D-Link Forums
D-Link Wireless Routers for Home and Small Business => Information => Archive => Topic started by: cpraha on February 05, 2010, 12:48:19 PM
-
My apologies if this has been covered elsewhere, I have been able to find the answer that applies to my case.
I have a DIR-655 with firmware 1.21, connected to a DSL232B modem. I have two computers that I wish to connect to my school's VPN with. I have only been able to set the router to allow one OR the other machine, but never both. The two machines are connected with separate static IPs. However, currently I cannot connect at all.
Checking the log on the router I see the following events when I try to connect:
- Dropped GRE packet from 192.168.x.x to xxx.xxx.1.141 as unable handle packet header
- Blocked incoming GRE packet from xxx.xxx.1.141 to (my router's ISP-assigned IP address)
My VPN client is Windows XP for both machines.
One machine is connected by wire, the other is wireless.
I can get a machine to connect with the following settings (some of which may be redundant)
- Virtual server rule for other (protocol 47) for one machine's IP address. (The router won't let me enable concurrent rules for both machines.)
- Port Forwarding (1723) for one machine's IP address. (Again, the router won't let me enable concurrent rules for both machines.)
- Application Filter for port 1723 (both 'Trigger' and 'Firewall'), TCP traffic, always enabled
- WAN traffic shaping enabled
- QOS engine disabled
- Access control disabled
- Inbound filter set to 'enabled' for the range of VPN server IP addresses the school uses.
- SPI enabled
- UDP Endpoint Filtering is address restricted
- TCP Endpoint Filtering is address and port restricted
- Anti-spoof checking enabled
- Application Level gateway configured for PPTP, VPN, RTSP, and SIP
- WISH disabled
- Multicast enabled
-
To follow up and further clarify:
- I can otherwise access the Internet without problems.
- I can ping the VPN server both by name and by IP.
- I have since disabled SPI, turned off the 1723 port forwarding and enabled it as a virtual server entry, and I still get the same log messages for GRE.
-
- Virtual server rule for other (protocol 47) for one machine's IP address. (The router won't let me enable concurrent rules for both machines.)
No virtual server needed - it is an outgoing connection, not an internal VPN server - disable it
- Port Forwarding (1723) for one machine's IP address. (Again, the router won't let me enable concurrent rules for both machines.)
The router is capable of VPN pass-through without any port forwarding.
Port forwarding is only needed for incoming connections - disable it
- Application Filter for port 1723 (both 'Trigger' and 'Firewall'), TCP traffic, always enabled
Not needed, the ALG will recognize and handle the connection - disable it
- WAN traffic shaping enabled
Try disabling traffic shaping, it can affect the VPN packets negatively.
- QOS engine disabled
- Access control disabled
OK
- Inbound filter set to 'enabled' for the range of VPN server IP addresses the school uses.
Not needed for VPN - disable it
- SPI enabled
Try disabling SPI, it may drop packets
- UDP Endpoint Filtering is address restricted
Set to Endpoint independent
- TCP Endpoint Filtering is address and port restricted
Set to address restricted
- Anti-spoof checking enabled
- Application Level gateway configured for PPTP, VPN, RTSP, and SIP
- WISH disabled
- Multicast enabled
OK
Please try these settings.
-
Thanks! I can now connect with the wireless machine. I will have to try the other machine later tonight though.
Of the settings I just changed, are there specific ones I could or should try to change back in order to have a higher level of security?
-
....
Of the settings I just changed, are there specific ones I could or should try to change back in order to have a higher level of security?
SPI and Endpoint Filtering are the only security settings here. You can try to set them back one by one.
But as the router still has its NAT firewall, it is not a must. You are still secure.