
fenix_jn

join:2006-12-28
Miami, FL

reply to SoonerAl

Re: VPNs... general questions before setup

Well, I've been playing with the expert section of ZA firewall. So far I specified a rule as follows:

Mode: Allow
Source: 192.168.10.0 to 192.168.10.10
Destination: 192.168.10.0 to 192.168.10.10
Protocols:

TCP 1723 (PPTP)
GRE 47 --- This is not a port. It is the protocol ID
ICMP 8 (PING) --- Not a port. ICMP type: Echo req
TCP/UDP 139 (SMB)
TCP 445 (another SMB)

So what happens is that both computers are able to connect fine but they can't transfer files. I can ping them but the file transfer does not happen.

I set up the VPN address myself (192.168.10.x) since it was connecting to some 169.254.x.x (x = arbitrary values). It connected but I just did not like my private network over there. The DHCP on the server is active and the client must request an IP address; so far that is fine, but the idea is to be able to transfer files "safely" over the internet, not just to check if my PC is on (like what happens now).

The network connections for the VPN are in the trusted zone inside the firewall.... I don't know what other port I should open. I mean it can connect, but the firewall has to be offline. I don't want to risk my PC just because I want to transfer some files.

Any ideas??

PS: I read somewhere that M$ PPTP was hacked.. is this true?
-----------------------------------------------------------

UPDATE:

I continued to play with ZA firewall rules and found this:

windows SMB works with TCP/UDP 135 ~ 139, 445

so guess what?

IT DID WORK!

The idea is to define 2 rules: One for the initial connection (from foreign IP client side) and one for the private address (192.168.10.x) VPN side.

Instructions for ZA:

I assume that you already have created the VPN connection on both sides (server and client(s)). I also assume that you are trying to connect from 2 different (public) IP addresses. Always use passwords for your accounts.

I also assume that you are using the following connection structure:

PC(firewalled) - router - modem ~ internet ~ modem - router - PC(firewalled)

The first rule must have the port TCP 1723 open so PPTP can connect to the server. Since this can be incoming from any IP, the source must be set to ANY. Destination can be ANY (if your DHCP server assigns IPs to the computers in your LAN) or the IP of your preference if you have a static IP (or a single PC).

Ok now we have to move on to the next stage: Windows SMB ports.

For this you need to use the following settings:

Source: -your private VPN IP range-
Destination: -same as above-
Ports:

TCP/UDP 135 ~ 139 Windows SMB
TCP/UDP 445 Windows SMB (it will use it)
TCP 1723 PPTP (it will be used inside the internal VPN. Maintenance??)
GRE 47 (not a port. IT IS A PROTOCOL ID)
ICMP 8 (not a port. ICMP type 8/echo. IF YOU WANT TO PING)

It is very important that you define the internal VPN network for these ports and protocols. If you forget a single port the VPN won't work. If you forget to set up the IP addresses pointing to your VPN, your PC and your entire network may be at major security risk.

(Omit this if you don't have a router)

If this is not enough you also may need to set the following on your router (SERVER SIDE ONLY):

PPTP Passthrough ENABLED

PPTP (1723) port forward to local IP

Advanced routing:

Mode: Gateway
Source IP: -your private VPN initial IP address-
Subnet: -self explanatory, VPN side-
Destination IP: -your local (LAN) IP-
ENABLED

----------------------------------------------------------

If these steps do not work for you, check your firewall logs (look for your VPN IP and Blocked lines) and make sure that you click the Apply button whenever you change your firewall settings.

That should be enough. Happy file-transferring LOL

Thanks to SoonerAl for giving me that great idea about Windows File and Printer Sharing. You gave me the idea of looking for the FP&S ports (NetBIOS/Windows SMB ports).

fenix_jn

join:2006-12-28
Miami, FL
Reviews:
·AT&T U-Verse
·Atlantic Broadband
·AT&T Southeast
·Sprint Mobile Br..

It doesn't allow me to edit so I have to post a new reply:

UPDATE:

After re-reading ZA firewall logs it seems that you don't NEED all 135-139 ports open. Just 139 TCP/UDP and 445 TCP/UDP. Remember to open these ports only on the VPN side (or to the VPN internal address). You don't need to open them on the router to make it work.

1723 must be opened on router,

Everything else must be implemented to work.
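The two-rule policy these two posts arrive at (TCP 1723 open from ANY for the PPTP control channel; SMB 139/445, GRE and ICMP echo only between addresses in the private VPN range) can be modelled as a small default-deny packet filter. The following is an added example written for this page, not ZoneAlarm code or anything from the original poster; the VPN range 192.168.10.0/24 and the public addresses 203.0.113.5 and 198.51.100.7 are constructed sample values, and the rule names are invented for the model. Its `restrict_smb_to_vpn=False` switch reproduces the mistake the poster warns about (forgetting to scope the SMB rule to the VPN addresses) so the difference in what reaches port 445 from the internet is visible.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Protocol labels used by this model (constructed; ZoneAlarm's UI wording differs).
TCP, UDP, GRE, ICMP = "tcp", "udp", "gre", "icmp"


@dataclass(frozen=True)
class Packet:
    src: str                          # source IPv4 address
    dst: str                          # destination IPv4 address
    proto: str                        # TCP, UDP, GRE or ICMP
    port: Optional[int] = None        # destination port (TCP/UDP only)
    icmp_type: Optional[int] = None   # ICMP type (ICMP only); 8 = echo request


@dataclass(frozen=True)
class Rule:
    name: str
    src: Optional[str]                # CIDR, or None for ANY
    dst: Optional[str]                # CIDR, or None for ANY
    proto: str
    port: Optional[int] = None        # required destination port for TCP/UDP
    icmp_type: Optional[int] = None   # required ICMP type for ICMP

    def matches(self, pkt: Packet) -> bool:
        if self.proto != pkt.proto:
            return False
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.proto in (TCP, UDP) and self.port != pkt.port:
            return False
        if self.proto == ICMP and self.icmp_type != pkt.icmp_type:
            return False
        return True   # GRE carries no port: protocol plus address scope is the whole match


def build_policy(vpn_net: str, restrict_smb_to_vpn: bool = True) -> List[Rule]:
    """Allow-list from the posts. With restrict_smb_to_vpn=False the SMB rules
    are left at source/destination ANY, the misconfiguration the poster warns about."""
    scope = vpn_net if restrict_smb_to_vpn else None
    return [
        # Rule 1: the PPTP control channel may arrive from any public address.
        Rule("pptp-control", None, None, TCP, port=1723),
        # Rule 2: file sharing and the rest only between addresses inside the VPN range.
        Rule("smb-tcp-139", scope, scope, TCP, port=139),
        Rule("smb-udp-139", scope, scope, UDP, port=139),
        Rule("smb-tcp-445", scope, scope, TCP, port=445),
        Rule("smb-udp-445", scope, scope, UDP, port=445),
        Rule("pptp-inside", vpn_net, vpn_net, TCP, port=1723),   # shadowed by rule 1, kept as the post lists it
        Rule("gre", vpn_net, vpn_net, GRE),                      # IP protocol 47, not a port
        Rule("ping", vpn_net, vpn_net, ICMP, icmp_type=8),       # echo request only
    ]


def evaluate(policy: List[Rule], pkt: Packet) -> Tuple[bool, str]:
    """First matching rule wins; anything unmatched is dropped (default deny)."""
    for rule in policy:
        if rule.matches(pkt):
            return True, rule.name
    return False, "default-deny"


if __name__ == "__main__":
    VPN = "192.168.10.0/24"   # constructed private VPN range
    samples = [
        ("PPTP connect from the internet", Packet("203.0.113.5", "198.51.100.7", TCP, port=1723)),
        ("SMB 445 from the internet", Packet("203.0.113.5", "192.168.10.1", TCP, port=445)),
        ("SMB 445 inside the VPN", Packet("192.168.10.2", "192.168.10.1", TCP, port=445)),
        ("GRE inside the VPN", Packet("192.168.10.2", "192.168.10.1", GRE)),
        ("ping inside the VPN", Packet("192.168.10.2", "192.168.10.1", ICMP, icmp_type=8)),
    ]
    for label, restricted in (("scoped SMB rules", True), ("SMB rules left at ANY", False)):
        print(f"--- {label} ---")
        policy = build_policy(VPN, restrict_smb_to_vpn=restricted)
        for desc, pkt in samples:
            allowed, why = evaluate(policy, pkt)
            print(f"{desc:32s} {'ALLOW' if allowed else 'BLOCK':5s} ({why})")
```

Run it and the two tables differ in exactly one line: with the SMB rules scoped to the VPN range, port 445 from 203.0.113.5 hits default-deny, while with the scope left at ANY the same packet is allowed, which is the exposure the poster means by "your entire network may be at major security risk". The model follows the posts in keeping GRE inside the VPN range only; on the server side the router's PPTP passthrough and the 1723 forward are what carry the tunnel set-up from the peer's public address.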


Monday, 28-May 17:49:22
© 1999-2012 dslreports.com.