how to allow pptp at firewall

Hi all,

I'm trying to set up the firewall to allow PPTP connections. I have turned on gre and pptp under service ports, then made firewall rules to allow PPTP connections to this router. This is my firewall configuration:

Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Checked For Viruses Port
chain=input action=jump jump-target=virus

1 chain=forward action=jump jump-target=virus

2 ;;; allow ping
chain=input protocol=icmp action=accept

3 chain=forward protocol=icmp action=accept

4 ;;; Accept established connections
chain=input connection-state=established action=accept

5 chain=forward connection-state=established action=accept

6 ;;; Accept related connections
chain=input connection-state=related action=accept

7 chain=forward connection-state=related action=accept

8 ;;; Drop invalid connections
chain=input connection-state=invalid action=drop

9 chain=forward connection-state=invalid action=drop


10 ;;; From All Network
chain=forward src-address-list=Allowed action=accept

11 ;;; To All Network
chain=forward dst-address-list=Allowed action=accept

12 ;;; Allowed PPPtP
chain=input protocol=tcp dst-port=1723 action=accept

13 chain=input protocol=tcp dst-port=47 action=accept

14 ;;; Port scanners to list
chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list
address-list=port scanners address-list-timeout=2w

15 chain=forward protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list
address-list=port scanners address-list-timeout=2w

16 ;;; NMAP FIN Stealth scan
chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
action=add-src-to-address-list address-list=port scanners
address-list-timeout=2w

17 chain=forward protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
action=add-src-to-address-list address-list=port scanners
address-list-timeout=2w

18 ;;; SYN/FIN scan
chain=input protocol=tcp tcp-flags=fin,syn
action=add-src-to-address-list address-list=port scanners
address-list-timeout=2w

19 chain=forward protocol=tcp tcp-flags=fin,syn
action=add-src-to-address-list address-list=port scanners
address-list-timeout=2w

20 ;;; SYN/RST scan
chain=input protocol=tcp tcp-flags=syn,rst
action=add-src-to-address-list address-list=port scanners
address-list-timeout=2w

21 chain=forward protocol=tcp tcp-flags=syn,rst
action=add-src-to-address-list address-list=port scanners
address-list-timeout=2w

22 ;;; FIN/PSH/URG scan
chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
action=add-src-to-address-list address-list=port scanners
address-list-timeout=2w

23 chain=forward protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
action=add-src-to-address-list address-list=port scanners
address-list-timeout=2w

24 ;;; ALL/ALL scan
chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
action=add-src-to-address-list address-list=port scanners
address-list-timeout=2w

25 chain=forward protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
action=add-src-to-address-list address-list=port scanners
address-list-timeout=2w

26 ;;; dropping port scanners
chain=input src-address-list=port scanners action=drop

27 chain=forward src-address-list=port scanners action=drop

28 ;;; Drop everything else
chain=input action=drop

29 chain=forward action=drop

With these rules the PPTP connection is still dropped. Please share.

The error is in your second PPTP rule. You have to allow IP protocol 47 (GRE), not TCP port 47.
So this should be:

13 chain=input protocol=47 action=accept

TCP port 1723 is the control connection, while the actual tunnel is GRE (protocol 47).

Best regards,
Christian Meis
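The corrected pair of input rules from the answer above, written out as RouterOS CLI commands (this is an added example, not part of the thread; the WAN interface name ether1 is an assumption, and the check commands are included so you can confirm the GRE rule is actually being hit):

```routeros
# Added example (not from the thread). Accept PPTP to the router itself:
# the control channel is TCP 1723, the tunnel is GRE (IP protocol 47).
# "ether1" (the WAN side) is an assumption; drop in-interface= to accept
# PPTP on every interface.
/ip firewall filter
add chain=input in-interface=ether1 protocol=tcp dst-port=1723 \
    action=accept comment="Allowed PPTP control (TCP 1723)"
add chain=input in-interface=ether1 protocol=gre \
    action=accept comment="Allowed PPTP tunnel (GRE, IP protocol 47)"

# The rule from the original post, for contrast. GRE carries no port
# numbers, so a tcp dst-port=47 match never sees the tunnel packets and
# the final "chain=input action=drop" discards them.
# add chain=input protocol=tcp dst-port=47 action=accept

# Check 1: the packet/byte counters of the GRE rule must increase while a
# client dials in; if only the TCP 1723 rule counts, GRE is still dropped.
/ip firewall filter print stats where comment~"GRE"

# Check 2: confirm GRE is actually reaching the router from the client.
/tool sniffer quick ip-protocol=gre
```

Rules added with `add` land at the bottom of the chain, below rule 28 (`Drop everything else`), so move them above the final drop with `/ip firewall filter move` or by dragging them in WinBox; otherwise they are never reached.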

I've always wondered, is that rule the same as enabling the gre and pptp options in WinBox under IP->Firewall->Service Ports?

Which one supersedes the other? (i.e. if I have it set to disable GRE in the firewall but enabled in WinBox service ports?)

Thanks

The service ports in the firewall section are only needed for traversing NAT.
So there isn't one taking priority over the other; those are two different things.

Best regards,
Christian Meis
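To make the distinction concrete, here is the NAT case the answer above refers to: a PPTP server behind this router, reachable through dst-nat. This is an added example, not part of the thread; the internal server address 192.168.88.10 and the WAN interface ether1 are assumptions.

```routeros
# Added example (not from the thread). PPTP server at 192.168.88.10 behind
# this router, WAN interface ether1 (both assumed).

# The PPTP service port (conntrack helper) ties each GRE flow to its TCP
# 1723 control connection so NAT can translate the tunnel and the
# "Accept related" rules can match it. It permits nothing by itself, which
# is why enabling it here and disabling it in the filter rules do not
# conflict: they answer different questions.
/ip firewall service-port set pptp disabled=no

# Hand both the control connection and the tunnel to the internal server.
/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=1723 \
    action=dst-nat to-addresses=192.168.88.10 comment="PPTP control to server"
add chain=dstnat in-interface=ether1 protocol=gre \
    action=dst-nat to-addresses=192.168.88.10 comment="PPTP GRE to server"

# The forward chain still needs explicit accepts: the service port does not
# replace them, and dst-natted packets never touch the input chain, so the
# input rules from earlier in the thread do not apply here.
/ip firewall filter
add chain=forward in-interface=ether1 protocol=tcp dst-port=1723 \
    dst-address=192.168.88.10 action=accept comment="Forward PPTP control"
add chain=forward in-interface=ether1 protocol=gre \
    dst-address=192.168.88.10 action=accept comment="Forward PPTP GRE"

# Check: once a client has connected, the connection table should list a
# gre entry for it alongside the TCP 1723 control connection.
/ip firewall connection print
```

As with the input rules, move the two forward accepts above the final `chain=forward action=drop`, or they are never evaluated.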

GRE: how can I use a key?

So there's not one taking priority over the other - those are two different things???

WALEEEED
