SSL VPN Modes

NETGEAR’s implementation of SSL VPN offers a greater level of access control and security to network administrators in the form of three options: Full Tunnel Mode, Split Tunnel Mode, and Port Forwarding.

Full Tunnel Mode will allow a remote user full access to the LAN without restrictions. I found this level of access to be more than necessary, as it also routes simple web surfing for the remote client through the VPN tunnel.

A subset of Full Tunnel Mode is Split Tunnel Mode. This option allows a remote client full access to the LAN behind the 336G, while leaving web surfing to the end user's local connection.

In this mode, the remote client is issued an IP address different from the NETGEAR LAN subnet, which is then routed to the LAN subnet. As shown in Figure 8, my PC has received IP 192.168.251.2, which the NETGEAR routes to my LAN subnet (192.168.3.0/24).

Figure 8: SSL VPN IP address

Using a different subnet for SSL VPN clients is similar to NETGEAR’s Mode Config option for IPSec VPN clients in that it creates separate routed networks between VPN clients and the main LAN. Restrictions can then be applied to the VPN subnet, enhancing security with the ability to limit access based on originating IP addresses.

Split Tunnel Mode requires setting up a static route between the VPN client subnet and the NETGEAR LAN subnet. It's a two-step process, enabled by de-selecting Full Tunnel Mode and entering the LAN subnet as shown in Figure 9.

Figure 9: Setting up Split Tunnel Mode

With Split Tunnel Mode, a remote client has routed access to the NETGEAR LAN 192.168.3.0/24 from anywhere with an Internet connection. Using the NETGEAR SSL VPN implementation, I was able to access my Windows and Linux servers via Remote Desktop, VNC, and SSH services, as well as map to my network drives.

I was also impressed that pinging LAN devices through the VPN tunnel added minimal latency. As shown in Table 2 previously, there was virtually no difference in ping times to the WAN interface and to LAN devices through the VPN tunnel. Encapsulating and encrypting packets in a VPN tunnel adds some expected delay. It was impressive to see 1ms or no difference between pinging the WAN interface and pinging a LAN IP.

NETGEAR’s third SSL VPN option, Port Forwarding, is similar to common firewall Port Forwarding. This feature restricts VPN access to specific TCP ports, such as those of web and email servers or other TCP-based applications. Note: UDP-based applications, such as VoIP, won't work in this mode.
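
To make the difference between the three modes concrete, the sketch below (an added example, not NETGEAR's code or part of the original review) models which client flows enter the tunnel in each mode. The LAN subnet comes from the review; the gateway WAN address, the forwarded services, the sample flows and the two-/1-route model of Full Tunnel Mode are assumptions constructed for illustration.

```python
import ipaddress

# From the review: the NETGEAR LAN subnet. Everything else is constructed.
LAN = ipaddress.ip_network("192.168.3.0/24")
GATEWAY_WAN = ipaddress.ip_address("203.0.113.10")   # constructed (TEST-NET-3)
# Constructed Port Forwarding policy: TCP services published to VPN users.
FORWARDS = {("192.168.3.10", 443), ("192.168.3.20", 25)}

def routes(mode):
    """Simplified client routing table as (network, interface) pairs."""
    table = [(ipaddress.ip_network("0.0.0.0/0"), "local")]
    if mode == "full":
        # Assumption: full tunnel modelled as two /1 routes that beat the
        # local default by prefix length (the review does not say how the
        # NETGEAR client does it). A host route keeps the encrypted tunnel
        # packets themselves on the local connection.
        table += [(ipaddress.ip_network("0.0.0.0/1"), "vpn"),
                  (ipaddress.ip_network("128.0.0.0/1"), "vpn"),
                  (ipaddress.ip_network(f"{GATEWAY_WAN}/32"), "local")]
    elif mode == "split":
        table.append((LAN, "vpn"))   # only the LAN subnet is routed
    return table                     # "portfwd" adds no routes at all

def egress(mode, dst, proto="tcp", port=0):
    """Return 'vpn' or 'local' for one flow under the given mode."""
    if mode == "portfwd":
        # Per-connection relay: TCP only, and only to listed host:port pairs.
        return "vpn" if proto == "tcp" and (dst, port) in FORWARDS else "local"
    addr = ipaddress.ip_address(dst)
    matches = [(net, ifc) for net, ifc in routes(mode) if addr in net]
    # Longest-prefix match decides the interface.
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def tunneled(mode, flows):
    """Flows (dst, proto, port) that reach the gateway under this mode."""
    return [f for f in flows if egress(mode, *f) == "vpn"]

# Constructed sample flows from one remote client.
FLOWS = [("192.168.3.10", "tcp", 3389),   # Remote Desktop to a LAN server
         ("192.168.3.10", "tcp", 443),    # published web service
         ("192.168.3.30", "udp", 5060),   # VoIP signalling
         ("198.51.100.7", "tcp", 80)]     # ordinary web surfing

if __name__ == "__main__":
    for mode in ("full", "split", "portfwd"):
        print(mode, tunneled(mode, FLOWS))
```

The output shows the exposure shrinking from every flow (full), to every LAN-bound flow regardless of protocol (split), to a single published TCP service (port forwarding).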

Additional configuration options for SSL VPN clients exist through the use of User, Group, and Domain configurations. Further, the FVS336G can be configured to use a RADIUS server for user authentication. Finally, User Policies can be created to define which browsers are permitted for end user access.
