Trying to allow a single IP in through WAN - is this possible with the default "block traffic from internet" rule?

Comments

19 comments

  • Avatar
    Rich T.

    How I do it for RDP access is:

    Allow

    Device (Local Computer) New Rule->Local TCP Port (3389 for me) ->Target IP (Work IP)  

     

    0
    Comment actions Permalink
  • Avatar
    Theodore Crawford

    So I tried that and it doesn't seem to have worked. I've got the port that IP address is trying to come in on opened up, but the IP is still getting outright blocked by the IP filtering rule.

    0
    Comment actions Permalink
  • Avatar
    Rich T.

    I have the "Traffic from the Internet" (default) block rule as well, but the above definitely works in my case. Device, and Allow rules should take precedence over any block rule: https://help.firewalla.com/hc/en-us/articles/360008521833-Manage-Rules

    I'm not sure how you would troubleshoot, but assume the blocked port/IP you see matches the rule?

    Your Firewalla is your router? 

    0
    Comment actions Permalink
  • Avatar
    Michael Bierman

    I've tried creating a bi-directional allow rule, but the "Block traffic from internet" IP filtering rule is taking precedence.

    Are you Allowing by IP or Domain? did you try IP:port? 

    Device rules take precedence over the All Devices.

    Are you using the rule automatically created for you by the port forwarding or did you create it yourself?

    0
    Comment actions Permalink
  • Avatar
    Theodore Crawford

    So maybe I'm doing something wrong. When I look in flows, here's what I see for the blocked flow in question:

    Source: x.x.x.x
    Port: 44xxx

    Destination: "WAN Interface"
    Port: UDP "1234"
    Direction: Inbound

    Blocked Count: 1
    Blocked By: IP Filtering
     
    And I see that repeated thousands of times, all from the same source IP, all getting blocked at my WAN interface.

    I created a rule the way you suggested:
     
    Action: Allow
    Matching: Local Port UDP "1234" / Traffic from Internet
    On: "Destination Device"
     
    And I'm strangely still seeing traffic blocked.
    0
    Comment actions Permalink
  • Avatar
    Theodore Crawford

    I've tried allowing by IP and domain, neither work.

    The "Block all traffic from internet" rule is the default one that was automatically created during initial config.

    0
    Comment actions Permalink
  • Avatar
    Michael Bierman

    Are you using the rule automatically created for you by the port forwarding or did you create it yourself?

    0
    Comment actions Permalink
  • Avatar
    Theodore Crawford

    The rule to allow traffic from the specific IP / domain? Creating it myself.

    0
    Comment actions Permalink
  • Avatar
    Michael Bierman

    Do you have any duplicate rules? Like block internet on ALL Devices and on a network or group?

    0
    Comment actions Permalink
  • Avatar
    Theodore Crawford

    I do not. The only other rules I have are regional ones that wouldn't affect this US address.

    0
    Comment actions Permalink
  • Avatar
    Theodore Crawford

    Anybody have any ideas?

    Here's the details of the blocked flow:

     

    As you can see, it's coming in via WAN, and getting blocked by the following default rule that was created at initial setup:

    No amount of Allow rules have been able to allow this traffic through.

    0
    Comment actions Permalink
  • Avatar
    Michael Bierman

    What is the specific Alarm that is triggered? Perhaps using https://my.firewalla.com/ to mute the alarm will work for you.

    0
    Comment actions Permalink
  • Avatar
    Theodore Crawford

    The issue isn't a particular alarm, it's that:

    1) This is legitimate traffic and should be allowed through, and
    2) The blocks are absolutely flooding my "Blocked Network Flows"

    It's getting blocked sometimes 5-10 times per minute, which just muddies the water when trying to sort through blocked flows that may be of legitimate concern.

    0
    Comment actions Permalink
  • Avatar
    Michael Bierman

    I'm confused, because you started out saying 

    The VPN tunnel functions fine, so I don't need to unblock this IP to restore functionality -

    So is it working or is it blocked? Does blocking the device entirely actually stop it from working? 

    0
    Comment actions Permalink
  • Avatar
    Theodore Crawford

    The VPN is up, but I believe this blocked flow is resulting in failed device health checks at the VPN concentrator at my office.

    So traffic is flowing, but it's upsetting the firewall at my work and massively cluttering network flow tracking on my Firewalla.

    0
    Comment actions Permalink
  • Avatar
    Michael Bierman

    So the rule you show above is to block all inbound traffic on a Group. But you already have a block all inbound traffic on All Devices. That's a duplicate rule and I have found that can cause issues.

    Can you describe the VPN appliance a bit more? What does it do exactly? 

    You have this traffic coming into your network but do you have port forwarding set up? How is the traffic getting to this VPN device? 

    0
    Comment actions Permalink
  • Avatar
    Theodore Crawford

    There is only one rule blocking all inbound internet traffic to all LAN devices. There is a second rule that was auto-created as well that only applies to quarantine devices, that's not relevant in this instance.

    It's a site-to-site VPN, using Meraki appliances. It allows remote access to internal networks. Data is flowing through the tunnel properly, but inbound traffic from the firewall's outside interface is being blocked.

    The VPN is being handled on an appliance that sits between my work laptop and the Firewalla - it's not stood up on the Firewalla, so I don't believe port forwarding is necessary (but please correct me if I'm wrong).

    0
    Comment actions Permalink
  • Avatar
    Michael Bierman

    Ah o.k. sorry I thought that was a Group rule. Gotcha. 

    Have you tried forwarding inbound traffic on the VPN port to that device?

    0
    Comment actions Permalink
  • Avatar
    Theodore Crawford

    I hadn't tried port forwarding, but I just did - still no dice.

    I think the issue at the center of all this is that the traffic is being blocked coming into the WAN interface - it doesn't seem like any rules I'm applying are getting to it before it's caught up in the default IP filtering rule.

    0
    Comment actions Permalink

Please sign in to leave a comment.