I’ll try to explain what this is:
These are from the Global rules tab of the Network Security Policy.
Allow UDP In/Out From Any to Any Source Port UDP 67/68 and Destination Port UDP 67/68
This is to allow UDP DHCP traffic In/Out the system so you can still get a dynamic IP Address assigned.
Allow TCP or UDP OUT from Any to Any and Destination Port 53
This is to allow DNS traffic to resolve names to ip addresses.
Allow IP Out from Any to IP Address of your VPN box you are connecting to.
This will allow all VPN Traffic to the VPN Box you are using so you can setup the connection.
Allow All the Traffic from the IP range inside your VPN tunnel. If you need more ranges, it would be easier to create a Network Zone, add the ranges in there, and then use that zone in this rule. So also replace this with the ranges used in your VPN tunnels.
Block All other traffic.
Use the logging option to see how it works; you can later remove the logging options from the rules.
You have to build your application rules based on MAC address instead of IP’s to make this work that way.
Use ‘ipconfig /all’ in a command box to find the MAC address of your normal ISP interface and of the VPN one; use those as source to filter between ISP and VPN traffic.
You can also add the MAC addresses of your gateways for ISP / VPN to the rules: verify the IP addresses they have and use ‘arp -a’ to find the MAC addresses of those.
You have to double check if your VPN interface always ends up in the same MAC address though.
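The same "only the VPN may leave" policy as Ronny's global rules, written here as an added example for the built-in Windows Firewall using PowerShell (this is not the Comodo rule set from the post, and not OpenVPN's own configuration). The hostname `vpn.example.net`, the adapter alias `OpenVPN TAP-Windows6`, the tunnel range `10.8.0.0/24` and the program path are placeholders to replace with your own values. Windows Firewall has no rule ordering and no hostname matching, so "block everything else" becomes the profile's default outbound action and the VPN hostname is resolved to addresses when the script runs:

```powershell
# Added example: VPN kill switch with Windows Firewall (not the Comodo rules from the post).
# Run in an elevated PowerShell session (Windows 8 / Server 2012 or later).
$VpnHost   = 'vpn.example.net'        # ASSUMPTION: hostname of the VPN box you connect to
$VpnIf     = 'OpenVPN TAP-Windows6'   # ASSUMPTION: alias of the TAP adapter, see Get-NetAdapter
$TunnelNet = '10.8.0.0/24'            # ASSUMPTION: address range used inside the tunnel
$App       = 'C:\Program Files\Example\app.exe'  # ASSUMPTION: program that may only use the VPN
$Group     = 'VPN kill switch'

# Start from a clean slate so the script can be re-run when the VPN address changes.
Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# Rule 1: DHCP in/out (client port 68, server port 67) so the physical NIC still gets a lease.
New-NetFirewallRule -Group $Group -DisplayName 'KS DHCP out' -Direction Outbound `
    -Action Allow -Protocol UDP -LocalPort 68 -RemotePort 67
New-NetFirewallRule -Group $Group -DisplayName 'KS DHCP in' -Direction Inbound `
    -Action Allow -Protocol UDP -LocalPort 68 -RemotePort 67

# Rule 2: DNS out over TCP and UDP 53 so names (including the VPN hostname) still resolve.
foreach ($proto in 'TCP', 'UDP') {
    New-NetFirewallRule -Group $Group -DisplayName "KS DNS out $proto" -Direction Outbound `
        -Action Allow -Protocol $proto -RemotePort 53
}

# Rule 3: any IP traffic to the VPN box. Firewall rules take addresses, not names, so the
# hostname is resolved now; re-run the script if the VPN endpoint moves to a new address.
$VpnAddrs = Resolve-DnsName -Name $VpnHost -Type A |
    Where-Object { $_.Type -eq 'A' } |
    ForEach-Object { $_.IPAddress }
if (-not $VpnAddrs) { throw "Could not resolve $VpnHost" }
New-NetFirewallRule -Group $Group -DisplayName 'KS VPN endpoint' -Direction Outbound `
    -Action Allow -RemoteAddress $VpnAddrs

# Rule 4: everything inside the tunnel, bound to the TAP adapter instead of to a MAC address
# (the adapter alias stays stable even if the remote MAC seen in 'arp -a' changes).
New-NetFirewallRule -Group $Group -DisplayName 'KS tunnel out' -Direction Outbound `
    -Action Allow -InterfaceAlias $VpnIf
New-NetFirewallRule -Group $Group -DisplayName 'KS tunnel in' -Direction Inbound `
    -Action Allow -InterfaceAlias $VpnIf -RemoteAddress $TunnelNet

# Per-application equivalent of "only allowed out the VPN": the program gets an Allow rule
# restricted to the TAP adapter, and nothing else, so it is caught by the default Block below.
New-NetFirewallRule -Group $Group -DisplayName 'KS app via VPN only' -Direction Outbound `
    -Action Allow -Program $App -InterfaceAlias $VpnIf

# Rule 5: block all other traffic. Explicit Block rules override Allow rules in Windows
# Firewall, so the catch-all is the profile default rather than a rule.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block

# Logging, as Ronny suggests: write dropped packets to the profile log while testing.
Set-NetFirewallProfile -Profile Domain, Private, Public -LogBlocked True
```

Verify it before trusting it: start OpenVPN, connect, and confirm that the drops recorded in the firewall log (by default `%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log`) are only traffic you expect to be blocked; then disconnect the VPN and confirm that a browser can no longer reach anything. Turn `-LogBlocked` back to `False` once you are satisfied.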
Thanks for the quick reply, Ronny. I can’t get it to work that way as the VPN I connect to has dynamic MAC addresses.
I actually just got the firewall setup to work through the VPN; I just have to edit the one entry in the global rules list to the IP address of the VPN that I connect to, each time I connect.
For instance, I’ll open up the firewall and enable it. Then I’ll open up OpenVPN and watch it get denied trying to access the IP of the VPN, then I’ll add that address to the global rules list (RULE 3 in your rules list post).
Having to do this seems tedious, and there has to be a better way, but that is the price of anonymity I suppose…
Have you tried to only use the source MAC of your VPN adapter, and to deny the source MAC of your other adapter, on the application that is only allowed out the VPN?
You shouldn’t need the destination MAC; it’s an addition.
How do I know what the MAC address of the VPN adapter is? When I do an ‘ipconfig /all’ I get a MAC for my wireless adapter (which I use to connect to the internet via my wireless router) and a MAC for a “Tap-Win32 adapter”, which is what was installed when I installed OpenVPN. Is that the MAC I should use?
When I do an ‘arp -a’, the list shows the IP address of the computer I am connecting to with the VPN (somewhere in the Netherlands usually) and next to it the MAC address, and it says “dynamic”… hence why I thought the VPN MAC address is dynamic.
OK, I tried that, put it in the source field and left the destination set to Any, and it did not work. It’s a funny thing, because when I put the MAC address in the field it doesn’t work, but when I put in the IP address that corresponds to that MAC address, it works.
I finally got it to work by doing the following. I noticed that even though the IP address of the VPN that I am connecting to always changes, the hostname is always the same. I don’t know why I didn’t see this before.
Allow TCP OUT from Tap32 MAC to (vpn hostname)
Block TCP/UDP/IP IN/OUT from MAC (of my wireless adapter) to ANY
These are basically the rules I have set up.
It’s strange that it works this way, because how is the Tap32 adapter working if my own physical wireless adapter is being blocked? It has to piggyback on it somehow.
Another crazy thing. When I use all of the “who am I” utilities online and speed tests, they show my location as wherever the VPN is (Sweden, the Netherlands, etc.). But when I do the W3C location test, such as the Google “where am I” test, it shows my real location. Why is this?