jaytcsd
Member
Topic Author
Posts: 332
Joined: Wed Dec 29, 2004 9:50 am
Location: Pittsboro IN

win 7 can't connect to L2TP unless all ports open

Sat Jun 11, 2011 11:50 am

Read about 50 threads and all the wikis on L2TP/IPsec VPN. I can get my Win 7 Starter PC to connect using the basic examples, but when I enable my last input rule, which drops everything that isn't specifically allowed, it won't connect.

I added input, output and forward chain rules to accept UDP 500, 1701 and 4500, and ipsec-ah and ipsec-esp.

I ran the packet sniffer on the public NIC with the drop rule disabled to see if I could figure out what packets / protocols I block that prevent Win 7 from connecting, but all I see are the ports and protocols I have already opened.
I'm using a RouterBOARD 133 with 5.4; the PC is on a broadband card with a public IP, no NAT.

Once I'm connected I can re-enable the drop rule in the input chain and remain connected to the LAN.
 
microshift
just joined
Posts: 15
Joined: Sat Feb 16, 2008 4:01 am

Re: win 7 can't connect to L2TP unless all ports open

Sat Jun 11, 2011 5:15 pm

Is the GRE Protocol 47 open?
 
jaytcsd
Member
Topic Author
Posts: 332
Joined: Wed Dec 29, 2004 9:50 am
Location: Pittsboro IN

Re: win 7 can't connect to L2TP unless all ports open

Sat Jun 11, 2011 8:13 pm

I do have GRE open; I had been using PPTP and wanted to move up to something more secure for public Wi-Fi use.

/ip firewall filter

add action=drop chain=input comment="drop invalid packets" connection-state=\
invalid disabled=no
add action=accept chain=input comment="established connections" \
connection-state=established disabled=no
add action=accept chain=input comment="Accept related connections" \
connection-state=related disabled=no
add action=log chain=input comment="log invalid " connection-state=invalid \
disabled=no log-prefix="INVALID **"
add action=drop chain=input comment="Drop invalid connections" \
connection-state=invalid disabled=no
add action=jump chain=input comment="viurs check" disabled=no jump-target=\
virus
add action=accept chain=forward comment="allow established connections" \
connection-state=established disabled=yes
add action=accept chain=forward comment="allow related connections" \
connection-state=related disabled=yes
add action=drop chain=forward comment="drop invalid connections" \
connection-state=invalid disabled=no
add action=jump chain=forward comment="jump to the virus chain" disabled=no \
jump-target=virus
add action=drop chain=input comment=ssh disabled=no dst-port=22 protocol=tcp
add action=drop chain=input comment=ssh disabled=no dst-port=22 protocol=udp
add action=accept chain=input comment="From private LAN" disabled=no \
src-address=192.168.1.0/24
add action=accept chain=input disabled=yes src-address-list=safe
add action=accept chain=input comment="pp2p tunnel" disabled=no protocol=gre
add action=accept chain=input comment="pp2p tunnel" disabled=no dst-port=1723 \
protocol=tcp
add action=drop chain=input comment="drop pings" disabled=yes limit=1/1m,1 \
protocol=icmp
add action=drop chain=input comment="Drop excess pings" disabled=yes \
protocol=icmp
add action=drop chain=input comment="detect and drop port scan connections" \
disabled=yes protocol=tcp psd=21,3s,3,1
add action=tarpit chain=input comment="suppress DoS attack" connection-limit=\
3,32 disabled=yes protocol=tcp src-address-list=black_list
add action=add-src-to-address-list address-list=black_list \
address-list-timeout=1d chain=input comment="detect DoS attack" \
connection-limit=10,32 disabled=yes protocol=tcp
add action=jump chain=input comment="jump to chain ICMP" disabled=no \
jump-target=ICMP protocol=icmp
add action=jump chain=input comment="jump to chain services" disabled=yes \
jump-target=services
add action=accept chain=input comment="Allow Broadcast Traffic" disabled=no \
dst-address-type=broadcast
add action=accept chain=input comment=ntp connection-type="" disabled=no \
protocol=udp src-port=123
add action=accept chain=input comment=DNS connection-type="" disabled=no \
protocol=tcp src-port=53
add action=accept chain=input comment=l2tp connection-type="" disabled=no \
dst-port=500 protocol=udp
add action=accept chain=input comment=l2tp connection-type="" disabled=no \
dst-port=4500 protocol=udp
add action=accept chain=input comment="l2tp tunnel" disabled=no protocol=\
ipsec-esp
add action=accept chain=input comment="l2tp tunnel" disabled=no dst-port=1701 \
protocol=udp
add action=accept chain=ICMP disabled=no src-address=66.220.2.74
add action=accept chain=ICMP comment="0:0 and limit for 5pac/s" disabled=no \
icmp-options=0:0-255 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="3:3 and limit for 5pac/s" disabled=no \
icmp-options=3:3 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="3:4 and limit for 5pac/s" disabled=no \
icmp-options=3:4 limit=5,5 protocol=icmp
add action=drop chain=ICMP comment="8:0 and limit for 5pac/s" disabled=no \
icmp-options=8:0-255 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="11:0 and limit for 5pac/s" disabled=no \
icmp-options=11:0-255 limit=5,5 protocol=icmp
add action=accept chain=forward comment="allow ping" disabled=no protocol=\
icmp
add action=accept chain=forward comment="allow udp" disabled=no protocol=udp
add action=drop chain=forward comment="drop everything else" disabled=yes
add action=accept chain=forward comment="pp2p tunnel" disabled=no protocol=\
gre
add action=accept chain=forward comment="pp2p tunnel" disabled=no dst-port=\
1723 protocol=tcp
add action=passthrough chain=output disabled=no protocol=gre
add action=passthrough chain=output disabled=no dst-port=1723 protocol=tcp
add action=accept chain=output disabled=no protocol=ipsec-esp
add action=accept chain=forward comment="l2tp tunnel" disabled=no dst-port=\
500 protocol=udp
add action=accept chain=forward comment="l2tp tunnel" disabled=no dst-port=\
4500 protocol=udp
add action=log chain=input disabled=no ipv4-options=strict-source-routing \
log-prefix="input rule 60"
add action=accept chain=input comment="l2tp tunnel" disabled=no protocol=\
ipsec-ah
add action=drop chain=input comment="Drop everything else" disabled=no
add action=accept chain=forward comment="pp2p tunnel" disabled=no protocol=\
ipsec-esp
add action=accept chain=output disabled=no dst-port=500 protocol=udp
add action=accept chain=output disabled=no dst-port=4500 protocol=udp
add action=accept chain=forward comment="pp2p tunnel" disabled=no dst-port=\
1701 protocol=udp
add action=accept chain=forward comment="pp2p tunnel" disabled=no protocol=\
ipsec-ah
add action=accept chain=output disabled=no protocol=ipsec-ah
add action=accept chain=output disabled=no dst-port=1701 protocol=udp
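When an export this long is involved, the question is whether each packet type L2TP/IPsec needs (UDP 500, UDP 4500, UDP 1701, ESP, AH) reaches an accept in the input chain before the catch-all drop. The following added example (my own code, not from the thread or from MikroTik) parses the export syntax shown above and traces the first rule that decides a packet; the excerpt it parses is a constructed subset of the post's rules, with the ipsec-ah rule deliberately moved after the final drop to show the ordering trap, and only a few matchers (protocol, ports, connection-state, addresses) are modelled.

```python
# Added example (not from the thread): parse a RouterOS '/ip firewall filter'
# export and trace which rule first decides a packet, per chain and in order.
import shlex

# Constructed excerpt in the export syntax used in the post; the ipsec-ah rule
# is deliberately placed after the final drop to show the ordering trap.
EXPORT = r'''
add action=accept chain=input comment="established connections" \
    connection-state=established disabled=no
add action=drop chain=input comment=ssh disabled=no dst-port=22 protocol=tcp
add action=accept chain=input comment=l2tp connection-type="" disabled=no \
    dst-port=500 protocol=udp
add action=accept chain=input comment=l2tp disabled=no dst-port=4500 protocol=udp
add action=accept chain=input comment="l2tp tunnel" disabled=no protocol=ipsec-esp
add action=accept chain=input comment="l2tp tunnel" disabled=no dst-port=1701 protocol=udp
add action=drop chain=input comment="Drop everything else" disabled=no
add action=accept chain=input comment="l2tp tunnel" disabled=no protocol=ipsec-ah
'''
NON_MATCHERS = {"action", "chain", "comment", "disabled", "jump-target", "log-prefix"}

def parse_export(text):
    """Glue '\\' continuation lines back together and split each 'add' into key=value."""
    rules, buf = [], ""
    for line in text.splitlines():
        buf += line.strip()
        if buf.endswith("\\"):        # continuation: the next line attaches directly
            buf = buf[:-1]
            continue
        if buf.startswith("add "):    # shlex strips the quotes around values
            rules.append(dict(tok.split("=", 1) for tok in shlex.split(buf[4:])))
        buf = ""
    return rules

def matches(rule, packet):
    # Every matcher present in the rule must equal the packet field; '' is a wildcard.
    return all(v == "" or packet.get(k) == v
               for k, v in rule.items() if k not in NON_MATCHERS)

def trace(rules, chain, packet):
    """Return (action, comment) of the first terminal rule hit, following jumps."""
    for r in rules:
        if r["chain"] != chain or r.get("disabled") == "yes" or not matches(r, packet):
            continue
        if r["action"] == "jump":
            hit = trace(rules, r["jump-target"], packet)
            if hit[0] != "default":
                return hit
        elif r["action"] in ("accept", "drop", "reject", "tarpit"):
            return r["action"], r.get("comment", "")
    return "default", "end of chain (accept)"
```

Feed it the full export and call `trace(rules, "input", {"protocol": "ipsec-ah"})` and the other four packet shapes; any result other than an accept means the rule sits below the drop or is disabled.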
 
microshift
just joined
Posts: 15
Joined: Sat Feb 16, 2008 4:01 am

Re: win 7 can't connect to L2TP unless all ports open

Sat Jun 11, 2011 11:15 pm

I can't see what's wrong in that list, but you could add some firewall rules to log everything; maybe that would point to something the packet sniffer wouldn't.
/ip firewall filter
add action=log chain=forward comment="" disabled=no log-prefix=forward:
add action=log chain=input comment="" disabled=no log-prefix=input:
add action=log chain=output comment="" disabled=no log-prefix=output:
 
jaytcsd
Member
Topic Author
Posts: 332
Joined: Wed Dec 29, 2004 9:50 am
Location: Pittsboro IN

SOLVED - Re: win 7 can't connect to L2TP unless all ports op

Sun Jun 19, 2011 10:21 am

I disabled the PPTP interface and changed the 'Type of VPN' setting in the client from L2TP to Automatic, and it's working.
