Port forwarding on a specific VPN interface?
I have port forwarding set up on one particular 3rd party VPN interface and with my VPN provider.
When I'm not connected to the VPN, requests are correctly rejected.
I have a few VPN interfaces using the same provider for all of them, and it looks like the port forwarding works, regardless of which interface is in the port forward config or which one is connected to. I'm guessing it's because all VPN interfaces are for the same provider, so any of those interfaces will work.
That's not what I would expect; I would expect the VPN interface I'm connected to would have to be the exact one in the port forwarding configuration for it to work.
Does anyone else see something like this, or is it behaving as designed?
Thanks,
David
-
@Michael
That's mostly right. I have a port forwarded on a 3rd party VPN that Firewalla is connected to.
My Firewalla is port forwarding from one of those 3rd party VPN interfaces to a device on my LAN.
Firewalla correctly rejects incoming requests to that port unless it's being requested via the port forwarded by the 3rd party VPN.
The issue I was questioning is that it doesn't matter which 3rd party VPN interface I specify on the Firewalla port forwarding, I'm allowed in regardless of which location my Firewalla is connected to.
For example, Firewalla is connected to the 3rd party VPN location in Canada. Incoming connections are allowed even if the Firewalla port forwarding external interface is the 3rd party VPN connection to France, not Canada.
I'm now guessing that Firewalla can't distinguish between locations, possibly due to how my provider has their VPN port forwarding set up.
Not a deal breaker, but not the behavior I was expecting.
David
-
@David,
Thanks for the feedback!
We've confirmed that there is a bug: if all VPN interfaces have the same VPN virtual IP (which could happen if they are from the same VPN ISP), the port forwarding will be allowed on all VPN interfaces. The bug only happens when the VPN interface that has this port forwarding enabled in the app is up and running. If this one is already turned off, the port forwarding will not take effect on other VPN interfaces.
We'll fix this in future updates.
-
@Michael
I have a specific VPN (location) as the interface in FW port forwarding.
Are you saying that the internal device accepting connections doesn't need to be connected to the VPN client at all for the connection to work?
(My ingress rule makes that the case since it's for the same group that's connected to the VPN.)
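The condition named in the Firewalla reply above (several VPN interfaces holding the same VPN virtual IP) can be checked from a shell on a Linux-based router. This is an added example, not part of the thread and not Firewalla's code; it assumes input in the format of `ip -o -4 addr show`, and the interface names and addresses in the sample are constructed.

```shell
#!/bin/sh
# Report IPv4 addresses that are assigned to more than one interface.
# A port forward bound to such an address can match traffic arriving on
# any interface that carries it, which is the condition described above.

# Constructed sample in `ip -o -4 addr show` format (names and IPs are made up).
SAMPLE='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth0\       valid_lft forever
7: tun_ca    inet 10.8.0.2/24 scope global tun_ca\       valid_lft forever
8: tun_fr    inet 10.8.0.2/24 scope global tun_fr\       valid_lft forever
9: tun_us    inet 10.9.0.5 peer 10.9.0.1/32 scope global tun_us\       valid_lft forever'

# shared_addrs TEXT
#   TEXT: output of `ip -o -4 addr show`
#   Prints one line per shared address: "ADDR IFACE1,IFACE2,..."
shared_addrs() {
    printf '%s\n' "$1" | awk '
        $3 == "inet" {
            addr = $4
            sub(/\/.*/, "", addr)          # drop the prefix length, if any
            if (addr in seen) {
                ifs[addr] = ifs[addr] "," $2
                dup[addr] = 1              # second or later interface for this address
            } else {
                seen[addr] = 1
                ifs[addr] = $2
            }
        }
        END { for (a in dup) print a, ifs[a] }' | sort
}

# Run against the constructed sample. On a live system use:
#   shared_addrs "$(ip -o -4 addr show)"
shared_addrs "$SAMPLE"
```

An empty result means no two interfaces share an address, so a forward tied to one VPN interface's address cannot match on another.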