Procedure for VPN passthrough

I just downloaded this firewall yesterday, so I have the latest version.

Windows XP SP2
Account is an administrator
Previous firewall was the Windows Firewall
I have AVG antivirus installed
Internet connection is cable

I was wondering if you guys had a setup article on opening 1723 for the Windows VPN. It is blocking the VPN dialer. I tried to create an access rule, but it didn't seem to work. However, there is some information that I am missing.

I set the source allow from x.x.x.205 and 206 (internal IPs), as that is the IP address that DHCP will assign the connecting computer. I realize that this is probably wrong, because the firewall will block the tunnel before an IP is assigned to the connecting computer (duh).

I could try to allow the connecting computer's external IP address, but I would prefer not to, as it is a residential cable ISP and those IPs are subject to change.

I could also try to open 1723 to any, which I guess wouldn't be too bad, as the ISP of the server machine blocks pings, blocks ICMP, etc., so that the public IP is sort of invisible.

Also, the connecting computer needs to use Remote Desktop. Do I need to open a port for 3389 (I think that is the right port), or is Comodo defaulted to allow RDP?

Sorry if this has been posted before; I tried a search and didn't see anything when I perused the FAQ.

Leadhead

PS: Oh yeah, does the rules list work like a router access list, in that the rules are read and applied from the top down? I noticed there was a "block any any" at the very bottom. That is pretty cool!

I'm a little confused (which is not unusual; nature of the day job). Are you referring to a VPN client trying to connect to a server, or are you setting up a server with inbound clients?

If you are running a server (I'll use PPTP as an example, as it runs on port 1723), then presumably you're trying to come in over the Internet. You can test things from another machine on your LAN to check out your rules.

Assuming your server is behind a NAT router in the typical home setup, you’ll need to have your router forward port 1723 to the PC with the VPN server. You’ll have to assign a fixed address to the PC, so the router knows where to forward the packets when they come in. If the router supports it, a dynamic DNS facility, like, can give a hostname to your router that Internet clients can use in their setup.

On the PC with the VPN server, CFP needs to allow TCP 1723 inbound on your LAN address. PPTP will go through a DHCP "boot" on the connecting client, and then assign an address to the client. You'll need rules to allow that. Without knowing something of the addresses, it's hard to describe the rules. I've done this, but it has been a while, and I was using a packet sniffer (Microsoft Network Monitor v3, a free download tool) to tweak rules as things broke. I'll try to dig up my notes for something more coherent. I do know that running the Network Monitor sniffer made setup a whole lot easier.

On the remote client that is trying to connect to the VPN server, you need to allow TCP 1723 outbound. There are a lot of client connection properties that need to be set properly. The one that seems to trip up most people is buried down in the IP connection properties: "Use default gateway on remote network". Watch out for that one if your Internet connection seems to disappear.

That will get you connected with that virtual wire LAN.

Now you get to set up rules for that virtual LAN, using those LAN addresses. This is a different set of CFP rules, and it makes no difference whether it's a VPN or a wired Ethernet adapter.

Network Monitor v3.1 is available for download at


It's a tunnel; if specific ports were opened, the protocol check might interfere.

I don't have a VPN here right now, but I think it's plausible.

Those tunnels,


Sorry, I wasn't all that clear. Basically, if I disable Comodo Firewall, the client can connect. Therefore my router and all the settings are correct. When I enable Comodo, the tunnel is blocked. I set an access policy to allow port 1723 inside, but I am still blocked.

When I say server, I just mean the machine that is performing the duties of routing and remote access, which is XP Pro in a workgroup.

Both machines involved have Comcast high-speed residential service. This means that their public IP addresses are subject to change (although not very often), as they are assigned via DHCP.

Anyway, I think I got it figured out. It is operator (me) error. Actually, just typing my first post out made me realize that I am retarded by trying to allow the internal DHCP-assigned IP instead of the external IP address.
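The mistake described above, and the top-down "first match wins, block any any at the bottom" ordering asked about earlier, as an added illustration that is not Comodo's code or anything from this thread: a minimal first-match rule evaluator run against the original rule set (source pinned to the internal pool addresses) and the corrected one (source any, destination the server's LAN address, TCP 1723). The server LAN address, the pool addresses and the client's public address are constructed examples.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "block"
    proto: str            # "tcp", "udp" or "any"
    src: str              # CIDR; "0.0.0.0/0" means any
    dst: str
    dport: Optional[int]  # None means any port

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in ("any", pkt.proto)
            and ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and (rule.dport is None or rule.dport == pkt.dport))

def evaluate(rules, pkt: Packet) -> str:
    """Top-down, first match wins; anything unmatched hits the final block."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "block"  # the implicit "block any any" at the bottom of the list

SERVER_LAN = "192.168.1.10"  # constructed: the VPN server's fixed LAN address
ANY = "0.0.0.0/0"
# First attempt from the thread: allow only the addresses the VPN pool hands out.
WRONG_RULES = [Rule("allow", "tcp", "192.168.1.205/32", SERVER_LAN + "/32", 1723),
               Rule("allow", "tcp", "192.168.1.206/32", SERVER_LAN + "/32", 1723),
               Rule("block", "any", ANY, ANY, None)]
# Corrected: the control connection arrives from the client's public address,
# which changes, so the source is left as any and only the port is pinned.
FIXED_RULES = [Rule("allow", "tcp", ANY, SERVER_LAN + "/32", 1723),
               Rule("block", "any", ANY, ANY, None)]
# Constructed packets as the NAT router forwards them to the server.
PPTP_SYN = Packet("tcp", "203.0.113.77", SERVER_LAN, 1723)  # VPN control channel
RDP_SYN = Packet("tcp", "203.0.113.77", SERVER_LAN, 3389)   # Remote Desktop

if __name__ == "__main__":
    for name, rules in (("wrong", WRONG_RULES), ("fixed", FIXED_RULES)):
        print(name, evaluate(rules, PPTP_SYN), evaluate(rules, RDP_SYN))
```

The RDP packet falls through to the final block under both rule sets, so 3389 needs its own rule rather than relying on a default; note also that a TCP-only rule never matches the PPTP data tunnel itself, which runs over GRE (IP protocol 47).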


No one is perfect; democracy solves anything.

Would you share in detail what you did, so we can benefit?