Believe it or not, PPTP is the simpler VPN setup. You really don’t want to go near an L2TP/IPSec VPN unless you have to. (But then, if you have to, you really really need that kind of VPN security.)
Yes, [VPN] and [Multicast] are address ranges. We’ll need to set these up as CFP network zones.
To do that in CFP, click Firewall → Common Tasks, My Network Zones. Then Add → A New Network Zone. All you do here is give the new zone a name. There are two zones, so two names.
Then, for each new zone, there will be a line under it that says “add addresses here”. Right-click that line, and select Add.
For the VPN zone, we’ll take the wide view, and use an IP address mask of 10.10.11.0/255.255.255.0. That will cover all addresses from 10.10.11.0 thru 10.10.11.255.
For the Multicast zone, we’ll use IP address mask again, with 224.0.0.0/240.0.0.0. That will cover all addresses from 224.0.0.0 thru 239.255.255.255. Multicasting is a weird beast. It’s like a write-only address, needed to make some things work. Best to define it, and not need it, than to leave it out, and wonder what it is that is keeping things from working, sometimes.
Since your machine is a remote client to the VPN server, you’ll get assigned an address by that server when you get a connection. That uses the standard DHCP protocol, thru the initial stages of the tunnel setup. So, we will need to allow traffic to the DHCP broadcast address of 255.255.255.255.
So, in your Global Rules, you’ll have these rules at the very top, and in this order (CFP processes rules from the top down; first match wins, so order matters, a lot):
allow IP In&Out from any to singleIP[255.255.255.255] where protocol is any
allow IP In&Out from zone[VPN] to zone[VPN] where protocol is any
allow IP In&Out from zone[VPN] to zone[Multicast] where protocol is any
block&log IP In&Out from zone[VPN] to any
block&log IP In&Out from any to zone[VPN]
That should be enough to get you connected to the VPN server.
Note these rules don’t do any firewalling within the VPN. If you trust the LAN the VPN server is on, and what the LAN is that the server is making available to you, then these rules are likely enough. If you have the possibility of an attack/probe from another VPN client, then some more rules will be needed.
The blocking rules, as I mentioned earlier, keep the VPN traffic to the VPN only. Your LAN can’t talk to the VPN, and the VPN can’t talk to your LAN. And you can’t go thru the VPN to reach the Internet. To do any of that, the blocking rules need to be changed.
Does this make any kind of sense?
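As an added illustration (not part of the post above, and not CFP’s own code), the following Python script models the two network zones and the five Global Rules exactly as the post lists them, using a first-match-wins evaluator. It only models source/destination matching, since every rule in the post is In&Out with protocol any; the real CFP engine is not replicated. The sample packets are constructed: 192.168.1.10 stands in for a hypothetical LAN host, 203.0.113.9 for an arbitrary Internet host, and 239.255.255.250 for a multicast destination. The script also shows what goes wrong if the block rules are placed above the allow rules, which is the ordering mistake the post warns about.

```python
import ipaddress

# Network zones, written with the same address/mask pairs the post uses.
# ipaddress accepts dotted-quad netmasks, so 240.0.0.0 is understood as /4.
ZONES = {
    "VPN": ipaddress.ip_network("10.10.11.0/255.255.255.0"),
    "Multicast": ipaddress.ip_network("224.0.0.0/240.0.0.0"),
}

NO_MATCH = "no match (falls through to later rules)"

# The five Global Rules from the post, in the order given.
# A selector is "any", a zone name, or a single IP literal.
RULES = [
    ("allow",     "any",       "255.255.255.255"),  # DHCP broadcast during tunnel setup
    ("allow",     "VPN",       "VPN"),              # VPN client <-> VPN server/LAN
    ("allow",     "VPN",       "Multicast"),        # multicast needed by some services
    ("block&log", "VPN",       "any"),              # keep VPN traffic inside the VPN
    ("block&log", "any",       "VPN"),              # keep everything else out of the VPN
]

# Deliberately misordered copy: block rules first. Used to show why order matters.
MISORDERED = RULES[3:] + RULES[:3]


def _matches(selector, addr):
    """True if a packet address satisfies one side (src or dst) of a rule."""
    if selector == "any":
        return True
    if selector in ZONES:
        return addr in ZONES[selector]
    return addr == ipaddress.ip_address(selector)


def evaluate(src, dst, rules=RULES):
    """Return (action, rule_index) for the first matching rule, top down.

    Mirrors CFP's first-match-wins processing: once a rule matches, later
    rules are never consulted. Returns (NO_MATCH, None) if nothing matched.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, (action, src_sel, dst_sel) in enumerate(rules):
        if _matches(src_sel, s) and _matches(dst_sel, d):
            return action, i
    return NO_MATCH, None


def zone_range(name):
    """First and last address covered by a zone, to sanity-check the masks."""
    net = ZONES[name]
    return str(net[0]), str(net[-1])


if __name__ == "__main__":
    for name in ZONES:
        print(f"zone {name}: {zone_range(name)[0]} .. {zone_range(name)[1]}")

    # Constructed sample packets (src -> dst), all addresses are illustrative.
    samples = [
        ("10.10.11.5", "255.255.255.255"),   # DHCP broadcast from the VPN client
        ("10.10.11.5", "10.10.11.1"),        # VPN client to VPN server
        ("10.10.11.5", "239.255.255.250"),   # VPN client to a multicast group
        ("10.10.11.5", "203.0.113.9"),       # VPN client trying to reach the Internet
        ("192.168.1.10", "10.10.11.1"),      # LAN host trying to reach the VPN
        ("192.168.1.10", "192.168.1.1"),     # ordinary LAN traffic, not a VPN matter
    ]
    for src, dst in samples:
        action, idx = evaluate(src, dst)
        print(f"{src:>14} -> {dst:<16} {action} (rule {idx})")

    # Same VPN-to-VPN packet against the misordered list: the block rule wins.
    print("misordered:", evaluate("10.10.11.5", "10.10.11.1", MISORDERED))
```

The last line of output is the point of the post’s “order matters” remark: with the block rules on top, a VPN client can no longer even reach the VPN server, because the block&log zone[VPN]→any rule matches first and the allow rule beneath it is never reached.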