Firewalla VPN and rules
I was under the impression that running a VPN server on the Firewalla and connecting back to it when out of the house would be like accessing the internet from inside my home network. However, what I'm finding is that none of the rules are being applied to devices that are connecting over VPN. Did I misunderstand?
-
I agree with Blake; this is hugely annoying. In my experience a VPN should allow a remote device to connect to a network and then the device and network will behave the same as if the device was connected locally to that network. The Firewalla VPN doc cleverly doesn't quite say that and instead just says 'surf the web as if you are at home when you are not', however that comment doesn't fly if I set a standard firewall rule 'deny from the internet' for all devices, because then the VPN'd device cannot access the web. It seems that the only way to overcome this is to:
1. Set a 'deny from the internet' rule for every device and/or group
2. Set an Allow rule for the NAS for the IP range that appears to be what the OpenVPN clients use
So, questions:
1. Will there ever be a way to identify VPN'd devices so that rules can be applied to VPN traffic (not necessarily identify a VPN'd device as an already known device)
2. Is it possible to set a rule that allows VPN'd devices (unknown devices) access to the internet? At least then I could set a 'deny all from the internet' for all devices but then still allow VPN traffic to access the web
3. Dumb question: Is a 'deny all from the internet' for all devices rule even needed? I assume so because a VPN'd device is an unknown device, and the aforementioned rule will deny it access to the web
Robby
-
1. 1.972 will have the ability to break down VPN into devices, so you can control traffic there just as if VPN sessions are devices. This work is in progress.
2. The deny all from internet rule will block everything, except VPN traffic, which has the firewall open if set. (Gold). The Gold's rule blocking all internet has a direction, so once your VPN is in, as long as you don't have a block outbound traffic, you should be able to surf the web.
3. "deny all from the internet" is your inbound firewall.
-
Thanks for the quick response. FYI I have the Blue edition.
It's great news that the VPN rules issue is already being addressed :)
Can you please clarify responses #2 and #3:
1. 'The deny all from internet rule will block everything, except VPN traffic, which has the firewall open if set.' What does 'which has the firewall open if set' mean? If I set a 'deny all from the internet' rule then VPN clients cannot access the internet. Is that expected?
2. '"deny all from the internet" is your inbound firewall.' Are you referring to a global default, or maybe the Blue's or the router's basic NAT function? If so then what's the purpose of setting a rule to 'block from the internet'?
Thanks again
-
Firewall rules (from and to the internet) are directional and stateful. Example
Block from internet: block all sessions initiated from the internet, but not block sessions initiated from inside the home.
Block to internet: block all sessions initiated from your home to the internet, but not block sessions initiated from the outside.
If you apply both rules, then you block internet.
-
I don't intend to offend, but 'duh!'. My point is that I'm seeking an answer to my original query:
3. Dumb question: Is a 'deny all from the internet' for all devices rule even needed? I assume so because a VPN'd device is an unknown device, and the aforementioned rule will deny it access to the web
I don't think that you understand what I'm asking. The logic of the Rules UI is maybe leading me to the wrong conclusions. Ok, it's possible to set an All Devices rule to block 'from the internet', which suggests that it would have an additional effect on top of the basic NAT firewall function. Is that true, and if so then what? It does affect VPN traffic because it will prevent VPN'd devices from accessing the internet, I assume because the device cannot be identified as a known device because no MAC address can be discovered, and so its traffic is assumed to be 'from the internet'.
I hope that my question makes more sense now.
I can't find any docs on this and so I'm trying to figure out the logic myself by playing with the UI.
-
Likely we are looking at problems very differently. (Your question is pretty interesting; once we resolve it, we will get someone to record a tutorial on packet flows.)
Here is the picture for packet flow from outside in:
Internet Traffic -----> [Ingress Firewall <block all from internet>] <---> NAT <--->[Other Firewalla Rules]<---> Devices
The Ingress Firewall and NAT are different things. (To us, NAT is not a firewall ...)
When you VPN in, Firewalla VPN server will automatically open a port in the Ingress Firewall. There is no NAT, since the traffic is for the router.
When traffic comes in, it will be like any local traffic:
[Local Traffic]--->Rules--->NAT--->[Egress Firewall, <block traffic to internet>] --->Internet
So in this flow, the VPN traffic is local traffic: it will go through rules, but not NAT, and it will hit the egress firewall if you set one up (most people don't). The ingress firewall is not in the picture, since the traffic is initiated from inside.
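As an added illustration of the two Firewalla replies above (the directional, stateful rule behaviour, and the ingress firewall / NAT / rules / egress firewall packet flow), here is a small Python model written for this thread; it is not Firewalla code. The zones, the addresses, the OpenVPN port 1194 as the auto-opened VPN port, the port-forward table standing in for NAT, and the "no NAT mapping" drop are all assumptions made for the model, as is the simplified session table used to represent statefulness.

```python
"""Toy model of the packet flow described in the thread (constructed example,
not Firewalla code).  Inbound: ingress firewall -> NAT -> device rules -> devices.
Outbound: device rules -> NAT -> egress firewall -> internet.  Rules are
directional and stateful: only the packet that opens a session is evaluated;
later packets of that session pass in either direction."""
from dataclasses import dataclass, field

INTERNET, LAN, VPN = "internet", "lan", "vpn"   # zones; VPN clients count as local
ROUTER = "192.168.1.1"                            # assumed router / VPN server address


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class Firewalla:
    block_from_internet: bool = False   # the "block all from internet" ingress rule
    block_to_internet: bool = False     # the "block traffic to internet" egress rule
    vpn_port: int = 1194                # assumed port the VPN server opens automatically
    port_forwards: dict = field(default_factory=dict)  # NAT table: dport -> internal host
    device_rules: list = field(default_factory=list)   # (src, dst, "allow"/"block"), first match wins
    sessions: set = field(default_factory=set)         # (initiator, responder, responder_port)

    @staticmethod
    def _local(zone):
        return zone in (LAN, VPN)

    def _device_rules(self, src, dst):
        # "Other Firewalla Rules" stage; "*" matches any address, default is allow.
        for rule_src, rule_dst, action in self.device_rules:
            if rule_src in (src, "*") and rule_dst in (dst, "*"):
                return action
        return "allow"

    def handle(self, pkt):
        """Return (verdict, stage) for one packet."""
        # Stateful part: packets of a known session pass regardless of direction rules.
        if (pkt.src, pkt.dst, pkt.dport) in self.sessions:
            return "allow", "established"
        if (pkt.dst, pkt.src, pkt.sport) in self.sessions:
            return "allow", "established-reply"

        if pkt.src_zone == INTERNET and self._local(pkt.dst_zone):
            if pkt.dst == ROUTER and pkt.dport == self.vpn_port:
                stage = "ingress-vpn-port"          # held open by the VPN server; no NAT, it is for the router
            elif self.block_from_internet:
                return "drop", "ingress-firewall"   # blocks sessions initiated from the internet only
            elif pkt.dport not in self.port_forwards:
                return "drop", "nat-no-mapping"     # assumption: nothing to translate the packet to
            else:
                if self._device_rules(pkt.src, self.port_forwards[pkt.dport]) == "block":
                    return "drop", "device-rules"
                stage = "nat-forward"
        elif self._local(pkt.src_zone) and pkt.dst_zone == INTERNET:
            if self._device_rules(pkt.src, pkt.dst) == "block":
                return "drop", "device-rules"
            if self.block_to_internet:              # NAT happens here but decides nothing
                return "drop", "egress-firewall"
            stage = "egress"
        elif self._local(pkt.src_zone) and self._local(pkt.dst_zone):
            if self._device_rules(pkt.src, pkt.dst) == "block":
                return "drop", "device-rules"
            stage = "local"                         # VPN client to NAS never touches either firewall
        else:
            return "drop", "not-forwarded"
        self.sessions.add((pkt.src, pkt.dst, pkt.dport))
        return "allow", stage


def demo():
    """Walk constructed packets (RFC 5737 documentation addresses) through the model."""
    fw = Firewalla(block_from_internet=True,
                   device_rules=[("192.168.1.30", "*", "block")])  # e.g. an IoT device kept off the internet
    out = {}
    out["unsolicited_in"] = fw.handle(Packet(INTERNET, LAN, "203.0.113.9", "192.168.1.50", 40000, 22))
    out["vpn_handshake"] = fw.handle(Packet(INTERNET, LAN, "203.0.113.9", ROUTER, 40001, 1194))
    out["vpn_to_web"] = fw.handle(Packet(VPN, INTERNET, "10.8.0.2", "198.51.100.7", 51000, 443))
    out["web_reply"] = fw.handle(Packet(INTERNET, VPN, "198.51.100.7", "10.8.0.2", 443, 51000))
    out["vpn_to_nas"] = fw.handle(Packet(VPN, LAN, "10.8.0.2", "192.168.1.20", 51001, 445))
    out["iot_blocked_by_rule"] = fw.handle(Packet(LAN, INTERNET, "192.168.1.30", "198.51.100.7", 51002, 443))
    fw.block_to_internet = True                     # now add the egress rule
    out["vpn_new_after_egress_block"] = fw.handle(Packet(VPN, INTERNET, "10.8.0.2", "198.51.100.7", 51003, 80))
    out["vpn_existing_after_egress_block"] = fw.handle(Packet(VPN, INTERNET, "10.8.0.2", "198.51.100.7", 51000, 443))
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:32s} {result}")
```

The model reproduces the point of the reply: with only "block all from internet" set, the unsolicited inbound probe is dropped at the ingress stage, the VPN handshake reaches the router, and the VPN client's web session and its replies pass because the session was initiated from the inside. Only when "block to internet" is also set does a new VPN-originated session get dropped, while the session opened earlier keeps flowing.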
-
Ah, that helps :)
When you say:
Internet Traffic -----> [Ingress Firewall <block all from internet>] <---> NAT <--->[Other Firewalla Rules]<---> Devices
In that, is the block in [Ingress Firewall <block all from internet>] a hidden, non-user-changeable block, or the result of the user setting a 'block all from the internet' rule themselves? I'm guessing that user-settable rules are part of [Other Firewalla Rules]?