Trying to allow a single IP in through WAN - is this possible with the default "block traffic from internet" rule?
I have a VPN appliance here at home that I use for work, and I'm seeing a ton of blocked flows from my work firewall's public IP. The VPN tunnel functions fine, so I don't need to unblock this IP to restore functionality - mostly I just want to clean up the blocked flow log so that I can better identify what's getting blocked and what's getting through, as this IP is accounting for 20% of the blocked flows.
I've tried creating a bi-directional allow rule, but the "Block traffic from internet" IP filtering rule is taking precedence.
I'd like to keep that rule in place but just punch out a hole for this specific IP address.
Barring that, is there a way to dismiss or hide certain IPs from the Network Flows log?
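Added example, not from this thread or from Firewalla: a short triage script over a constructed export of blocked-flow records shaped like the ones quoted in this thread (source IP/port, destination, protocol/port, direction, "Blocked By"). It shows which source dominates the log, which ports that source actually touches (so an allow rule can be scoped to one IP and one port instead of the whole IP), and what the log looks like once a known-legitimate peer is set aside. All addresses are documentation-range placeholders and the records are made up.

```python
"""Triage a Firewalla-style blocked-flow export: find which source IPs dominate
the log and build a review view that sets aside a known-legitimate peer.
All records below are constructed for illustration, not real log data."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str          # remote source IP
    sport: int        # remote source port
    dst: str          # local destination ("WAN Interface" in the thread)
    proto: str        # "UDP" / "TCP"
    dport: int        # local destination port
    direction: str    # "Inbound" / "Outbound"
    blocked_by: str   # rule that dropped it, e.g. "IP Filtering"


# Constructed sample: 203.0.113.10 stands in for the remote work firewall
# (documentation range, not a real address); the others are background noise.
SAMPLE_FLOWS = [
    Flow("203.0.113.10", 44101, "WAN Interface", "UDP", 1234, "Inbound", "IP Filtering"),
    Flow("203.0.113.10", 44102, "WAN Interface", "UDP", 1234, "Inbound", "IP Filtering"),
    Flow("203.0.113.10", 44103, "WAN Interface", "UDP", 1234, "Inbound", "IP Filtering"),
    Flow("203.0.113.10", 44104, "WAN Interface", "UDP", 1234, "Inbound", "IP Filtering"),
    Flow("203.0.113.10", 44105, "WAN Interface", "UDP", 1234, "Inbound", "IP Filtering"),
    Flow("203.0.113.10", 44106, "WAN Interface", "UDP", 1234, "Inbound", "IP Filtering"),
    Flow("198.51.100.7", 55001, "WAN Interface", "TCP", 22, "Inbound", "IP Filtering"),
    Flow("198.51.100.7", 55002, "WAN Interface", "TCP", 23, "Inbound", "IP Filtering"),
    Flow("198.51.100.7", 55003, "WAN Interface", "TCP", 3389, "Inbound", "IP Filtering"),
    Flow("192.0.2.55", 60210, "WAN Interface", "UDP", 5060, "Inbound", "IP Filtering"),
]


def blocked_share_by_source(flows):
    """Return [(src, count, percent_of_all_blocked)] sorted by count, descending."""
    counts = Counter(f.src for f in flows if f.blocked_by)
    total = sum(counts.values()) or 1
    return [(src, n, round(100.0 * n / total, 1)) for src, n in counts.most_common()]


def ports_hit_by(flows, src):
    """Distinct (proto, dport) pairs a source has been blocked on.  A single
    pair means an allow rule can be scoped to IP + port rather than the whole IP."""
    return sorted({(f.proto, f.dport) for f in flows if f.src == src})


def triage_view(flows, known_legitimate):
    """Split blocked flows into (remaining, set_aside): known-legitimate peers
    are set aside so what remains is the part of the log worth reading."""
    remaining, set_aside = [], []
    for f in flows:
        (set_aside if f.src in known_legitimate else remaining).append(f)
    return remaining, set_aside


def scan_like_sources(flows, min_distinct_ports=3):
    """Sources that touched several distinct ports: the kind of entry a
    legitimate-but-noisy peer can drown out in the log."""
    ports = defaultdict(set)
    for f in flows:
        ports[f.src].add((f.proto, f.dport))
    return sorted(s for s, p in ports.items() if len(p) >= min_distinct_ports)


if __name__ == "__main__":
    for src, n, pct in blocked_share_by_source(SAMPLE_FLOWS):
        print(f"{src:15} {n:4} blocks  {pct:5.1f}%  ports={ports_hit_by(SAMPLE_FLOWS, src)}")
    remaining, _ = triage_view(SAMPLE_FLOWS, {"203.0.113.10"})
    print(f"{len(remaining)} flows left to review; scan-like sources: {scan_like_sources(remaining)}")
```

The point of `ports_hit_by` is least privilege: if the noisy peer only ever arrives on one protocol/port, the allow rule should name that IP and that port, not the IP alone. `triage_view` does not delete anything; it just separates the known peer's entries so the multi-port sources stand out.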
-
I have the "Traffic from the Internet" (default) block rule as well, but the above definitely works in my case. Device and Allow rules should take precedence over any block rule: https://help.firewalla.com/hc/en-us/articles/360008521833-Manage-Rules
I'm not sure how you would troubleshoot, but assume the blocked port/IP you see matches the rule?
Your Firewalla is your router?
-
I've tried creating a bi-directional allow rule, but the "Block traffic from internet" IP filtering rule is taking precedence.
Are you allowing by IP or domain? Did you try IP:port?
Device rules take precedence over the All Devices.
Are you using the rule automatically created for you by the port forwarding, or did you create it yourself?
-
So maybe I'm doing something wrong. When I look in flows, here's what I see for the blocked flow in question:
Source: x.x.x.x
Port: 44xxx
Destination: "WAN Interface"
Port: UDP "1234"
Direction: Inbound
Blocked Count: 1
Blocked By: IP Filtering
And I see that repeated thousands of times, all from the same source IP, all getting blocked at my WAN interface.
I created a rule the way you suggested:
Action: Allow
Matching: Local Port UDP "1234" / Traffic from Internet
On: "Destination Device"
And I'm strangely still seeing traffic blocked.
-
What is the specific Alarm that is triggered? Perhaps using https://my.firewalla.com/ to mute the alarm will work for you.
-
The issue isn't a particular alarm, it's that:
1) This is legitimate traffic and should be allowed through, and
2) The blocks are absolutely flooding my "Blocked Network Flows".
It's getting blocked sometimes 5-10 times per minute, which just muddies the water when trying to sort through blocked flows that may be of legitimate concern.
-
So the rule you show above is to block all inbound traffic on a Group. But you already have a block all inbound traffic on All Devices. That's a duplicate rule and I have found that can cause issues.
Can you describe the VPN appliance a bit more? What does it do exactly?
You have this traffic coming into your network but do you have port forwarding set up? How is the traffic getting to this VPN device?
-
There is only one rule blocking all inbound internet traffic to all LAN devices. There is a second rule that was auto-created as well that only applies to quarantined devices; that's not relevant in this instance.
It's a site-to-site VPN, using Meraki appliances. It allows remote access to internal networks. Data is flowing through the tunnel properly, but inbound traffic from the firewall's outside interface is being blocked.
The VPN is being handled on an appliance that sits between my work laptop and the Firewalla - it's not stood up on the Firewalla, so I don't believe port forwarding is necessary (but please correct me if I'm wrong).
-
I hadn't tried port forwarding, but I just did - still no dice.
I think the issue at the center of all this is that the traffic is being blocked coming into the WAN interface - it doesn't seem like any rules I'm applying are getting to it before it's caught up in the default IP filtering rule.