How do I enable Internet Protocol 47 (Generic Routing Encapsulation) on a Netgear N600 router?

3

1

I'm trying to create a home VPN on Windows 10 using a Netgear N600 router.

All goes well, setting up the host and client, up until connection time. I receive an error that states the host is not configured to accept GRE (Generic Routing Encapsulation) packets on Internet Protocol 47. It says that opening IP 47 might help. But how does one do that? I can't find any setting within the router to open it. Is this a port, and therefore can it be port forwarded? (I'm guessing that it is not a port because port forwarding 47 did not make any change.)

hmc_jake

Posted 2015-08-09T01:41:54.127

Reputation: 133

Answers

1

No, it's not a port. It's one layer down from that. It's an IP Protocol Number. For example, TCP is IP Protocol Number 6 and UDP is 17.

If the admin UI for your router doesn't mention protocol number forwarding anywhere, try making your VPN server the "DMZ host" or "Default Server". Different products call it different things, but it basically lets you specify one machine on the private LAN side of your router to which your router will forward all new incoming traffic that the router doesn't know what to do with (that is, that it doesn't already have a static or dynamic mapping for). Most routers I've worked with will forward packets with unknown IP protocol numbers to the DMZ host.

Note that GRE is used for PPTP-style VPNs, so see if any of your router's PPTP VPN gateway/pass-through features/settings can help or hinder you.

Spiff

Posted 2015-08-09T01:41:54.127

Reputation: 84 656

Won't setting my computer as the DMZ create a security hazard? – hmc_jake – 2015-08-09T02:36:30.900

Interesting! Setting the host as DMZ allowed the connection to complete. However, everything I've heard about DMZ has been very bad. Is keeping this set a bad thing? – hmc_jake – 2015-08-09T02:38:52.397

@hmc_jake Connecting a machine to the Internet without a firewall is risky, yes. So run a personal firewall software package on that machine to make up for the fact that your router isn't acting as a firewall for it anymore. – Spiff – 2015-08-09T04:25:01.300

@hmc_jake BTW, just to confirm, is your VPN a PPTP VPN? If so were you already forwarding TCP port 1723 to the VPN server? Because PPTP needs that too. If you weren't already forwarding it, that could have been your problem, and the error message may just have been misleading. Also, some routers are smart about PPTP VPN servers behind the router, and know to forward GRE to the host getting 1723/TCP. Or with a more advanced router or aftermarket Linux-based firmware distro, you can write smarter firewall rules yourself. – Spiff – 2015-08-09T04:35:04.547

Yes, it is PPTP, and yes, I had port forwarded 1723 on both the router and system. Apparently the router has no VPN settings at all. So I suppose setting it as DMZ is all I can do. Also, does the connection being used have any effect on whether or not you can connect to a VPN? (Slightly off-topic, but still slightly on.) – hmc_jake – 2015-08-09T04:43:35.370
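An added example, not part of the original answer or comments: it reads the IP Protocol Number field from constructed packets and models why a port-forward rule for "47" never matches GRE while the DMZ host fallback does. The addresses, the sample packets and the `route_inbound` decision model are assumptions for illustration; a real router's logic may differ.

```python
import struct

VPN_SERVER = "192.168.1.10"   # hypothetical LAN address of the PPTP server

def build_ipv4(proto, payload):
    """Constructed sample: minimal 20-byte IPv4 header (checksum left at 0)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         64, proto, 0,
                         bytes([203, 0, 113, 5]), bytes([198, 51, 100, 7]))
    return header + payload

def classify(packet):
    """Return (ip_protocol_number, dest_port or None) for an IPv4 packet."""
    ihl = (packet[0] & 0x0F) * 4      # IPv4 header length in bytes
    proto = packet[9]                 # IP Protocol Number field
    if proto in (6, 17):              # TCP and UDP begin with src/dst ports
        _, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        return proto, dport
    return proto, None                # GRE (47) carries no port fields

def route_inbound(packet, port_forwards, dmz_host=None):
    """Assumed model of a home NAT router handling new inbound traffic."""
    proto, dport = classify(packet)
    if dport is not None and (proto, dport) in port_forwards:
        return port_forwards[(proto, dport)]
    return dmz_host                   # None means the packet is dropped

# Constructed packets: PPTP control (TCP 1723) and a PPTP-style GRE header
# (flags/version 0x3001, protocol type 0x880B, then filler bytes).
TCP_1723 = build_ipv4(6, struct.pack("!HH", 50000, 1723) + bytes(16))
GRE_PKT = build_ipv4(47, struct.pack("!HH", 0x3001, 0x880B) + bytes(8))

# Port forwards as configured in the question: 1723/TCP, plus "port 47",
# which only creates TCP and UDP rules and cannot match protocol 47.
FORWARDS = {(6, 1723): VPN_SERVER, (6, 47): VPN_SERVER, (17, 47): VPN_SERVER}

def demo():
    return {
        "control channel": route_inbound(TCP_1723, FORWARDS),
        "GRE, port forwards only": route_inbound(GRE_PKT, FORWARDS),
        "GRE, DMZ host set": route_inbound(GRE_PKT, FORWARDS, VPN_SERVER),
    }

if __name__ == "__main__":
    for case, target in demo().items():
        print(f"{case}: {target or 'dropped'}")
```

The same model shows the cost raised in the comments: with a DMZ host set, every unmatched inbound packet reaches that machine, which is why a host firewall on it matters.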