allowing PPTP passthrough

I am running a small WISP and have recently replaced a Linksys router at the top of my network with a MT router. Everything went smoothly for just about everything; however, one of my customers whose VPN uses PPTP is not able to connect any longer.

On the Linksys, there was a simple check box to enable PPTP passthrough and that worked.

I realize that I will need to write a firewall rule on the MT to do this, but I cannot seem to figure out what is needed.

I have a rule for forwarding TCP port 1723 and one for GRE; what am I missing?

Any help is greatly appreciated.

You need to turn on the GRE and PPTP helpers in Connection Tracking.

Regards

Andrew

I know of the helpers in the services section of the firewall filter, but I am not familiar with connection tracking helpers.

Can you tell me where to find them using WinBox?

Thanks

Same thing. Do you have them turned on?

You’ll also need connection tracking turned on.

Regards

Andrew

The helpers are turned on, and the tracking option in the connections tab is enabled. However, the TCP synCookie checkbox is unchecked.

I also have set a filter rule for TCP port 1723 and GRE. With the helpers on, do I need the filter rules?


Thanks

Depends on how you’re doing your firewalling.

Are these PPTP connections inbound or outbound from your network? If outbound, then you just need rules in the Forward chain to pass the TCP:1723 and GRE packets.

If the VPN server is on your network then you’re going to have to set up some DST-NAT rules as well.

Regards

Andrew
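The outbound case described above, written out as RouterOS console commands. This is an added example, not a configuration posted by anyone in the thread. It assumes the PPTP client sits behind the router and the VPN server is outside, that the helper list is the service-port menu mentioned earlier, and that the two accept rules can be placed ahead of any drop rule in the forward chain.

```routeros
# Added example (not from the thread): outbound PPTP passthrough.

# 1. Connection tracking must be on, otherwise the helpers do nothing.
/ip firewall connection tracking set enabled=yes

# 2. Enable the PPTP helper. Releases that list a separate GRE helper
#    need that one enabled too; [find] returns nothing where it does
#    not exist, so the second line is harmless there.
/ip firewall service-port enable [find name=pptp]
/ip firewall service-port enable [find name=gre]

# 3. Forward chain: let replies to tracked connections back in, then
#    pass the PPTP control channel (TCP 1723) and the tunnel itself
#    (GRE, IP protocol 47, which has no ports to match on).
/ip firewall filter
add chain=forward connection-state=established action=accept comment="tracked replies"
add chain=forward connection-state=related action=accept comment="helper-related flows"
add chain=forward protocol=tcp dst-port=1723 action=accept comment="PPTP control"
add chain=forward protocol=gre action=accept comment="PPTP data (GRE)"

# 4. Check the result. "add" appends to the end of the chain, so if a
#    drop rule already exists the new rules must be moved above it
#    (or added with place-before=<number of the drop rule>).
/ip firewall service-port print
/ip firewall filter print where chain=forward
```

Limiting the two PPTP rules to the customer's source address rather than all forwarded traffic keeps GRE from being passed for hosts that do not need it.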

The VPN server is on the outside of my network.

Can you post the contents of your firewall Forward chain?

Regards

Andrew