
VPN source port 2

Status
Not open for further replies.

Pseudopath (Programmer, GB), Jan 16, 2002
Hi,

Hope someone can help me with this.

I am trying to establish a VPN through the internet via a "BT Voyager 205" ADSL Router.

I have examined the packets during the VPN connection while on my local network and believe that the problem is the source port.

The problem, I think, is that the request is sent from a random port to the destination port of 1723 on the remote PC, which can be configured for at the destination NAT firewall, but on return of the request, because the source port is not known, the NAT firewall cannot be configured to accept the packets, hence the connection does not complete.

Does anyone know of a way to set the Windows XP source port so that I can make it consistent and allow a NAT rule to be applied?

Failing that, any other suggestions would be gratefully received too!

Thanks for reading.

Regards,

Pseudo.
 
I am having the same problem on a BT 1800HG ADSL router.
It seems to be using a different port each time to connect to 1723 on the remote server.

If you find out any way to solve this, can you post it? Sorry I can't help.

Thanks!
 
Are you not able to create the rule specifying "Any" for the source port? As long as the rule only specifically allows your machine and the VPN device to talk, it would remove any security problems.

Computer/Network Technician
CCNA
 

Thanks LloydSev, for your reply.

Yes, I suppose it would solve the problem, but I would rather not have a range of ports open and forwarding indiscriminate packets to my main PC. Kinda defeats the object of having a firewall ;¬)

That said I haven't managed to get it working from my own network to the internet and back again so I might try it as a short term test option.

Cheers,

Pseudo.
 
There shouldn't be a problem with the incoming traffic, your router should already allow it. PPTP uses TCP port 1723, and established connections should be allowed through. When you browse web sites, you also use a random source port and it's the same type of thing.

PPTP also uses protocol 47. Make sure that you're allowing that in and out as well. Some of the SOHO routers have an option for "pptp passthrough" or something like that.
 

Cheers Igarner, I may end up looking for a replacement router, to be honest. Because although I can be sure the destination port will be 1723, the source port from my PC is not specified and on return the packets are blocked.

Here are my IP filters :-

RuleID  IFName  RuleFlavor      Proto  Local IP From  Local IP To
47      ALL     Virtual Server  GRE    192.168.3.3    192.168.3.3
50      ALL     Virtual Server  50     192.168.3.3    192.168.3.3
51      ALL     Virtual Server  51     192.168.3.3    192.168.3.3
443     ALL     Virtual Server  TCP    192.168.3.3    192.168.3.3
500     ALL     Virtual Server  UDP    192.168.3.3    192.168.3.3
1000    ALL     Virtual Server  ANY    192.168.3.3    192.168.3.3
1023    ALL     Virtual Server  TCP    192.168.3.3    192.168.3.3
1723    ALL     Virtual Server  TCP    192.168.3.3    192.168.3.3
10000   ALL     Virtual Server  UDP    192.168.3.3    192.168.3.3

In theory these should work.

If a solution cannot be found for the VPN perhaps a decent but relatively cheap router could be suggested?

Thanks.
 
Like I said, you should create a rule specifying the "source" port as any.

This does NOT open your computer to more attacks, only allows traffic to be forwarded back to that port from the address you sent it to.

Computer/Network Technician
CCNA
 
What LloydSev is saying makes sense to me. The key being that the rule specifies the two devices concerned, so your port is not "open" to everyone, just to the device that you specified in your rule. My only question would be how would you specify the devices in the rule? Are there different ways to do that, and if so, is one more secure than the other?
 
Why do your rules specify that same source and destination IP?

Computer/Network Technician
CCNA
 

They quote the same source and destination IP because they are set up through the router's URL interface.
I can telnet onto it but as yet have not figured out exactly how to set the values I want, hence my initial question.
Incidentally, my incoming packets will be from an address whose IP I do not know.
Although it is another BT Voyager 205, it does not have a static IP, so a DNS name has been set up on the internet to point to it. The VPN connects to the DNS name, which is dynamically updated, so no matter what the destination IP is, the VPN points the right way.
I suppose if I were to do as you suggested I would simply open ports from 0.0.0.0 (for some reason the 205 uses this to mean all instead of 255.255.255.255) to be forwarded via NAT to my PC. I am beginning to suspect that the problem here is the rules and how the router's web interface sets them... Can't stand fiddly stuff, another reason to buy a decent replacement... We'll see I suppose!
 
0.0.0.0 is a netmask, and does not pertain to ports in any way.


Computer/Network Technician
CCNA
 
Yeah I realise that but does it not refer to the source/destination IP of the packets?
 
0.0.0.0 as a netmask would mean ANY IP address.

255.255.255.255 would be specifically pertaining to 1 host.

Computer/Network Technician
CCNA
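To tie together lgarner's point about established connections, LloydSev's "source port any" rule and the netmask discussion above, here is an added example that is not from this thread: a small constructed model of a stateful NAT firewall in Python. The client/server addresses, the TCP source port 49152 and the verdict strings are assumptions of the example, not values from the Voyager 205.

```python
import ipaddress
from collections import namedtuple

# Constructed model of a stateful NAT firewall; not the Voyager's real rule engine.
Packet = namedtuple("Packet", "proto src_ip src_port dst_ip dst_port")
Rule = namedtuple("Rule", "proto remote_ip remote_mask local_port")  # local_port None = any

TCP, GRE = 6, 47          # PPTP control channel is TCP/1723, tunnel data is IP protocol 47
PPTP_CTRL_PORT = 1723


def ip_matches(ip, rule_ip, mask):
    """Mask 0.0.0.0 matches any address; 255.255.255.255 matches exactly one host."""
    m = int(ipaddress.IPv4Address(mask))
    return int(ipaddress.IPv4Address(ip)) & m == int(ipaddress.IPv4Address(rule_ip)) & m


class StatefulFilter:
    def __init__(self, rules):
        self.rules = rules
        self.flows = set()  # reversed 5-tuples of outbound flows we expect replies for

    def outbound(self, pkt):
        # Remember the flow so its reply is accepted even though src_port was random.
        self.flows.add((pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port))

    def inbound(self, pkt):
        if (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port) in self.flows:
            return "established"  # reply to a connection the LAN host opened itself
        for r in self.rules:      # anything else needs an explicit inbound rule
            if (r.proto == pkt.proto and ip_matches(pkt.src_ip, r.remote_ip, r.remote_mask)
                    and r.local_port in (None, pkt.dst_port)):
                return "rule"
        return "dropped"


def pptp_session(rules, client="192.168.3.3", server="203.0.113.10"):
    """Return (control-channel reply verdict, GRE data verdict) for one constructed setup."""
    fw = StatefulFilter(rules)
    fw.outbound(Packet(TCP, client, 49152, server, PPTP_CTRL_PORT))  # random source port
    ctrl = fw.inbound(Packet(TCP, server, PPTP_CTRL_PORT, client, 49152))
    data = fw.inbound(Packet(GRE, server, 0, client, 0))             # GRE carries no ports
    return ctrl, data


if __name__ == "__main__":
    tcp_only = [Rule(TCP, "0.0.0.0", "0.0.0.0", PPTP_CTRL_PORT)]
    print(pptp_session(tcp_only))   # ('established', 'dropped'): GRE needs its own rule
    with_gre = tcp_only + [Rule(GRE, "203.0.113.10", "255.255.255.255", None)]
    print(pptp_session(with_gre))   # ('established', 'rule')
```

The TCP reply passes on connection state alone, which is why a "source port any" rule does not widen exposure, while GRE never matches state keyed on ports and fails unless protocol 47 is explicitly allowed.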
 

I understand now, thanks.

What is still a little confusing is how that affects the NAT/IP filter rule above; does it just specify which IPs will receive the packets?
 
Just to muddy the waters a little guys...

I had a user running a Microsoft PPTP connection through Broadband - he was OK until he upgraded to the BT Voyager 205 whereupon it stopped working.

After much playing and network tracing it appeared that the connection failed during link setup and was something to do with the NATing of the Voyager.

Changing the router for a Netgear or a Draytek fixed the problem.
 
Well, the router does need to support PPTP pass-through.

If it doesn't, then it will fail, since PPTP uses port 1723 and protocol 47.

Computer/Network Technician
CCNA
 

Another nail in the coffin of the 205; I think a Netgear DG832 will be my next investment....
 

Thanks all who submitted.

I've decided that LloydSev and Peterhurst added the most value to this thread.

Thanks to you both.

Answer - replace the Voyager 205 (it doesn't appear to support VPN passthru...)
 