PPTP VPN won't connect to server with firewall enabled on router

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2015-07-23 12:02:19
Region : New Zealand

Model : TD-W8980

Hardware Version : V1

Firmware Version : 0.6.0 1.7 v000e.0 Build 140919 Rel.52176n


We have the N600 (model TD-W8980) wireless modem.

We can set port forwarding on port 1723 to our Windows Server and successfully make a PPTP VPN connection from outside the LAN when the N600 firewall is off. However, when we turn the firewall on, the VPN is not successful - even though we allowed a rule for port 1723.

It looks to me that this is because GRE is not passed through when the firewall is enabled. The VPN connection gets to the point 'Verifying username and password' but fails to complete the connection.

I cannot see anywhere in the firewall rules where GRE can be allowed through the firewall as it only allows you to specify TCP/UDP ports.

Please help. If we can't enable the firewall we will have to replace the modem.
#1
Re:PPTP VPN won't connect to server with firewall enabled on router
2015-07-23 17:15:18
Hardware version and firmware version of your W8968?
Can you provide a screenshot of firewall page when it is enabled? What is the topology?
#2
Re:PPTP VPN won't connect to server with firewall enabled on router
2015-07-24 07:32:14
I've just updated the hardware and firmware versions in my original post. I'm not sure why they didn't come through originally - I was sure I had entered them:

Hardware Version : V1
Firmware Version : 0.6.0 1.7 v000e.0 Build 140919 Rel.52176n

The VPN server is on IP address 10.0.0.2 on the LAN, and I have forwarding rules and firewall rules for port 1723 to 10.0.0.2. I can establish the VPN connection from outside the LAN when the firewall is off fine - it's only when it's turned on there's a problem.

Here are my firewall settings (the IPV4 Firewall Rules and LAN Host pages) with the firewall turned off:





When I turn it on (the tick box), everything works fine except for the inbound PPTP VPN connection. I can Telnet to the server on port 1723 ok, but the PPTP connection just hangs for a while on 'Verifying user name and password', then comes back with the following error:





This suggests to me that GRE is passed through when the firewall is turned on. I'm not sure I can even do this since the firewall rules only give the option of TCP/UDP ports.

Thanks.
#3
Re:PPTP VPN won't connect to server with firewall enabled on router
2015-07-24 16:11:41
According to the error message, you should contact your ISP. And it seems that firewall settings related to GRE protocol are not configured properly...
#4
Re:PPTP VPN won't connect to server with firewall enabled on router
2015-07-24 17:11:28

Mavis wrote

According to the error message, you should contact your ISP. And it seems that firewall settings related to GRE protocol are not configured properly...

I can't see how it can have anything to do with the ISP. The PPTP connection works when the TD-W8980 firewall is off - it's only when the firewall is on that it won't.

So it's the TD-W8980 firewall that's the problem. As a device it seems that the TD-W8980 does PPTP passthrough - but only when the firewall is off. When the firewall is on I can open port 1723, but it seems to still be blocking GRE protocol.

It seems to me that this is something that needs to be addressed in a firmware update.
#5
Re:PPTP VPN won't connect to server with firewall enabled on router
2015-07-27 12:10:56
I've found another thread that indicates the same problem with the same modem:

http://forum.tp-link.com/showthread.php?79971-TD-W8980-PPTP-Passthrough-with-firewall
"On a TD-W8980 PPTP passthrough works fine when the firewall is disabled. When I enable the firewall and an IPv4 Firewall rule to allow port 1723 IN it does not work."

Definitely a problem with the modem that needs to be addressed in a firmware update.
#6
Re:PPTP VPN won't connect to server with firewall enabled on router
2015-07-27 16:48:52
The same problem indeed. You should have read the explanation on #2 in that post, right?
Well, it is a mechanism issue, not a bug... To ensure VPN passthrough works, after we enable Firewall, we cannot use deny mode. Can you configure some proper allow rules and test if it works?
#7
Re:PPTP VPN won't connect to server with firewall enabled on router
2015-07-27 17:48:59

Tony Seaford wrote

The same problem indeed. You should have read the explanation on #2 in that post, right?
Well, it is a mechanism issue, not a bug... To ensure VPN passthrough works, after we enable Firewall, we cannot use deny mode. Can you configure some proper allow rules and test if it works?

Thanks for your comment, but what firewall 'allow' rules can I configure? There's no option to allow GRE as the firewall only allows TCP/UDP ports - GRE is a protocol.

When you say "after we enable Firewall, we cannot use deny mode" - there would be no point having the firewall enabled with a default 'allow' rule for everything to allow PPTP VPN. Wouldn't that be the same as having the firewall disabled?

I haven't had this problem with other modems I have used (e.g. Zyxel) which pass GRE through with the firewall enabled.
#8
PPTP VPN won't connect to server with firewall enabled on router
2015-10-20 03:01:36
Just come late to this thread with exactly the same problem: PPTP blocked if default firewall action is set to Deny

Got round it by changing the default firewall action (and my mindset:)) to Allow

I rely on the Virtual Server (aka port forwarding?) to only pass through certain services: SMTP, SSL, PPTP, RDP

For RDP, I create a LAN host (192.168.5.3, 3389) and put in a firewall rule to allow access from one particular WAN host that I set up (secureremoteIP1)* followed, further down the firewall list, by a Deny rule from All WAN hosts to access the same LAN host
For SMTP, SSL and PPTP, I put in rules that allow access from All WAN hosts even though I don't technically need to

Checking with GRC's Shields Up gives the expected results


* add in additional Allow rules for more secure remote IPs

dave2ic wrote

Thanks for your comment, but what firewall 'allow' rules can I configure? There's no option to allow GRE as the firewall only allows TCP/UDP ports - GRE is a protocol.

When you say "after we enable Firewall, we cannot use deny mode" - there would be no point having the firewall enabled with a default 'allow' rule for everything to allow PPTP VPN. Wouldn't that be the same as having the firewall disabled?

I haven't had this problem with other modems I have used (e.g. Zyxel) which pass GRE through with the firewall enabled.
#9
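
Added example (not part of the thread and not TP-Link's firmware logic): a minimal Python model of a firewall whose rules can only name TCP/UDP ports, showing why a rule for port 1723 admits the PPTP control connection but can never match the GRE (IP protocol 47) data packets. The rule model, the packet bytes and the 203.0.113.5 source address are constructed for illustration; 10.0.0.2 is the VPN server address given in the thread.

```python
import socket
import struct

TCP, UDP, GRE = 6, 17, 47  # IANA IP protocol numbers

def ipv4(proto, payload, src="203.0.113.5", dst="10.0.0.2"):
    """Build a minimal IPv4 packet (constructed sample, checksum left at 0)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def classify(pkt):
    """Return (ip_protocol, destination_port_or_None) for a raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4          # header length in bytes
    proto = pkt[9]                     # protocol field of the IPv4 header
    if proto in (TCP, UDP):
        return proto, struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    return proto, None                 # GRE has no port field to match on

def verdict(pkt, allow_rules, default):
    """An allow rule is (protocol, port); unmatched packets get the default."""
    proto, port = classify(pkt)
    for rule_proto, rule_port in allow_rules:
        if proto == rule_proto and port == rule_port:
            return "allow"
    return default

# Constructed samples: TCP SYN to the PPTP control port, and a PPTP
# enhanced-GRE data packet (version 1, protocol type 0x880B, call ID 1).
tcp_1723 = ipv4(TCP, struct.pack("!HHIIBBHHH",
                                 50000, 1723, 0, 0, 0x50, 0x02, 8192, 0, 0))
gre_data = ipv4(GRE, struct.pack("!BBHHHI", 0x30, 0x01, 0x880B, 0, 1, 0))

def results(default):
    """Verdicts for (control packet, GRE packet) under a given default action."""
    allow_rules = [(TCP, 1723)]        # all that a port-only rule form can say
    return (verdict(tcp_1723, allow_rules, default),
            verdict(gre_data, allow_rules, default))

if __name__ == "__main__":
    print("default deny :", results("deny"))
    print("default allow:", results("allow"))
```

With the default action set to deny, the control connection on port 1723 is accepted while the GRE packet is dropped, which is the state in which the client stalls at 'Verifying user name and password'.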