slater27

asked on

VPN not working from public internet but does work from local outside the firewall...

Hopefully an easy question here...

First a quick synopsis of the background to the problem:

I have set up VPN access into my SBS2003 box. I had logged another question on experts-exchange because initially my tests could not connect through to the server. I was attempting to connect through to the VPN server by plugging directly into the ADSL router and putting the test notebook on the external 10.0.0.x network (thus attempting to replicate being outside the network). My internal network is 192.168.0.x.  When testing in this manner I was using the actual public IP address however I could not connect. This was resolved when someone here said that I was testing it incorrectly and rather than put the external public static address I should be putting the 10.0.0.8 address which is to the "external NIC" on the SBS2003 box.  I tried this and the VPN worked successfully. I thought the problem had therefore been solved...

However I now have had the opportunity to attempt to VPN from a real external internet connection and unfortunately I cannot connect through. I'm getting an Error 721.

I have ensured that my firewall is off on the client to be sure but no luck.

What's different from connecting via the 10.0.0.x address through the ADSL router and a public internet address going through the same ADSL router (obviously via the ADSL connection rather than directly into a port on the back of the router)? I would have thought that both ways would still be routed by the router's same firewall routing rules? Or have I got this incorrect....??

Given that it works from the 10.0.0.x address the only difference is the source IP and the fact that the public IP is coming through the ADSL telephone link as opposed to a direct UTP connection into the router...

Any ideas?... I'm flying out tonight and need this resolved ASAP!!!...

Cheers.
Rob Williams

You will now need to connect to the WAN/Public IP of the ADSL router. The ADSL router also needs to be configured to forward PPTP traffic on port 1723 to the external IP of your server. The ADSL router also needs to be configured to allow GRE traffic, which is protocol 47 (not port 47). On many units this is done by enabling PPTP pass-through or VPN pass-through. This assumes you have only a combined ADSL router and not a second router. If you have both an ADSL router (combined modem and router) as well as a second router, the ADSL router will have to be put in bridge mode and the forwarding and pass-through allowed on the second router.
If you were to provide make and model of your equipment we could be more specific as to how to configure.
slater27

ASKER

Hi Robwill, thanks for your speedy response. It is a combined router/ADSL (Speed touch pro). I have copied all the settings below. From thinking about it some more it has to be a translation/routing table issue...somewhere this config is not right...

In regards to the ports and protocol 47, this is already set up in the NAT as you will see below. Remembering that VPN does work if I am on the 10.0.0.x network AND I am selecting the internal IP 10.0.0.8 of the SBS server. It doesn't work when I go to the external fixed IP of 61.9.247.216 from an external location.

Here's the config of the Speedtouch Pro:

Initial Setup:
IP address: 10.0.0.1
subnetmask 255.255.255.0

Phonebook:
Bigpond  VPI:8 VCI:35 Type:PPP Usage:Confirmed

PPP Dial-in Connections:
(None).

Routing:
IP ADDRESS TABLE
Intf      Address        Netmask          Type   Transl
BigPond   61.9.247.216   255.0.0.0        Auto   pat
eth0      10.0.0.1       255.255.255.0    User   none
loop      127.0.0.1      255.0.0.0        Auto   none

IP ROUTE TABLE:
Destination           Source        Gateway        Intf
10.0.0.0/24           10.0.0.0/24   10.0.0.1       eth0
61.9.247.216/32       any           61.9.247.216   BigPond
10.0.0.1/32           any           10.0.0.1       eth0
127.0.0.1/32          any           127.0.0.1      loop
255.255.255.255/32    any           10.0.0.1       eth0
10.0.0.0/24           any           10.0.0.1       eth0
default               10.0.0.8/0    61.9.247.216   BigPond

PPP:
Name       Encap    Mode         State    Status  
BigPond    vc-mux  always-on   up       on        

PPP CONFIG:
Authentication
 User :   (myname@static.bigpond)
 Password :  *******
 
Routing
 Connection Sharing:  Everybody
 Destination networks All networks
 Specific network  (Blank)
 Address translation (NAT-PAT)  (checked)
 Primary DNS  10.0.0.8   Secondary DNS  (none)
 
Options
 Local IP:   none
 Remote IP:  none
 Mode : always-on
 Idle time limit : (none)
 LCP echo(currently enabled)
 PAP(currently disabled)
 ACCOMP(currently enabled)

 CIP Interfaces:
(none)

CIP Connections:
(none)

PPTP Connections:
(None)

Bridging Ports:
(none)
 Aging: 300 seconds

DHCP:
NO DHCP

DNS Server Configuration
Server active (Checked)
Domain Name (My internal domain)

DNS hostname table:
[Hostname]        [address]
SpeedTouch       own address

Upgrade:
Active software version : GV8BAA3.290 (1007669)
Passive software version : GV8BAA3.290 (1007669)

When telnetting in to the Speed touch router and doing a NAT LIST you get the following:
Indx  Prot  Inside-address:Port   Outside-address:Port   Foreign-address:Port   Flgs  Expir  State  Control
   1     6  0.0.1.187:10          61.9.247.216:443       0.0.0.0:0                                  instance
   2     6  10.0.0.8:1723         61.9.247.216:1723      0.0.0.0:0                                  instance
   3    17  10.0.0.1:4672         61.9.247.216:4672      0.0.0.0:0                                  instance
   4     6  10.0.0.1:4711         61.9.247.216:4711      0.0.0.0:0                                  instance
   5     6  10.0.0.8:4125         61.9.247.216:4125      0.0.0.0:0                                  instance
   6     6  10.0.0.1:4662         61.9.247.216:4662      0.0.0.0:0                                  instance
   7    17  10.0.0.100:1029       61.9.247.216:10019     61.9.240.14:53            1     20     10
   8     6  10.0.0.1:4661         61.9.247.216:4661      0.0.0.0:0                                  instance
   9    17  10.0.0.1:4665         61.9.247.216:4665      0.0.0.0:0                                  instance
  10     6  10.0.0.8:61953        61.9.247.216:10026     67.19.96.18:80            1      1      6
  11    47  10.0.0.8:1            61.9.247.216:1         0.0.0.0:0                                  instance
  12    17  10.0.0.1:4672         0.0.0.0:4672           0.0.0.0:0                                  template
  13     6  10.0.0.1:4662         0.0.0.0:4662           0.0.0.0:0                                  template
  14     6  10.0.0.1:4661         0.0.0.0:4661           0.0.0.0:0                                  template
  15    17  10.0.0.1:4665         0.0.0.0:4665           0.0.0.0:0                                  template
  16     6  10.0.0.1:4711         0.0.0.0:4711           0.0.0.0:0                                  template
  17     6  10.0.0.8:1723         0.0.0.0:1723           0.0.0.0:0                                  template
  18    47  10.0.0.8:1            0.0.0.0:1              0.0.0.0:0                                  template
  19     6  10.0.0.8:4125         0.0.0.0:4125           0.0.0.0:0                                  template
  20     6  0.0.1.187:10          0.0.0.0:443            0.0.0.0:0                                  template

Further to this I did an open port check on 1723 from a workstation that sits behind the SBS2003 server (on the internal 192.168.0.x subnet) using canyouseeme.org

The website detected my workstation as my static IP on the router 61.9.247.216 and came back with "Success: I can see your service on 61.9.247.216 on port (1723) Your ISP is not blocking port 1723"

So from this it would appear that the 1723 port is open - does this necessarily mean that the packets are getting passed to the server?

Help!
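To make Rob's checklist concrete, here is an added Python example (not from this thread or from any SpeedTouch tool) that reads a NAT LIST in the layout quoted above and reports whether TCP 1723 and GRE (IP protocol 47, not port 47) are both forwarded to the same inside host, and separates the configured template/instance rows from the temporary PAT mappings that outbound connections create. The sample listing is constructed from the addresses in this thread; the column layout is an assumption based on the listing above.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of the SpeedTouch `nat list` output quoted
# above (same columns; the addresses are the ones used in this thread).
NAT_LIST = """\
Indx  Prot  Inside-address:Port   Outside-address:Port   Foreign-address:Port   Flgs  Expir  State  Control
   2     6  10.0.0.8:1723         61.9.247.216:1723      0.0.0.0:0                                  instance
   7    17  10.0.0.100:1029       61.9.247.216:10019     61.9.240.14:53            1     20     10
  11    47  10.0.0.8:1            61.9.247.216:1         0.0.0.0:0                                  instance
  17     6  10.0.0.8:1723         0.0.0.0:1723           0.0.0.0:0                                  template
  18    47  10.0.0.8:1            0.0.0.0:1              0.0.0.0:0                                  template
"""

PPTP_PORT, TCP, UDP, GRE = 1723, 6, 17, 47


@dataclass
class NatEntry:
    idx: int
    proto: int
    inside: str
    inside_port: int
    foreign: str
    foreign_port: int
    static: bool  # template/instance rows are configured forwards; rows with an expiry are dynamic PAT


# Indx, Prot, Inside addr:port, Outside addr:port (not captured), Foreign addr:port, then the rest
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+):(\d+)\s+\S+:\d+\s+(\S+):(\d+)(.*)$")


def parse_nat_list(text):
    """Parse `nat list` text; the header and blank lines do not match ROW and are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            idx, proto, inside, iport, foreign, fport, tail = m.groups()
            entries.append(NatEntry(int(idx), int(proto), inside, int(iport), foreign, int(fport),
                                    static=("template" in tail or "instance" in tail)))
    return entries


def pptp_forwarding_status(entries, server):
    """Rob's checklist: TCP 1723 forwarded to the server AND GRE (protocol 47) forwarded to the
    same host. Also flags the classic mistake of forwarding TCP/UDP *port* 47 instead."""
    static = [e for e in entries if e.static]
    tcp_1723 = any(e.proto == TCP and e.inside == server and e.inside_port == PPTP_PORT for e in static)
    gre = any(e.proto == GRE and e.inside == server for e in static)
    port47_mistake = any(e.proto in (TCP, UDP) and e.inside_port == 47 for e in static)
    return {"tcp_1723": tcp_1723, "gre_47": gre,
            "port_47_instead_of_protocol_47": port47_mistake,
            "pptp_ready": tcp_1723 and gre}


def dynamic_mappings(entries):
    """Temporary PAT entries created by outbound connections (they expire, so they come and go
    between successive `nat list` runs); returns (inside, port, foreign, port) tuples."""
    return [(e.inside, e.inside_port, e.foreign, e.foreign_port) for e in entries if not e.static]
```

A default-server rule of the kind used later in the thread (defserver addr 10.0.0.8) sends every unmatched inbound packet to that host, so passing this check with only the two specific forwards is the tighter configuration.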

ASKER CERTIFIED SOLUTION
Rob Williams
OK thanks Robwill for your comments. You may have tested just when I was testing, as I had disabled the firewall on the Speedtouch through telnet by issuing the nat command "defserver addr 10.0.0.8". This then immediately worked and I could VPN into the server. I have now re-enabled the firewall and it no longer works again. My external test is a notebook dialing out via bluetooth modem onto the internet via GPRS. So confirmed working with the speedtouch pro firewall off and not working when turned back on.

So therefore there is definitely something wrong with the configuration of the speedtouch pro. The fact that canyouseeme.org sees port 1723 as open is a bit baffling though, as that would seem to indicate that the port is OK, although it may be having a problem with GRE translation as you pointed out. Still, I am examining the NAT list as in my config above to see what might be the problem there, but at least the problem is narrowed right down now to the speedtouch pro router.

If you can focus your superior networking skills in this area you hopefully will be able to solve it much faster than me as I need time to pack my bags to catch my flight!!

I'll be keeping this onscreen and refreshed so if you do come up with something let me know asap!! Many thanks for your suggestions thus far!...
Which model SpeedTouch?
I will look through the manual to see if there is anything I can find. Specifically are there any options such as "allow PPTP pass-through" ?
Some older Alcatel Speedtouch units I have seen have High, medium, low and off firewall security settings. Is this the case here? Seems to me if so, it requires the medium setting, high and low will not work.
It's simply called a "Speedtouch Pro". From info on the net it is one of the earlier ADSL models provided by Telstra in Australia. There was a speedtouch home and a speedtouch pro. Then there were some later models with numbers after them. However this one is definitely referred to as simply the Speed Touch Pro.

There is no "allow PPTP pass-through" option and no high, medium, low and off setting. If you look back at my configuration above, that is effectively a copy from each available setting on the web interface of the Speedtouch pro. Other than that you have to telnet in to do NATs.
Seems others have had problems as well, but I found no solutions. As you suggested it must be the firewall. I can't seem to find any further information on how to configure it. There are dozens of Speed touch units with even more firmware versions for different vendors. I will keep looking and let you know if I find anything.
--Rob
OK. Just in case it is a firmware problem I found a later firmware revision at http://www.nzdsl.co.nz/software/alcatel/Default.htm . I installed it - Gv8bab3.281 (1005372)  - however unfortunately it has not resolved the problem.

Certainly from the NAT perspective the entries for VPN specifically seem fine.... Are the IP Route table and the options below it correct?....

For example, are the following options correct? What's PAP, LCP echo and ACCOMP? And should I have the local IP defined as 10.0.0.1 and remote IP as 61.9.247.216?
Options
 Local IP:   none
 Remote IP:  none
 Mode : always-on
 Idle time limit : (none)
 LCP echo(currently enabled)
 PAP(currently disabled)
 ACCOMP(currently enabled)
I am not very familiar with these protocols but there should be no need for any of them:
LCP echo - Link Control Protocol Echo
PAP -Password authentication protocol
ACCOMP - Access Control Compression

However I would think you have to configure the local and remote IPs: Local 10.0.0.8 and remote 0.0.0.0 = any

Wonder if you should consider un-binding PPTP and GRE as per article below. Seems backward to my thinking but if it makes sense to you you could try.
http://www.speedtouch.net.nz/DisableALG.htm
Unfortunately the unbinding is only relevant to the SpeedTouch 500 / 600, not the Pro. I have already tried this before :o)

I do have something weird happening now though. I thought I'd check the NAT list after the firmware upgrade and noticed a few additional entries in the tables that were not there before. I thought I'd simply clear all the port forwards and start afresh; perhaps the reissuing of the nat create under the new firmware might spark it into life. However I'm now finding that on each list (after I deleted them all) I'm getting weird port forwards appear and then disappear...?

Here are some repeated NAT lists with no change in between: (Very odd)

[nat]=>list
Indx  Prot  Inside-address:Port   Outside-address:Port   Foreign-address:Port   Flgs  Expir  State  Control
   1     6  10.0.0.8:63704        61.9.247.216:10078     67.19.96.18:80            1      8      5
   2     6  10.0.0.8:63706        61.9.247.216:10080     67.19.96.18:80            1      8      5
   3     6  10.0.0.8:63707        61.9.247.216:10081     67.19.96.18:80            1     60      1
[nat]=>list
Indx  Prot  Inside-address:Port   Outside-address:Port   Foreign-address:Port   Flgs  Expir  State  Control
   1     6  10.0.0.8:63704        61.9.247.216:10078     67.19.96.18:80            1      8      5
   2     6  10.0.0.8:63708        61.9.247.216:10082     67.19.96.18:80            1     60      1
   3     6  10.0.0.8:63706        61.9.247.216:10080     67.19.96.18:80            1      8      5
   4     6  10.0.0.8:63707        61.9.247.216:10081     67.19.96.18:80            1      8      5
[nat]=>list
Indx  Prot  Inside-address:Port   Outside-address:Port   Foreign-address:Port   Flgs  Expir  State  Control
   1     6  10.0.0.8:63704        61.9.247.216:10078     67.19.96.18:80            1      8      5
   2    17  10.0.0.8:63709        61.9.247.216:10084     70.112.78.227:20011       1     20     10
   3     6  10.0.0.8:63710        61.9.247.216:10085     132.211.194.39:59216      1     60      1
   4     6  10.0.0.8:63708        61.9.247.216:10082     67.19.96.18:80            1      1      6
   5     6  10.0.0.8:63706        61.9.247.216:10080     67.19.96.18:80            1      8      5
   6     6  10.0.0.8:63707        61.9.247.216:10081     67.19.96.18:80            1      8      5
[nat]=>list
Indx  Prot  Inside-address:Port   Outside-address:Port   Foreign-address:Port   Flgs  Expir  State  Control
   1     6  10.0.0.8:63704        61.9.247.216:10078     67.19.96.18:80            1      8      5
   2    17  10.0.0.8:63709        61.9.247.216:10084     70.112.78.227:20011       1     20     10
   3     6  10.0.0.8:63710        61.9.247.216:10085     132.211.194.39:59216      1     60      1
   4     6  10.0.0.8:63706        61.9.247.216:10080     67.19.96.18:80            1      8      5
   5     6  10.0.0.8:63707        61.9.247.216:10081     67.19.96.18:80            1      8      5
[nat]=>list
Indx  Prot  Inside-address:Port   Outside-address:Port   Foreign-address:Port   Flgs  Expir  State  Control
   1    17  10.0.0.8:63709        61.9.247.216:10084     70.112.78.227:20011       1     20     10
   2     6  10.0.0.8:63710        61.9.247.216:10085     132.211.194.39:59216      1     60      1
   3     6  10.0.0.8:63706        61.9.247.216:10080     67.19.96.18:80            1      8      5
   4     6  10.0.0.8:63707        61.9.247.216:10081     67.19.96.18:80            1      8      5
[nat]=>list
Indx  Prot  Inside-address:Port   Outside-address:Port   Foreign-address:Port   Flgs  Expir  State  Control
   1    17  10.0.0.8:63709        61.9.247.216:10084     70.112.78.227:20011       1     20     10
   2     6  10.0.0.8:63710        61.9.247.216:10085     132.211.194.39:59216      1     60      1
[nat]=>list
Indx  Prot  Inside-address:Port   Outside-address:Port   Foreign-address:Port   Flgs  Expir  State  Control
   1    17  10.0.0.8:63709        61.9.247.216:10084     70.112.78.227:20011       1     20     10
   2     6  10.0.0.8:63712        61.9.247.216:10087     67.19.96.18:80            1     60      1
   3     6  10.0.0.8:63710        61.9.247.216:10085     132.211.194.39:59216      1     60      1
[nat]=>
These may be temporary mappings created by outgoing connections, especially where mostly port 80. They tend to choose any available port.
OK, I went back to the original firmware and now all my original port forwards are back again?.... It seems that the new firmware I tried was not right - very strange....

It could mean though that some of these firmwares do not work properly and therefore it still could be an issue with the firmware I have...I'm now going to look for some others to try.
Sorry, I posted in between your response. Is that normal behaviour then, to see ports dynamically update like that in quick succession? Perhaps my original firmware didn't support these dynamic updates and the newer one does...

Which means that perhaps if I go back again to the new one and try and re enter the VPN ports it may be worth a try...?

First confirm if the above is normal, as it wasn't on my original firmware!!
I wonder if the difference is just the reporting and you didn't get that information before. The previous list appears to be a static NAT list as opposed to the latter which seems more like a log report. At the risk of displaying my ignorance.....on a NAT router when a PC makes an outgoing connection to a site such as a web site, the router 'tags' the request and assigns a temporary port number. When the reply comes back it knows by the port number which PC to send the reply to. Thus, the temporary NAT table.

I did read in several forums about some versions being "flaky" especially the newest ones. However all references I read were quite different version numbers, so I believe they were for different models. Also noticed the commands and options changed with some versions.
If interested the following link has lots of similar information and many links within the text. Doesn't appear to apply to your SpeedTouch but still may be of some interest:
http://forums.whirlpool.net.au/forum-replies-archive.cfm/458420.html

Have to head out to a service call for a while.
--Rob
OK, I tried putting in the options section Local 10.0.0.8 and remote 0.0.0.0 = any. However it wouldn't take 0.0.0.0 in the remote. So I also thought I'd try Local 10.0.0.8 and remote 61.9.247.216. That simply hung the router up...wouldn't reconnect to the net. I then thought that perhaps the local shouldn't be the server address but instead the router address, so I tried that also, i.e. Local 10.0.0.1 and remote 61.9.247.216 - same result, wouldn't connect to the net. So my final test was to try both server and ADSL IPs for the local and leave the remote blank. 10.0.0.1 as local by itself did the same thing. 10.0.0.8 didn't hang up the router (i.e. web interface could still work) but it simply wouldn't connect....

I then turned all these off:

LCP echo - Link Control Protocol Echo
PAP -Password authentication protocol
ACCOMP - Access Control Compression

The link came back up but when I tried to VPN in I got a 678 error not respond.

So I turned them all on. The link kept trying to come back up and wouldn't. So from all these results I would say that these options relate to the router dialing up the ISP to connect rather than specific options for the link once it is up.

By the way I found the manual here: http://www.speedtouchdsl.com/pdf/stpro_manual_01.pdf
Looking at the manual, there is no reference to PPTP, GRE, VPNs or VPN pass-through, other than for ISP connections. Adding to that, look at the first "NAT LIST". In addition to your NAT configurations, there are other obscure mappings that I assume you did not set up. If they are outgoing, automatically configured/temporary NAT connections, then the PPTP and GRE are outgoing as well, based on the inside and outside addressing, probably for ISP type connections. I am wondering if the router supports PPTP incoming connections at all. Some older units do not. Is the router supplied by your ISP? Wondering if it is possible to confirm whether it is supported with them?
I'm not being much help here.
--Rob
slater27, any luck with this, and were you able to confirm if the router was VPN compatible?
--Rob
I have closed this now. At the time I had left promptly via plane to Melbourne and couldn't respond. The VPN ended up working remotely; it was the testing mechanism through my bluetooth GPRS modem connection to my notebook which was causing the problem. Points awarded for the great help that Robwill provided regardless, and he was on to it when he said that he could get through to the VPN himself but couldn't login without the username and password.
Cheers.
Thanks slater27.
--Rob