Windows 2003 VPN Server behind broadband router - what would you suggest?

Posted on 2005-03-22
Medium Priority
Last Modified: 2013-11-29
I am trying to set up our Windows 2003 Standard server as a PPTP VPN server on our small office network.  We have a Linksys WRV54G router as our gateway to the internet, so the VPN server is on our network BEHIND the router.  If I put the server in the DMZ, I can form a PPTP connection with no problems.  Needless to say, DMZ is a totally unacceptable solution.  When port 1723 is forwarded to the VPN server IP the connection does not work.  I get the following INBOUND entries in the router log from the VPN client (with sensitive IPs masked of course!):

RGFW-IN: ACCEPT (TCP 131.xxx.xxx.xxx:1257-> on ixp1) [200,0]
RGFW-IN: BLOCK-RULES (GRE 131.xxx.xxx.xxx->69.xxx.xxx.xxx on ixp1) [0,0]   <-- this line appears a total of 10 times for each connect attempt before client timeout

The 131 IP is the VPN client, the 192 IP the VPN server and the 69 IP the WAN IP on the router.

It would appear to me that the router is blocking the GRE (47) protocol and therefore preventing a VPN connection.  I have PPTP passthrough enabled (although it's my understanding that this only matters for outbound GRE traffic).

There is a wealth of information available on the internet about how Linksys routers simply DO NOT WORK with VPN servers behind them, so I don't hold much hope for a solution that involves not purchasing another router.  So that brings me to my two questions, the second of which I think is more likely to be answered.

1) Has anyone made this setup work with this particular router?  If so, do you have some suggestions for me?

2) Could you recommend another brand and model of router that you KNOW will work for me?  I've seen some threads online stating that people do have such a setup working for them (i.e. VPN server behind router) but I haven't found much information as to which specific models and I don't want to do trial-and-error purchasing.

If someone can solve my problem by answering question 1, then you will be my hero and your cookie will be 500 points.  Otherwise, I'll split the points among those who can provide some guidance in the purchase of a replacement router that will solve this problem.  Thanks everyone, in advance.
Question by:miketayeb2
LVL 13

Expert Comment

ID: 13608535
Hello.  I never would use a Windows server as a VPN server anyway, so my suggestion might be biased.
Cisco sells the PIX 501 for less than $500.  It is secure and can be set up as your firewall and VPN.
The setup is fairly quick, and if the WAN side needs DHCP, this one can handle it.
It also accepts the commands that the "big" PIXes do.


Expert Comment

by:Leo Alexander
ID: 13608733

Seems like you already know the answer to your first question. There are no surprises there. I agree with the Cisco hardware since it's obviously the best (and I believe it owns Linksys). But then you are not using your Win2k3 server like I'm assuming you want to do...

Expert Comment

ID: 13609371
>>>1) Has anyone made this setup work with this particular router?  If so, do you have some suggestions for me?

Not on this particular model.... You said you have port forwarding enabled? Did you enable 47 / 1723, both TCP and UDP port forwarding???

>>>Could you recommend another brand and model of router that you KNOW will work for me?  I've seen some threads online stating that people do have such a setup working for them (i.e. VPN server behind router) but I haven't found much information as to which specific models and I don't want to do trial-and-error purchasing.

Is your internet connection DSL???...

BTW.. is this your router?? http://www.linksys.com/products/product.asp?grid=33&scid=35&prid=681


Author Comment

ID: 13622236
gpriceee, smarturtle - I agree, the Cisco PIX 501 would be a good solution, but at a cost of $600 + tax CDN I would like to explore some cheaper options before I resort to spending that kind of money.  I never like to have to go to the boss with requests for capital purchases if I can solve the problem without one.  However, I may have to purchase one in this case.

HiS_Slyness - yes, I enabled both 1723 and 47 TCP and UDP, although I don't necessarily agree that port 47 is necessary.  PPTP uses GRE protocol 47 which, to my understanding, is not related to a TCP or UDP port.  There seems to be conflicting information in many places online regarding this, though.  In any case, the line in my router logs shows that GRE is being blocked, so I'm 99% sure that this is the problem; that this router simply does not allow GRE inbound.  I'm thinking that the PPTP passthrough is only for GRE outbound.  Also, our internet connection is 5 Mbps cable, not DSL.  I've checked with our ISP and they say that they are not blocking any ports or protocols because we are on a business connection.  And yes, the link you provided is the router I am using.
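
The diagnosis in the comment above (TCP 1723 accepted, GRE blocked ten times per attempt, and "port 47" forwards not helping) can be checked mechanically. The script below is an added example, not code from the question's author or from Linksys: it parses log lines in the RGFW-IN format quoted in the question, reports whether the PPTP control channel reached the router while the GRE data channel was dropped, and classifies router forwarding entries so that a TCP/UDP "port 47" entry is flagged as useless, because GRE is IP protocol 47 rather than a port. The sample log and the 131.0.2.10 / 69.0.2.20 addresses are constructed; the line format mirrors the two lines in the question, and the function and constant names are mine.

```python
"""Triage a NAT router's firewall log for a PPTP server placed behind it.

Added example (not from the original post).  The log format is modelled on the
RGFW-IN lines quoted in the question; addresses and counts are constructed.
"""
import re
from collections import Counter

PPTP_CONTROL_PORT = 1723   # PPTP control connection runs over TCP port 1723
GRE_IP_PROTOCOL = 47       # the data channel is GRE, IP protocol 47 (not a port)

# Constructed sample: one accepted TCP control packet followed by ten blocked
# GRE packets, the same shape the question reports for each failed attempt.
SAMPLE_LOG = (
    "RGFW-IN: ACCEPT (TCP 131.0.2.10:1257-> on ixp1) [200,0]\n"
    + "RGFW-IN: BLOCK-RULES (GRE 131.0.2.10->69.0.2.20 on ixp1) [0,0]\n" * 10
)

# verdict, protocol, src[:port] -> [dst][:port], interface.  The accepted TCP
# line in the question has an empty destination, so dst/ports are optional.
LOG_RE = re.compile(
    r"^RGFW-IN:\s+(?P<verdict>[A-Z-]+)\s+\("
    r"(?P<proto>[A-Z]+)\s+"
    r"(?P<src>\d+(?:\.\d+){3})(?::(?P<sport>\d+))?"
    r"->"
    r"(?P<dst>\d+(?:\.\d+){3})?(?::(?P<dport>\d+))?"
    r"\s+on\s+(?P<iface>\S+)\)"
)


def parse_line(line):
    """Return the fields of one RGFW-IN line as a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    for key in ("sport", "dport"):
        fields[key] = int(fields[key]) if fields[key] else None
    return fields


def diagnose(log_text):
    """Summarise the evidence for 'control channel reaches router, GRE is dropped'."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    counts = Counter((e["proto"], e["verdict"]) for e in events)
    control_accepted = counts[("TCP", "ACCEPT")] > 0
    gre_block_count = counts[("GRE", "BLOCK-RULES")]
    if control_accepted and gre_block_count:
        verdict = "pptp-control-ok-gre-blocked"   # the symptom in the question
    elif gre_block_count:
        verdict = "gre-blocked"
    elif control_accepted:
        verdict = "control-ok"
    else:
        verdict = "no-pptp-traffic-seen"
    return {
        "events": len(events),
        "control_accepted": control_accepted,
        "gre_block_count": gre_block_count,
        "verdict": verdict,
    }


def forwarding_entry_effect(proto, port=None):
    """Classify one router forwarding entry as 'control', 'data' or 'useless'.

    TCP 1723 admits the control channel.  Only an entry for the GRE protocol
    itself admits the data channel; TCP/UDP port 47 is unrelated to GRE.
    """
    proto = proto.upper()
    if proto == "TCP" and port == PPTP_CONTROL_PORT:
        return "control"
    if proto == "GRE" or (proto == "IPPROTO" and port == GRE_IP_PROTOCOL):
        return "data"
    return "useless"


def forwarding_is_sufficient(entries):
    """True only when both the TCP control channel and GRE data channel are admitted."""
    effects = {forwarding_entry_effect(proto, port) for proto, port in entries}
    return {"control", "data"} <= effects


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
    # The forwards the thread discusses (1723 plus 'port 47' TCP/UDP) are not enough:
    print(forwarding_is_sufficient([("TCP", 1723), ("TCP", 47), ("UDP", 47)]))
    # What is actually required: TCP 1723 plus the GRE protocol itself:
    print(forwarding_is_sufficient([("TCP", 1723), ("GRE", None)]))
```

Run against the real router log (one RGFW-IN line per row) the `diagnose` verdict "pptp-control-ok-gre-blocked" is the signature of a router that forwards TCP 1723 but has no way to admit inbound protocol 47; the `forwarding_is_sufficient` check makes explicit why adding TCP/UDP "port 47" entries cannot change that.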

Author Comment

ID: 13622252
Another quick note.....I spoke to a Linksys Technical Representative via online chat last night and s/he sent me a beta-version firmware that is supposed to address this issue.  Of course, I'm not holding my breath on that one.  I will try this firmware tonight; I can't do it while there are people in the office in case it pooches the router.

Author Comment

ID: 13643767
Naturally, the new Linksys firmware did nothing to fix the problem.
LVL 13

Accepted Solution

gpriceee earned 2000 total points
ID: 13643872
I have no problems with my Netgear installations for lower budgets (It's still a very good solution):

Just make sure you enable VPN pass through.

Author Comment

ID: 13678524
I managed to solve the problem by purchasing a D-Link DI-524 router to replace the Linksys WRV54G.  The D-Link engineers were smart.  Although you cannot control the permeability of the firewall to GRE directly, they did add some code that automatically allows incoming GRE when you open TCP port 1723 for PPTP.  Now why couldn't the folks at Linksys think of doing that?

This is a short-term solution....maybe for 6 months or so.  At that point, I will purchase a Cisco PIX 501 as gpriceee suggested.
