abalazs
join:2001-03-04
Allston, MA

abalazs

Member

Can't set up a VPN server behind Netgear WGT634U

Hi everyone, I have been looking for a solution to this problem but no one seems to describe it. There doesn't seem to be a PPTP passthrough option on the 634U router... consequently, I can forward the correct port to initiate a VPN connection from my laptop to the VPN server behind the router but it cannot verify my username/password and I get error 721. Does anyone know a workaround if there is no explicit PPTP passthrough option? I tried disabling the SPI feature of the firewall but it didn't help. Is the option called something else in Netgear routers? Is it simply not supported to run a VPN server behind this model Netgear?

Thanks in advance,
Alex

Jason Cohen
@brandeis.edu

Jason Cohen

Anon

I was having problems connecting to a PPTP VPN server through a Netgear WGR614v5. With SPI off, the router refused to forward packets to the server, and the client software said that it was attempting to verify the password and username. I eventually got an 800 error said it couldn't connect to the router. I also noticed that even though I forwarded port 1723, all forwards were set to port 16 in the edit menu.

I solved this problem by turning on SPI. Apparently, on the WGR614v5, port forwarding requires SPI (I turned off SPI because it was lowering my download performance). Turn on SPI and see if that helps.

Otherwise, manually forward port 1723 and 500 (not sure if 500 is needed, but I've seen sites that say it is required). If that fails, contact Netgear.
Jason Cohen

Jason Cohen

Anon

Here's a useful method for ensuring that the problem is the router and not the VPN server.

I'm using the Microsoft XP Professional VPN server and client, so I'm not sure how this can be done with proprietary software. Set up a VPN on your internal network and attempt to connect to it from a machine on the LAN using the internal IP. If the VPN works you should be able to connect using the internal IP.

For example, I set the server as 192.168.1.5, and connected from client 192.168.1.6. This should work without port forwarding because all packets are being sent inside the network. If that fails, then it's not the router but the VPN setup.
abalazs
join:2001-03-04
Allston, MA

abalazs

Member

Thanks for the reply, I actually know it is a router issue just as you said because when the laptop is connected behind the router with the server and I connect to 192.168.1.2 (rather than the external IP) everything works fine. Now for the SPI, I tried it disabled but since it never worked I re-enabled it. As I said, I am forwarding the correct port (1723 and I also tried 500) to the server (I have already set up an FTP server with port forwarding so I know that aspect of the router works fine). For some reason VPN servers seem to need more than simple forwarding of ports (something about IP protocol 47 I believe?) and so a lot of routers will have a specific option to allow PPTP Passthrough..... This doesn't seem to be an option with the 634U. Netgear still hasn't gotten back to me on this question.

Alex

Jason Cohen
@brandeis.edu

Jason Cohen

Anon

Thanks for the reply. I'll speak with my contact in Level 2 Tech support next week and get back to you.
Jason Cohen

Jason Cohen

Anon

Release 1.2

Firmware version: 1.2.0.6
Firmware Size: 4,432,252 bytes

New Features

· Added PPTP support
· Enhanced partition recognition to support special partition formatting in certain memory flash drive

PPTP support should be as simple as forwarding ports 1723 and 500.

See »kbserver.netgear.com/kb_ ··· 1222.asp

"This document describes VPN support by model as tested by NETGEAR.

Depending on your ISP's configuration and other issues, you may need to open ports for passthrough to work. The ports are:

IPSec: 500
L2TP: 1701 and 500
PPTP: 1723 and 500
Each VPN passthrough must have its own 500 port open. The first port is opened normally, as described in port forwarding documents. The other instances of port 500 must each be opened by selecting a unique range of ports that include 500, e.g., 499-501, 498-502, etc."
abalazs
join:2001-03-04
Allston, MA

abalazs

Member

Hi Jason, so while I did see that they mentioned PPTP support in v1.2 (I'm using v1.4.1.5 so it has this) they do not call it passthrough which I believe to be different. The link you posted also shows a list in which the WGT634U doesn't show up, so I'm still not sure what the actual capabilities are.
I tried forwarding all of the ports you suggested including a range from 498-502 for IPSec and I still am getting the same Error 721 after it establishes an initial connection. In any case, if you hear anything from your contact at Netgear please let me know.

Thanks,
Alex
Jason Cohen
join:2004-11-06
Waltham, MA

Jason Cohen

Member

You're forwarding 1723 & 500 TCP ports- not UDP, correct? From what I read, on the WGT634U, you can't open the same port on both UDP & TCP so you have to choose. If you forwarded UDP ports, it won't work.

Do you have any software firewalls on your network- Microsoft's ICF perhaps? This could be causing your problems. You have to forward ports 1723 and 500 on the software firewall as well. This probably isn't an issue, but it's best to consider all possibilities.
Jason Cohen

Jason Cohen

Member

Port forwarding and pass through in this case mean the same thing because PPTP runs on static ports- 1723 and 500.

When a PC on the Internet sends a request to connect to your VPN, the router checks to see if the packet meets certain rules set out in your router's configuration. Let's say you forward ports 80, 1723, and 500. If packets are sent to other ports, they will be ignored and dropped. However, if a packet is being sent to 1723,500, or 80, it will be forwarded or passed through to the predesignated server on your internal network. That server could very well have its own software firewall which could then drop the packets.

When you tested VPN on your internal network, the software firewall probably allowed all packets through because both PCs on the network were trusted, and since the packets never came from the internet, the Netgear router doesn't check them.

VPN Passthrough however is different from basic forwarding with IPSEC because the ports aren't static.

»expertanswercenter.techt ··· ,00.html

"On the other hand, a SOHO network device that supports VPN pass-thru simply means that it can support "passing through" packets that originate from VPN clients (typically on laptops or PC's) out through a VPN server on the Internet. A special feature like this is needed because: 1) these SOHO devices are involved with NAT and PAT, 2) VPN protocols like IPsec (the data path is called ESP) doesn't have a specific port number for the device to multiplex the port address translation back to your laptop or PC 3) that's why this feature enables some special processing of packets that are IPsec ESP data packets and allows the device to keep a table of active connected VPN tunnels."
Jason Cohen

Jason Cohen

Member

Here's another interesting website on the subject:

"If you're using Microsoft's PPTP protocol, TCP port 1723 is the port you'll need to forward to allow PPTP control traffic to pass. Figure 2 shows the Forwarding screen on a Linksys BEFSR41 set to forward this port to a client with IP address 192.168.5.100."

"PPTP also needs IP protocol 47 (Generic Routing Encapsulation) for the VPN data traffic itself, but note that this is a required protocol, not a port. The ability to handle this protocol must be built into the router's NAT "engine"—which is true of most present-generation routers."

According to this PPTP doesn't need 500- only IPSEC, and IPSEC requires 500 to be opened as a UDP port.
Jason Cohen

Jason Cohen

Member

Link to article:

»www.smallnetbuilder.com/ ··· age1.php
Jason Cohen

Jason Cohen

Member

I had the same 721 error with SPI off and Port Forwarding on. The client would sit at "verifying username and password" and then gave the error.

When I stop forwarding TCP port 1723, I get an 800 error saying that the server is unreachable. I verified that TCP port 1723 is the only port necessary for PPTP to work.

Check to see if the router is correctly forwarding other ports. You said earlier that you use port forwarding for FTP on port 80. From what I have read, it seems 80 is ALREADY OPEN on the WGT634U. Try forwarding another port to ensure that port forwarding works generally.
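The posts above describe two distinct symptoms: error 800 when TCP 1723 is not forwarded at all, and error 721 (stuck at "verifying username and password") when TCP 1723 is forwarded but the router cannot pass IP protocol 47 (GRE). The reason the failure shows up at the authentication step is that PPTP only uses the TCP 1723 connection for call setup; the PPP frames, including the CHAP authentication exchange, travel inside the GRE tunnel. The following Python script is an added example, not code from any poster in this thread: it classifies a tcpdump-style capture taken on the VPN server into those cases by counting control packets and GRE packets in each direction. The capture lines, the client address 203.0.113.5 and the function name classify_pptp are constructed for this example.

```python
"""Diagnose a PPTP session from tcpdump-style summary lines.

PPTP uses a TCP 1723 control connection plus a GRE (IP protocol 47)
tunnel that carries the PPP frames, including the CHAP authentication
exchange. A NAT router that forwards TCP 1723 but does not translate
GRE lets the control handshake finish and then drops the tunnel, so the
client stalls at "verifying username and password" and fails with
error 721. If TCP 1723 itself is not forwarded, the client reports
error 800 instead. This script classifies a capture taken on the VPN
server into those cases. Sample data below is constructed, not captured.
"""
import re

PPTP_CTRL_PORT = "1723"

# One `tcpdump -n` style summary line per packet. GRE packets are
# recognised by the "GREv1" tag tcpdump prints for PPTP data traffic.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+IP\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))?\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?:\s*(?P<rest>.*)$"
)


def classify_pptp(capture: str, server_ip: str) -> dict:
    """Count control and GRE packets seen at server_ip and name the failure mode."""
    counts = {"ctrl_in": 0, "ctrl_out": 0, "gre_in": 0, "gre_out": 0}
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not an IPv4 summary line
        src, dst = m["src"], m["dst"]
        if m["rest"].startswith("GRE"):
            if dst == server_ip:
                counts["gre_in"] += 1
            elif src == server_ip:
                counts["gre_out"] += 1
        elif dst == server_ip and m["dport"] == PPTP_CTRL_PORT:
            counts["ctrl_in"] += 1
        elif src == server_ip and m["sport"] == PPTP_CTRL_PORT:
            counts["ctrl_out"] += 1

    if counts["ctrl_in"] == 0:
        # TCP 1723 never arrives: the router is not forwarding it (client sees error 800).
        diagnosis = "no_control"
    elif counts["ctrl_out"] == 0:
        # Control packets arrive but the server never answers: host firewall or service down.
        diagnosis = "control_unanswered"
    elif counts["gre_in"] == 0:
        # Control channel completes, no GRE reaches the server: router drops protocol 47 (error 721).
        diagnosis = "gre_blocked"
    else:
        diagnosis = "ok"
    counts["diagnosis"] = diagnosis
    return counts


SERVER = "192.168.1.2"   # the VPN server's LAN address (constructed)
CLIENT = "203.0.113.5"   # a client on the Internet, documentation range (constructed)

# Constructed capture: the TCP 1723 handshake and control messages
# complete, but no GRE packet is ever forwarded to the server.
CAPTURE_GRE_BLOCKED = f"""\
12:00:01.000 IP {CLIENT}.51000 > {SERVER}.1723: Flags [S], seq 100, length 0
12:00:01.010 IP {SERVER}.1723 > {CLIENT}.51000: Flags [S.], seq 200, ack 101, length 0
12:00:01.020 IP {CLIENT}.51000 > {SERVER}.1723: Flags [.], ack 201, length 0
12:00:01.100 IP {CLIENT}.51000 > {SERVER}.1723: Flags [P.], length 156
12:00:01.110 IP {SERVER}.1723 > {CLIENT}.51000: Flags [P.], length 156
12:00:01.300 IP {CLIENT}.51000 > {SERVER}.1723: Flags [P.], length 168
12:00:01.310 IP {SERVER}.1723 > {CLIENT}.51000: Flags [P.], length 32
"""

# Same session behind a router that passes GRE: PPP frames flow both ways.
CAPTURE_OK = CAPTURE_GRE_BLOCKED + f"""\
12:00:01.500 IP {CLIENT} > {SERVER}: GREv1, call 1, seq 1, length 36: LCP, Conf-Request
12:00:01.510 IP {SERVER} > {CLIENT}: GREv1, call 5, seq 1, ack 1, length 40: LCP, Conf-Request
"""

# Nothing for port 1723 reaches the server at all (only unrelated FTP traffic).
CAPTURE_NO_CONTROL = f"""\
12:00:01.000 IP {CLIENT}.51001 > {SERVER}.21: Flags [S], seq 300, length 0
"""

if __name__ == "__main__":
    for name, cap in [("gre_blocked", CAPTURE_GRE_BLOCKED),
                      ("ok", CAPTURE_OK),
                      ("no_control", CAPTURE_NO_CONTROL)]:
        print(name, classify_pptp(cap, SERVER))
```

Run a real capture through it by saving `tcpdump -n -i <iface> 'tcp port 1723 or proto 47'` output from the server and passing the text to classify_pptp. A "gre_blocked" result with the client stuck at the password prompt matches the WGT634U symptom in this thread, while "no_control" matches the error 800 seen when the 1723 forward is removed.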
Jason Cohen

Jason Cohen

Member

Correction: I read that port 21 (not 80) was open on the WGT634U to allow for easier FTP setup. Thus, forwarding port 21 isn't necessary to allow for FTP access to the attached HD.
abalazs
join:2001-03-04
Allston, MA

abalazs

Member

Hi Jason, thanks for all your suggestions... I am however quite sure that this is a router specific issue. I am only forwarding TCP ports in these cases. I do not run any sort of firewall software ever on my computers as I find it to slow things down too much (this includes disabling the ICS/Firewall services in XP) and I find myself capable of configuring my router firewall to the point that it is secure without needing additional software solutions. I am running my FTP server on a non-standard port and am doing so using PASV mode that requires a range of ports to be opened. This only works when I set up port forwarding so the router's forwarding is working. Additionally, like you, if I don't forward port 1723 then I get error 800 when connecting the VPN instead of error 721. This shows that clearly the port is being forwarded, but that either more ports are necessary (which I don't think so at this point) or the router doesn't understand how to handle the IP Protocol 47 packets that are needed for VPN.

Did your contact at Netgear say anything?
Alex
Jason Cohen
join:2004-11-06
Waltham, MA

Jason Cohen

Member

The last time I spoke to my contact was on Friday when he told me that a WGT634U would be sent Advance Standard to replace my WGR614v5. The router should arrive Tuesday or Wednesday of this week. I will immediately check to see if I can access my VPN when I receive the router, and will inform you of my experience. If it doesn't work, I'll try to get an explanation from Level 2 and I'll post what I learn on this forum.
abalazs
join:2001-03-04
Allston, MA

abalazs

Member

Thanks Jason. So just to be clear, your VPN server is currently behind your router and you were able to log into it from the internet?

Alex
Jason Cohen
join:2004-11-06
Waltham, MA

Jason Cohen

Member

Correct, I can access my VPN from the Internet. Currently, I access the VPN from my University wireless/wired network. I also accessed my VPN off campus at my home 300 miles away through both my router and the University network.

Jason
Jason Cohen

Jason Cohen

Member

Well, I think you were absolutely right. The WGT634U doesn't seem to support the PPTP.

Here's the pertinent parts of my email to my contact:

"I just received and setup the WGT634U and I’m having several issues. First, Port Forwarding doesn’t seem to work. I forwarded TCP port 1723 and UDP port 500 to use a PPTP VPN. When pointing to the public IP I cannot access the VPN, but it connects fine connected to the private IP. I’ve tried both with SPI on and with it off. I confirmed that the VPN can be accessed from its Public IP a few minutes later using the WGR614v5 router. Another WGT634U owner posted on a forum with the same issue. I use my VPN to access my file and print server, so it’s very important I get this working."

Second email after more troubleshooting:

"I’ve tried using Universal Plug’N Play, Port Forwarding, and even put 192.168.0.9 in the DMZ. I’ve tried each of these settings both with SPI on and with it off. It always gives the same 800 error saying that it can’t connect to the firewall. I’ve tried firmware 1.4.15, 1.4.0.6 (horribly unstable. Refused to assign an ip so I couldn’t access the router or internet until I restarted- did this several times) and 1.3.0.6. It seems that the hardware on the WGT634U doesn’t support protocol 47 which is needed for PPTP. I believe I saw the VPN client say “opening port” before it refused the connection with UPnP enabled, and the packets certainly would have been sent to my computer using DMZ."

As you can see, I tried everything I could think of to get PPTP working. Three firmware upgrades later, I realize it's not possible. I tried every possible combination. UPnP with and without SPI. I did the same for Port Forwarding and DMZ. During these tests, I turned off the AP on the WGT634U, hooked the ethernet cables into my WGR614V5- and voila, VPN worked.

I haven't received a response from my contact. I'm going to call this evening at 9 pm (free minutes). I'll tell you what I find but I doubt he'll have a solution. This is going to require either a firmware upgrade or more likely another router. The firmware is already supposed to support PPTP.
Jason Cohen

Jason Cohen

Member

I used Symantec online security analysis to check if port 1723 was open. Not surprisingly, it is. Port forwarding on the router works fine. I guess the WGT634U simply doesn't support the protocol needed for PPTP.

mboy
Premium Member
join:2001-04-13
Little Falls, NJ

mboy to abalazs

Premium Member

to abalazs
Jason is correct in the fact that you do not need Port 500 (and it would be UDP not TCP 500) for IPsec VPN, PPTP does not need it, so you may want to close it on the router.
Since routers are dirt cheap now, why not spring for one that is known to fully support PPTP?
Jason Cohen
join:2004-11-06
Waltham, MA

Jason Cohen

Member

Because I'm going to make Netgear send me a router that supports PPTP. I originally purchased the WGR614 and that supported it. If they advertise their products as supporting a feature, they should be held to their word, and so far they've been quite good with helping to solve my problems.
Jason Cohen

Jason Cohen to mboy

Member

to mboy
What Netgear routers support PPTP? The WGT634U obviously doesn't. The WGR614s do but I've had too much trouble with them to request another. How about the WGT624 or WGU624?
Jason Cohen

Jason Cohen to abalazs

Member

to abalazs
I spoke to my contact at Level 2 tech support. He said my email covered all the bases as far as troubleshooting goes and there is indeed a problem with the firmware. Fortunately, he's having a meeting with Level 3 (the engineers who write the firmware) today, so he's going to tell them about the issue. I'm hoping they'll incorporate it into the XR/Adaptive Radio update which should be forthcoming. The RP614 wired router had a similar problem and it took 3 months to get a fix.
Jason Cohen

Jason Cohen

Member

The WGT634U doesn't seem to work with any VPN server. I used OpenVPN which uses a 2048 bit preshared key and tunnels over UDP port 1194. I figured it was sufficiently different from PPTP which is a TCP tunnel on port 1723 that it might work. Well, it doesn't.

I was able to get a tunnel working using my WGR614v5 router, but it couldn't connect with the WGT634U.

Anyone know if ssh works with the WGT634U?
Jason Cohen

Jason Cohen

Member

I heard back from my contact at Level 2 support. Based on my emails and calls, the Engineers are making the assumption that VPN passthrough simply doesn't work on the WGT634U with the current firmware, and they will be working on a firmware update to resolve the issue. In the meantime I was told I could keep both the WGR614v5 and the WGT634U. I plan to run the WGR614v5 as a wired router and the WGT634U as an access point. Hopefully that will give me stability, high transfer speeds and VPN until this issue is sorted out.

On a side note, I also asked about when the XR/Adaptive Radio features will be added to the WGT634U. As I suspected, the update was held back by the problems on the WGT624 and it should be forthcoming, but no date was given.
Jason Cohen

Jason Cohen

Member

I'm also expecting a call from Level 3 tech support in the next few days about this issue. If you want me to raise any points or ask any questions, tell me.
Jason Cohen

Jason Cohen

Member

I setup the WGR614v5 as a wired router (IP 192.168.0.1), and the WGT634U as a wireless access point (IP: 192.168.0.9, DHCP OFF). So far the setup is working great. Both are running stable. Transfer speeds are excellent, and VPN pass through works again. This setup has also increased download speeds off the internet on the wireless computers to 1.9 MB/s (15 mbit/s), while LAN transfers remain at 24 mbit/s from wired to wireless and 26 mbit/s from wireless to wired. I’m very impressed with the performance of the WGT634U and surprised at its stability thus far. I think I'll get a WG511T to take full advantage of the Super-G feature.
Jason Cohen

Jason Cohen

Member

I just compared the supported features on the WGR614v5 box and the WGT634U box. The WGR614v5 box states that the router supports "VPN pass through (IPSec,L2TP,PPTP),NAT,PPTP,PPoE,DHCP (client & server)". Puzzled as to why the box mentioned PPTP I checked my WGR614 basic settings page. PPTP apparently is a method for dialing a DSL modem used in Austria and other European nations, as opposed to Peer to Peer Tunnel Protocol used to securely encapsulate and transmit encrypted data.

The WGT634U states support for "VPN Pass Through (IPSec,L2TP),NAT,PPTP,PPPoE,and DHCP (client & server)". I guess PPTP VPN passthrough wasn't an advertised feature after all.
abalazs
join:2001-03-04
Allston, MA

abalazs

Member

Hi Jason, I've been out of town so I couldn't reply. Thanks for all your work on this issue. I'm glad to see it's not just my hardware that's the problem. Seems that a lot of things are good about the 634U hardware but the software just needs to catch up a bit. I suppose I will simply wait for these guys to add support. As long as you're on the phone with the Level 3 guy, you could mention that I would love it if they added write support for NTFS partitions connected to the router. Right now, you have to format your drive to FAT32 to have it be writable over the network. Also, performance of the SMB sharing of the drives is pretty dismal... wonder if they plan on making this work well? The idea is nice but in practice they seem to have a lot of issues with the feature set they propose.

Alex
Jason Cohen
join:2004-11-06
Waltham, MA

Jason Cohen

Member

Do you have a cheap wired/wireless router laying around? You probably can get one for $20 or so and use that to pass through your VPN traffic. The MR814 is only $20 after rebate and was stable when I used it. The Netgear VPN link I posted earlier says it supports PPTP passthrough.

I'll make sure to bring up the NTFS write support when I get the call from Level 3, but I'm not sure it's necessary. I believe I read on Netgear's site that they're planning on adding NTFS write support in the next firmware upgrade.

I agree about the NAS feature. It sounds cool but it's implemented horribly. Personally, I'm happy with my fileserver + secure VPN link. It's more secure, faster, and more reliable than NAS. Even with VPN, I've been able to stream high quality divx movies (ones I've purchased) off my machine (1400 mb) using a cable connection and my server doesn't slow in performance. I just don't see the need for NAS. The only thing I might use it for is as a temporary storage area for documents when my server is off.