Balance One VPN Passthrough

Hello, I have been struggling with this for a few days now and am at my wits' end; I just cannot get connected to our Server 2016 hosted VPN through the router. I've got it narrowed down to the router's firewall, I think, as I can connect immediately if I simply allow all incoming traffic. I can immediately turn the firewall back on after I connect, and it stays connected, and I can see the activity in the log, but when the firewall is on it simply won't connect, and I've exhausted all the ideas I can think of to try. Is there something I'm missing to allow the VPN to connect?

Hello rtv-it,

Welcome to the forum.

When connecting to the Server 2016 hosted VPN, are you connecting from another client device directly to the 2016 Server? If so, do you have any other VPNs running? Do you have the port for the VPN to the server open when you have the firewall filtering traffic?

It may be worth running a packet capture from the router's support.cgi page when the VPN can connect to see what ports it's using to connect, and make sure you have that port open on the Balance's firewall.


What type of VPN are you using? Assumedly L2TP over IPsec?
If so you'd need to forward 1701 TCP and 500 UDP.
You need to make sure IPsec NAT-T is enabled in Network | Misc Settings > Service Passthrough.
You want to make sure Remote User Access on the Balance One is not enabled (or at least that you're not trying to use L2TP and IPsec on the Balance One at the same time as using it on the Windows server).


Thanks! Sorry I wasn't more specific in the post, but I'm connecting via laptop > Server through the Balance One. No other VPNs are running. Thanks for the info about how to do a network capture; I was hoping to see more in the event log, but it only shows activity when the VPN is connected (after disabling the firewall). I did a capture, but the files seem to be in a proprietary format?

Thanks! Honestly not sure on the type; I'm using Routing and Remote Access on Server 2016, and can't find where it says what type or any way to change it. When I could get it to connect (with the firewall down), I was using PPTP, so I guess that one?

OK, so for PPTP you need to open / port forward 1723 TCP and protocol 47 (GRE).
I assume you are port forwarding to the server, right?


Correct, those have already been done: access rules on the firewall and ports forwarded to the server. I just connected again when I allow all incoming traffic, but with it set to the default with only those ports open, it won't connect.

Can you share a screenshot showing the current firewall ruleset please.


FYI I am asking for information on the firewall rules as you don’t typically need to add any rules to make port forwarding work.

Otherwise you need to do a network capture, filter by the source IP of the device that is trying to connect, and see what traffic is getting blocked by the firewall so you can add the needed port forwarding rules.


The capture should be a standard .pcap file. Wireshark is probably the most common program used to review pcap files, but you can also use Netresec NetworkMiner, WinDump, tcpdump, and I'm sure other programs exist.

I would recommend Wireshark.


Here are the current settings, which block connecting; if I turn the Default to allow all, I can connect, then turn it back to block but remain connected. I just tried removing the inbound rules I had added, leaving just the port forwarding set up, and it still won't connect. Trying the network capture again. Thank you!

Ah yes, I haven't used that in a while; I have it on my PC, but not on the server where the capture was done. I ran a capture and opened it successfully, seeing mostly UDP ports 65305 > 56593? How do you tell what's getting blocked? Thanks for your help!

Change the default rule to allow, add a new rule above it of any-to-any deny all, and then turn on event logging on the new deny all rule. That will show you what's being blocked. Even better, set the deny rule to just deny traffic from the remote IP you are connecting from with the VPN client, which will give you fewer event logs to process.


Great idea, I was wondering how to get more to show up in the event log! So it's blocking the connection on port 1723, even though it's still open in the firewall and port forwarded to the server:

DST= LEN=52 TOS=0x00 PREC=0x00 TTL=123 ID=16642 DF PROTO=TCP SPT=50481 DPT=1723 WINDOW=17520 RES=0x00 SYN URGP=0 MARK=0xb

Current firewall rules:

So confused, but at least getting closer, thanks so much for your help!

The source port should be any in the rule, as you have no control over what port the VPN requests leave the remote client on. E.g. in the log we can see it's leaving on port 50481.

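To make the source-port point concrete, here is an added Python example (not code from the thread or from Peplink) that parses event-log lines in the key=value format quoted above and runs them through a small first-match ruleset: a rule that pins the source port to 1723 rejects the quoted SYN, while a rule with source port any accepts it. The first-match semantics, both rulesets, and every sample log line except the one quoted in the thread are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample log lines in the key=value style of the router event log.
# The first is the line quoted in the thread; the other two are made up
# (a GRE packet, protocol 47, which carries no ports, and an SSH SYN).
SAMPLE_LOGS = [
    "DST= LEN=52 TOS=0x00 PREC=0x00 TTL=123 ID=16642 DF PROTO=TCP SPT=50481 DPT=1723 WINDOW=17520 RES=0x00 SYN URGP=0 MARK=0xb",
    "DST= LEN=60 TOS=0x00 PREC=0x00 TTL=123 ID=16650 DF PROTO=47 MARK=0xb",
    "DST= LEN=52 TOS=0x00 PREC=0x00 TTL=123 ID=16700 DF PROTO=TCP SPT=50482 DPT=22 WINDOW=17520 RES=0x00 SYN URGP=0 MARK=0xb",
]

def parse_log(line):
    """Turn KEY=VALUE tokens into a dict; bare flags such as DF or SYN become True."""
    fields = {}
    for tok in line.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        else:
            fields[tok] = True
    return fields

@dataclass
class Rule:
    proto: str                 # "TCP", "UDP", "47" (GRE) or "any"
    src_port: Optional[int]    # None means any source port
    dst_port: Optional[int]    # None means any destination port
    action: str                # "allow" or "deny"

    def matches(self, pkt):
        if self.proto != "any" and pkt.get("PROTO") != self.proto:
            return False
        if self.src_port is not None and int(pkt.get("SPT", -1)) != self.src_port:
            return False
        if self.dst_port is not None and int(pkt.get("DPT", -1)) != self.dst_port:
            return False
        return True

def evaluate(rules, default, line):
    """First-match evaluation (assumed here; check your own device's semantics)."""
    pkt = parse_log(line)
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default

# Hypothetical ruleset with the mistake discussed: source port pinned to 1723.
WRONG = [Rule("TCP", 1723, 1723, "allow"), Rule("47", None, None, "allow")]
# Corrected ruleset: any source port, destination 1723 TCP, plus GRE (protocol 47).
RIGHT = [Rule("TCP", None, 1723, "allow"), Rule("47", None, None, "allow")]
```

Feeding the deny-rule event log through `evaluate` with your real rules reproduces the check the router performs, so the first packet that comes back as the default action is the one to look at.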

Well, I feel a bit ignorant, but it works! I assumed both ends would be using the same port to create a tunnel. So one last question: leaving a rule with source as any/any to one port on the destination is OK security-wise? Maybe I'm just thinking about it wrong, but this seems like it's basically allowing all incoming TCP connections? Thanks again for all your help; of course it was something this basic, I guess I really need a refresher on some of this stuff.

It's an easy mistake to make. Services listen on specific ports for inbound connections. Outbound connections to those services can come from pretty much any port. This of course means that you can create multiple outbound sessions to many VPN servers (and any other service, like web servers) at the same time, which is useful.

Security is about reducing your attack surface and then layering authentication / protection. The attack surface on this rule is a single port that at the application layer needs to be authenticated before an outside actor can do anything interesting.

However, if someone compromised the internal server, disabled the VPN and used port 1723 on that server to host another service (SSH, FTP, etc.), then yes, that service could talk to any IP on any port and is a risk, but a manageable one, I would think (keep the Windows server updated, restrict access to it, etc.).


Makes sense, thanks for the explanation, and thanks again for all your help!