Solved

Setting up the router for VPN

Posted on 2007-11-29
8
1,919 Views
Last Modified: 2012-05-05
Hi,

I got a Windows Server 2003 SBS that is acting as a VPN server. It is behind a D-Link EBR-2310 router that is acting as a firewall.

PPTP passthrough is enabled and port 1723 is forwarded to my VPN server IP address.

However, it is impossible to establish a VPN connection even if my router setup looks fine. The only way I can make the connection work is by putting my server in the DMZ zone in my router config, which is unacceptable.

Is this a limitation of this router that can't accept incoming VPN connections? If so, what model of router would work for me? Thank you.
0
Question by:controlgmc
8 Comments
 
LVL 18

Expert Comment

by:PowerIT
ID: 20380603
What are the IP-ranges assigned to:
- your internal network
- your DMZ
- The client trying to connect
Both sides cannot have the same subnet.

Also, allowing VPN is not only opening and forwarding ports. You need to enable the protocols also. GRE in this case. (ESP too for L2TP). By default this could be open to your DMZ but not internally. You may need to add your own rules.

J.
0
 

Author Comment

by:controlgmc
ID: 20382397
They do not have the same subnet.

Also, the config of the router only allows port forwarding AND PPTP passthrough, which is equivalent to enabling the GRE protocol as I understand it. If this is not the case, how do I enable the GRE protocol?

I think the problem really comes from the router not accepting incoming VPN connections unless the VPN server IP is in DMZ, which is equivalent to having no firewall at all.

Is it possible that my router won't ever accept incoming VPN connections?
0
 
LVL 18

Accepted Solution

by:
PowerIT earned 500 total points
ID: 20382691
The DMZ on those kinds of small models is indeed no real DMZ, but a full open and forward to one IP. Not good indeed.
PPTP passthrough is from your network to the outside, for several internal clients connecting to different VPN servers going OUT.
This would not enable GRE incoming.
Somehow you also need to forward the protocol to your VPN server. By enabling 'DMZ' you are just doing that, but in a crude way.
You'll have to create an additional rule. BTW, GRE is protocol 47 (not port 47). But I doubt that this is possible on such a basic SOHO router.

BTW, which revision of the 2310 do you have? At the end of the part number there is an A1 or B1, which means revision A or B.
So I can have a look at the manual.
Also, does it run the latest firmware? http://www.dlink.com/products/support.asp?pid=478&sec=0#firmware
From a quick look it seems indeed like it's not suited for incoming VPN.

As an alternative you can replace it with something else. I recommend ZyXel for this type of environment. But they also have models that don't support incoming VPN. Have a look here on how to do this and which models support it: http://www.zyxel.com/web/support_knowledgebase_detail.php?KnowledgeBaseID=2053
They can even act as VPN server / endpoint.
If you have a look at the Zywall prices then you'll understand why they are such a well kept secret: the price is too low for what they offer ;-)

J.
0

 

Author Comment

by:controlgmc
ID: 20396270
Thank you, I think it is really the router indeed that is the cause of my problem. I did some research on routers that would allow incoming VPN (PPTP). I came up with your suggestion, ZyXel (ZyWall 5), which is around 500$, and the SonicWALL TZ 170 SP, which is around the same price.

They both offer similar specifications.

I'm simply wondering... I was used to buying routers for around 100$. This is a major upgrade. Is 500$ the lowest price I can pay for a router with the VPN capability? Isn't there a model for around 250$?

Thank you in advance.
0
 
LVL 18

Assisted Solution

by:PowerIT
PowerIT earned 500 total points
ID: 20397842
Sorry to bring you the bad news, but your analysis is correct. We are talking about REAL firewalls here, which can follow and analyse traffic.
The cheapos are very basic, as you have seen. A real firewall/UTM needs more computing power. I'm actually very pleased that prices have dropped to 500$ and have not yet seen any at 250$. Maybe within a year or so.

J.
0
 

Expert Comment

by:nate2170
ID: 21357708
Older D-Link Models used to offer this capability - such as the D04. They had a "Virtual Server" option that would open GRE. I have not found any of the newer models that will do this.
0
 

Expert Comment

by:OurTech
ID: 24418176
The EBR 2310 is fully capable of accepting incoming VPN connections without enabling DMZ. You need to go to the Virtual Server page (under Advanced) and forward protocol 47 to your server's IP address. Then go to port forwarding and forward port 1723 to your server.
0
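A constructed check of the three configurations discussed in this thread (the asker's port-1723-plus-passthrough setup from the accepted solution, the protocol-47 Virtual Server fix above, and the DMZ host workaround), as an added example that is not part of the original thread. RouterConfig is an assumed abstraction of those router menus, not D-Link's config format, and 192.168.0.10 is a sample address.

```python
# Added illustration (not from the thread): models the router menus discussed
# (port forwarding, "Virtual Server" protocol forwarding, PPTP passthrough,
# DMZ host) and checks whether inbound PPTP can reach a VPN server.
from dataclasses import dataclass, field
from typing import Optional

PPTP_CONTROL_PORT = 1723  # TCP control channel
GRE_PROTOCOL = 47         # IP protocol number that carries the tunnel; not a port

@dataclass
class RouterConfig:
    port_forwards: list = field(default_factory=list)      # (transport, port, dest_ip)
    protocol_forwards: list = field(default_factory=list)  # (ip_protocol, dest_ip)
    pptp_passthrough: bool = False  # NAT helper for outbound PPTP clients only
    dmz_host: Optional[str] = None  # all unsolicited inbound traffic goes here

def check_inbound_pptp(cfg: RouterConfig, vpn_server: str) -> dict:
    """Return whether inbound PPTP to vpn_server works, its exposure, and why."""
    findings = []
    if cfg.dmz_host == vpn_server:
        findings.append("DMZ host: every port and protocol reaches the server (no firewall)")
        return {"works": True, "exposure": "full", "findings": findings}
    control_ok = any(t.lower() == "tcp" and p == PPTP_CONTROL_PORT and ip == vpn_server
                     for t, p, ip in cfg.port_forwards)
    gre_ok = any(proto == GRE_PROTOCOL and ip == vpn_server
                 for proto, ip in cfg.protocol_forwards)
    if not control_ok:
        findings.append("TCP 1723 is not forwarded to the VPN server")
    if not gre_ok:
        findings.append("protocol 47 (GRE) is not forwarded: TCP 1723 connects, tunnel never comes up")
        if cfg.pptp_passthrough:
            findings.append("PPTP passthrough only helps outbound clients; it is not a GRE forward")
    if any(p == GRE_PROTOCOL for _, p, _ in cfg.port_forwards):
        findings.append("a port-forward for 'port 47' does nothing; 47 is a protocol number")
    return {"works": control_ok and gre_ok, "exposure": "scoped", "findings": findings}

VPN_SERVER = "192.168.0.10"  # constructed sample address
# The asker's setup: TCP 1723 forwarded plus passthrough, nothing for GRE.
ASKER_CONFIG = RouterConfig(port_forwards=[("tcp", 1723, VPN_SERVER)], pptp_passthrough=True)
# The fix from the thread: forward protocol 47 on the Virtual Server page too.
FIXED_CONFIG = RouterConfig(port_forwards=[("tcp", 1723, VPN_SERVER)],
                            protocol_forwards=[(47, VPN_SERVER)])
# The workaround the asker rejected: DMZ host.
DMZ_CONFIG = RouterConfig(dmz_host=VPN_SERVER)

if __name__ == "__main__":
    for name, cfg in [("asker", ASKER_CONFIG), ("fixed", FIXED_CONFIG), ("dmz", DMZ_CONFIG)]:
        print(name, check_inbound_pptp(cfg, VPN_SERVER))
```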
 

Expert Comment

by:nate2170
ID: 24419960
Actually, since this time, I have discovered several small business class routers for under $200 that do GRE (protocol 47). The Linksys RV042 does this quite nicely for around $150 and has 2 WAN ports.
0
