11 posts in this topic

Posted

We have a SOHO setup with Windows 2008 Server as DC.

The Server is configured as VPN Server as well (PPTP).

The setting was working perfectly and we had remote access outside the LAN through VPN to the internal resources.

For some reason the DSL router was reset to factory defaults.

Later everything is working apart from VPN. Both VPN Passthrough and Port forwarding have been configured but of no use.

VPN can be connected through local IP but not through WAN IP.

Help Needed!!!


Posted (edited)

I'm not familiar enough with dd-wrt, as I'm using Tomato with a built-in PPTP server; but I remember from when I was using an old Cisco that I had to enable pass-through of another protocol.

Edit: Found it: GRE. http://blogs.technet.com/b/rrasblog/archive/2006/06/14/which-ports-to-unblock-for-vpn-traffic-to-pass-through.aspx

Edited by GreenMartian


Posted

Why don't you use SSTP?


Posted

Here are the screenshots of the router web admin...

Am I missing something....

I can't change any settings on the server, just need to configure the router settings after the factory reset.

192.168.10.1 is Local IP of Server

[attached screenshots of the router web admin: two images]


Posted

And as mentioned where is your GRE forward.. Passthru is from the inside going out, not the outside going in.

I do believe you have to forward it via cmdline on the dd-wrt box

iptables -t nat -I PREROUTING -d `nvram get wan_ipaddr` -p 47 -j DNAT --to 192.168.10.1

iptables -I FORWARD -d 192.168.10.1 -p 47 -j ACCEPT

No, that is not -p for port, but protocol; you could also use -p gre in both lines.

You may need to verify that the modules are loaded, something like

/sbin/insmod xt_connmark

/sbin/insmod xt_mark

/sbin/insmod nf_conntrack_proto_gre

/sbin/insmod nf_conntrack_pptp

/sbin/insmod nf_nat_proto_gre

/sbin/insmod nf_nat_pptp

Should be good, also you do understand that 1723 is TCP, not tcp and udp ;)

And PPTP -- Really in this day and age, PPTP has been deprecated for YEARS!!

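The two iptables lines and the module list above are the whole of what a NAT router needs to pass PPTP through to an inside host: TCP port 1723 for the control channel and GRE, which is IP protocol 47 rather than a port, for the tunnel data. The script below is an added example, not code posted in this thread or shipped with dd-wrt. It wraps those rules in a dry-run script so the generated commands can be checked before they are applied, validates both addresses (an empty result from `nvram get wan_ipaddr` is the failure mode mentioned later in the thread), and loads only the helper modules that are not already present. The WAN address 203.0.113.10 used in dry-run mode is a constructed sample; 192.168.10.1 is the server address given in the thread.

```shell
#!/bin/sh
# Added example (not from the thread, not dd-wrt's own code): forward PPTP
# through a dd-wrt NAT router to an internal PPTP server.
# PPTP needs two things opened on the WAN side:
#   - TCP/1723, the control channel
#   - GRE, IP protocol 47 (a protocol number, not a port)
# Module names and iptables syntax follow the thread; 203.0.113.10 is a
# constructed sample WAN address, 192.168.10.1 the server from the thread.

# Return 0 for a well-formed dotted-quad IPv4 address, 1 for anything else,
# including the empty string `nvram get wan_ipaddr` yields before the WAN
# side has an address.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(echo "$1" | tr . ' '); do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print (do not run) the four iptables commands that forward PPTP arriving
# on WAN address $1 to the internal server $2. Only these two entry points
# are exposed; a DMZ rule would expose everything the server listens on.
pptp_forward_rules() {
    wan=$1
    srv=$2
    valid_ipv4 "$wan" || { echo "pptp_forward_rules: bad WAN address '$wan'" >&2; return 1; }
    valid_ipv4 "$srv" || { echo "pptp_forward_rules: bad server address '$srv'" >&2; return 1; }
    cat <<EOF
iptables -t nat -I PREROUTING -d $wan -p tcp --dport 1723 -j DNAT --to $srv:1723
iptables -I FORWARD -d $srv -p tcp --dport 1723 -j ACCEPT
iptables -t nat -I PREROUTING -d $wan -p 47 -j DNAT --to $srv
iptables -I FORWARD -d $srv -p 47 -j ACCEPT
EOF
}

# Load the GRE/PPTP connection-tracking helpers listed in the thread,
# skipping any that are already loaded or built into the kernel.
load_pptp_helpers() {
    for mod in nf_conntrack_proto_gre nf_conntrack_pptp nf_nat_proto_gre nf_nat_pptp; do
        grep -q "^$mod " /proc/modules 2>/dev/null && continue
        /sbin/insmod "$mod" 2>/dev/null || echo "note: could not load $mod (may be built in)" >&2
    done
}

# Dry run by default: print the rules so they can be read before use.
# APPLY=1 loads the helpers and executes the rules (root on the router).
wan_ip=${WAN_IP:-$(nvram get wan_ipaddr 2>/dev/null)}
srv_ip=${SERVER_IP:-192.168.10.1}
if [ "${APPLY:-0}" = 1 ]; then
    load_pptp_helpers
    pptp_forward_rules "$wan_ip" "$srv_ip" | sh -e
else
    pptp_forward_rules "${wan_ip:-203.0.113.10}" "$srv_ip" || true
fi
```

Run it without arguments at the router's ssh prompt to see the rules it would add; set WAN_IP explicitly when `nvram get wan_ipaddr` comes back empty. Rules inserted with `-I` at the prompt are gone after a reboot, so once they are confirmed working they belong in the router's saved firewall script rather than the one-off command box.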

Posted

Budman, please see if I am doing it right..

Should I copy paste the above 2 commands in the command shell and hit the run command button?

Do I need to restart the device?

PS: I know PPTP is ancient but there is nothing I can do about it at the moment.

[attached screenshot of the dd-wrt command shell page]


Posted

That should work, sure; I would do one line at a time.. Why are you not just at a ssh/telnet prompt?

As to restarting the device - no, I don't believe you should have to.. Been a long time since I played with actually using dd-wrt as edge router.. I run it currently, but only as AP.. I outgrew SOHO devices at my edge years and years ago ;)

They just do not have enough oomph for my needs.. dd-wrt makes them usable for sure.

While you're playing with your router - they released a new build a few days back.

ftp://dd-wrt.com/others/eko/BrainSlayer-V24-preSP2/2013/12-12-2013-r23082/


Posted

Unfortunately the script didn't work. Maybe my settings are not correct :(


Posted

Saw your PM, see my reply -- can you post your rules, PM is fine.. also maybe `nvram get wan_ipaddr` didn't work.. Might have to use your actual WAN IP in that.. You ran one at a time, right? What was the response? I would really suggest you work at the prompt vs that script GUI thing.

I might be able to find some time later this morning to TV in. Have to run to work here in a bit. Do a google for dd-wrt forwarding GRE. There is no way it will work unless GRE is forwarded to your PPTP machine. Who set up the original working config? You sure they just didn't put the thing in DMZ? I would not suggest that, nor would I really use my DC open to the public net either ;)


Posted

Thanks Budman, Let me work on the things you have suggested. I will reply later.


Posted

I bet you he just DMZ'd it, to be honest.. But creating the specific rules is best, or you expose everything that DC is listening on.
