Hi,

A couple of thoughts.

If the router is the Telstra business router Netgear v7610 (which it sounds very much like), various software versions of this have lots of problems with port forwarding. Telstra support know all about it, and you (or the registered owner) can ask them to downgrade it. (Usually they downgrade to version 6A.)

2.2.2.6A

Note: I have not actually used the specific ports 500 and 4500, but have had to have a few downgraded for other port forwardings.

You shouldn't port forward 1701; this traffic goes encrypted inside the IPsec on port 4500 (when NATted, as in this case), or in the ESP payload when there is no NAT.

Good luck.

Regards
Roger

From: Karl Auer <kauer@nullarbor.com.au>
To: MikroTik Public <public@talk.mikrotik.com.au>
Date sent: Fri, 16 Oct 2020 12:44:31 +1100
Subject: [MT-AU Public] [OFF-TOPIC] Reverse question
Send reply to: kauer@nullarbor.com.au, MikroTik Australia Public List <public@talk.mikrotik.com.au>

This is not really a Mikrotik question, but the people here have lots of experience with routers generally so I will ask anyway...

I (of course) use a Mikrotik router at home. I also have a Synology NAS at home, which supports an L2TP/IPsec VPN (with PSK). I have forwarded UDP ports 1701, 500 and 4500 through the Mikrotik, and connections from outside work flawlessly.

When I configure another Synology, this one at a client site, the exact same way, the port forwarding through the Telstra-supplied router just doesn't work. I have disabled the in-router VPN. The client says that the L2TP negotiation failed.

Now here's the thing: Connecting to the VPN from inside the network works fine. So L2TP, IKE, IPsec-NAT-T, the pre-shared key and the NAS user credentials are all demonstrably correct. Attempt from outside the network and - nope.

Not sure of the model of Telstra router (it's the black-faced vertical one with the big blue-lit button at top).

Anyway, I have a couple of other Telstra routers, one a Netgear DEVG2020, one a Technicolor TG799vac, and as far as I can tell they don't work either!

Is this a Telstra thing - don't let VPNs through? Is there a trick to it? Short of replacing the things with Mikrotiks, which I am seriously considering recommending...

Regards, K.

--
Karl Auer (kauer@nullarbor.com.au)
work +61 2 64957435
http://www.nullarbor.com.au
mobile +61 428 957160

GPG fingerprint: CF68 0C56 EEE4 CC19 28D4 03B3 BCE0 E800 E31F 7254
Old fingerprint: 887A DA07 4DCC EE76 B413 27D4 C638 4189 6CF0 D556

----------------------------
Roger Plant
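
Added example, not part of the thread and not code from either poster: a classifier for the UDP payloads a NAT router sees during an L2TP/IPsec connection, using the RFC 3948 framing on port 4500, to show why only ports 500 and 4500 appear on the outside. The function names and sample datagrams are constructed for illustration.

```python
import struct

IKE_PORT, NATT_PORT, L2TP_PORT = 500, 4500, 1701
IKEV1_EXCHANGES = {2: "main-mode", 4: "aggressive-mode",
                   5: "informational", 32: "quick-mode"}
IKE_HDR = "!8s8sBBBBII"  # SPIs, next payload, version, exchange, flags, msg id, length

def parse_ike(data):
    """Describe an ISAKMP/IKE header, or return None if it is too short."""
    if len(data) < struct.calcsize(IKE_HDR):
        return None
    _, _, _, version, exch, _, _, _ = struct.unpack(IKE_HDR, data[:28])
    major = version >> 4
    name = IKEV1_EXCHANGES.get(exch) if major == 1 else None
    return f"IKEv{major} {name or 'exchange-%d' % exch}"

def classify(dst_port, payload):
    """Classify one UDP datagram as seen on the WAN side of the NAT router."""
    if dst_port == IKE_PORT:
        return parse_ike(payload) or "malformed IKE"
    if dst_port == NATT_PORT:
        if payload == b"\xff":                   # single 0xFF byte
            return "NAT-T keepalive"
        if payload[:4] == b"\x00" * 4:           # Non-ESP marker, then IKE
            return parse_ike(payload[4:]) or "malformed IKE"
        if len(payload) >= 8:                    # non-zero SPI: ESP-in-UDP
            spi, seq = struct.unpack("!II", payload[:8])
            return f"ESP spi=0x{spi:08x} seq={seq}"
        return "malformed"
    if dst_port == L2TP_PORT:
        return "L2TP outside IPsec"
    return "other"

def ike_header(exch, version=0x10):
    """Build a constructed IKE header (sample data only)."""
    return struct.pack(IKE_HDR, b"\x11" * 8, b"\x00" * 8, 1, version, exch, 0, 0, 28)

# Constructed capture of one client connecting through NAT. The L2TP control
# and data messages travel inside the ESP payload, so 1701 is never visible.
SAMPLE = [
    (500, ike_header(2)),
    (4500, b"\x00" * 4 + ike_header(2)),
    (4500, b"\x00" * 4 + ike_header(32)),
    (4500, struct.pack("!II", 0xC0FFEE01, 1) + b"\x00" * 32),
    (4500, b"\xff"),
]

def ports_seen(datagrams):
    return {port for port, _ in datagrams}

if __name__ == "__main__":
    for port, data in SAMPLE:
        print(port, classify(port, data))
```

Run against payloads taken from a real capture on the WAN side, a trace that stops after the port 500 main-mode packets points at the port 4500 forward rather than at L2TP itself.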