Configuring a Netgear BR500 router VPN

I have been using Netgear routers and switches for years, and decided to update my home router after it failed two weeks ago. I had a Netgear FVS318N as our VPN router.

The old router that failed.

I consulted my brother, and he recommended the BR500 due to its higher throughput and a new function called “Insight”, which is intended to make the configuration of a VPN easier.

As of 29 April 2020, it has been 10 days since I tried to install the routers on both ends (home and work) of the VPN, and my impression to date is that the BR500 is NOT READY for a production environment. The reason for this is that the Insight cloud-based VPN service has failed on most days since the installation.

A typical indication when the VPN is not working.

Anyway, here is my ‘journey’ of the installation service; I hope it helps someone.

Buying the Netgear BR500 router

First I started shopping around for the routers, and realized that the BR500 is a single unit and the BRK500 is a dual unit. I also tried to figure out if a BR500 could hook up to a VPN with my existing SRX5308 Netgear Prosafe router. There is basically no information on this, other than a statement on Netgear’s site saying that the only supported VPN is a BR500 -> BR500, using Insight cloud services from Netgear. So, I went with the BRK500, one unit for home, one unit for work.

I shopped on Netgear.com, Bestbuy.com, Amazon.com, Frys.com, and MicroCenter.com. Pricing and availability were different in most of the locations. I considered getting it at Netgear.com for $349.95, but the deliveries were a week or two, and my home router (Netgear ProSafe FVS318N) was not working, and I use the VPN to my office all the time (every day, data, voice, etc.). Frys didn’t carry it (according to their website), Bestbuy didn’t have the BR500, Amazon had it with limited availability at prices slightly less and several offerings significantly more than list price, and at one of my local MicroCenter stores they had inventory of 3 units of BRK500, marked down from $499 to $399.95. Fortunately, they (MicroCenter) will match internet pricing.

Off to MicroCenter I went; there was a line due to the Coronavirus social distancing. After about 15 minutes, I was allowed in, and headed over to the router row. No sign of the BRK500, so I asked one of the assistants for help. The first trip to the back of the store was unsuccessful, we searched the router aisle one more time, and then the helper went to the back of the store. This time he found it (thankfully), put a sticker on it, and I told him of the (new?) retail price, so he looked it up and made a note in his computer.

At the checkout counter, I had to tell the worker that it was a ‘meet competition’ price, she had to look it up in her computer, and call the manager over to ok it.

Step one complete!

Waiting in line at MicroCenter
Corona Virus Warning

Installing the Netgear BR500s

Ok, ok, ok… I got in ‘big trouble’ the previous night when we were watching something on Netflix, and the internet went out. So the quicker I got the internet going again, the better.

Removing the Netgear ProSafe FVS318N

This was somewhat straightforward:

  1. Turn off the router
  2. Unplug the WAN port cable
  3. Unplug the LAN port cable(s)

Our home network isn’t super complicated, but it’s not super simple…

  • We have two laser printers (color and b/w) on the network
  • I use cables to distribute wired internet connections around the house
  • and use Netgear Switches to connect multiple devices near a connection (i.e. Apple TV, Tivo and Rokus near the TV set).
  • Apple Airport Extreme and Airport Express to create wifi access and Apple Music ‘bridges’ to several stereos in the house
  • Netgear Powerline adapters to send the internet to the back of the yard via the electricity wires. See my post on that.
  • As far as clients go, we have iPhones, iPads, Windows PCs, Apple Portables, Unix machines (Linux, HP-UX, Solaris)

So changing out the router might be simple, it might be complicated… One thing that worked out well at home is that our network is 192.168.1.x, which is the default network for the LAN side of the BR500. The WAN side of the BR500 is configured via DHCP, and we have a Comcast supplied internet, with a Netgear cable modem, so this looked like it might be simple.

Installing a BR500 at home

The basic installation process is:

  • Unbox the BR500
  • Plug in the power cord
  • Connect the WAN port on the BR500 to the cable modem
  • Plug in the LAN cables into the BR500
  • Turn on the BR500
  • Reboot or restart the network interface on any DHCP-configured devices on the LAN.

My home LAN is 192.168.1.x and the BR500 is configured for this as it comes from the factory, so it was an easy install.

Installing the 2nd BR500 at my office

This was a bit more complicated, in that there are many devices, including a home-built XEN based cloud, VOIP phone system, Database server, Cameras, Voip phones, wifi access points, printers, etc.

In the end, it required a separate procedure that looked like this:

  • Unbox the router, plug in the power
  • Without connecting to the existing network, turn on
  • Connect my portable with a patch cable to the LAN on the BR500
  • Login to the BR500 and change the LAN network to 192.168.0.x
  • Change the BR500 WAN interface network settings to the fixed IP address/network/gateway/DNS of my existing setup (I have fixed IPs at work)
  • Turn off, remove existing router
  • Install the BR500, connect power and network cables (LAN and WAN), turn on.

Ok, this all sounds easy, but it took a day and a half to eliminate a lot of other approaches that didn’t work.

Configuring the VPN

According to the documentation, there are 3 types of VPNs available:

  1. Insight VPN
  2. IPsec VPN (point to point)
  3. Open VPN (open source client to Insight VPN?)

Configuring the Insight VPN

The idea behind the Insight VPN is that everything is managed within the Netgear Cloud. Think of this as ‘VPN for dummies’, which is an idea that is appealing. You set up an account at https://insight.netgear.com, and that becomes the configuration ‘portal’ for all of your Netgear devices, of which the BR500 is one type. Other types of devices that can be added are newer ReadyNAS storage devices and newer managed switches. Once you log in, you can configure the settings for any given device.

An example of my dashboard at the Insight Cloud portal. The dashboard is indicating that all is well with the router and the internet connection, but that the Netgear Insight managed VPN is broken.

The way this works is that you set up groups of devices based on location, and then set up a VPN group, add up to 3 BR500s to a VPN group, and Netgear’s cloud configures the VPN, and manages the settings and monitoring.

Although I do very much like the concept, it has three issues that, for me, are definitely not ideal:

  1. If the VPN is down, there is nothing you can do. It’s up to Netgear to fix, and if they are still working on it, you have to wait until they fix it. Right now, as I write this, the VPN has been down for 6 days.
  2. When I bought the router 6 weeks ago, this Insight VPN required the purchase of a $25/year subscription. 5 weeks ago, they changed the policy that a 1 year subscription is included. No biggy, just feels like I got penalized for purchasing too early.
  3. Unfortunately, the Netgear Insight VPN has been intermittently not working, which makes it unreliable for providing the infrastructure that I require to do my job. If I knew this before I spent ~$400, I would have purchased a different product (from an alternate manufacturer). My options now are to wait until Netgear (hopefully) fixes their issues, or throw away/de-install the routers and start all over with new routers from another vendor. I would prefer to just install another Netgear router, but they have discontinued their previous product line that did work well for me.

Setting up a Point to Point IPsec VPN

Ok, now that the Insight Managed VPN does not work for me, I decided to try a point to point IPsec VPN. I believe that I did read somewhere in the documentation that the Point to Point VPN is available in the router, but is not a ‘supported’ function, meaning that if it doesn’t work for some reason, it’s not up to Netgear to fix at no charge.

In theory, you would use two BR500s… one at each end of the VPN (in my case, one at home, and one at work) and set up a VPN, matching the settings for the connection at each side. I have a fixed IP at work (Comcast business), and a dynamic IP at home (Comcast). I also have a subscription at Dyndns.org, so the IP address at home resolves from a ‘permanent’ host name in DNS. That way, I can set up the connection from work to connect to a hostname, which resolves down to the IP provided (and periodically changed) by Comcast.

An example of the IPsec configuration: Specify the local LAN, the remote LAN, the Domain name of the remote router, and connection parameters.

When this is complete, you ‘Apply’ the configuration, and if done correctly, you will see that the VPN is connected (indicated by the green dot). If something is wrong, the dot is red.

The green dot indicates that the IPsec Point to Point configuration is working.

Once the connection is working, it is possible to ping a computer on the far side of the VPN:

Although it is possible to ping an IP, other items that I need to do, such as log in to computers via ssh, are not supported by the IPsec VPN… What’s not working I don’t know, in that the various logs for the VPN are hidden or not accessible.

SSH connections are not supported in the IPsec Point to Point connections.

The issues that I had with the Point to Point VPN functionality are listed here:

  • SSH connections to computers on the far side of the VPN are blocked
  • Remote desktop connections are blocked
  • SIP (Voip phones) can connect to the VOIP server, but audio is blocked by the IPsec VPN, so are rendered useless.
  • Adjusting a setting on the far router is not allowed over the VPN… you have to be on the local LAN
  • It appears that you have to choose between an Insight managed VPN OR an IPsec VPN, but they interfere with each other if the IPsec VPN is a ‘backup’ VPN when the Insight VPN is not working
  • The IPsec VPN seems to lose the connection after some period of time, and does not automatically reconnect

At this point, I hate to say it, but the IPsec VPN is not useable for any of the needs that I have.
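When ping crosses the tunnel but SSH, remote desktop and FTP do not, and the router's VPN logs are not accessible, the failure can still be narrowed down from the client side. The following is an added example, not part of the original post or any Netgear tooling: it tries a TCP connection per service and separates a dropped connection from a refused one. The far-side address `192.168.0.10` is a constructed placeholder, and the RTP audio of VoIP calls is UDP, so it is not covered here.

```python
import errno
import socket
import sys

# TCP services the post reports as failing across the tunnel (standard ports).
SERVICES = {"ssh": 22, "rdp": 3389, "ftp": 21}

def probe_tcp(host, port, timeout=3.0):
    """Classify one TCP connection attempt.

    open        - handshake completed, the service is reachable
    refused     - a reset came back: the path carries TCP, nothing accepted it
    filtered    - no answer before the timeout: something on the path drops it
    unreachable - the local stack or a router reported no route to the host
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise

def survey(host, services=SERVICES, timeout=3.0):
    """Probe every named service on one far-side host."""
    return {name: probe_tcp(host, port, timeout)
            for name, port in services.items()}

if __name__ == "__main__":
    # 192.168.0.10 is a constructed placeholder for a machine on the work LAN.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.0.10"
    for name, state in survey(target).items():
        print(f"{target} {name:4s} {state}")
```

A host that answers ping but shows `filtered` on every port points at the tunnel or router policy rather than at the far-side machine; `refused` points at the machine itself.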

Setting up a Client to Router connection

I’ll start off stating that Netgear only officially supports connections from Windows computers to a BR500. For a variety of reasons, I have been using an Apple MacBook Pro for the last 7 years, and Apple phones/iPads. I had a good VPN connection between my devices and the previous Netgear routers, so I am optimistic that I can connect remotely.

Let’s start with the phone… an iPhone X, running the latest iOS.

The connection is provided by Open VPN, which is an app that can be downloaded from the App Store. It’s open source, so it’s free.

To configure the connection between your phone and a BR500, you log in to the router; in the settings under ‘Advanced’, ‘OpenVPN’, you can download the connection settings. In my case, I had to then do a little ‘computer gymnastics’ to get the phone OpenVPN app to import the settings:

  • Email the settings to my email address
  • Check my email on phone
  • Save the configuration file to my phone
  • Open the OpenVPN app
  • Import the configuration file into the OpenVPN app on the iPhone

Once that was done, I noticed that when connecting to my work LAN (the 192.168.0.x LAN), the settings for the OpenVPN assigned a 192.168.1.x IP address to my phone. This is in conflict with the LAN IPs at my home, so the connection failed.
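The conflict described above can be caught before connecting by checking the address plan for overlaps. This is an added example, not from the original post: the /24 prefix lengths are an assumption (the post only gives 192.168.0.x and 192.168.1.x), and whether the BR500 allows the OpenVPN client range to be changed is not stated in the post.

```python
import ipaddress
from itertools import combinations

# Constructed address plan using the networks named in this post.
# The /24 prefix lengths are assumed; the post only writes "192.168.1.x".
PLAN = {
    "home LAN (client side)": "192.168.1.0/24",
    "work LAN (router side)": "192.168.0.0/24",
    "OpenVPN client pool": "192.168.1.0/24",
}

def find_conflicts(plan):
    """Return every pair of named networks whose address ranges overlap."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in plan.items()}
    return [(a, b)
            for (a, net_a), (b, net_b) in combinations(nets.items(), 2)
            if net_a.overlaps(net_b)]

def first_free_subnet(plan, supernet, prefixlen=24):
    """Return the first subnet of `supernet` that overlaps nothing in the plan."""
    used = [ipaddress.ip_network(cidr) for cidr in plan.values()]
    for candidate in ipaddress.ip_network(supernet).subnets(new_prefix=prefixlen):
        if not any(candidate.overlaps(net) for net in used):
            return str(candidate)
    return None

if __name__ == "__main__":
    for a, b in find_conflicts(PLAN):
        print(f"CONFLICT: {a} overlaps {b}")
    # Look for a client range that collides with neither LAN.
    lans = {k: v for k, v in PLAN.items() if "pool" not in k}
    print("non-overlapping range:", first_free_subnet(lans, "192.168.0.0/16"))
```

The same check applies to the site-to-site tunnel: the two LANs behind the routers must not overlap either, which is why the office router was moved to 192.168.0.x.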

For my MacBook Pro, the button on the router OpenVPN page links to instructions on how to install a third party VPN software, and import the configuration file.

More on this later, in short, I wasn’t able to verify the connection, and ‘ran out of steam’ to apply to this. Will update this with more information at a later date.

In the end, I don’t have a remote connection that works yet.

Monitoring the VPN

As of right now, the VPN is working, but it is temperamental, in that the VPN starts and stops with a mind of its own. Instead of ‘forever’ rating it as unreliable, I am posting the graphs to show you the ping times from work to home… you can decide if it’s reliable or not.

Updated 5/30/2020: The VPN connection issues seem to be addressed on the Netgear Insight side, below are updated graphs for the last several weeks.

Update for June 8, 2020 – More bad experiences

For about the last month, the routers worked the way they are supposed to, and I would love to give a positive review of the routers. Today (Monday) I tried to do one of my regular tasks which requires access to the far side of the VPN.

The VPN was down again! It turns out it has been down since Saturday (according to Netgear’s Status web page). My router’s Insight VPN does not work due to issues with Netgear’s cloud.

So being ‘smart’, I decided to set up a Point to Point VPN, per the instructions on Netgear’s website. The VPN did connect, and I can ping IP addresses on the far side of the VPN. However, services like VOIP, FTP, SSH, Remote desktop are apparently blocked by the router settings, and there is no way to change the settings.

So, I guess I can take the day off of work, or drive over to the far side of the VPN to log in…

At this point, I DO NOT recommend the BR500 for use as a VPN that needs to work. It’s great when it does work, it’s a complete waste of time when it doesn’t. And if you need it to work, for instance because of what you do at work, I recommend that you pass on it for now. Perhaps in the future, it will actually work well.

This is really too bad that the router has all of these issues. It replaces a Netgear Prosafe router, which was bullet-proof…. if the internet connection was ok, then the VPN was functional.

Connectivity between work and home. From the top graph, you can see that the Insight VPN stopped working on June 3, 2020, which was 6 days ago. The bottom graph shows that the VPN had worked for about 1 month before it stopped working ~ 1 week ago.
