[SOLVED] PPTP (1723) mysteriously closed...
Posted: Thu Nov 19, 2009 6:10 pm
One of my Mikrotik routers has as usual a PPTP Server interface on and couple of PPP users ready to connect in...
In this router I have many rules to do port forwarding and filtering...
But the firewall seems to block the PPTP port (reported as closed by nmap on Linux and "connection refused" if I try a telnet router1 1723), and I added at the top of the input chain an accept from anywhere dst-port=1723 protocol tcp and an accept protocol gre. Those two rules seem not sufficient to open the port and let connections come in...
Looking at the router, the only differences from the other routers I have in place are: UPnP activated (I don't use it, but the router is in production and I don't know if disabling it can do something bad...). Eth1 is external, the others are internal.
Two public IPs on the eth1 interface... IPs are written as address: 11.11.11.11/24 network: 11.11.11.0 and 11.11.11.255 broadcast...
I'm connecting from 12.12.12.12, the Office 2 Mikrotik.
If needed I can post full firewall rules detail...
0 ;;; Allow from Office 1
chain=input action=accept src-address=13.13.13.13
1 ;;; Allow from Office 2
chain=input action=accept src-address=12.12.12.12
2 ;;; Allow SSH on 22
chain=forward action=accept protocol=tcp dst-port=22
3 ;;; Allow 21 for port forward
chain=forward action=accept protocol=tcp dst-port=21
4 ;;; Allow 80 for port forward
chain=forward action=accept protocol=tcp dst-port=80
5 ;;; Allow Forward 4949
chain=forward action=accept protocol=tcp dst-port=4949
6 ;;; Allow Forward 9999
chain=forward action=accept protocol=tcp dst-port=9999
7 ;;; Added by webbox
chain=input action=accept protocol=icmp
8 ;;; Added by webbox
chain=input action=accept connection-state=established
9 ;;; Added by webbox
chain=input action=accept connection-state=related
10 ;;; Allow PPTP
chain=input action=accept protocol=tcp dst-port=1723
11 ;;; Added by webbox
chain=forward action=jump jump-target=customer
12 ;;; Added by webbox
chain=input action=drop in-interface=ether1
13 ;;; Added by webbox
chain=customer action=accept connection-state=established
14 ;;; Added by webbox
chain=customer action=accept connection-state=related
15 ;;; Added by webbox
chain=customer action=drop
Any ideas...
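As an added example (not from the original post), a small Python simulator of RouterOS first-match filter semantics run over the input-chain rules listed above; the packets and the 203.0.113.5 source address are constructed, and the `id` values are the post's own rule numbers. It shows that a new TCP SYN to 1723 is accepted by rule 1 from Office 2 and by rule 10 from anywhere else, while GRE from outside the two offices falls through to rule 12.

```python
# Added example, not code from the original post: replay the posted input
# chain against constructed packets using first-match semantics.

# Input-chain rules copied from the post; the leading number is the rule id
# as printed by RouterOS (forward/customer chains are left out).
INPUT_CHAIN = """
0 chain=input action=accept src-address=13.13.13.13
1 chain=input action=accept src-address=12.12.12.12
7 chain=input action=accept protocol=icmp
8 chain=input action=accept connection-state=established
9 chain=input action=accept connection-state=related
10 chain=input action=accept protocol=tcp dst-port=1723
12 chain=input action=drop in-interface=ether1
"""

def parse_rules(text):
    """Turn 'N key=value ...' lines into dicts, keeping print order."""
    rules = []
    for line in text.strip().splitlines():
        num, *kvs = line.split()
        rule = dict(kv.split("=", 1) for kv in kvs)
        rule["id"] = int(num)
        rules.append(rule)
    return rules

def evaluate(rules, pkt):
    """First rule whose every matcher fits decides the packet.
    Returns (rule id, action); a packet no rule matches falls off the
    end of the chain, which RouterOS treats as accept."""
    for rule in rules:
        matchers = {k: v for k, v in rule.items()
                    if k not in ("id", "chain", "action")}
        if all(pkt.get(k) == v for k, v in matchers.items()):
            return rule["id"], rule["action"]
    return None, "accept"

def pptp_syn(src, in_interface="ether1"):
    """Constructed packet: a new TCP SYN to the PPTP control port."""
    return {"protocol": "tcp", "dst-port": "1723", "src-address": src,
            "in-interface": in_interface, "connection-state": "new"}

def gre(src, in_interface="ether1"):
    """Constructed packet: first GRE packet of a PPTP data channel."""
    return {"protocol": "gre", "src-address": src,
            "in-interface": in_interface, "connection-state": "new"}

if __name__ == "__main__":
    rules = parse_rules(INPUT_CHAIN)
    for label, pkt in [("PPTP SYN from Office 2", pptp_syn("12.12.12.12")),
                       ("PPTP SYN from elsewhere", pptp_syn("203.0.113.5")),
                       ("GRE from elsewhere", gre("203.0.113.5"))]:
        print(label, "->", evaluate(rules, pkt))
```

A packet this chain drops would make the client time out, whereas "connection refused" is a TCP RST, which a filter with no reject rules never generates; so the next things to check are whether the PPTP server is actually enabled on this router and whether any NAT rules not shown here touch port 1723.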