PPTP thru SUSEfirewall

 
 
Leslie.E.Zeigler

 
      07-05-2007, 04:55 AM
Hi.

I'm usually pretty good at solving my own issues but this time, I'm
ready for some help... IF there is anyone out there who is up to the
challenge. It seems that in my ongoing quest to solve this particular
problem, there are scores of unanswered posts online with the same or
similar situation that have just been ignored for months or even
years.

Anyhow, I have racked my brain on this one and could use some insight.

I maintain a small and relatively simple network.
There are about 5 or 6 computers on a small internal network all using
a SUSE router with firewall enabled. We have NAT enabled and all of us
have no problem with the network or connection sharing. Port
forwarding is pretty straightforward as well. However, I am trying to
set it up so we can use VPN from the outside world and that is where
the problem lies.
I have done the research and know that I must forward port 1723 to the
internal VPN server on our internal LAN and have done that. I have
also enabled protocol 47 per the instructions found all around the
Internet. So, I have met the requirements for PPTP as per all of the
instructables I have read and while I can VPN from our internal LAN to
a destination, I cannot accept incoming VPN connections thru the SUSE
firewall. I have bypassed the router for testing purposes and
connected the modem directly to the VPN server and it accepts incoming
VPN connections just fine that way. But, as soon as the network goes
back up, the firewall prevents traffic from flowing to the VPN
server.

I know that port 1723 is reserved for VPN traffic but it seems, by
reviewing my firewall logs, that a lot of incoming VPN traffic is not
originating from port 1723. If that is the case, what ports do I open
and forward to the VPN server for VPN traffic so we can get these
outside computers to connect thru our router/firewall?
What is the point of saying port 1723 is for VPN traffic if there is a
wide range of ports used for incoming VPN traffic?

So, could this be the problem? The firewall (SUSE firewall2) is
blocking the incoming traffic because it is not port 1723 therefore
has no way to be properly routed? Just a shot in the dark there but it
seems to be the only sensible answer until I can find one or someone
answers one of those old, abandoned posts asking basically the same
question as I am here.

Any help is greatly appreciated!!

-Les

 
Bob

 
      07-05-2007, 01:51 PM
On Thu, 05 Jul 2007 04:55:07 +0000, Leslie.E.Zeigler wrote:

<clip>

> I know that port 1723 is reserved for VPN traffic but it seems, by
> reviewing my firewall logs, that a lot of incoming VPN traffic is not
> originating from port 1723. If that is the case, what ports do I open and
> forward to the VPN server for VPN traffic so we can get these outside
> computers to connect thru our router/firewall? What is the point of
> saying port 1723 is for VPN traffic if there is a wide range of ports used
> for incoming VPN traffic?
>
> So, could this be the problem? The firewall (SUSE firewall2) is blocking
> the incoming traffic because it is not port 1723 therefore has no way to
> be properly routed? Just a shot in the dark there but it seems to be the
> only sensible answer until I can find one or someone answers one of those
> old, abandoned posts asking basically the same question as I am here.
>


I too am no expert but I think you may have accurately diagnosed the
problem. I don't use VPN but have used several broadband routers that have
special settings to allow VPN, above and beyond port forwarding and port
triggering. I suspect that SuSE's firewall is not sophisticated enough
to handle VPN. There may be no answers given because there may be no
answer possible for SuSE's firewall.

It might be worth it for you to invest in a dedicated broadband router
from Netgear, Linksys, D-Link, etc. Be sure to get one that claims VPN
support on the box -- not all models do so. You can get broadband routers
with very sophisticated firewall functions, VPN support, built-in gigabit
switch, and wireless support for under $200. That is a lot for the money.

Bob
 
Leslie.E.Zeigler

 
      07-07-2007, 08:07 PM
On Jul 5, 8:51 am, Bob <b...@dont.spam.me> wrote:
> On Thu, 05 Jul 2007 04:55:07 +0000, Leslie.E.Zeigler wrote:
>
> <clip>
>
> > I know that port 1723 is reserved for VPN traffic but it seems, by
> > reviewing my firewall logs, that a lot of incoming VPN traffic is not
> > originating from port 1723. If that is the case, what ports do I open and
> > forward to the VPN server for VPN traffic so we can get these outside
> > computers to connect thru our router/firewall? What is the point of
> > saying port 1723 is for VPN traffic if there is a wide range of ports used
> > for incoming VPN traffic?

>
> > So, could this be the problem? The firewall (SUSE firewall2) is blocking
> > the incoming traffic because it is not port 1723 therefore has no way to
> > be properly routed? Just a shot in the dark there but it seems to be the
> > only sensible answer until I can find one or someone answers one of those
> > old, abandoned posts asking basically the same question as I am here.

>
> I too am no expert but I think you may have accurately diagnosed the
> problem. I don't use VPN but have used several broadband routers that have
> special settings to allow VPN, above and beyond port forwarding and port
> triggering. I suspect that SuSE's firewall is not sophisticated enough
> to handle VPN. There may be no answers given because there may be no
> answer possible for SuSE's firewall.
>
> It might be worth it for you to invest in a dedicated broadband router
> from Netgear, Linksys, D-Link, etc. Be sure to get one that claims VPN
> support on the box -- not all models do so. You can get broadband routers
> with very sophisticated firewall functions, VPN support, built-in gigabit
> switch, and wireless support for under $200. That is a lot for the money.
>
> Bob


modprobe ip_nat_pptp was the fix I needed.
Everything now works as it should.
Thanks for all the help and good luck to those who are dealing with
this same problem. Hope this thread helps you should you happen to
find it.

-Les
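
The fix above follows from how PPTP crosses NAT: the control channel is TCP to destination port 1723 (the client's source port is arbitrary), while the tunnelled data is GRE, IP protocol 47, which has no ports for a forwarding rule to match. As an added example that is not part of the thread (log lines and module lists are constructed samples in netfilter LOG style, function names are hypothetical), this script summarises firewall log lines and checks whether the PPTP NAT helper is loaded:

```shell
#!/bin/sh
# Added example. Sample log lines are constructed; addresses are documentation ranges.

sample_log() {
cat <<'EOF'
Jul  7 19:58:01 gw kernel: SFW2-FWDext-ACC-FORW IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.168.1.10 LEN=60 TTL=52 PROTO=TCP SPT=51344 DPT=1723 SYN
Jul  7 19:58:02 gw kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=61 TTL=52 PROTO=47
Jul  7 19:58:05 gw kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=61 TTL=52 PROTO=47
Jul  7 19:58:09 gw kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=48 TTL=110 PROTO=TCP SPT=1723 DPT=80 SYN
EOF
}

# Read log lines on stdin; count PPTP control (TCP, destination port 1723)
# and GRE (IP protocol 47, logged without ports) packets, and how many were dropped.
pptp_log_summary() {
    awk '
        / PROTO=TCP / && / DPT=1723( |$)/ { ctl++; if (/-DROP-/) ctl_drop++ }
        / PROTO=47( |$)/                  { gre++; if (/-DROP-/) gre_drop++ }
        END { printf "control=%d control_dropped=%d gre=%d gre_dropped=%d\n",
                     ctl, ctl_drop, gre, gre_drop }
    '
}

# $1: file in /proc/modules format (defaults to the live list).
# ip_nat_pptp is the name used in the thread; nf_nat_pptp is its name on later kernels.
pptp_nat_helper_loaded() {
    grep -Eq '^(ip_nat_pptp|nf_nat_pptp) ' "${1:-/proc/modules}" 2>/dev/null
}

# Log lines on stdin, optional modules file as $1; prints a one-word verdict.
pptp_diagnose() {
    mods=${1:-/proc/modules}
    summary=$(pptp_log_summary)
    gre_dropped=${summary##*gre_dropped=}
    ctl_dropped=${summary#*control_dropped=}; ctl_dropped=${ctl_dropped%% *}
    if [ "$ctl_dropped" -gt 0 ]; then
        echo "tcp-1723-blocked"
    elif [ "$gre_dropped" -gt 0 ] && ! pptp_nat_helper_loaded "$mods"; then
        echo "gre-dropped-helper-missing"
    elif [ "$gre_dropped" -gt 0 ]; then
        echo "gre-dropped-check-rules"
    else
        echo "ok"
    fi
}

sample_log | pptp_log_summary
sample_log | pptp_diagnose
```

To run it against real data, pipe the firewall's kernel log into `pptp_diagnose` in place of `sample_log`.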

 