Koozali.org: home of the SME Server

Opening firewall ports for NT VPN server

Bill Talcott

Opening firewall ports for NT VPN server
« on: March 25, 2002, 08:07:05 PM »
We have an NT4 PDC on a LAN behind an SME 5.0 (Update 4). We use the SME basically as a gateway and e-mail server, and still use the NT server for DHCP and authentication. I thought I'd try setting that up for VPN since it's already there... I need to open GRE protocol 47 and TCP port 1723 on the SME (per http://support.microsoft.com/default.aspx?scid=kb;EN-US;q162847). I can get TCP 1723 via the port forwarding panel in the server-manager, but what is the command line for opening up protocol 47? The command to undo it would probably be handy as well, in case it doesn't work the way we want. Any other firewall-related issues I should know about concerning NT VPN?

Thanks,
Bill

Dan G.

Re: Opening firewall ports for NT VPN server
« Reply #1 on: March 25, 2002, 09:15:15 PM »
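# Append a rule to the input chain that accepts IP protocol 47 (GRE) sent to the external address
/sbin/ipchains --append input -p 47 -s 0/0 -d YourExtIPAddress -j ACCEPT
# Append a rule to the input chain that denies the same traffic
/sbin/ipchains --append input -p 47 -s 0/0 -d YourExtIPAddress -j DENY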
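
An added illustration, not part of the reply above or of any SME Server code: ipchains checks a chain's rules in order and the first match decides, which matters when choosing between appending a DENY rule and removing the ACCEPT rule with ipchains' `--delete` option. The model assumes an otherwise empty input chain with a DENY policy, and 203.0.113.10 is a constructed stand-in for YourExtIPAddress.

```python
# Minimal model of ipchains first-match evaluation (added example).
# Assumptions: empty input chain, default policy DENY, constructed address.
from dataclasses import dataclass

GRE = 47                 # IP protocol number used by the PPTP data channel
EXT_IP = "203.0.113.10"  # constructed placeholder for YourExtIPAddress


@dataclass(frozen=True)
class Rule:
    proto: int
    dst: str
    target: str  # "ACCEPT" or "DENY"


class Chain:
    def __init__(self, policy="DENY"):
        self.policy = policy
        self.rules = []

    def append(self, rule):
        # Models `ipchains --append`: the rule goes to the end of the chain.
        self.rules.append(rule)

    def delete(self, rule):
        # Models `ipchains --delete`: removes the first identical rule.
        self.rules.remove(rule)

    def verdict(self, proto, dst):
        # The first matching rule decides; otherwise the chain policy applies.
        for rule in self.rules:
            if rule.proto == proto and rule.dst == dst:
                return rule.target
        return self.policy


def demo():
    chain = Chain()
    accept = Rule(GRE, EXT_IP, "ACCEPT")
    results = [chain.verdict(GRE, EXT_IP)]      # before any rule is added
    chain.append(accept)
    results.append(chain.verdict(GRE, EXT_IP))  # ACCEPT rule appended
    chain.append(Rule(GRE, EXT_IP, "DENY"))
    results.append(chain.verdict(GRE, EXT_IP))  # DENY appended after ACCEPT
    chain.delete(accept)
    results.append(chain.verdict(GRE, EXT_IP))  # ACCEPT rule deleted
    return results


if __name__ == "__main__":
    print(demo())
```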

Geoff Bennion

Re: Opening firewall ports for NT VPN server
« Reply #2 on: March 27, 2002, 07:58:10 PM »
I personally would use the firewall as the VPN server.

Bill Talcott

Re: Opening firewall ports for NT VPN server
« Reply #3 on: March 28, 2002, 08:12:44 PM »
I was having problems with using the SME as the VPN server, but I think it was just DUN issues on the client. Reinstalling DUN seems to have fixed it. It does pass on the domain login to the PDC as well, so everything seems to work the way we want it just by using the SME.

Is there any way to specify what IPs the SME hands out for VPN clients? As I said, we're using the NT PDC for DHCP, giving clients 10.0.100.x addresses. The SME (10.0.0.1) hands out 10.0.0.x addresses for VPN... It shouldn't cause any conflicts or anything this way, but it would be nice if I could specify a range in 10.0.100.x to use...