RV016 Protocol Binding & Access Rules do not work on PPTP

Unanswered Question
Jun 1st, 2010

Hi


I have enabled the PPTP server and the connection succeeds, but I can't block the Internet service by Protocol Binding and Access Rules for PPTP clients.


The PPTP Server:
192.168.1.150~160


Protocol Binding:
HTTP [TCP/80~80] -> 192.168.1.150~160(0.0.0.0~0.0.0.0)


Access Rules:
1; Enable; Deny; HTTP [80]; LAN; 192.168.1.150~160; Any; Always


Firmware Version: 3.0.0.19-tm


I tried to test the setting with a local PC connected to the router directly. The rule works.
But via PPTP, it can still go to the Internet. And I confirmed the VPN IP is 192.168.1.150.

juunda Mon, 06/07/2010 - 13:40

Greetings,



It seems like you need to check the DNS on the client machines. Make sure that you configure it manually on the Ethernet adapter by going to Network Properties -> TCP/IP Internet Protocol -> Properties; there, instead of using "obtain DNS automatically", specify the DNS address of the router, or simply use the LAN IP of the router. That way the rules will apply properly to your clients. If that does not work, check the ACL priority, and lastly feel free to give us a call at 1-866-606-1866 so we can further assist you.


Regards,

joechohk81 Mon, 06/07/2010 - 20:32

Juunda


Thanks


I have tried to manually configure the DNS on the client machines. But it is not the correct way to fix this problem, because if they know the IP of the web service, they can still key in the IP.


So, do you have any suggestion?


Joe

Iwan Krastew Tue, 06/08/2010 - 03:44

Hello Mr. Wong,


What you are trying to achieve seems not to be possible. I will try to explain why.


Whenever a PPTP connection is established, the client still uses its own configured DNS servers (depending on your configuration they could be obtained from a DHCP server in your local network or manually configured). I assume that the clients are connecting to the PPTP server through the Internet and therefore they still have access to websites. The data you are requesting from the Internet (websites) would not reach the remote gateway (RV016), since your client already has a direct connection to the Internet and its own gateway. If you want to use the RV016 as your DNS point, you have to change the DNS settings locally on the clients so they use the remote side as a DNS server, and so the ACLs you've created will be active for the IP range.


When you disable the traffic for certain IP addresses with the ACL you mentioned in your post, that means that they would not be able to request any data using the HTTP protocol through the PPTP connection. They can still access the websites via the IP address because their default gateway is still pointing to the local Internet Service Provider and not to the RV016. In case you change this to the one of the RV016, you won't be able to connect through PPTP, because you will lose Internet connectivity. The only way to perform the task is to restrict the access for the clients on their local router that connects to the Internet Service Provider. If your topology differs, please excuse me, but I didn't know.


Please feel free to send me your feedback!


Best regards,

Iwan
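To make the routing point in the reply above concrete, here is an added example (my own illustration, not code from the thread, from Cisco or from the RV016): a model of the PPTP client's route lookup, which decides whether Internet-bound traffic ever enters the tunnel and therefore whether an RV016 Access Rule can see it at all. The local LAN 10.0.0.0/24 with gateway 10.0.0.1, the RV016 WAN address 198.51.100.1 and the web server 203.0.113.10 are hypothetical; the PPTP address 192.168.1.150 and remote LAN 192.168.1.0/24 are the thread's.

```python
# Added example (not from the thread): models the PPTP client's routing
# decision, which determines whether its Internet-bound traffic is ever
# seen by the RV016 and therefore whether any RV016 Access Rule can apply.
#
# Assumptions (hypothetical, for illustration only):
#   - client sits on local LAN 10.0.0.0/24 behind gateway 10.0.0.1
#   - PPTP adapter address 192.168.1.150, remote LAN 192.168.1.0/24 (from the thread)
#   - RV016 WAN address 198.51.100.1 and web server 203.0.113.10 (made up)
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# (destination prefix, next hop, interface name, metric)
Route = Tuple[str, str, str, int]

LOCAL_GW = "10.0.0.1"
PPTP_ADDR = "192.168.1.150"
RV016_WAN = "198.51.100.1"


def client_routes(use_remote_default_gateway: bool) -> List[Route]:
    """Return the client's routing table while the PPTP tunnel is up.

    `use_remote_default_gateway` mirrors the Windows PPTP adapter option
    "Use default gateway on remote network". When it is set, Windows adds a
    0.0.0.0/0 route via the PPP interface with a lower metric than the
    physical default route, so all Internet traffic enters the tunnel. When
    it is cleared (split tunnel) only the remote LAN prefix goes into the
    tunnel and Internet traffic keeps using the local gateway.
    """
    routes: List[Route] = [
        ("10.0.0.0/24", "0.0.0.0", "Ethernet", 25),      # local LAN, on-link
        (f"{RV016_WAN}/32", LOCAL_GW, "Ethernet", 1),   # host route so the tunnel
                                                         # itself still reaches the RV016
        ("192.168.1.0/24", PPTP_ADDR, "PPTP", 1),       # remote LAN via tunnel
        ("0.0.0.0/0", LOCAL_GW, "Ethernet", 25),         # ISP default route
    ]
    if use_remote_default_gateway:
        routes.append(("0.0.0.0/0", PPTP_ADDR, "PPTP", 1))  # full-tunnel default route
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match, lowest metric as tie-break; returns the egress interface."""
    addr = ip_address(dst)
    best_key = None
    best_iface = None
    for prefix, _next_hop, iface, metric in routes:
        net = ip_network(prefix)
        if addr in net:
            key = (net.prefixlen, -metric)   # longer prefix wins, then lower metric
            if best_key is None or key > best_key:
                best_key, best_iface = key, iface
    return best_iface


def seen_by_rv016(routes: List[Route], dst: str) -> bool:
    """True if a packet to `dst` traverses the tunnel, i.e. the RV016 can filter it."""
    return lookup(routes, dst) == "PPTP"


if __name__ == "__main__":
    for full_tunnel in (False, True):
        routes = client_routes(full_tunnel)
        mode = "full tunnel" if full_tunnel else "split tunnel"
        for dst in ("203.0.113.10", "192.168.1.10", RV016_WAN):
            print(f"{mode:12} {dst:15} -> {lookup(routes, dst):8} "
                  f"RV016 ACL applies: {seen_by_rv016(routes, dst)}")
```

With the split-tunnel table the web request leaves via the local gateway and never reaches the RV016, so no rule on it can match; with the full-tunnel table only the host route to the RV016's own WAN address stays on the physical interface, which is what keeps the tunnel up while everything else is forced through it.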

joechohk81 Tue, 06/08/2010 - 21:24




Hi Mr. Krastew,

Thank you for your reply.

But I am not looking to stop the Internet web service on my client side only.

Maybe I should explain more here.

The client PC is running on an intranet; that means the client network stops all services [1~65535: TCP/UDP] from passing through the WAN. At the moment, the client network allows only PPTP port 1723 to pass through. And the client PC is manually configured with no DNS.

And the client requires that the client PC has NO intranet service when the PPTP VPN is connected. So I can't disable "Use Remote Network Default Gateway" in the TCP/IP configuration.


And on the server (RV016) side, half of the PCs are allowed to connect to the Internet.

The local PCs in the server LAN can be controlled by the ACL.

The client connected by PPTP, and its IP is still within the ACL range. But it can access all Internet services (e.g. FTP, HTTP).

So I want to know: is it my configuration problem? Or the router's own problem? Or my design problem?

For now, I key in a wrong DNS on the client PC to cheat the users temporarily.


Best regards,

Joe Wong

peandree Thu, 06/10/2010 - 06:25

Here is one possible solution:

Extract from the User Guide:

--------------

Custom rules can be created to override the above default rules, but there are four additional default rules that will be always active and cannot be overridden by any custom rules.

HTTP service from the LAN to the Router is always allowed.

DHCP service from the LAN is always allowed.

DNS service from the LAN is always allowed.

Ping service from the LAN to the Router is always allowed.

....

---



peandree Thu, 06/10/2010 - 06:47

continued from the previous post...

....

1. First: click "Restore to Default Rules" to restore the default rules and delete the custom access rules.

2. All the default rules can be erased and removed as stated in my previous post.

3. Add your rule to deny the pool (the 150-160 addresses; Source: LAN, Destination: interface WAN1 or WAN2) from accessing the HTTP service on the router.

  3.1 Keep the default rules but set priority 1 for your rule. If the router does not block your pool of addresses,

  3.2 try to disable the default rules.

4. Add another rule to permit the other PCs on your LAN to access HTTP or any other service you want to allow.

----

Q: Each PPTP client must have access to the LAN of the RV016, but access to interface WAN1 (service: HTTP or another) is to be restricted, right?

Q: Is there any protocol binding to a particular WAN1 or WAN2 interface service (HTTP or another service) done or not?

----

Let me know if this works and if I understood your configuration right.

---

Petar

joechohk81 Thu, 06/17/2010 - 22:09

Hi Petar,


Thank you for your help first!


Q: Each PPTP client must have access to the LAN of the RV016, but access to interface WAN1 (service: HTTP or another) is to be restricted, right?

YES


Q: Is there any protocol binding to a particular WAN1 or WAN2 interface service (HTTP or another service) done or not?

YES, 80 and 21 are already bound.


Restore to Default Rules is already DONE, but still no success.

1. The default rules can't be erased or removed. (They are still alive.)

2. Already set: 1;Deny;80;WAN 1;192.168.1.150~159;ANY;always

But.......

Do you have any more suggestions?

Joe

davbarre Fri, 07/16/2010 - 16:16

Hi Joe,


Can you please post the tracert output from a PC that is PPTP VPN'd into the RV016, to a website that it is able to access? This way we can verify whether the packets are or are not going through the RV016.
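The check Dave asks for can be automated. The following is an added example (my own, not code from the thread or from Cisco): it parses Windows `tracert` output and reports whether hop 1 is the RV016's LAN address, i.e. whether the PPTP client's web traffic is actually entering the tunnel. The two traces are constructed for illustration; 192.168.1.1 is the RV016 LAN address Joe gives later in the thread, while 10.0.0.1, 198.51.100.1 and 203.0.113.10 are made up.

```python
# Added example (not from the thread): parse Windows `tracert` output and
# check whether the first hop is the RV016 LAN address, which tells you
# whether the RV016 ever sees (and can filter) the client's web traffic.
import re
from typing import List, Optional, Tuple

IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

# Constructed trace: client with "Use default gateway on remote network" set
TRACE_VIA_TUNNEL = """\
Tracing route to example.test [203.0.113.10]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2     3 ms     2 ms     2 ms  198.51.100.1
  3     *        *        *     Request timed out.
  4    15 ms    14 ms    14 ms  example.test [203.0.113.10]

Trace complete.
"""

# Constructed trace: split-tunnel client, Internet traffic leaves via the local gateway
TRACE_VIA_LOCAL_GW = """\
Tracing route to example.test [203.0.113.10]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  10.0.0.1
  2    12 ms    11 ms    11 ms  example.test [203.0.113.10]

Trace complete.
"""

Hop = Tuple[int, Optional[str]]     # (hop number, responding address or None)


def parse_tracert(text: str) -> List[Hop]:
    """Extract (hop, ip) pairs; a timed-out hop yields None for the address."""
    hops: List[Hop] = []
    for line in text.splitlines():
        m = re.match(r"^\s*(\d+)\s+", line)
        if not m:
            continue                            # header, blank and trailer lines
        n = int(m.group(1))
        if "Request timed out" in line:
            hops.append((n, None))
            continue
        ips = IPV4.findall(line)               # 'host [ip]' and bare ip both end in an ip
        hops.append((n, ips[-1] if ips else None))
    return hops


def first_hop(hops: List[Hop]) -> Optional[str]:
    """Address that answered at hop 1, or None if it timed out or the trace is empty."""
    return hops[0][1] if hops else None


def goes_through_rv016(text: str, rv016_lan_ip: str = "192.168.1.1") -> bool:
    """True when hop 1 is the RV016, so its Access Rules get a chance to filter
    the traffic; False when hop 1 is some other gateway or did not answer."""
    return first_hop(parse_tracert(text)) == rv016_lan_ip


if __name__ == "__main__":
    for name, trace in (("tunnel", TRACE_VIA_TUNNEL), ("local", TRACE_VIA_LOCAL_GW)):
        print(name, parse_tracert(trace), "via RV016:", goes_through_rv016(trace))
```

If hop 1 is not the RV016, the problem is on the client's routing side and no Access Rule on the RV016 can help; if it is, the rule set itself is what needs attention.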

davbarre Fri, 07/16/2010 - 17:03

Hi Joe,


After further testing in my lab I have resolved your PPTP/ACL issue.


When I wrote the ACL rule, I changed the source interface from LAN to WAN and the destination to my WAN IP address. This then blocked my HTTP traffic when PPTP VPN'd into the RV016, but still allowed the PPTP clients to access nodes on the internal LAN. The ACL states that with a source IP in my ACL/PPTP range and a destination of the WAN IP on the HTTP protocol, it will be blocked.


Which Source Interface you choose will depend on the behavior you would like. With ANY selected, a client on the inside of your network with an IP address in the same scope as your ACL, or a PPTP client, will not be able to access HTTP. I also tested with the source as just WAN, and it still blocks the PPTP client from accessing the Internet, while allowing a client on the inside of your network with an IP address in the ACL range to still access the Internet.



Please verify this works on your end as well and report back if you have any further issues.


Dave

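Here is an added example (my own model, not Dave's code and not the RV016 firmware) that encodes the Source Interface behaviour Dave reports from his lab: a rule parser for the "priority; Enable; Deny; Service; Source interface; Source; Destination; Time" format Joe quoted, plus a first-match evaluator. The assumptions are hypothetical: traffic arriving through the PPTP tunnel is attributed to WAN1 (the tunnel terminates on the WAN side), traffic from directly connected hosts to LAN, plain "WAN" covers both WAN ports, and unmatched traffic is allowed. The 203.0.113.10 web server is made up; the 192.168.1.150~160 range is the thread's.

```python
# Added example (not from the thread, not the RV016 firmware): a small model
# of RV016-style Access Rules that encodes the behaviour Dave reports from
# his lab, namely that the rule's Source Interface decides whether a PPTP
# client's traffic is matched.
#
# Assumptions (hypothetical): tunnel traffic is attributed to WAN1, directly
# connected hosts to LAN, "WAN" matches WAN1 and WAN2, default action Allow.
import re
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional, Tuple

IpRange = Tuple[int, int]          # inclusive range as integers


@dataclass
class Rule:
    priority: int
    enabled: bool
    action: str                    # "Allow" or "Deny"
    proto: str                     # "TCP" / "UDP"
    ports: Tuple[int, int]
    src_iface: str                 # "LAN", "WAN", "WAN1", "WAN2", "ANY"
    src: Optional[IpRange]         # None means Any
    dst: Optional[IpRange]         # None means Any


@dataclass
class Packet:
    ingress: str                   # interface the router attributes it to
    src: str
    dst: str
    proto: str
    dport: int


def parse_range(text: str) -> Optional[IpRange]:
    """'192.168.1.150~160', '192.168.1.150~192.168.1.160' or 'Any'."""
    text = text.strip()
    if text.lower() == "any":
        return None
    lo, _, hi = text.partition("~")
    lo = lo.strip()
    hi = hi.strip() or lo
    if "." not in hi:                       # last-octet shorthand used in the GUI
        hi = lo.rsplit(".", 1)[0] + "." + hi
    return int(ip_address(lo)), int(ip_address(hi))


def parse_service(text: str) -> Tuple[str, Tuple[int, int]]:
    """'HTTP [80]', 'HTTP [TCP/80~80]' or '80' -> (proto, (lo, hi))."""
    m = re.search(r"(TCP|UDP)?/?(\d+)(?:~(\d+))?", text)
    if not m:
        raise ValueError(f"unparseable service: {text!r}")
    proto = m.group(1) or "TCP"            # the HTTP/FTP rules in the thread are TCP
    lo = int(m.group(2))
    hi = int(m.group(3) or lo)
    return proto, (lo, hi)


def parse_rule(line: str) -> Rule:
    """Parse 'priority; Enable; Deny; Service; Src iface; Src; Dst; Time'."""
    f = [p.strip() for p in line.split(";")]
    if len(f) != 8:
        raise ValueError(f"expected 8 fields, got {len(f)}: {line!r}")
    proto, ports = parse_service(f[3])
    return Rule(priority=int(f[0]), enabled=f[1].lower() == "enable",
                action=f[2].title(), proto=proto, ports=ports,
                src_iface=f[4].upper().replace(" ", ""),
                src=parse_range(f[5]), dst=parse_range(f[6]))


def iface_matches(rule_iface: str, ingress: str) -> bool:
    if rule_iface == "ANY":
        return True
    if rule_iface == "WAN":                 # plain WAN covers both WAN ports
        return ingress.startswith("WAN")
    return rule_iface == ingress


def in_range(r: Optional[IpRange], ip: str) -> bool:
    return r is None or r[0] <= int(ip_address(ip)) <= r[1]


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First enabled matching rule in priority order wins; otherwise Allow."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if (rule.enabled
                and iface_matches(rule.src_iface, pkt.ingress)
                and in_range(rule.src, pkt.src)
                and in_range(rule.dst, pkt.dst)
                and rule.proto == pkt.proto
                and rule.ports[0] <= pkt.dport <= rule.ports[1]):
            return rule.action
    return "Allow"


# Constructed sample traffic: a PPTP client (attributed to WAN1 here), a LAN
# host inside the 150~160 range and a LAN host outside it, all to port 80.
PPTP_CLIENT = Packet("WAN1", "192.168.1.150", "203.0.113.10", "TCP", 80)
LAN_IN_RANGE = Packet("LAN", "192.168.1.155", "203.0.113.10", "TCP", 80)
LAN_OUTSIDE = Packet("LAN", "192.168.1.20", "203.0.113.10", "TCP", 80)


def decisions(src_iface: str) -> Tuple[str, str, str]:
    """Outcome for the three packets under Joe's Deny rule with the given Source Interface."""
    rule = parse_rule(f"1; Enable; Deny; HTTP [80]; {src_iface}; 192.168.1.150~160; Any; Always")
    return tuple(evaluate([rule], p) for p in (PPTP_CLIENT, LAN_IN_RANGE, LAN_OUTSIDE))


if __name__ == "__main__":
    for iface in ("LAN", "WAN", "ANY"):
        pptp, lan_in, lan_out = decisions(iface)
        print(f"Source Interface {iface:4}: PPTP={pptp:5} LAN-in-range={lan_in:5} LAN-outside={lan_out}")
```

Under these assumptions the original rule with Source Interface LAN denies the local host in the range but never matches the PPTP client, the WAN variant does the reverse, and ANY denies both; a rule for port 80 leaves FTP on port 21 untouched, which is why a separate rule per service is needed. This only reproduces Dave's lab result; Joe's later report that it did not work on his unit is left as he wrote it.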
joechohk81 Fri, 07/16/2010 - 21:03

Hi davbarre,


I tried to follow your suggestion to set the ACL. But it still does not block HTTP.

And I ran tracert; it confirms the traffic passes out through MY RV016 router.

192.168.1.1 is the RV016

192.168.20.1 is the WRV200


And the RV016 still has another Gateway-to-Gateway VPN connection to another network.

But when tested, it seems the traffic does not pass through the other gateway to the Internet.


The tracert screenshot from my PC is attached.

davbarre Wed, 07/21/2010 - 05:15

Hi Joe,


I'm sorry that didn't work for you. There must be something else you have configured that is allowing the traffic through.


Can you please call into the SBSC center so that a service request can be made for you and we can setup your configuration in our lab and determine the cause of this?  Our number is 1-866-606-1866.


Thanks!


Dave
