L2TP through an Airport Extreme

Hi, I just bought an AirPort Extreme, which I connected to a public IP address and set up to act as firewall and DHCP server on my local network (AEBS is 10.0.1.1, my internal server with OD, DNS etc. is 10.0.1.2). The AEBS replaces an old and slow Belkin wifi router.
Everything seems to work, but I have a problem with VPN: I would like to connect from the internet to the internal server, but this appears to work only via PPTP, not via L2TP (and here in Italy there are ISPs which do not allow PPTP traffic, so I must get L2TP to work). I have set up port forwarding for 500, 1701, 4500 (all UDP) and 1723 (TCP).
As I said, connections via PPTP work fine, but L2TP requests are unsuccessful. If I do a port check from outside, I am told that 1723 is open, but the other three are closed. So, apparently, AEBS is ignoring my port forward settings on those three ports.
I have googled the issue a bit, and it appears to be common, but all the results refer to old postings. There are some suggestions to set the server as default host (effectively putting it in DMZ), but this does not work for me, and even if it did, it would not be acceptable from a security point of view.
So, does anyone know the final word on this issue? Is there no way at all to use an AEBS for L2TP passthrough?

Thanks
Chris

MacMini Server, Mac OS X (10.6.2)

Posted on Jan 29, 2010 2:31 AM


Feb 8, 2010 7:15 AM in response to zCRP

I am having a problem like this as well. Though I have not solved it yet, I have some guesses that I'm going to try next. If you look in the AEBS log, do you see any messages about the port forwarding? Mine shows a failure to set the forwarding for port 4500 with the annotation [refused]. I have forwarding set for 1701 and 500 as well, and they are not mentioned in the log at all. I also have other ports forwarded for other reasons, and they work fine.

Do you have Back to my Mac on your system? I do, and I believe that this is the conflict for port 4500. When I get a chance, I will either turn it off and retry the VPN server, or dig out another old system to run the VPN instead and see whether it works then.

Does any of this overlap with your conditions?

Feb 10, 2010 7:39 AM in response to Karl Puder

My log shows nothing about ports (tried various levels of verboseness). I did try to use outside tools to check if ports are open, like http://www.canyouseeme.org/. I first opened port 22, which is confirmed by canyouseeme, and I can ssh through the AEBS without problems. If I open the VPN related ports, canyouseeme tells me that the ports are closed. So, apparently, AEBS is not opening the ports even if I explicitly tell it to do so.
I also read about Back to my Mac using the same port as VPN (4500), but turning it off had no positive consequences.
I have since replaced the AEBS with another wifi router and everything works perfectly.
