Looks like we’re going to need to restructure your rules a bit. The default CFP rules, which you had as a basis, were set up assuming a single machine connecting thru a modem. Your setup is a bit more complicated.
First, let me make sure that I’m understanding your network, and that it is something like this:
RemotePC ------- Internet -------- cablemodem ---------- ThisPC -------- other PCs on LAN
where RemotePC is connecting thru a VPN to ThisPC
and
where ThisPC is being used as an Internet Connection Host (a gateway) for other PCs on your LAN to gain access to the Internet
and
where your connection to the Internet is thru a cable modem
All of that is taken from your postings so far, and what I read from your network rules snapshot.
If that is mostly right, then I’m going to suggest that we take things in stages, make sure the CFP rules are working, and build on those working rules to the next stage.
The first stage then, is to have ThisPC secure your LAN, so your local PCs can see ThisPC and each other and have everything work.
The basic structure of the rules for your LAN is like this (and this replaces all your existing CFP rules):
- Allow IP In&Out from zone[MyLAN] to zone[MyLAN]
- Allow IP In&Out from zone[MyLAN] to zone[Multicast]
- Allow IP Out from zone[MyLAN] to any
- Allow ICMP In from any to any where ICMP detail message is “Net Unreachable”
- Allow ICMP In from any to any where ICMP detail message is “Port Unreachable”
- Allow ICMP In from any to any where ICMP detail message is “Host Unreachable”
- Allow ICMP In from any to any where ICMP detail message is “Time Exceeded”
- Allow ICMP In from any to any where ICMP detail message is “Fragmentation Needed”
- Allow ICMP In from any to any where ICMP detail message is “Protocol Unreachable”
- Block&Log IP In from any to any
where zone[MyLAN] is the address range for your LAN. Windows seems to use 192.168.0.0 thru 192.168.0.255 for the Internet Connection Host provided LAN addresses.
Zone[Multicast] covers a special LAN-only broadcast address range from 224.0.0.0 thru 239.255.255.255. It gets used by a lot of networking stuff, including VPNs. Windows networking will also use it, mostly for UPnP devices which you might have in printers and wireless nodes and such.
Note that these 11 rules I’ve outlined above do not provide any VPN support. That’s the next step, after these LAN rules get in place, and known to be working.
Regarding your VPN, you’ve described IPSec. Is this VPN a product (for example, a Cisco VPN server/client package) or the native Windows L2TP/IPSec? Setup can differ among products, and the CFP rules may need to reflect the details.
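The 11 rules above are evaluated top to bottom, first match wins, which is why the Block&Log rule has to sit last. The following Python model is an added example, not code from the post or from CFP itself: it encodes the two zones (MyLAN as 192.168.0.0/24, Multicast as 224.0.0.0/4) and the rule list, then runs a few constructed sample packets through a first-match evaluator so you can see which rule each one hits. The ICMP type/code mapping for the named "detail messages" is the standard one (Destination Unreachable is type 3 with codes 0 to 4, Time Exceeded is type 11); a packet that matches no rule is reported as "no match" rather than assuming what CFP does in that case.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Zones as described in the post: Windows ICS hands out 192.168.0.x,
# and the multicast range is 224.0.0.0 through 239.255.255.255.
ZONES = {
    "MyLAN": ipaddress.ip_network("192.168.0.0/24"),
    "Multicast": ipaddress.ip_network("224.0.0.0/4"),
}

# Standard ICMP type/code for each "detail message" named in the rules.
# None as the code means "any code" for that type.
ICMP_DETAIL = {
    "Net Unreachable": (3, 0),
    "Host Unreachable": (3, 1),
    "Protocol Unreachable": (3, 2),
    "Port Unreachable": (3, 3),
    "Fragmentation Needed": (3, 4),
    "Time Exceeded": (11, None),
}


@dataclass
class Packet:
    direction: str                    # "in" or "out" relative to ThisPC
    proto: str                        # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


@dataclass
class Rule:
    action: str                       # "allow" or "block&log"
    proto: str                        # "ip" matches any protocol
    directions: tuple                 # ("in",), ("out",) or ("in", "out")
    src_zone: Optional[str]           # None means "any"
    dst_zone: Optional[str]
    icmp_detail: Optional[str] = None


def in_zone(addr: str, zone: Optional[str]) -> bool:
    """'any' (None) matches everything; otherwise check zone membership."""
    if zone is None:
        return True
    return ipaddress.ip_address(addr) in ZONES[zone]


def matches(rule: Rule, pkt: Packet) -> bool:
    if pkt.direction not in rule.directions:
        return False
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not in_zone(pkt.src, rule.src_zone) or not in_zone(pkt.dst, rule.dst_zone):
        return False
    if rule.icmp_detail is not None:
        want_type, want_code = ICMP_DETAIL[rule.icmp_detail]
        if pkt.icmp_type != want_type:
            return False
        if want_code is not None and pkt.icmp_code != want_code:
            return False
    return True


# The rule set from the post, in the same order.
RULES = [
    Rule("allow", "ip", ("in", "out"), "MyLAN", "MyLAN"),
    Rule("allow", "ip", ("in", "out"), "MyLAN", "Multicast"),
    Rule("allow", "ip", ("out",), "MyLAN", None),
] + [
    Rule("allow", "icmp", ("in",), None, None, detail)
    for detail in ("Net Unreachable", "Port Unreachable", "Host Unreachable",
                   "Time Exceeded", "Fragmentation Needed", "Protocol Unreachable")
] + [
    Rule("block&log", "ip", ("in",), None, None),
]


def evaluate(pkt: Packet, rules=RULES):
    """First matching rule decides. Returns (action, rule_index)."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, i
    return "no match", None


# Constructed sample traffic (addresses are illustrative only).
SAMPLES = {
    "lan_to_lan": Packet("in", "tcp", "192.168.0.5", "192.168.0.1"),
    "lan_ssdp_multicast": Packet("out", "udp", "192.168.0.3", "239.255.255.250"),
    "lan_out_to_internet": Packet("out", "tcp", "192.168.0.1", "203.0.113.80"),
    "internet_in_tcp": Packet("in", "tcp", "203.0.113.9", "192.168.0.1"),
    "internet_in_ping": Packet("in", "icmp", "203.0.113.9", "192.168.0.1", 8, 0),
    "host_unreachable": Packet("in", "icmp", "203.0.113.9", "192.168.0.1", 3, 1),
    "ttl_expired": Packet("in", "icmp", "203.0.113.9", "192.168.0.1", 11, 0),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:22s} -> {evaluate(pkt)}")
```

Running it shows the ordering at work: LAN-to-LAN and LAN-to-multicast traffic is allowed by the first two rules, an inbound TCP connection from the Internet and an inbound ping both fall through to the final Block&Log rule, while the listed ICMP error messages are let in by their specific rule before the block is reached.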