What port numbers and type (TCP or UDP) do I need to open for VPN

Discussion in 'Windows Networking' started by Spin, Sep 16, 2004.

  1. Spin

    Spin Guest

    Gurus,

    What port numbers and type (TCP or UDP) do I need to open up on my Linksys
    Firewall/Router so that I can VPN into a computer sitting behind my
    Firewall/Router. I know how to do port-forwarding, I just need the VPN port
    numbers and type.
     
    Spin, Sep 16, 2004
    #1

  2. It's not as simple as port forwarding. If you want to connect to a PPTP
    server behind a NAT router, the router has to actively support PPTP server
    publishing. If your router does not have that feature, it isn't going to
    work. Same for IPSec.

    Normally the PPTP or IPSec tunnel endpoints are on the public interface, not
    inside NAT.
     
    Steve Bruce, mct, Sep 17, 2004
    #2

  3. I assume you will be using PPTP unless you are using Windows 2003 Server as a VPN
    server and have the NAT-T client installed on the VPN client machines, which would
    also need computer certificates for L2TP. If that is correct, you need to port forward
    port 1723 TCP to your VPN server/computer accepting inbound and allow protocol
    47/GRE. I believe Linksys has an option to enable PPTP passthrough, which enables
    protocol 47 access. I also suggest you configure the VPN client connectoid properties
    to use PPTP in network type instead of auto if available. Windows 2000, for instance,
    will try L2TP first if auto is selected. --- Steve
     
    Steven L Umbach, Sep 17, 2004
    #3
  4. Jetro

    Jetro Guest

    If you have VPN connections using PPTP, you will need to allow TCP port 1723
    and IP protocol port 47 to pass through your firewall. If you are using
    L2TP/IPSec, you will need UDP port 500 and IP protocol port 50 to pass
    through the firewall. If you are using AH/ESP in your IPSec policies, you
    will also need IP protocol port 51 to pass.

    Doubtful that any SOHO router supports the flexible rules for IP protocol.
    One of my Linksys routers has just one radio button for IPSec pass-through
    and another one for PPTP pass-through. Certainly this is not a firewall but
    Swiss cheese.
     
    Jetro, Sep 17, 2004
    #4
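    As an added example that is not part of the thread or of any poster's own
    configuration: the rules from posts #3 and #4 expressed for a Linux
    iptables router in front of the VPN server (an assumption; the Linksys box
    in the thread only has pass-through switches), together with a check that
    catches the usual mistake of forwarding TCP 1723 without the GRE data
    channel. UDP 4500 for IPsec NAT-T is not from the thread and is added here;
    the sample ruleset is constructed for the example.

```python
"""Firewall rules a VPN server behind a NAT router needs, and a check for them.

Added example, not code from the thread. It assumes a Linux netfilter
(iptables) router in front of the VPN server; the Linksys box in the
thread only offers PPTP/IPsec pass-through switches, so this is a model
of what those switches do. Protocol numbers come from the thread (GRE 47,
ESP 50, AH 51); UDP 4500 for IPsec NAT-T is added here.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# A rule is (protocol, destination port); port is None for protocols without ports.
Rule = Tuple[str, Optional[int]]

# What the router must admit and forward to the VPN server, per tunnel type.
REQUIRED: Dict[str, Set[Rule]] = {
    # PPTP: control channel on TCP 1723 plus the GRE (IP protocol 47) data channel.
    "pptp": {("tcp", 1723), ("gre", None)},
    # L2TP/IPsec without NAT-T: IKE on UDP 500 plus ESP (IP protocol 50).
    "l2tp-ipsec": {("udp", 500), ("esp", None)},
    # L2TP/IPsec with NAT-T (the Windows 2003 case in post #3): IKE on UDP 500,
    # ESP carried inside UDP 4500 so it survives address translation.
    "l2tp-ipsec-natt": {("udp", 500), ("udp", 4500)},
}

# AH (IP protocol 51) only if the IPsec policy uses it; AH authenticates the
# IP header, so it cannot pass a NAT that rewrites addresses.
AH_RULE: Rule = ("ah", None)

# Numeric protocol ids that may appear in "-p 47" style rules.
_PROTO_NAMES = {"6": "tcp", "17": "udp", "47": "gre", "50": "esp", "51": "ah"}
_PROTO_RE = re.compile(r"(?:^|\s)-p\s+(\S+)")
_DPORT_RE = re.compile(r"--dport\s+(\d+)")


def iptables_rules(vpn: str, wan_if: str, server_ip: str) -> List[str]:
    """Emit the DNAT and FORWARD lines that publish the VPN server on the WAN side."""
    lines: List[str] = []
    for proto, port in sorted(REQUIRED[vpn], key=str):
        match = f"-p {proto}" + (f" --dport {port}" if port is not None else "")
        lines.append(
            f"iptables -t nat -A PREROUTING -i {wan_if} {match} "
            f"-j DNAT --to-destination {server_ip}"
        )
        lines.append(f"iptables -A FORWARD -i {wan_if} -d {server_ip} {match} -j ACCEPT")
    return lines


def parse_rule(line: str) -> Optional[Rule]:
    """Reduce one iptables line to (protocol, port); None if it has no -p match."""
    m = _PROTO_RE.search(line)
    if not m:
        return None
    proto = _PROTO_NAMES.get(m.group(1).lower(), m.group(1).lower())
    d = _DPORT_RE.search(line)
    return (proto, int(d.group(1)) if d else None)


def missing_rules(vpn: str, ruleset: str) -> Set[Rule]:
    """Return the REQUIRED[vpn] entries that have no DNAT line in ruleset."""
    forwarded = {parse_rule(line) for line in ruleset.splitlines() if "DNAT" in line}
    return REQUIRED[vpn] - forwarded


# Constructed sample: the mistake the thread warns about, TCP 1723 forwarded
# but the GRE data channel forgotten, so the control connection succeeds and
# the tunnel never comes up.
SAMPLE_RULESET = """\
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 1723 -j DNAT --to-destination 192.168.1.10
iptables -A FORWARD -i eth0 -d 192.168.1.10 -p tcp --dport 1723 -j ACCEPT
"""

if __name__ == "__main__":
    print("missing for pptp:", missing_rules("pptp", SAMPLE_RULESET))
    for vpn in REQUIRED:
        print(f"# {vpn}")
        print("\n".join(iptables_rules(vpn, "eth0", "192.168.1.10")))
```

    GRE and ESP carry no port, which is why a port-forwarding form alone cannot
    express them; the "PPTP pass-through" and "IPSec pass-through" switches on a
    SOHO router are the vendor's packaged version of the protocol-47 and
    protocol-50 forwards above, and a plain DNAT of that kind is enough to
    publish one server behind the NAT.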
  5. No, it could mean the opposite. Fewer features mean less opportunity for
    flaws and vulnerabilities. The more "feature filled" and complicated a
    device becomes, the greater the chance of security problems. That's why the
    "Keep it simple" philosophy is such a good motto to live by.
     
    Phillip Windell, Sep 17, 2004
    #5
  6. Spin

    Jetro Guest

    I prefer to know what's going on behind the curtain and keep my hands dirty.
    Anyway, a SOHO "router" is neither a router nor a firewall, as you are perfectly
    aware :), and isn't too configurable; that was my point, as always.
     
    Jetro, Sep 17, 2004
    #6
  7. I agree about the SOHO things. They aren't a router; they are a NAT device.
    They can legitimately be called a firewall; however, they would be a
    "light-weight" firewall.
     
    Phillip Windell, Sep 17, 2004
    #7
  8. Spin

    Jetro Guest

    I would agree with the 'light-weight' definition if you mean 'one-way' or
    'input/inbound only'.
     
    Jetro, Sep 17, 2004
    #8
  9. We can bat words around all day, but the whole term "firewall" is just a
    generic "slang" term to begin with. Cisco in their CCNA Certification
    material refers to a regular LAN router as a "broadcast firewall" because it
    blocks broadcasts from moving across subnets. Anything that prevents
    packets from moving from point A to point B is technically a "firewall".
    Even RRAS on Server 2000 & 2003 can be made into a "firewall" by using either
    NAT or by using only packet filtering if NAT isn't required; most often
    both are combined together. A device is classified as a firewall by what it
    does with the flow of data, not by having to meet someone's arbitrary
    "quality standard".

    Firewalls have been around since long before anyone ever heard of "stateful
    filtering" and any of the other modern concepts people think of today. There
    were firewalls in private high-security environments even before there was
    an Internet, for that matter.
     
    Phillip Windell, Sep 17, 2004
    #9
  10. Spin

    Jetro Guest

    Sorry if I am boring you.
    I don't care if Cisco or MS or anyone else invents new definitions for the
    old matter or for marketing purposes every day, and I wouldn't refer to the
    word /firewall/ as slang. Certainly it could be a slang word in some
    closed communities of certificate holders :) but a firewall is "any thing"
    used to block unsolicited traffic, like a real fire wall blocks a real fire,
    i.e. both ways; otherwise it is not a firewall but an imitation and
    forgery.
     
    Jetro, Sep 18, 2004
    #10
