I’ve got a weird problem with CFP using a VPN. When I try to bind certain apps especially to my VPN connection, CFP completely blocks all connection requests made by that app.
My rules are as follows:
Network Zone: VPN IP Range
Application Rules for mIRC.exe
Allow IP In From IP Any To In [vpn] Where Protocol Is Any
Allow IP Out From In [vpn] To IP Any Where Protocol Is Any
Block And Log IP In/Out From IP Any To IP Any Where Protocol Is Any
In that exact order.
The program can’t connect though, and I don’t know why. The firewall lists all the outgoing requests as blocked, although the Source IP is within the defined Network Zone. As soon as I remove the last policy, it works.
Where is my mistake?
Thanks in advance.
For Application Rules, there is a bit more that has to be done.
Windows Operating System, and svchost.exe need access to the VPN in order to do the proper setup. And maybe something else also, but I can’t recall what it is offhand. Your CFP logs will likely tell you.
I don’t quite understand what you mean. WOS and svchost have access to the VPN; everything works fine when I’m going online using the VPN, except for when I introduce those policies. As soon as I delete the “Block IP etc.” rule on that program, it works.
So it must have something to do with that rule, which I don’t understand, because both rules allowing connections are above it and configured for the correct Network Zone (which, btw, disappears every time I reboot).
Then it would seem that something later on down the line needs that blocking rule gone in order to work. The question then is, what is that something? That is going to take going through your Application Rules.
Two ways come to mind of doing that.
The first is, to put the blocking rule in place, and then move applications upward in the CFP ruleset so they are above the blocking rule. When things resume working, you’ve found the application that needed to be moved. Just as a guess, I’d start with Windows system stuff first.
The second, is to run the CFP Config Reporting Script (in the sticky topic at the top of this forum page), and post the resulting report here. That way, a bunch of eyeballs can go over it, and see what’s the likely problem.
Okay, got it now.
Looks like it’s a bug in the latest CFP version. Another user had the exact same problem with it, and he resolved it by manually entering the IP ranges in each rule instead of using the Network Zone feature. The rules are the same; I just replaced the Network Zone with the IP range for that zone in both of the Allow rules, and it works for me now too.
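The behaviour the thread describes (allow rules above a catch-all block, yet everything blocked until the block rule is removed, and fixed by writing the range in explicitly) is what a first-match rule evaluator does when the zone a rule references resolves to no addresses. The following is an added model of that evaluation, not code from the thread or from Comodo; the VPN range 10.8.0.0/24, the test addresses and the "no-match" fallback (standing in for whatever CFP does when no application rule matches) are all constructed assumptions.

```python
"""Model of first-match application-rule evaluation against a zone table.

Constructed example: rule semantics are simplified, the VPN range and the
addresses below are made up, and "no-match" stands in for the firewall's
own default handling when nothing in the list matches.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str      # "allow" or "block"
    direction: str   # "in", "out" or "in/out"
    src: str         # "any", "zone:<name>" or an explicit CIDR / IP
    dst: str         # same forms as src


ZoneTable = Dict[str, List[str]]   # zone name -> list of CIDR strings


def resolve(spec: str, zones: ZoneTable) -> list:
    """Expand a rule endpoint into the networks it covers.

    A zone that is undefined or empty expands to nothing, so a rule that
    references it can never match, whatever its position in the list."""
    if spec == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if spec.startswith("zone:"):
        return [ipaddress.ip_network(n) for n in zones.get(spec[5:], [])]
    return [ipaddress.ip_network(spec, strict=False)]


def rule_matches(rule: Rule, direction: str, src: str, dst: str,
                 zones: ZoneTable) -> bool:
    if rule.direction not in (direction, "in/out"):
        return False
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (any(s in net for net in resolve(rule.src, zones)) and
            any(d in net for net in resolve(rule.dst, zones)))


def evaluate(rules: List[Rule], direction: str, src: str, dst: str,
             zones: ZoneTable) -> Tuple[str, Optional[int]]:
    """First matching rule wins; returns (action, index of the rule that fired)."""
    for idx, rule in enumerate(rules):
        if rule_matches(rule, direction, src, dst, zones):
            return rule.action, idx
    return "no-match", None   # assumption: firewall default applies here


VPN_RANGE = "10.8.0.0/24"   # constructed stand-in for the poster's VPN range

# The three rules from the first post, in the order given, with the
# zone referenced by name.
MIRC_RULES = [
    Rule("allow", "in", "any", "zone:vpn"),
    Rule("allow", "out", "zone:vpn", "any"),
    Rule("block", "in/out", "any", "any"),
]

# The same rules with the range written in explicitly, as in the fix.
MIRC_RULES_EXPLICIT = [
    Rule("allow", "in", "any", VPN_RANGE),
    Rule("allow", "out", VPN_RANGE, "any"),
    Rule("block", "in/out", "any", "any"),
]


def demo() -> Dict[str, Tuple[str, Optional[int]]]:
    """Run the scenarios from the thread; VPN client 10.8.0.5 talking to 192.0.2.10."""
    zones_ok: ZoneTable = {"vpn": [VPN_RANGE]}
    zones_lost: ZoneTable = {}    # zone definition gone, as after the reported reboot
    return {
        "zone defined":               evaluate(MIRC_RULES, "out", "10.8.0.5", "192.0.2.10", zones_ok),
        "zone defined, inbound":      evaluate(MIRC_RULES, "in", "192.0.2.10", "10.8.0.5", zones_ok),
        "zone lost":                  evaluate(MIRC_RULES, "out", "10.8.0.5", "192.0.2.10", zones_lost),
        "zone lost, block removed":   evaluate(MIRC_RULES[:2], "out", "10.8.0.5", "192.0.2.10", zones_lost),
        "explicit range, zone lost":  evaluate(MIRC_RULES_EXPLICIT, "out", "10.8.0.5", "192.0.2.10", zones_lost),
        "non-VPN source":             evaluate(MIRC_RULES, "out", "192.168.1.20", "192.0.2.10", zones_ok),
    }


if __name__ == "__main__":
    for name, (action, idx) in demo().items():
        print(f"{name:28s} -> {action} (rule {idx})")
```

With the zone intact, outgoing traffic from the VPN address hits rule 2 and is allowed. When the zone resolves to nothing, both allow rules are dead and rule 3 catches everything, which matches the "all outgoing requests blocked" log entries; removing rule 3 only moves the decision to the firewall's default. Writing the range into the rules bypasses the zone lookup entirely, which is why the workaround in this thread holds up even when the zone definition is lost.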
Glad that it’s working for you now. There have been some bug reports for version 3.0.25.x about network zone definition problems. The prior 3.0.24.x was working, and apparently something broke in the change.
Yep, thanks for your help anyway :-TU