Firewalla VPN and rules

Comments

15 comments

  • Firewalla

    The VPN part has some special treatments for sure. What kind of rules do you see not working?

  • Blake

    From my brief testing, none of my custom block rules, including 'block all internet', was working, and neither was the Firewalla social block. I'm not sure if anything was being done, as far as I could tell.

  • Support Team

    Just double-checking: are these blocking rules applied to a specific device or to "all devices"?

  • Blake

    Specific devices.

  • Support Team

    Specific devices won't work; only rules with "All Devices" will take effect on a VPN connection.

  • Blake

    That is a huge bummer.

  • Firewalla

    The reason is that on the VPN side there is no concept of a 'device', since the connecting device's MAC address is not exposed.

  • Robby

    I agree with Blake; this is hugely annoying. In my experience a VPN should allow a remote device to connect to a network, and then the device and network will behave the same as if the device were connected locally to that network. The Firewalla VPN docs cleverly don't quite say that and instead just say 'surf the web as if you are at home when you are not'; however, that comment doesn't fly if I set a standard firewall rule 'deny from the internet' for all devices, because then the VPN'd device cannot access the web. It seems that the only way to overcome this is to:

    1. Set a 'deny from the internet' rule for every device and/or group

    2. Set an Allow rule for the NAS for the IP range that appears to be what the OpenVPN clients use

    So, questions:

    1. Will there ever be a way to identify VPN'd devices so that rules can be applied to VPN traffic (not necessarily identifying a VPN'd device as an already known device)?

    2. Is it possible to set a rule that allows VPN'd devices (unknown devices) access to the internet? At least then I could set a 'deny all from the internet' for all devices but still allow VPN traffic to access the web.

    3. Dumb question: Is a 'deny all from the internet' for all devices rule even needed? I assume so, because a VPN'd device is an unknown device, and the aforementioned rule will deny it access to the web.

    Robby

  • Firewalla

    1. 1.972 will have the ability to break down VPN into devices, so you can control traffic there just as if VPN sessions were devices. This work is in progress.

    2. The deny all from internet rule will block everything, except VPN traffic, which has the firewall open if set (Gold). The Gold's rule blocking all internet has a direction, so once your VPN is in, as long as you don't have a 'block outbound traffic' rule, you should be able to surf the web.

    3. "deny all from the internet" is your inbound firewall.

  • Blake

    This is fantastic news. Thank you!!

  • Robby

    Thanks for the quick response. FYI, I have the Blue edition.

    It's great news that the VPN rules issue is already being addressed :)

    Can you please clarify responses #2 and #3:

    1. 'The deny all from internet rule will block everything, except VPN traffic, which has the firewall open if set.' What does 'which has the firewall open if set' mean? If I set a 'deny all from the internet' rule, then VPN clients cannot access the internet. Is that expected?

    2. '"deny all from the internet" is your inbound firewall.' Are you referring to a global default, or maybe the Blue's or the router's basic NAT function? If so, then what's the purpose of setting a rule to 'block from the internet'?

    Thanks again

  • Firewalla

    Firewall rules (from and to the internet) are directional and stateful. Example:

    Block from internet: block all sessions initiated from the internet, but do not block sessions initiated from inside the home.

    Block to internet: block all sessions initiated from your home to the internet, but do not block sessions initiated from the outside.

    If you apply both rules, then you block the internet.

  • Robby

    I don't intend to offend, but 'duh!'. My point is that I'm seeking an answer to my original query:

    3. Dumb question: Is a 'deny all from the internet' for all devices rule even needed? I assume so, because a VPN'd device is an unknown device, and the aforementioned rule will deny it access to the web.

    I don't think that you understand what I'm asking. The logic of the Rules UI is maybe leading me to the wrong conclusions. OK, it's possible to set an All Devices rule to block 'from the internet', which suggests that it would have an additional effect on top of the basic NAT firewall function. Is that true, and if so, then what? It does affect VPN traffic, because it will prevent VPN'd devices from accessing the internet, I assume because the device cannot be identified as a known device (no MAC address can be discovered), and so its traffic is assumed to be 'from the internet'.

    I hope that my question makes more sense now.

    I can't find any docs on this, and so I'm trying to figure out the logic myself by playing with the UI.
  • Firewalla

    Likely we are looking at problems very differently. (Your question is pretty interesting; once we resolve it, we will get someone to record a tutorial on packet flows.)

    Here is the picture for packet flow from outside in:

    Internet Traffic -----> [Ingress Firewall <block all from internet>] <---> NAT <--->[Other Firewalla Rules]<---> Devices

    The Ingress Firewall and NAT are different things. (To us, NAT is not a firewall ...)

    When you VPN in, the Firewalla VPN server will automatically open a port in the Ingress Firewall. There is no NAT, since the traffic is for the router.

    When traffic comes in, it will be like any local traffic:

    [Local Traffic]--->Rules--->NAT--->[Egress Firewall, <block traffic to internet>] --->Internet

    So in this flow, the VPN traffic is local traffic: it will go through rules, but not NAT, and it will hit the egress firewall if you set one up (most people don't). The ingress firewall is not in the picture, since the traffic is initiated from inside.

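The directional, stateful behaviour and the two packet flows described in the comment above, modelled as an added example (this is not Firewalla's code; the stage names, the session table and the treatment of VPN-originated sessions as local traffic that skips NAT are assumptions taken from the comment):

```python
# Added example: a toy model of the directional, stateful rule semantics and the
# two packet flows described in the comment above. Not Firewalla's code; the stage
# names and the session table are assumptions drawn from the thread.
from dataclasses import dataclass, field

@dataclass
class Packet:
    src: str   # "internet", "lan" or "vpn" (where the packet comes from)
    dst: str   # "internet", "lan", "vpn" or "vpn-server" (the router itself)
    flow: str  # session identifier, standing in for the 5-tuple

@dataclass
class ToyFirewalla:
    block_from_internet: bool = False  # All Devices "block from internet" (ingress)
    block_to_internet: bool = False    # All Devices "block to internet" (egress)
    vpn_up: bool = False               # VPN server has opened its port in the ingress firewall
    sessions: dict = field(default_factory=dict)  # flow -> "inside" | "outside" (initiator)

    def handle(self, pkt: Packet) -> str:
        """Return a verdict plus the path taken. Only internet-facing flows are modelled."""
        if pkt.src == "internet":
            return self._inbound(pkt)
        return self._outbound(pkt)

    def _inbound(self, pkt: Packet) -> str:
        # Stateful: a reply to a session the inside opened never meets the ingress rule.
        if self.sessions.get(pkt.flow) == "inside":
            return "allow (reply to inside-initiated session)"
        # The VPN server's port is open in the ingress firewall and there is no NAT,
        # because the traffic is for the router itself.
        if pkt.dst == "vpn-server" and self.vpn_up:
            self.sessions[pkt.flow] = "outside"
            return "allow via ingress (VPN port) -> router"
        if self.block_from_internet:
            return "drop at ingress firewall"
        self.sessions[pkt.flow] = "outside"
        return "allow via ingress -> NAT -> rules -> device"

    def _outbound(self, pkt: Packet) -> str:
        if self.sessions.get(pkt.flow) == "outside":
            return "allow (reply to outside-initiated session)"
        # VPN sessions are local traffic: they pass the rules but skip NAT.
        stages = ["rules"] if pkt.src == "vpn" else ["rules", "NAT"]
        path = " -> ".join(stages)
        if pkt.dst == "internet" and self.block_to_internet:
            return "drop at egress firewall after " + path
        self.sessions[pkt.flow] = "inside"
        return "allow via " + path + " -> internet"
```

With 'block from internet' set and the VPN up, a VPN client's web session is allowed out and its replies are allowed back in, while a fresh inbound session to a LAN device is dropped at the ingress firewall.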
  • Robby

    Ah, that helps :)

    When you say:

    Internet Traffic -----> [Ingress Firewall <block all from internet>] <---> NAT <--->[Other Firewalla Rules]<---> Devices

    In that, is the block in [Ingress Firewall <block all from internet>] a hidden, non-user-changeable block, or the result of the user setting a 'block all from the internet' rule themselves? I'm guessing that user-settable rules are part of [Other Firewalla Rules]?
