What port numbers and type (TCP or UDP) do I need to open for VPN

Gurus,

What port numbers and type (TCP or UDP) do I need to open up on my Linksys
Firewall/Router so that I can VPN into a computer sitting behind my
Firewall/Router. I know how to do port-forwarding, I just need the VPN port
numbers and type.

 

It's not as simple as port forwarding. If you want to connect to a pptp
server behind a NAT router, the router has to actively support pptp server
publishing. If your router does not have that feature, it isn't going to
work. Same for IPSec.

Normally the PPTP or IPSec tunnel endpoints are on the public interface, not
inside NAT.

 

I assume you will be using pptp unless you are using Windows 2003 Server as a VPN
server and have the NAT-T client installed on the VPN client machines which would
also need computer certificates for l2tp. If that is correct you need to port forward
port 1723 TCP to your VPN server/computer accepting inbound and allow protocol
47/gre. I believe Linksys has an option to enable pptp passthrough which enable
protocol 47 access. I also suggest you configure the VPN client connectoid properties
to use pptp in network type instead of auto if available. Windows 2000 for instance
will try l2tp first if auto is selected. --- Steve

 

If you have VPN connections using PPTP, you will need to allow TCP port 1723
and IP protocol port 47 to pass through your firewall. If you are using
L2TP/IPSec, you will need UDP port 500 and IP protocol port 50 to pass
through the firewall. If you are using AH/ESP in your IPSec policies, you
will also need IP protocol port 51 to pass.

Doubtful that any SOHO router supports the flexible rules for IP protocol.
One of my Linksys routers has just one radio button for IPSec pass-through
and another one for PPTP pass-through. Certainly this is not a firewall but
Swiss cheese.

 

No, it could mean the opposite. Less features mean less opportunity for
flaws and vulnerabilities. The more "feature filled" and complicated a
Device becomes, the greater the chance of security problems. That's why the
"Keep it simple" philosophy is such a good motto to live by.

 

I prefer to know what's going on behind the curtain and keep my hands dirty.
Anyway, SOHO "router" is neither a router nor a firewall as you perfectly
awared and isn't too configurable, that was my point as always.

 

I agree about the SOHO things. They aren't a router, they are a NAT Device.
They can legitimately be called a firewall, however they would be a
"light-weight" firewall.

 

I would agree with the 'light-weight' definition if you mean 'one-way' or
'input/inbound only'.

 

We can bat words around all day, but the whole term "firewall" is just a
generic "slang" term to begin with. Cisco in their CCNA Certification
material refers to a regular LAN router as a "broadcast firewall" because it
blocks broadcasts from moving across subnets. Anything that prevents
packets from moving from point A to point B is technically a "Firewall".
Even RRAS on Server2000 & 2003 can be made into a "firewall" by using either
NAT or by using only packet filtering if NAT isn't required,...most often
both are combined together. A device is classified as a firewall by what is
does with the flow of data, not by having to meet someone's arbitrary
"quality standard".

Firewalls have been around long before anyone ever heard of "stateful
filtering" and any of the other modern concepts people think of today. There
were firewalls in private high security environments even before there was
an Internet for that matter.

 

Sorry if I am boring you.
I don't care if Cisco or MS or anyone else invents new definitions for the
old matter or marketing purposes every day and I wouldn't refer to a
/firewall/ word as a slang. Certainly it could be a slang word in some
closed communities of certificate holders ) but Firewall is "any thing"
used to block unsolicited traffic like a real fire wall blocks a real fire,
i.e. both ways, otherwise this is not a firewall but an imitation and
forgery.