1 Reply Latest reply: Apr 24, 2014 2:50 PM by LaPastenague
spincast Level 1 (5 points)

I have a Synology NAS system that is running a VPN server for me that I would like to access remotely. I am using ATT Uverse service, configured to DMZ to a Time Capsule which I use as my home router. It worked for a little while, then all of a sudden just stopped. The configuration is:


Internet --> UVerse RG --(DMZ Mode)--> Time Capsule --> VPN Server


I can not seem to reliably access my VPN server from outside through the Time Capsule. I can access it just fine when I'm on my home network, and I can access the web services of the NAS drive remotely also. It seems the Time Capsule has a problem allowing my VPN connection through its firewall. I'm running an L2TP server and have ports 500, 1701, and 4500 open (UDP) on the TC. When I try to log in remotely I can't access the VPN server.


Interesting note: I had trouble with this initially and made it work by creating three separate line items in the port forwarding list. One for 500, one for 1701, and one for 4500. When I tried making a single line item for all three in Airport utility it did not work.


Any ideas here would be great.

Time Capsule 802.11n (1st Gen)
  • LaPastenague Level 8 (47,025 points)

    DMZ comes in a number of styles and types.. not all work well.


    There is a good chance some ports may have already been used by BTMM if you happen to have that setup on a computer in the network or the TC.


    See the list from Apple.




    Both 500 and 4500 are allocated to BTMM.


    Once a port is allocated it cannot be reallocated even with DMZ.


    That is one of the limitations of the NAT system.. and why we need to move to ipv6 and have public addressable IP on everything.


    I would bridge the TC and use the Uverse for main router.. you are just making the setup more complicated than is already a problem.. If you really want to clean it up, get a plain bridge modem from ATT and use a proper VPN router.. do not use VPN to internal server.. VPN direct to the WAN of the Router.. it is much more reliable.. Internal VPN is fine to dial out, not to dial in.