

  • Nebula_Chris, Zyxel Official Agent, Posts: 296, mod
    Hello @Myti
    Welcome to the community!
    Since we have reserved those ports for our device, you cannot do that.
    But you can still specify another public port, and the NSG will map it to the local port, as in the screenshot below.

    On the client side, for instance, if the customer uses the Windows native L2TP client, you can specify the connection port as well. Hope it helps.

  • Myti, Member, Posts: 6
    Thanks all,

    Nebula support answered me that this will never be possible.
    I understand that the NSG needs these ports to be available in order for the built-in VPN to work.
    But on almost any other firewall on the market, you have the choice to use the built-in VPN server or to forward the ports to another VPN server.
    For this client, I had to replace the NSG50 with a USG20 in order to do that, even though the USG20 also has a built-in VPN server.
    So I don't understand why the NSG series has to be so limited; since it costs much more than an equivalent USG, it should at least offer the same features!

  • Nebula_Bayardo, Moderator, Zyxel Official Agent, Posts: 225, mod
    Hi @Myti,
    Nebula Control Center's purpose is to provide management of the Nebula Security Gateway (and NAP and NSW) from a centralized, cloud-based portal, striving for ease of use and simplifying networking tasks for our customers.
    Part of this ease of use is auto-VPN, which lets admins rapidly build VPN tunnels between their NSG networks in 2 steps. To achieve this, our design limits the configuration of ports 500 and 4500 in NAT, reserving them for the exclusive use of the NSG VPNs.

    As with the USG, if the NSG allowed these settings, it would not allow using site-to-site VPN with the NSG, affecting auto-VPN and resulting in confusion for non-expert users.

    However, we understand your need and will revisit this limitation for a future improvement. For now, may I know if the solution given by @Nebula_Chris suits you?
  • Myti, Member, Posts: 6

    No, the customer wasn't able to change the port in his VPN client software (I don't know if it was impossible, or if he didn't know how to do it), so I had to replace the NSG50 with a USG20, and everything works well now.
    It would be very much appreciated if Nebula Control Center allowed more control for expert users. I'm aware that the auto-VPN function is really useful, and I use it often, but sometimes the easy way isn't possible, and it would be great if I could use the same hardware for both cases ;)

  • Nebula_Bayardo, Moderator, Zyxel Official Agent, Posts: 225, mod
    Hi Joris,

    Thanks for the feedback! Of course, we are analyzing whether to open this restriction. I will move your post to the idea category for further follow-up! :)

  • Nebula_Bayardo, Moderator, Zyxel Official Agent, Posts: 225, mod

    Hey @Myti

    The new Nebula version now includes the possibility to use ports 500 and 4500 in NAT rules, as long as the NSG VPN settings are turned OFF.

    Try it out and let us know if it all works for you 🙂.

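The rule that the thread converges on (UDP 500 and 4500 may only be forwarded when the gateway's own VPN is off, otherwise a different public port must be exposed) is easy to get wrong by hand, so here is an added example, not Zyxel's code, that models it as a pre-flight check for L2TP/IPsec port-forward rules. The `NatRule` structure, the function names and the sample address `192.0.2.10` are assumptions for illustration; the port numbers are the standard IKE, NAT-T and L2TP ports named in the thread.

```python
from dataclasses import dataclass

# Assumed model of the restriction discussed above: the gateway's own IKE (UDP 500)
# and NAT-T (UDP 4500) listeners are reserved while its built-in VPN is enabled.
RESERVED_WHEN_VPN_ON = {("udp", 500), ("udp", 4500)}


@dataclass(frozen=True)
class NatRule:
    proto: str        # "udp" or "tcp"
    public_port: int  # port exposed on the WAN side
    local_port: int   # port on the internal VPN server
    local_ip: str     # internal VPN server address


def check_rule(rule: NatRule, vpn_enabled: bool) -> tuple[bool, str]:
    """Return (allowed, reason) for one port-forward rule given the gateway VPN state."""
    key = (rule.proto.lower(), rule.public_port)
    if vpn_enabled and key in RESERVED_WHEN_VPN_ON:
        return False, (
            f"public {rule.proto}/{rule.public_port} is reserved by the gateway's own "
            "IKE/NAT-T listener while its VPN is enabled: disable the built-in VPN "
            "or expose a different public port mapped to the same local port"
        )
    return True, "ok"


def l2tp_ipsec_rules(local_ip: str, public_ike: int = 500,
                     public_natt: int = 4500) -> list[NatRule]:
    """The three forwards the thread lists for an L2TP/IPsec server behind NAT.

    Alternative public ports may be given for the IKE and NAT-T forwards (the
    workaround suggested above); the local ports stay at their standard values.
    """
    return [
        NatRule("udp", public_ike, 500, local_ip),
        NatRule("udp", public_natt, 4500, local_ip),
        NatRule("udp", 1701, 1701, local_ip),
    ]


def validate(rules: list[NatRule], vpn_enabled: bool) -> list[tuple[NatRule, bool, str]]:
    """Check every rule and return (rule, allowed, reason) triples for review."""
    return [(r, *check_rule(r, vpn_enabled)) for r in rules]


if __name__ == "__main__":
    # Constructed sample: default ports with the gateway VPN still enabled.
    for rule, ok, why in validate(l2tp_ipsec_rules("192.0.2.10"), vpn_enabled=True):
        print(f"{rule.proto}/{rule.public_port} -> {rule.local_ip}:{rule.local_port}: {why}")
```

Whether the remote client can actually be pointed at a non-standard IKE or NAT-T port depends on the client software, which is the point the original poster hit with the customer's VPN client.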