I am not 100% sure how to make Comodo differentiate between the Internet and my LAN.
Given that all WAN related traffic is via my router at 192.168.1.1, do I simply set up my Home Network to be 192.168.1.2 - 192.168.1.254, i.e., all internal IP addresses except for my router? The “Internet network” can then be defined as any traffic sent to or received from my router at 192.168.1.1. I know I would need to add rules to allow communication for DHCP to function correctly.
I can then set up rules to allow all communications possible between Home Network, and set up much more stringent rules for the Internet.
I would also then set up application specific rules for my VPN, which I think is easy enough to do.
Yes. Routers interconnect IP networks, so they have two IP addresses (they’re multi-homed). The 192.168.1.x IP address is your home network, i.e. inside your router. The IP address on the Internet side of your router will be assigned by your ISP.
BTW, your home network needs to include your router; your local DHCP server runs on there, for example, so all hosts must be able to access it.
So if my router’s internal IP needs to be included as part of my home network, won’t that include all Internet traffic as well, as all Internet traffic is coming via 192.168.1.1. How does Comodo differentiate between local/LAN traffic and Internet traffic?
I guess what I am asking is: if I have a Global Rule that allows IP In/Out from Home Network to Home Network, would that allow all incoming Internet packets to be sent to any computer on the LAN, as the traffic is coming from 192.168.1.1?
Yes, your router’s LAN-facing IP address is part of the local network and not the WAN (Internet), so your network zone needs to have all LAN IP addresses that are assigned to the local network. When creating the network zone, use the subnet mask type and for the IP address put 192.168.1.1, with 255.255.255.0 in the mask address box.
To answer your question: no, IP addresses do not get replaced as the packets are sent through a router. For example, if you were to send an ICMP echo request to one of Google’s assigned IP addresses, the echo reply’s source address will still be that of the Google IP even though the request and reply are forwarded to and from your router. Just know that having a global rule that allows incoming connections from your home network will not allow incoming connections from the Internet.
No, you don’t need to create an Internet zone; Comodo will know the difference between LAN traffic and WAN traffic. What exactly are you trying to do? If all you want is to be able to allow all connections from other devices in your home LAN but not from the Internet, you can first set your ports to stealth mode by going to firewall tasks > stealth ports and selecting block incoming connections. Then use the manage networks task, select the trust network button for the LAN that you are connected to, and press OK.
You actually don’t have to worry about the Internet as a separate entity. The CIS firewall rules use a two-stage process: outgoing packets are filtered by the application rules first and then by the global rules; only if they pass both is the packet sent. Inbound packets are filtered first by the global rules and then by the application rules; only if they pass both is the packet delivered.
This means that you can have a global in/out rule to allow communication to/from your LAN and use the application rules to define what each application can communicate with. There’s no need to define “an Internet zone” at all.
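To make the two points in this thread concrete (the network zone built from 192.168.1.1 plus mask 255.255.255.0, and the two-stage application-rule/global-rule evaluation), here is a small model that classifies packet addresses against the zone and runs the rules in the order described above. This is an added illustration, not Comodo’s code: the zone, rule set, application names and packet addresses are constructed for the example (203.0.113.10 stands in for a remote Internet host), and the default-deny for a packet that matches no rule is an assumption of this model, not a statement about CIS defaults.

```python
"""Toy model of a firewall network zone and two-stage rule evaluation.

Added example, not Comodo's code. The zone follows the thread's advice
(address 192.168.1.1, mask 255.255.255.0); rules, application names and
packets are constructed, and default-deny on no match is this model's
assumption.
"""
from dataclasses import dataclass
from typing import Optional
import ipaddress

# strict=False lets the router's host address stand in for its network,
# so the zone becomes 192.168.1.0/24 and includes 192.168.1.1 itself.
HOME_NETWORK = ipaddress.ip_network("192.168.1.1/255.255.255.0", strict=False)


def in_zone(addr: str, zone: ipaddress.IPv4Network = HOME_NETWORK) -> bool:
    """True if addr belongs to the zone; the router's LAN address counts."""
    return ipaddress.ip_address(addr) in zone


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" (arriving at this host) or "out" (leaving it)
    src: str
    dst: str
    dport: int
    app: str        # local application the packet belongs to (constructed names)


@dataclass(frozen=True)
class Rule:
    action: str                                  # "allow" or "block"
    direction: str                               # "in", "out" or "any"
    src: Optional[ipaddress.IPv4Network] = None  # None matches any address
    dst: Optional[ipaddress.IPv4Network] = None
    dports: Optional[frozenset] = None           # None matches any port

    def matches(self, p: Packet) -> bool:
        return (
            self.direction in ("any", p.direction)
            and (self.src is None or ipaddress.ip_address(p.src) in self.src)
            and (self.dst is None or ipaddress.ip_address(p.dst) in self.dst)
            and (self.dports is None or p.dport in self.dports)
        )


def evaluate(rules: list, p: Packet) -> str:
    """First matching rule wins; no match means block (this model's assumption)."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "block"


# Global rules as suggested in the thread: LAN <-> LAN allowed, all other
# inbound blocked (stealth ports), outbound left to the application rules.
GLOBAL_RULES = [
    Rule("allow", "any", src=HOME_NETWORK, dst=HOME_NETWORK),
    Rule("block", "in"),
    Rule("allow", "out"),
]

# Constructed per-application rules: a browser may reach any web server,
# a file-sharing service may only be reached from the home network.
APP_RULES = {
    "browser": [Rule("allow", "out", dports=frozenset({80, 443}))],
    "fileshare": [Rule("allow", "in", src=HOME_NETWORK, dports=frozenset({445}))],
}


def decide(p: Packet) -> str:
    """Outbound: application rules, then global rules.
    Inbound: global rules, then application rules. Both stages must allow."""
    app_rules = APP_RULES.get(p.app, [])
    stages = [app_rules, GLOBAL_RULES] if p.direction == "out" else [GLOBAL_RULES, app_rules]
    for rules in stages:
        if evaluate(rules, p) != "allow":
            return "block"
    return "allow"


# Constructed packets. The Internet host's source address is not rewritten
# when the router forwards the packet, so it never falls inside the zone.
PACKETS = {
    "internet_to_lan": Packet("in", "203.0.113.10", "192.168.1.20", 445, "fileshare"),
    "lan_to_lan": Packet("in", "192.168.1.30", "192.168.1.20", 445, "fileshare"),
    "browser_out": Packet("out", "192.168.1.20", "203.0.113.10", 443, "browser"),
    "fileshare_out": Packet("out", "192.168.1.20", "203.0.113.10", 445, "fileshare"),
}

if __name__ == "__main__":
    for name, pkt in PACKETS.items():
        print(f"{name:16} src_in_zone={in_zone(pkt.src)!s:5} -> {decide(pkt)}")
```

The `internet_to_lan` case is the one the original question worried about: the packet does arrive via the router, but its source address is still 203.0.113.10, so the LAN-to-LAN global rule does not match and the stealth block rule does. The `fileshare_out` case shows the other half of the design: the global rules let outbound traffic through, yet the application rule for that program still stops it.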