Visitor (2 Messages)

Tuesday, February 7th, 2023 2:43 AM

Closed

PPTP - Enable GRE protocol using xfinity mobile app

To get PPTP to work, I understand you need to run two steps in the xfinity mobile app:

1. Port forward 1723/tcp (I figured out how to do that).
2. Enable the GRE protocol

How do you enable the GRE protocol in the xfinity mobile app?
Past forum posts show how to do this in the web app, but the web app is no longer an option.

Thanks.

PS: I will use PPTP at my own risk (for historical purposes and educational use)
and I understand OpenVPN is the recommended choice for most users.
However I am still interested in using PPTP for educational and retro computing purposes.

Problem Solver (1.5K Messages), 2 years ago

There's nothing magical about GRE protocol, other than you're adding extra data to the headers.  You're still TCP.  If the port is open, it's open.  If the crippled Xfinity app isn't opening the port, it won't work.  Try a portscan with nmap to port 1723 from somewhere else (phone hotspot....other network) and see if you can even get something other than "filtered" for a response.  ONLY scan one port at a time.  Firewall software may block the source if you hit more than one port, or sweep them.

You can run into a problem with MTU over 1500.  You will be at 1,524 unless you are shortening payload, otherwise you've got a reassembly problem and bad performance.  Set the payload to 1436 to accommodate the extra headers -- but that's just optimization, not functionality.

(edited)

Visitor (2 Messages)

@flatlander3 Thanks for the various tips!

To create a test environment, I have segmented my network with another router+firewall unit. I am able to PPTP to my private network from inside successfully, so at least I know I have a working PPTP/GRE setup with 2 firewalls between my 2 networks (gateway firewall and the default client windows firewall).

From the outside, I tested "dangerously" and I turned off all firewalls.
Then I tested again with all firewalls back on.

Unfortunately from the outside I get the same failed results:

Verifying username and password
Error 721: Remote PPP peer is not responding

PPP was attempted but the remote computers did not respond.

So that same 721 error shows up even with all firewalls turned off.

From my RRAS server, I was running netstat and I do see Active Connections:

Proto  Local Address  Foreign Address           State
TCP     myserver:1723 172.59.129.175:35171  ESTABLISHED

So it looks like some type of dial-tone is making it to my RRAS server.

As for the MTU over 1500 suggestion, I did some googling and found that I can change the MTU size through the registry:
https://learn.microsoft.com/en-us/troubleshoot/windows-client/networking/change-default-mtu-size-for-ppp-vpn-connection

I'd like to try this as a last resort. Not sure if I'm up to editing the registry directly.
I'm also hesitant because I got PPTP working internally, the only difference being the xfinity router when trying to get this to work from the outside.

I also tried using the Xfinity router DMZ feature instead of Xfinity port forwarding 1723/tcp but I get the same results: "Error 721"

Problem Solver (1.5K Messages)

@user_58cb69 You're not quite boned yet.  One more if you don't want to test the regedit.

It's been quite some time since I've tried PPTP.  You are also battling modern firmware that may see type 47 packets as frags or runts.  Or perhaps broken TCP, although the checksum should actually match ok.  Dunno for sure on how packet assembly would work these days.

Try hooking the server up directly to the gateway/modem and put the gateway in bridge mode.  Reboot both the gateway/modem and your server then.  Your PPTP server gets the external IP address so it's running bare naked.  No port forward involved.  Yeah, that disables wifi on your gateway -- everything else too.  Its IP will probably end up being 192.168.100.1 then or factory default to change it back to gateway mode when you are done.

Yep.  You are really old skool at that point, but it may show you if your local and remote connection could possibly work -- if you had other equipment.  Maybe your solution is buying a straight modem, and doing the firewall with something else.  Pfsense/opnSense/linux as a front end, etc.  Do your WiFi with something else.  BSD and Linux can both do GRE.  Linux is probably easier with IPTABLES rules for your PPTP and you should find a lot of info out there in legacy linux land.  Might even be in the kernel by default, so you don't need to load a module but don't know for sure.

This stuff is pretty old.
