Filter not allowing VPN (PPTP) access?

GlueGuy · May 3, 2011, 5:49pm

I’ve got a new RouterOS installation, using my default filter settings that is not allowing VPN access. I set up a filter rule (# 6 below) on the input chain to allow access through the PPTP port (1723), but it’s not triggering. Instead it’s falling through to the “drop everything else” rule.

If I disable the “drop everything else” rule, then PPTP access works.

/ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; Drop invalid connections
     chain=input action=drop connection-state=invalid 

 1   ;;; Allow established connections
     chain=input action=accept connection-state=established 

 2   ;;; Allow related connections
     chain=input action=accept connection-state=related 

 3   ;;; Allow UDP
     chain=input action=accept protocol=udp 

 4   ;;; Allow ICMP
     chain=input action=accept protocol=icmp 

 5   ;;; Allow incoming on the BACnet port
     chain=input action=accept protocol=udp in-interface=ether1 dst-port=47808 

 6   ;;; Allow incoming for PPTP tunnel
     chain=input action=accept connection-state=new protocol=tcp dst-port=1723 connection-type=pptp 

 7   ;;; Allow input from the private address space
     chain=input action=accept src-address-list=private 

 8   ;;; Log everything about to be dropped
     chain=input action=log log-prefix="Drop" 

 9   ;;; Drop everything else
     chain=input action=drop

I’ve tried different variations on rule #6, but nothing seems to trigger.

Anyone know what I’m missing here? ROS version is 4.17, but I also tried 3.13.

fewi · May 3, 2011, 6:06pm

6 ;;; Allow incoming for PPTP tunnel
chain=input action=accept connection-state=new protocol=tcp dst-port=1723 connection-type=pptp

PPTP uses two connections: tcp/1723 as a control channel, and a GRE tunnel that carries the actual data. connection-type=pptp matches GRE tunnels that the firewall previously observed being set up via tcp/1723 control channels. The control channel itself, however, will never match that. Because you’re referring to this relationship in your rule it doesn’t match, so the packets drop through to rules further below. Remove the connection-type=pptp from this rule. Your related rule:

2   ;;; Allow related connections
     chain=input action=accept connection-state=related

will then permit the GRE tunnel.

GlueGuy · May 3, 2011, 6:21pm

Thanks for the very quick response. I guess I hadn’t tried that variation yet. I did look at another router, where I had it working properly, and sure enough, it didn’t have the PPTP conection-type modifier.

When I dropped that, it started working correctly.

Evelio · June 3, 2011, 3:54pm

Hello,

I followed the instructions and filter rules in the posts to allow VPN tru Firewall.

I am worried about too many things getting Dropped. So I am logging but disabled the dropping until answer:)
Is this Ok?

Sample drops:
11:50:23 firewall,info Drop input: in:ether1 out:(none), src-mac 00:12:1e:0c:98:02, proto TCP (SYN), 173.78.168.102:4570->
MyPublicIP:37885, len 32

11:50:23 firewall,info Drop input: in:ether1 out:(none), src-mac 00:12:1e:0c:98:02, proto TCP (SYN), 217.10.42.79:64421->MyPublicIP:35908, len 44

11:50:24 firewall,info Drop input: in:ether1 out:(none), src-mac 00:12:1e:0c:98:02, proto TCP (SYN), 203.200.217.180:61068
->MyPublicIP:35908, len 44

11:50:24 firewall,info Drop input: in:ether1 out:(none), src-mac 00:12:1e:0c:98:02, proto TCP (SYN), 173.78.168.102:4570->
MyPublicIP:37885, len 32

Evelio · June 3, 2011, 4:04pm

Evelio:

Hello,

I followed the instructions and filter rules in the posts to allow VPN tru Firewall.

I am worried about too many things getting Dropped. So I am logging but disabled the dropping until answer:)
Is this Ok?

Sample drops:
11:50:23 firewall,info Drop input: in:ether1 out:(none), src-mac 00:12:1e:0c:98:02, proto TCP (SYN), 173.78.168.102:4570->
MyPublicIP:37885, len 32

11:50:23 firewall,info Drop input: in:ether1 out:(none), src-mac 00:12:1e:0c:98:02, proto TCP (SYN), 217.10.42.79:64421->MyPublicIP:35908, len 44

11:50:24 firewall,info Drop input: in:ether1 out:(none), src-mac 00:12:1e:0c:98:02, proto TCP (SYN), 203.200.217.180:61068
->MyPublicIP:35908, len 44

11:50:24 firewall,info Drop input: in:ether1 out:(none), src-mac 00:12:1e:0c:98:02, proto TCP (SYN), 173.78.168.102:4570->
MyPublicIP:37885, len 32

Some of these drops are from Netvision Networks which is a Video conferencing or video streaming software…

dcabro · September 10, 2016, 12:42pm

Same issue here. Do not understand why the filter/firewall is dropping packets.

Here are my rules:

[java@MikroTik] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=input action=accept protocol=icmp in-interface=!pppoe-out1 log=no log-prefix=“”

1 chain=input action=accept connection-state=established

2 chain=input action=accept connection-state=related

3 chain=input action=drop in-interface=pppoe-out1 log=yes log-prefix=“”

4 chain=input action=accept protocol=tcp in-interface=pppoe-out1 dst-port=1723 log=no log-prefix=“”

5 chain=input action=accept protocol=gre log=no log-prefix=“”

However, log shows:

14:40:55 firewall,info input: in:pppoe-out1 out:(none), src-mac e4:8d:8c:2c:88:33, proto TCP (SYN), masked.source.ip:44799->masked.dest.ip:1723, len 60

dcabro · September 13, 2016, 7:30pm

Anyone?

2frogs · September 13, 2016, 10:17pm

Accept before you drop! You need to reorder your rules so your drop is at the bottom.

And please, in the future, create a new post instead of posting on an old one.