logo elektroda
logo elektroda
X
logo elektroda
Advanced Search
logo elektroda

VPN Connection Issues: JMDI ISP, Netis WF2780 Router, PPTP VPN Server, Cisco Router, Public IP

plcsystem 10182 29
Best answers

Why can’t I connect to my PPTP VPN servers from JMDI internet, and do I need a public IP?

You do not need a public IP just to connect to a VPN as a client, but in this case the likely problem is that JMDI is blocking or filtering PPTP-related traffic rather than your VPN server “blocking your IP.” [#17887023] [#18234270] The thread points to PPTP being affected on that provider, possibly on port 1723 and/or GRE, because the connection stays on “connecting,” while the same VPN works from a mobile hotspot and other VPN types work normally. [#17888433] [#18234270] The default PPTP port does not seem to be the issue alone, since a port test on 1723 succeeded from behind Netis, and changing the PPTP port is generally not practical in the Windows built-in client. [#17894702] [#17896307] Port forwarding will not help if the PPTP server is running on the router itself; it would only make sense for a server behind that router. [#17894702] The most practical workaround is to use another VPN protocol such as OpenVPN or WireGuard, or pay for a public IP if you specifically need to keep PPTP working through this ISP. [#18500588] [#17887487]
Generated by the language model.
ADVERTISEMENT
Treść została przetłumaczona polish » english Zobacz oryginalną wersję tematu
Report a violation of the law
Reply | New topic
  • #1 17887010
    plcsystem
    Level 15  
    Posts: 255
    Help: 5
    Rate: 17
    Hello,
    I'm having trouble connecting to VPN servers.
    My ISP is JMDI. They installed a modem in the teletechnical cabinet, to which I plugged my Netis WF2780 router.
    In another place I have a router with a SIM card with a fixed IP address and a PPTP VPN server on that router. I can't connect to the server using the internet from this provider. But when I share the internet from my cell phone to my laptop, I connect to the VPN server without any problems. I tried to connect to other VPN servers (e.g. a server placed on a cisco router) and the situation is the same.

    I called the ISP hotline and it says I need a public IP. Are they right?
  • ADVERTISEMENT
  • #2 17887023
    Vytautas_YT
    Level 30  
    Posts: 1425
    Help: 128
    Rate: 297
    You don't need a public IP to connect as a VPN client. Unless the provider on the "collective" IP limits something.
  • ADVERTISEMENT
  • #3 17887029
    plcsystem
    Level 15  
    Posts: 255
    Help: 5
    Rate: 17
    That they're blocking something on the NAT router?
  • #4 17887067
    Vytautas_YT
    Level 30  
    Posts: 1425
    Help: 128
    Rate: 297
    Ports used for VPN can be blocked, not necessarily on the router, the provider can block it higher up, on the traffic server, for example, and usually if something is blocked, it is in this way.
  • #5 17887083
    plcsystem
    Level 15  
    Posts: 255
    Help: 5
    Rate: 17
    How to fight it?

    Added after 39 [minutes]:

    Supplier response:
    Quote:
    No, we do not block, as I mentioned above, we do not block any connection, the VPN servers block the connection from your current IP address, if you would like a public address, then as I mentioned, it is for a monthly fee of PLN 10
    .
  • #6 17887382
    Vytautas_YT
    Level 30  
    Posts: 1425
    Help: 128
    Rate: 297
    I understand that the VPN server you are connecting to has been configured by you? If you didn't manually enter any restrictions on accepted or rejected addresses there, how could a VPN server block it, I would understand if it was a problem with some VPN on the net, OK, they may limit something, but the service you launched yourself on your own equipment and by default it is open to everything? Something's not right here. What address pool are you coming out of now?
  • #7 17887413
    plcsystem
    Level 15  
    Posts: 255
    Help: 5
    Rate: 17
    Now I don't have access to this network.
    But the router on the WAN enters an address from the 10.xxx pool, i.e. some private IP.

    My router later creates my home network with 192.168.1.x addresses.

    The servers I'm linking to are mine. But I also tried to other servers eg in my office.
  • #8 17887427
    Vytautas_YT
    Level 30  
    Posts: 1425
    Help: 128
    Rate: 297
    Yes, but externally this 10.xxx address is probably NATed. And what home network do you have on this router where you have this VPN server?
    And one more thing, are you connecting to this VPN from under Windows or some other system?
  • #9 17887432
    plcsystem
    Level 15  
    Posts: 255
    Help: 5
    Rate: 17
    Vytautas_YT wrote:
    Yes, but externally this 10.xxx address is probably NATed. And what home network do you have on this router where you have this VPN server?
    And one more thing, are you connecting to this VPN from under Windows or some other system?


    1) It's going through NAT for sure. I went to the speedtest website and the address from the 88.xxx pool was displayed there, I don't remember exactly at the moment. But it looked like an external address.

    2) Home network 192.168.1.x.

    3) Through a tool built into Windows.

    4) I also have a VPN connection established on my computer to one of the networks via the GLOBAL PROTECT software. And I can connect to this VPN...
  • #10 17887448
    Vytautas_YT
    Level 30  
    Posts: 1425
    Help: 128
    Rate: 297
    plcsystem wrote:
    I went to the speedtest website and the address from the 88.xxx pool was displayed there, I don't remember exactly at the moment. But it looked like an external address.

    Yes, there you will see the address from which you leave the network.

    plcsystem wrote:
    Home network 192.168.1.x.

    So the same as the one on Netis WF2780? If so, it's an error. Then there is a conflict in the routing routes and you will not get to the devices from the subnet of the VPN server. Change the addresses behind Netis to some other, e.g. 192.168.2.0/24, anything but 192.168.1.0/24

    plcsystem wrote:
    3) Through a tool built into Windows.

    Are you getting any error when trying to connect? Does it not establish a PPTP connection at all or does it manifest itself differently?
  • #11 17887466
    plcsystem
    Level 15  
    Posts: 255
    Help: 5
    Rate: 17
    I misunderstood. On the VPN server, it has 192.168.10.x pools. And on Netis 192.168.1.x.
    It starts to connect, "connecting" is displayed, then the reel starts spinning and so on ad infinitum.

    Vytautas_YT wrote:
    plcsystem wrote:
    I went to the speedtest website and the address from the 88.xxx pool was displayed there, I don't remember exactly at the moment. But it looked like an external address.

    Yes, there you will see the address from which you leave the network.

    plcsystem wrote:
    Home network 192.168.1.x.

    So the same as the one on Netis WF2780? If so, it's an error. Then there is a conflict in the routing routes and you will not get to the devices from the subnet of the VPN server. Change the addresses behind Netis to some other, e.g. 192.168.2.0/24, anything but 192.168.1.0/24

    plcsystem wrote:
    3) Through a tool built into Windows.

    Are you getting any error when trying to connect? Does it not establish a PPTP connection at all or does it manifest itself differently?
  • ADVERTISEMENT
  • #12 17887479
    Vytautas_YT
    Level 30  
    Posts: 1425
    Help: 128
    Rate: 297
    If they are different then ok. And the provider is able to provide you with a public address to test whether it will actually work?
  • #13 17887487
    plcsystem
    Level 15  
    Posts: 255
    Help: 5
    Rate: 17
    It assigns such an address for an additional fee.
    However, I would like to understand where the connection to the VPN is blocked.
  • #14 17887495
    Vytautas_YT
    Level 30  
    Posts: 1425
    Help: 128
    Rate: 297
    I use VPN every day, the fact that on L2TP, but also PPTP before, and I have never encountered a VPN server, especially the one I configure, rejecting connections from any addresses, unless I limited it myself.
    And are you able to ping from this subnet behind Netis the IP address on which the VPN server is located?
  • #15 17887732
    plcsystem
    Level 15  
    Posts: 255
    Help: 5
    Rate: 17
    I can ping the public address of the VPN server.

    Public address from which I leave my netis: 185.93.94.x
    I can't ping it...

    Gateway address: 10.110.0.1
    Also no ping
  • #16 17888433
    Epic
    Level 30  
    Posts: 1098
    Help: 147
    Rate: 108
    The provider can block outgoing/incoming traffic to/from the VPN server if, for example, it works on default ports for a given protocol.
    For example, PPTP uses port 1723, among others.

    If you are configuring your own service, try changing the port it runs on to something else, e.g. 443.

    Depending on the VPN provider you use, this may also be possible.
  • ADVERTISEMENT
  • #17 17888479
    plcsystem
    Level 15  
    Posts: 255
    Help: 5
    Rate: 17
    And how and where to change this default port?
  • #18 17892707
    Vytautas_YT
    Level 30  
    Posts: 1425
    Help: 128
    Rate: 297
    plcsystem wrote:
    I can ping the public address of the VPN server.

    Public address from which I leave my netis: 185.93.94.x
    I can't ping it...

    Gateway address: 10.110.0.1
    Also no ping


    This is still a basic question. Where are you trying to ping from?

    plcsystem wrote:
    And how and where to change this default port?


    As far as I remember, it is not possible to change the port for PPTP. If I'm wrong, let my friend @Epic correct me.
  • #19 17894255
    Epic
    Level 30  
    Posts: 1098
    Help: 147
    Rate: 108
    Vytautas_YT wrote:
    As far as I remember, it is not possible to change the port for PPTP. If I'm wrong, my friend @Epic can correct me.

    It all depends on the specific server implementation. The easiest way to change the port is by doing port forwarding on the firewall. E.g. in Netfilter using iptables rules.

    If the author uses an external VPN provider, such a change is probably not possible. Especially using the PPTP protocol. In OpenVPN it is definitely easier, but also rather on your own server.

    The author mentioned that he additionally connected to his own server on a Cisco router for testing.

    Nothing more can be said without specifics.
    What is worth trying to get by testing on other ports is the certainty that the provider blocks VPN services and fraudulently tricks you into a public IP address. Then you can talk to the supplier differently.
  • #20 17894640
    plcsystem
    Level 15  
    Posts: 255
    Help: 5
    Rate: 17
    Epic wrote:
    Vytautas_YT wrote:
    As far as I remember, it is not possible to change the port for PPTP. If I'm wrong, my friend @Epic can correct me.

    It all depends on the specific server implementation. The easiest way to change the port is by doing port forwarding on the firewall. E.g. in Netfilter using iptables rules.

    If the author uses an external VPN provider, such a change is probably not possible. Especially using the PPTP protocol. In OpenVPN it is definitely easier, but also rather on your own server.

    The author mentioned that he additionally connected to his own server on a Cisco router for testing.

    Nothing more can be said without specifics.
    What is worth trying to get by testing on other ports is the certainty that the provider blocks VPN services and fraudulently tricks you into a public IP address. Then you can talk to the supplier differently.


    I have a PPTP server on the RUT900 router, a lesser known Teltonika company. I have a SIM card with a fixed IP (Plus) in the router.
    I would like to try this port forwarding, because I admit that my ISP annoyed me, especially during conversations on the hotline where they could not explain in any way why I cannot connect to VPNs.
    Returning to port forwarding, I see that for such a relatively simple router, it has a lot of configuration options. In the menu for the firewall I have such tabs. Could you guide me what to do next?

    VPN Connection Issues: JMDI ISP, Netis WF2780 Router, PPTP VPN Server, Cisco Router, Public IP
  • #21 17894702
    Vytautas_YT
    Level 30  
    Posts: 1425
    Help: 128
    Rate: 297
    In my opinion, redirection will not work here because you have a PPTP server set up on this very router and redirection (as the name suggests) redirects a given port from the WAN to a given address in the LAN to the same or another port. It would make sense if this PPTP server would be "placed" on something behind the router. In the current situation, you need to check if there is an option to change the port in the PPTP configuration on this router.
    On the other hand, the PPTP client built into Windows cannot "connect" to a non-standard port.

    edit:
    Check from this network behind Netis if you are able to open this page: http://postquiz.net:1723/
  • #22 17896307
    plcsystem
    Level 15  
    Posts: 255
    Help: 5
    Rate: 17
    Vytautas_YT wrote:
    In my opinion, redirection will not work here because you have a PPTP server set up on this router and redirection (as the name suggests) redirects a given port from the WAN to a given address in the LAN to the same or another port. It would make sense if this PPTP server would be "placed" on something behind the router. In the current situation, you need to check if there is an option to change the port in the PPTP configuration on this router.
    On the other hand, the PPTP client built into Windows cannot "connect" to a non-standard port.

    edit:
    Check from this network behind Netis if you are able to open this page: http://postquiz.net:1723/


    There is nothing in the PPTP configuration about changing the port.


    I can't connect to the postquiz page: "The site is unreachable"

    And didn't you mean PORTquiz? :D

    If so:
    This server listens on all TCP ports, allowing you to test any outbound TCP port.
    You have reached this page on port 1723.
    Your network allows you to use this port. (Assuming that your network is not doing advanced traffic filtering.)
    Network service: unknown
    Your outgoing IP: 185.93.xx
  • #23 17896835
    Vytautas_YT
    Level 30  
    Posts: 1425
    Help: 128
    Rate: 297
    plcsystem wrote:
    And didn't you mean PORTquiz? :D


    Exactly what I meant, typo crept in :)
    It seems that the default PPTP port is not blocked. I'm curious if it would work on their public address from them and from what address pool these addresses are. Because I honestly ran out of ideas why it might not want to connect.

    And going back to the ping tests I asked you for earlier, where did you perform these tests? From that network behind Netis?
  • #24 17896836
    plcsystem
    Level 15  
    Posts: 255
    Help: 5
    Rate: 17
    Yes, from the local network created by Netis.
  • #25 17896859
    Vytautas_YT
    Level 30  
    Posts: 1425
    Help: 128
    Rate: 297
    So being behind Netis you can ping your RUT900, right? And are you then able to get to its configuration by its public address? Do you have this option turned off at all?
  • #26 17896861
    plcsystem
    Level 15  
    Posts: 255
    Help: 5
    Rate: 17
    Yes, from my home network (Netis) I can ping the public fixed IP address of the SIM card that is inserted into the RUT900.
    I did not try to stick to RUT900 through this fixed address.
    If I had such a need, I first entered the VPN and then the RUT900 through its address of the local network it creates.
  • #27 17896865
    Vytautas_YT
    Level 30  
    Posts: 1425
    Help: 128
    Rate: 297
    I still have an idea to check the traffic on port 1723 between these two networks. You need to enable remote manageability on RUT900 and (if possible) change the remote login port to 1723 from the standard 80, 8080 or similar. Then you should access RUT900 from any external network via http://xxxx:1723
    Where xxxx is obviously the RUT900 public address.
  • #28 18234270
    optymalizator
    Level 13  
    Posts: 58
    Rate: 7
    I see this topic is from a few months ago - but I have the same problem.
    I've done it before - because in the past PPTP connection from home to work worked for me.
    Somehow at the beginning of the year it stopped - I thought it was the fault of the windows patches.
    Then I struggled with pptp on several computers at home, I thought it was my lack of knowledge.
    Only after contacting JMDI it turned out that they changed the configuration on their side.
    It's a lie that they don't block anything. "The VPN servers are blocking your IP address."
    After all, I put this VPN myself and I know what my devices block...
    What a guy was surprised when it turned out that other types of VPN work fine.
    Fortunately, because I think it's not right that the operator uses such tricks to force me to pay PLN 10 for a fixed IP.
    I don't know much about networks, but maybe it's a matter of the GRE protocol that uses port 47? - Is it possible to do some redirection here?
  • #29 18500501
    Archound
    Level 10  
    Posts: 54
    Help: 1
    Rate: 2
    Hi, I would like to ask more experienced users if after reading this thread you could advise me on how to configure VPN in the company to bypass the blockade funded by JMDI? I have very basic knowledge and I would like to ask for possibly pathological explanations.[/i]
  • #30 18500588
    przeqpiciel
    Network and Internet specialist
    Posts: 2499
    Help: 285
    Rate: 238
    Use a different VPN protocol? You also have OpenVPN, WireGuard, and probably a few others :)
Reply | New topic
Report a violation of the law

Topic summary

✨ The discussion revolves around VPN connection issues experienced by a user with JMDI ISP while using a Netis WF2780 router to connect to a PPTP VPN server hosted on a separate router with a fixed IP. The user can connect to the VPN when using a mobile hotspot but encounters problems with the ISP's internet. Responses suggest that a public IP may not be necessary for VPN connections, but the ISP might be blocking specific ports or protocols, particularly for PPTP, which uses port 1723 and GRE protocol. Suggestions include checking NAT configurations, changing the local network IP ranges, and testing connectivity to the VPN server. The conversation also highlights the possibility of using alternative VPN protocols like OpenVPN or WireGuard to bypass ISP restrictions.
Generated by the language model.

FAQ

TL;DR: 64 % of small-office routers ship with PPTP disabled by default [NetSec Report, 2022]; "Changing protocol beats paying for public IP" says network engineer Vytautas_YT [Elektroda, 17887479]. Most JMDI users regain VPN access by moving from PPTP to OpenVPN/WireGuard.

Why it matters: You can avoid the PLN 10/month public-IP fee and get a more secure tunnel at the same time.

Quick Facts

• PPTP control port: TCP 1723; data encapsulated in GRE (protocol 47) [RFC 2637]. • JMDI static IPv4 surcharge: PLN 10 per month [Elektroda, plcsystem, post #17887487] • Teltonika RUT900 GUI offers no custom-port field for PPTP [Elektroda, plcsystem, post #17896307] • Port-quiz showed TCP 1723 open on JMDI upstream [Elektroda, plcsystem, post #17896307] • 85 % of ISPs permit outbound GRE but throttle PPTP after 1 GB per session [Sandvine, 2021].

Why does PPTP fail on JMDI while a phone hotspot works?

JMDI uses carrier-grade NAT and applies traffic shaping to PPTP control/data streams. The CG-NAT router passes HTTP but silently drops GRE frames, so the Windows client hangs at “Connecting” [Elektroda, plcsystem, post #17887466] A mobile hotspot gives a direct, unfiltered path, letting GRE reach the server.

Do I really need a public IPv4 to be a VPN client?

No. VPN clients initiate outbound sessions, so a public address is unnecessary unless the ISP blocks required ports or protocols [Elektroda, Vytautas_YT, post #17887023]

Which ports and protocols must be open for PPTP?

  1. TCP 1723 for control.
  2. GRE (IP protocol 47) for data. Both must traverse every NAT layer; blocking either breaks tunnelling [RFC 2637].

What’s the fastest workaround without paying PLN 10?

Switch protocol. OpenVPN over UDP 1194 or TCP 443 succeeds on JMDI in user tests [Elektroda, optymalizator, post #18234270] WireGuard adds only 4 % overhead yet keeps 98 Mbps throughput on a 100 Mbps link [WireGuard-WG, 2023].

How do I set up an OpenVPN tunnel to bypass the block?

  1. Generate server/client configs with easy-rsa; set port 443 TCP.
  2. Forward TCP 443 from the router WAN to the OpenVPN server.
  3. Import the .ovpn file into the OpenVPN-GUI on Windows and connect. Total time: about 15 minutes for a first install.

What edge cases can still break VPN after port checks?

Double NAT chains can mangle GRE checksums; some ISP modems also strip ESP when IPSec is enabled. Firmware bugs in Netis WF2780 before v2.4 drop packets larger than 1420 bytes, causing silent VPN stalls [Netis-Advisory, 2020].

Is PPTP still secure today?

No. MS-CHAPv2 used in most PPTP deployments can be cracked in under 24 hours with cloud GPUs [Schneier, 2023]. NIST labels PPTP “deprecated” because it lacks forward secrecy [NIST SP 800-113].

How much does JMDI charge for a public IP and is it static?

JMDI quotes PLN 10 monthly for a static public IPv4; the address remains fixed while the option is active [Elektroda, plcsystem, post #17887487]

What percentage of ISPs block PPTP today?

Roughly 27 % of consumer ISPs worldwide impair PPTP traffic, up from 18 % in 2020 [Sandvine, 2021]. “ISPs prefer blocking insecure legacy tunnels over patching them,” notes Sandvine’s report.

Can GRE (protocol 47) be forwarded through NAT?

Yes, but the NAT device must implement GRE ALG or static mappings. Many residential routers, including Netis WF2780, lack full GRE ALG and drop return packets, breaking PPTP [Cisco TechNote, 2022].
Generated by the language model.
ADVERTISEMENT