I am using OpenVPN to connect to my VPN.
OpenVPN uses the TAP-Win32 Adapter V9.
Now, when I start OpenVPN and set svchost.exe to allow outgoing UDP traffic from the MAC address of the TAP adapter to the outside net, the firewall keeps asking me to allow traffic from MAC any instead of sticking to the rule that is in place, which tells the firewall to allow traffic going out from the MAC address of the TAP adapter.
Only when I have a rule "Allow outgoing traffic from MAC any to MAC any" does it not ask me when using the VPN. Naturally this is NOT wanted, as it breaks my intention to only allow traffic through the MAC address of the TAP adapter to the VPN and further to the outside net.
How can I make the firewall understand that if the traffic originates from the MAC address of the TAP adapter it does not need to ask me again but really stick to the rule I set?
Example:
For a simple DNS request I have this in place:
Allow And Log UDP Out From MAC (MAC address of the TAP adapter) To IP 209.222.18.218 Where Source Port Is In (Non Privileged Ports = 1025-65535) And Destination Port Is 53.
When I fire up OpenVPN the firewall tells me that svchost.exe is trying to connect to 209.222.18.218 on remote port 53. When I check the log, the originating IP is the IPv4 address of the TAP adapter, e.g. 10.125.1.10 (Preferred).
ONLY when I set svchost.exe to specifically allow outgoing traffic from e.g. IPv4 10.125.1.10 (IP of the TAP adapter) to 209.222.18.218 on port 53 does it not ask me. HOWEVER, every time I log on to the VPN the (Preferred) IP of the TAP adapter changes. I tried connecting and disconnecting the VPN a few times to find out if there is a network range, but it really is quite big, and it is another IP starting with 10… every time.
Why does the firewall not eat my rule that if the traffic is from the physical MAC address it can allow it without asking me?
I have also tried making a Network Zone with the MAC address of the TAP adapter and then setting svchost.exe to use that Network Zone (e.g. VPN TAP), but it still keeps asking me, and if I click allow and remember, the rule will be "Allow UDP Out From MAC Any To…".
Why is this happening, and how can I tell the firewall to really use any IP that the MAC address of the TAP adapter gets, instead of allowing any other network adapter (MAC any…) to make this request?
Thank you for your help.
EDIT:
Here is a screenshot showing that the network zone is set up correctly as given by the ipconfig /all command: the TAP physical address (MAC address) is entered into the zone VPN TAP and then used with the svchost rules, but you can see in the logs that the firewall keeps asking to make a new rule (shown at the top of the svchost rules), and that rule is MAC Any, and THAT is what I do not want. How can I change this to work, please?
https://lh5.googleusercontent.com/-_xjK170WBB8/U9qWWq2wzRI/AAAAAAAAB_Q/EEmEs0oW6J0/s0/.png
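The post's underlying problem is that the TAP adapter's IPv4 address changes on every connect, so any rule keyed on the address stops matching, while a MAC-based zone is not what the prompt generates. The usual way to express "only over the TAP adapter, whatever its address is today" is to bind the rule to the interface itself rather than to an IP. The following is an added example that is not from the original post and does not use the poster's third-party firewall; it expresses the same rule (svchost.exe, UDP out, source port 1025-65535, destination 209.222.18.218:53) for the built-in Windows Firewall via PowerShell, where the interface alias takes the place of the MAC address. The MAC value is a labelled placeholder; the 209.222.18.218 address and port are the ones in the post. Run in an elevated PowerShell.

```powershell
# Added example (not the original post's firewall product): scope an outbound
# rule to the TAP adapter by interface instead of by its changing IPv4 address.

# Placeholder: replace with the TAP adapter's physical address from "ipconfig /all",
# in the dash-separated form Get-NetAdapter reports (e.g. 00-FF-12-34-56-78).
$TapMac = '00-FF-00-00-00-00'

# Resolve the adapter's interface alias from its MAC. The alias is stable across
# reconnects, which is why the rule below binds to it rather than to the IP.
$tap = Get-NetAdapter | Where-Object { $_.MacAddress -eq $TapMac }
if (-not $tap) {
    throw "No adapter with MAC $TapMac found; check the value against ipconfig /all."
}

$ruleName = 'VPN TAP - svchost DNS out'

# Remove any earlier copy so the script is safe to re-run.
Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# The rule from the post, bound to the interface: svchost.exe, UDP out,
# non-privileged source ports, to 209.222.18.218 on destination port 53.
New-NetFirewallRule -DisplayName $ruleName `
    -Direction Outbound `
    -Action Allow `
    -Program "$env:SystemRoot\System32\svchost.exe" `
    -Protocol UDP `
    -LocalPort '1025-65535' `
    -RemoteAddress '209.222.18.218' `
    -RemotePort 53 `
    -InterfaceAlias $tap.InterfaceAlias | Out-Null

# Verify what the firewall actually stored: the interface filter should list the
# TAP alias, and the address/port filter the remote endpoint from the post.
$rule = Get-NetFirewallRule -DisplayName $ruleName
$rule | Get-NetFirewallInterfaceFilter | Format-List InterfaceAlias
$rule | Get-NetFirewallAddressFilter   | Format-List RemoteAddress
$rule | Get-NetFirewallPortFilter      | Format-List Protocol, LocalPort, RemotePort
```

The rule only restricts traffic if the profile's default outbound action is set to block (otherwise everything is allowed anyway); check it with `Get-NetFirewallProfile | Select-Object Name, DefaultOutboundAction`. Binding to the interface alias is the equivalent of the post's MAC-based zone: it follows the adapter through every address change, and traffic from any other adapter does not match it.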