IX. NAT Related Features

FTP, PPTP and IPsec VPN PassThrough on DrayTek Routers

Products:
Vigor 2620Ln
Vigor 2760
Vigor 2762
Vigor 2765

Keywords:
ALG
Application Layer Gateway
FTP
IPsec

DrayTek Vigor routers have a number of built-in services, such as IPsec, PPTP and FTP servers, that are operated internally by the router. When a server on your LAN is to provide one of these services instead, the router's built-in service must be turned off so that the traffic can pass through to the LAN server, for instance IPsec pass-through to a Windows Server operating as a VPN server.

To perform pass-through of these services, the router utilises internal Application Layer Gateways (ALGs), which handle the routing of specific services that are otherwise difficult to route from the Internet, through the router's NAT, to the LAN server and back out again.

These ALG services are:

Service   Port             ALG
PPTP      1723/TCP         Protocol 47 (GRE)
IPsec     500, 4500/UDP    Protocol 50 (ESP)
FTP       21/TCP           FTP data port

Some protocols, such as GRE and ESP, cannot be specified when setting up port forwarding because of the way they operate: they carry no port numbers at all, so a port-based NAT rule has nothing to match on. The router is therefore designed to understand the connection process of FTP, PPTP and IPsec connections and to route the GRE, ESP and FTP data packets accordingly.
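To make the point above concrete, here is a small, added example (not DrayTek's code) that parses constructed IPv4 packets and reports what a port-forwarding rule could actually match. TCP and UDP packets expose a destination port; GRE (protocol 47) and ESP (protocol 50) have no port field, so only an ALG that has tracked the PPTP or IKE control session can associate them with the right LAN server. The packet builder, the sample packets and the ALG_SERVICES table are this example's own assumptions.

```python
import struct

PROTO_TCP, PROTO_UDP, PROTO_GRE, PROTO_ESP = 6, 17, 47, 50
PROTO_NAMES = {PROTO_TCP: "TCP", PROTO_UDP: "UDP", PROTO_GRE: "GRE", PROTO_ESP: "ESP"}

# Control ports from the article, mapped to the service whose companion
# protocol (GRE or ESP) only the ALG can route. FTP's companion is the
# in-band negotiated data connection rather than a separate IP protocol.
ALG_SERVICES = {
    ("TCP", 1723): "PPTP",
    ("UDP", 500): "IPsec",
    ("UDP", 4500): "IPsec",
    ("TCP", 21): "FTP",
}


def build_ipv4(proto, src, dst, payload):
    """Build a minimal IPv4 header (no options, checksum left at zero) for test packets."""
    total_len = 20 + len(payload)
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0, src_b, dst_b)
    return header + payload


def classify(packet):
    """Describe what a port-based NAT rule can see in one IPv4 packet.

    Returns a dict with the IP protocol name, the destination port (None when the
    protocol has no ports), whether a port-forwarding rule could match it, and the
    pass-through service it belongs to, if any.
    """
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    proto = packet[9]                     # IPv4 protocol field
    name = PROTO_NAMES.get(proto, f"proto-{proto}")
    result = {"protocol": name, "dst_port": None, "port_forwardable": False, "alg_service": None}
    if proto in (PROTO_TCP, PROTO_UDP):
        # Both TCP and UDP start with 16-bit source and destination ports.
        _sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        result["dst_port"] = dport
        result["port_forwardable"] = True
        result["alg_service"] = ALG_SERVICES.get((name, dport))
    elif proto == PROTO_GRE:
        # GRE header: flags/version then protocol type; no ports anywhere.
        result["alg_service"] = "PPTP"
    elif proto == PROTO_ESP:
        # ESP header: SPI then sequence number; again no ports to match on.
        result["alg_service"] = "IPsec"
    return result


# Constructed sample packets (documentation addresses, not real hosts).
_WAN_CLIENT, _ROUTER_WAN = "203.0.113.5", "198.51.100.1"
SAMPLE_PACKETS = {
    "pptp_control": build_ipv4(PROTO_TCP, _WAN_CLIENT, _ROUTER_WAN,
                               struct.pack("!HH", 40000, 1723) + b"\x00" * 16),
    "gre_tunnel": build_ipv4(PROTO_GRE, _WAN_CLIENT, _ROUTER_WAN,
                             b"\x30\x01\x88\x0b" + b"\x00" * 4),
    "ike": build_ipv4(PROTO_UDP, _WAN_CLIENT, _ROUTER_WAN,
                      struct.pack("!HHHH", 500, 500, 8, 0)),
    "esp": build_ipv4(PROTO_ESP, _WAN_CLIENT, _ROUTER_WAN,
                      struct.pack("!II", 0x12345678, 1) + b"\x00" * 8),
    "https": build_ipv4(PROTO_TCP, _WAN_CLIENT, _ROUTER_WAN,
                        struct.pack("!HH", 40001, 443) + b"\x00" * 16),
}

if __name__ == "__main__":
    for label, pkt in SAMPLE_PACKETS.items():
        print(f"{label:13s} {classify(pkt)}")
```

Running the block shows that the PPTP control packet (TCP 1723) and IKE (UDP 500) are matchable by an Open Ports rule, while the GRE and ESP packets report no destination port at all, which is exactly why the router forwards protocols 47 and 50 automatically once the control port is forwarded.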

To set up the port forwarding for these services to your LAN server, go to [NAT] > [Open Ports] and set up a profile for the server that the services will be routed to:

  • PPTP: TCP 1723 (the router will also forward GRE protocol 47 automatically)
  • L2TP: UDP 1701
  • IPsec: UDP 500 and UDP 4500 if NAT-T is used (the router will also forward ESP protocol 50 automatically)

Once the port forwarding is configured for the required service, the router's internal services need to be disabled to allow these ports to be forwarded to the LAN server.

Disabling a DrayTek Router's FTP service

To disable the FTP server on the router, go to the [System Maintenance] > [Management] menu and check whether "Allow management from the Internet" is enabled.

Allow management from the Internet is not enabled: No change is required. Your LAN's FTP server will be accessible from the Internet and the router's FTP-ALG will help it to route FTP packets.
Allow management from the Internet is enabled: Ensure that the FTP Server option is unticked, which will enable the FTP-ALG for the FTP server on your LAN.

When changing settings on this page, click OK and the router will prompt to restart to apply the changes. Click OK again to restart the router and apply that change.

Disabling a DrayTek Router's IPsec & PPTP services

To disable the IPsec or PPTP server on the router, go to the [VPN and Remote Access] > [Remote Access Control] menu.

Enable PPTP VPN Service
Uncheck this to allow your LAN server to respond to PPTP connections, with assistance from the router's ALG for PPTP.
Enable IPSec VPN Service
Uncheck this to allow your LAN server to respond to IPsec connections, with assistance from the router's ALG for IPsec.

Click OK to save and apply changes, which will require the router to restart for changes to take effect.

Enabling IPsec Passthrough

IPsec passthrough can be enabled or disabled via a CLI command. On some models it is disabled by default, because IPsec passthrough is not compatible with the NAT-T support of the router's internal VPN server. DrayTek's NAT-T support allows remote VPN clients that are behind a NAT router to connect via VPN more easily.

There is a CLI (SSH/Telnet) command to enable IPsec passthrough: srv nat ipsecpass on. If IPsec passthrough is enabled with this command, the NAT-T support of DrayTek's internal VPN server is disabled.
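The steps from [NAT] > [Open Ports] onwards form one checklist, and it is easy to forward the ports but forget to switch off the matching built-in service, or to enable IPsec passthrough without realising it costs the router's own NAT-T support. The following added example (not DrayTek's code) encodes that checklist as a configuration check over a plain dictionary describing the router state; the field names, the sample states and the inclusion of TCP 21 in the forwarded ports for FTP are this example's own assumptions.

```python
# Hypothetical router-state checker for the pass-through procedure described
# in the article. Field names are this example's own, not DrayTek's.

REQUIRED_PORTS = {
    "FTP": [("TCP", 21)],          # assumed: the FTP control port forwarded to the LAN server
    "PPTP": [("TCP", 1723)],       # GRE/47 follows automatically via the ALG
    "L2TP": [("UDP", 1701)],
    "IPsec": [("UDP", 500)],       # ESP/50 follows automatically via the ALG
}


def check_passthrough(state):
    """Return {service: [problems]} for FTP, PPTP, L2TP and IPsec pass-through.

    An empty list means the LAN server for that service should be reachable
    from the Internet according to the article's rules.
    """
    forwarded = set(state.get("open_ports", []))
    problems = {svc: [] for svc in REQUIRED_PORTS}

    for svc, ports in REQUIRED_PORTS.items():
        for proto, port in ports:
            if (proto, port) not in forwarded:
                problems[svc].append(f"{proto} {port} is not forwarded under [NAT] > [Open Ports]")

    # FTP: the router's own FTP server only gets in the way when it is
    # exposed by "Allow management from the Internet".
    if state["mgmt_from_internet"] and state["router_ftp_server"]:
        problems["FTP"].append("untick FTP Server under [System Maintenance] > [Management] so the FTP-ALG serves the LAN server")

    # PPTP / IPsec: the built-in VPN services must be unchecked.
    if state["router_pptp_service"]:
        problems["PPTP"].append("uncheck Enable PPTP VPN Service under [VPN and Remote Access] > [Remote Access Control]")
    if state["router_ipsec_service"]:
        problems["IPsec"].append("uncheck Enable IPSec VPN Service under [VPN and Remote Access] > [Remote Access Control]")

    # IPsec extras: UDP 4500 for clients behind NAT, and the CLI passthrough switch.
    if state.get("nat_t_clients") and ("UDP", 4500) not in forwarded:
        problems["IPsec"].append("clients behind NAT also need UDP 4500 forwarded")
    if not state["ipsecpass"]:
        problems["IPsec"].append("run 'srv nat ipsecpass on' (this disables NAT-T for the router's own VPN server)")
    return problems


def passthrough_ok(state, service):
    """True when the given service has no outstanding problems."""
    return not check_passthrough(state)[service]


# Constructed sample states.
GOOD_STATE = {
    "open_ports": [("TCP", 21), ("TCP", 1723), ("UDP", 1701), ("UDP", 500), ("UDP", 4500)],
    "mgmt_from_internet": True,
    "router_ftp_server": False,
    "router_pptp_service": False,
    "router_ipsec_service": False,
    "nat_t_clients": True,
    "ipsecpass": True,
}

# Ports forwarded, but every built-in service left on and passthrough off:
# the classic "I opened the ports, why does nothing reach the server?" case.
HALF_DONE_STATE = {
    "open_ports": [("TCP", 1723), ("UDP", 500)],
    "mgmt_from_internet": True,
    "router_ftp_server": True,
    "router_pptp_service": True,
    "router_ipsec_service": True,
    "nat_t_clients": True,
    "ipsecpass": False,
}

if __name__ == "__main__":
    for name, state in (("good", GOOD_STATE), ("half-done", HALF_DONE_STATE)):
        print(name)
        for svc, issues in check_passthrough(state).items():
            print(f"  {svc:6s} {'OK' if not issues else '; '.join(issues)}")
```

The half-done state reports, for IPsec alone, the missing UDP 4500 rule, the still-enabled built-in IPsec service and the passthrough switch being off, which matches the three separate places in this article where IPsec pass-through can silently fail.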
