Port forwarding on a specific VPN interface?

Comments

7 comments

  • Will

    I have a port forward on a VPN interface but the forwards are blocked by the main interface (ISP WAN) and are not allowed! Might be a bug.

    0
  • Michael Bierman

    Hi David,

    Can I just clarify your use case?

    You have VPN Client set up with a third-party VPN provider. It sounds like you are trying to connect from outside your network via VPN Server and be forwarded to the VPN Client. Am I even close?


    0
  • David Koppenhofer

    @Michael

    That's mostly right. I have a port forwarded on a 3rd party VPN that Firewalla is connected to.

    My Firewalla is port forwarding from one of those 3rd party VPN interfaces to a device on my LAN.

    Firewalla correctly rejects incoming requests to that port unless it's being requested via the port forwarded by the 3rd party VPN.

    The issue I was questioning is that it doesn't matter which 3rd party VPN interface I specify on the Firewalla port forwarding, I'm allowed in regardless of which location my Firewalla is connected to.

    For example, Firewalla is connected to the 3rd party VPN location in Canada. Incoming connections are allowed even if the Firewalla port forwarding external interface is the 3rd party VPN connection to France, not Canada.

    I'm now guessing that Firewalla can't distinguish between locations, possibly due to how my provider has their VPN port forwarding set up.

    Not a deal breaker, but not the behavior I was expecting.

    David

    0
  • David Koppenhofer

    @Will

    That's what I would expect to happen.

    If the external interface that's set up on the Firewalla port forwarding doesn't match where the connection is coming from, I think Firewalla should reject that connection.

    David

    0
  • Support Team

    @David,

    Thanks for the feedback!

    We've confirmed that there is a bug: if all VPN interfaces have the same VPN virtual IP (which can happen if they are from the same VPN ISP), the port forwarding will be allowed on all VPN interfaces. The bug only happens when the VPN interface that has this port forwarding enabled in the app is up and running. If that interface is already turned off, the port forwarding will not take effect on other VPN interfaces.

    We'll fix this in future updates.

    1
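To make the condition described in the Support Team's reply concrete, here is an added model (not Firewalla code, and not posted by anyone in the thread) of a forward bound to one VPN interface, matched two ways: by virtual IP only, which reproduces the over-broad behaviour when two interfaces share an IP, and by ingress interface as well. Interface names, the virtual IP, the port and the LAN target are constructed values; `shared_virtual_ips` is a check for the precondition the reply names.

```python
"""Constructed model of interface-bound port forwarding and the shared-IP edge case."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Iface:
    name: str
    virtual_ip: str   # address assigned by the VPN provider on this tunnel
    up: bool


@dataclass(frozen=True)
class Forward:
    iface: str        # external interface selected for the forward
    dport: int
    target: str       # LAN device the traffic is forwarded to


@dataclass(frozen=True)
class Packet:
    in_iface: str     # interface the packet actually arrived on
    dst_ip: str
    dport: int


def match_by_ip(fwd, ifaces, pkt):
    """Over-broad: accept when the bound interface is up and dst is its virtual IP.
    Any other tunnel with the same virtual IP also matches, as the thread describes."""
    bound = ifaces[fwd.iface]
    return bound.up and pkt.dst_ip == bound.virtual_ip and pkt.dport == fwd.dport


def match_by_iface(fwd, ifaces, pkt):
    """Corrected: additionally require arrival on the interface the forward is bound to."""
    return match_by_ip(fwd, ifaces, pkt) and pkt.in_iface == fwd.iface


def shared_virtual_ips(ifaces):
    """Virtual IPs used by more than one interface: the precondition for the bug."""
    seen = {}
    for i in ifaces.values():
        seen.setdefault(i.virtual_ip, []).append(i.name)
    return {ip: names for ip, names in seen.items() if len(names) > 1}


# Constructed setup: two provider locations with the same virtual IP, forward bound to France.
IFACES = {
    "vpn_france": Iface("vpn_france", "10.8.0.2", up=True),
    "vpn_canada": Iface("vpn_canada", "10.8.0.2", up=True),
}
FORWARD = Forward("vpn_france", 8443, "192.168.1.50")
FROM_CANADA = Packet("vpn_canada", "10.8.0.2", 8443)

if __name__ == "__main__":
    print("shared IPs:", shared_virtual_ips(IFACES))
    print("by IP:", match_by_ip(FORWARD, IFACES, FROM_CANADA),
          "by iface:", match_by_iface(FORWARD, IFACES, FROM_CANADA))
```

Turning `vpn_france` down makes `match_by_ip` reject the Canada packet too, matching the reply's note that the forward only leaks while the bound interface is up.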
  • Michael Bierman

    @David did you use All WANs or a specific VPN as the interface? I'm not positive, but I think the VPN Client would have to be active; I don't think any devices would have to be selected on it.

    0
  • David Koppenhofer

    @Michael

    I have a specific VPN (location) as the interface in FW port forwarding.

    Are you saying that the internal device accepting connections doesn't need to be connected to the VPN client at all for the connection to work?

    (My ingress rule makes that the case since it's for the same group that's connected to the VPN.)

    0
