cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3684
Views
0
Helpful
11
Replies

RV016 Protocol Binding & Access Rules do not work on PPTP

joechohk81
Level 1
Level 1

Hi

I am Enabled PPTP Server and connection success, but can’t block the internet service by Protocol Binding and Access Rules for PPTP client.

The PPTP Server:
192.168.1.150~160

Protocol Binding:
HTTP [TCP/80~80] -> 192.168.1.150~160(0.0.0.0~0.0.0.0)

Access Rules:
1; Enable; Deny; HTTP [80]; LAN; 192.168.1.150~160; Any; Always

Firmware Version: 3.0.0.19-tm

I tried to test the setting by local PC connect the router directly. The rule is running.
But by PPTP, it can go to internet. And confirmed the VPN IP is 192.168.1.150

11 Replies 11

juunda
Level 1
Level 1

Greetings,

     It seems like you need to check your DNS on the client machines, make sure that you manually configure your ethernet adapter to do so by going to network properties---> TCP/IP Internet Protocol---->Properties, in there instead of using obtain dns automatically specify the DNS address of the router or simply use the LAN IP of the router, that way the rules will apply properly to your clients.  If that does not work then check the ACLs priority and lastly feel free to give us a call at 1-866-606-1866 so we can further assist you.

Regards,

Juunda

Thankx


I have tried to manually configure the DNS on client machines. But it is not the correct way to fix this problem. Because thay know the IP of the web service, they still can key in the IP.

So, do you have any suggestion?

Joe

Hello Mr. Wong,

What are you trying to achieve seems to be not possible. I will try to explain why.


Whenever a PPTP connection is established, the client still uses it's own DNS configured servers (depending on your configuration they could be obtained by a DHCP server in your local network or manually configured). I assume, that the clients are connecting to the PPTP server through the Internet and therefore they still have access to websites. The data you are requesting from the Internet (websites) would not reach the remote Gateway (RV016) since your client already has direct connection to the Internet and it's own gateway. If you want to use the RV016 as your DNS point, you have to change the DNS settings locally on the clients so they can use the remote side as a DNS server and so the ACL's you've created will be active for the IP range.

When you disable the traffic on certain IP addresses with the ACL you mentioned in your post, that means that they would not be able to request any data which includes the HTTP protocol through the PPTP connection. They still can access the websites via the IP address because their Default Gateway is still pointing to the local Internet Service Provider and not to the RV016. In case you change this with the one of the RV016, you won't be able to connect through PPTP, because you will lose Internet connectivity. The only way to perform the task is to restrict the access for the clients on their local router that connects to the Internet Service Provider. If your topology differs, please excuse me, but I didn't knew.

Please feel free to send me your feedback!

Best regards,

Iwan

HI  Mr Krastew.

Thank you for your reply.

But i am not looking stop internet web service on my client side only.

May be I explain more here.

The client PC is running on intranet, that mean client network stopped all service [1~65535: TCP/UDP] pass through WAN. At this moment, the client network allows the PPTP Port 1723 pass through it only. And the Client PC is running on manual configure No DNS.

And the client requests that client PC NO intranet service when PPTP VPN connected. So I can't Disable Using Remote Network Default Gateway on TCP/IP Configure.

And Server (RV016), half of pc allow connect to internet.

The Local PC in server LAN can control by ACL.

The client connected by PPTP and the IP still within the ACL. But it can access internet all service. (e.g. FTP, HTTP).

So I want to know it is my configure problem? Or the router own problem? Or my design problem?

Now, I key in wrong DNS on client PC to Cheat the user for temporary.

Best regards,

Joe Wong

Here is one possible solution:

Extract from the User guide:

--------------

Custom rules can be created to override the above default

rules, but there are four additional default rules that will

be always active and cannot be overridden by any custom

rules.

HTTP service from the LAN to the Router is always

allowed.

DHCP service from the LAN is always allowed.

DNS service from the LAN is always allowed.

Ping service from the LAN to the Router is always

allowed.

....

---

continue from the previous post...

....

1. First: Click the

Restore to Default Rules to restore the default

rules and delete the custom access rules.

2. All the default rules can be erased and removed as stated into my previous post.

3. Add your rule to deny the pool - 150-160 addresses (Source: LAN, Destination: interface WAN1 or WAN2)from accessing the HTTP service on the router.

  3.1 Keep the default rules but set priority 1 to your rule. If the router does not block your pool of addresses,

  3.2 try to disable the default rules.

4. Add another rule to permit for the other PCs on your LAN to be able to access the HTTP or any other service you want to allow.

----

Q:Each PPTP client must have an access to LAN of the RV016, but to restrict the access to interface WAN1(service: HTTP or another), right?

Q: Is there any protocol binding to a particular WAN1 or WAN2 interface service(HTTP or another service) done or not?

----

Let me know if this works and if I understood your configuration right.

---

Petar

Hi Petar,

Thank you for your help first!

Q:Each  PPTP client must have an access to LAN of the RV016, but to restrict  the access to interface WAN1(service: HTTP or another), right?

YES

Q:  Is there any protocol binding to a particular WAN1 or WAN2 interface  service(HTTP or another service) done or not?

YES, 80 and 21 already blinding.

Restore to Default Rules already DONE but still no success.

1. The Default Rules can't erase or remove.(They still alive)

2. Already set the 1;Deny;80;WAN 1;192.168.1.150~159;ANY;always

But.......

Do you have anymore suggestion?

Joe

Hi Joe,

Can you please post the tracert output from PC that is PPTP VPN'd into the RV016 to a website that they are able to access?  This way we can verify the packets are or are not going through the RV016.

David L. Barrett, Jr.

Hi Joe,


After further testing in my lab I have resolved your PPTP/ACL issue.

When I wrote the ACL rule, I changed the source interface from LAN to WAN and destination to my WAN IP address.  This then blocked my HTTP traffic when PPTP VPN'd into the RV016 but still allowed the PPTP clients to access nodes on the internal LAN.  The ACL states that with a source IP in my ACL/PPTP range, and destination of the WAN IP on the HTTP Protocol, it will be blocked.

Depending on the behavior you would like will depend on the Source Interface you choose.  With ANY selected, if a client on the inside of your network has an IP address in the same scope of your ACL, or a PPTP client they will not be able to access HTTP.  I also tested with the source as just WAN, and it still blocks the PPTP client from accessing the internet, while allowing a client on the inside of your network to have an IP address in the ACL range and still access the internet.

Please verify this works on your end as well and report back if you have any further issues.

Dave

David L. Barrett, Jr.

Hi davbarre,

I tried to follow your suggestion to set the ACL. But it still no success to block HTTP function.

And tracerted it. confirm it is past through MY RV016 router out.

192.168.1.1 is RV016

192.168.20.1 is WRV200

And RV016 Still have other Gataway to Gateway VPN connection to other network.

But tested, it seem won't pass through other gateway to the internet.

And the tracert my pc photo attached

Hi Joe,

I'm sorry that didn't work for you.  There must be something else you have configured that is allowing the traffic through.

Can you please call into the SBSC center so that a service request can be made for you and we can setup your configuration in our lab and determine the cause of this?  Our number is 1-866-606-1866.

Thanks!

Dave

David L. Barrett, Jr.
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: