santajosh
Frequent Visitor
Topic Author
Posts: 69
Joined: Fri Dec 09, 2005 3:20 pm

PPTP disconnects behind MT (RB532)

Fri Dec 08, 2006 1:36 pm

Hi!

Config:

PC1-10 -> SWITCH -> MT (gateway, dhcp server, PPTP server) 2.9.38

PPTP connections disconnect randomly (1-2 mp or seconds); tried with different servers, OpenVPN... nobody can make a VPN connection.
interfaces:
LAN - proxy-ARP (192.168.0.254)
Internet - ARP enabled

IP-firewall:

0 chain=input connection-state=established action=accept

1 ;;; Accept related connections
chain=input connection-state=related action=accept

2 ;;; Drop invalid connections
chain=input connection-state=invalid action=drop

3 ;;; UDP
chain=input protocol=udp action=accept

4 ;;; Allow limited pings
chain=input protocol=icmp limit=50/5s,2 action=accept

5 ;;; Drop excess pings
chain=input protocol=icmp action=drop

6 ;;; SSH for secure shell
chain=input protocol=tcp dst-port=22 action=accept

7 ;;; Private
chain=input src-address=192.168.0.0/24 action=accept

8 ;;; PPTP + GRE
chain=input protocol=tcp dst-port=1723 action=accept

9 chain=input protocol=gre action=accept

10 ;;; Winbox
chain=input protocol=tcp dst-port=3987 action=accept

11 chain=forward action=accept

12 chain=input action=log log-prefix=""

13 ;;; Drop else
chain=input action=drop

14 ;;; allow established connections
chain=forward connection-state=established action=accept

15 ;;; allow related connections
chain=forward connection-state=related action=accept

16 ;;; drop invalid connections
chain=forward connection-state=invalid action=drop

17 chain=forward action=accept


ip-firewall-NAT
srcnat-masquerading-192.168.0.0/24

Another problem: when a user opens IE there is no internet... but when he pushes the reload button everything is fine? Why?

Or is it something with my firewall rules... Could somebody share his own firewall rules? I read the wiki.mt... and used those rules.

thanks,

santajosh
 
andrewluck
Forum Veteran
Posts: 700
Joined: Fri May 28, 2004 9:05 pm
Location: Norfolk, UK

Sat Dec 09, 2006 12:20 pm

What does PPTP logging show?

Your ICMP rules are rather severe. I would allow things like TTL-exceeded, packet too large etc.

Your Input filters are rather relaxed. Do you really want to allow SSH and Winbox sessions to your router from the outside world? Also, you're accepting any unsolicited UDP packets!
An other problem, when a user opens an IE there is no internet...but when he push reload button everything fine?
Generally, this is a DNS timeout. Check your DNS setup.

Regards

Andrew
 
santajosh
Frequent Visitor
Topic Author
Posts: 69
Joined: Fri Dec 09, 2005 3:20 pm

Mon Dec 11, 2006 7:11 am

What does PPTP logging show?

Your ICMP rules are rather severe. I would allow things like TTL-exceeded, packet too large etc.

Your Input filters are rather relaxed. Do you really want to allow SSH and Winbox sessions to your router from the outside world? Also, you're accepting any unsolicited UDP packets!
An other problem, when a user opens an IE there is no internet...but when he push reload button everything fine?
Generally, this is a DNS timeout. Check your DNS setup.

Regards

Andrew

Thanks for the Reply!

Could you give me a not too severe firewall setup?! I searched the forums... but can't find any...
 
andrewluck
Forum Veteran
Posts: 700
Joined: Fri May 28, 2004 9:05 pm
Location: Norfolk, UK

Mon Dec 11, 2006 5:23 pm

I'd generally use the following rules for ICMP:
35   ;;; Allow ICMP Time-exceeded
     chain=input protocol=icmp icmp-options=11:0-255 action=accept 

36   ;;; Allow ICMP source-quench
     chain=input protocol=icmp icmp-options=4:0-255 action=accept 

37   ;;; Allow ICMP Destination unreachable
     chain=input protocol=icmp icmp-options=3:0-255 action=accept 

Regards

Andrew
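As an added example, not taken from the thread or from the original poster's router: a tightened input chain in RouterOS CLI syntax that follows Andrew's points (selective ICMP instead of a blanket accept, no unsolicited UDP, management only from the LAN side). The interface names LAN and Internet, the 192.168.0.0/24 range and the PPTP/GRE rules come from the first post; the DNS/DHCP rules and Winbox port 8291 (the RouterOS default) are assumptions.

```routeros
# Added example: input chain for a router that is gateway, DHCP server,
# DNS forwarder and PPTP server for the LAN. Interface names follow the
# original post ("LAN" inside, "Internet" outside).
/ip firewall filter
add chain=input connection-state=established action=accept comment="Accept established"
add chain=input connection-state=related action=accept comment="Accept related"
add chain=input connection-state=invalid action=drop comment="Drop invalid"

# ICMP: accept the types needed for path MTU discovery, traceroute and
# error reporting, rate-limit echo requests, drop everything else.
add chain=input protocol=icmp icmp-options=11:0-255 action=accept comment="Allow ICMP time-exceeded"
add chain=input protocol=icmp icmp-options=4:0-255 action=accept comment="Allow ICMP source-quench"
add chain=input protocol=icmp icmp-options=3:0-255 action=accept comment="Allow ICMP destination unreachable"
add chain=input protocol=icmp icmp-options=8:0-255 limit=50/5s,2 action=accept comment="Allow limited echo requests"
add chain=input protocol=icmp action=drop comment="Drop other ICMP"

# Services the LAN clients need from the router itself. This replaces the
# original rule 3, which accepted every UDP packet from any interface.
add chain=input in-interface=LAN protocol=udp dst-port=53 action=accept comment="DNS from LAN (assumed)"
add chain=input in-interface=LAN protocol=udp dst-port=67 action=accept comment="DHCP from LAN (assumed)"

# Management: bound to the LAN interface instead of open to the world.
add chain=input in-interface=LAN protocol=tcp dst-port=22 action=accept comment="SSH from LAN only"
add chain=input in-interface=LAN protocol=tcp dst-port=8291 action=accept comment="Winbox from LAN only (default port, assumed)"

# PPTP server: control channel on tcp/1723 plus GRE for the tunnel.
add chain=input protocol=tcp dst-port=1723 action=accept comment="PPTP control"
add chain=input protocol=gre action=accept comment="GRE for PPTP"

# Anything else aimed at the router is logged and dropped.
add chain=input action=log log-prefix="input-drop" comment="Log the rest"
add chain=input action=drop comment="Drop else"
```

Compared with the original ruleset, rule 7 (accept anything with a 192.168.0.0/24 source address) is gone: an `in-interface=LAN` match cannot be satisfied by a packet arriving on Internet, whereas a bare source-address match can.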
