VPN-only rules problem

Hello all,

First, sorry for my bad English. Here is my problem:
I use a VPN (vpntunnel.se). I want to block Firefox traffic when not connected to the VPN.
So I googled for tips and found this:

  • Application rule:
    allow ip in from any to ip_vpn
    allow ip out from ip_vpn to any
    block ip in/out from any to any
  • where ip_vpn is the VPN address range (5.254.x.x), defined as a network zone.

When applied, that blocks all the Firefox traffic!!! I did a “whatismyip.com”, and it says 5.254.x.x…
I tried with the MAC address of the “TAP adapter” instead of ip_vpn, same thing…
Why??? Global rules are standard after install.
I use the latest version of CIS, Firefox, Windows 7 64-bit.
It runs if I put the local loop (127.0.0.1) instead of ip_vpn, but of course it runs too when not connected to the VPN…
Any idea???
Thanks a lot!

Welcome to the forum.

If you’re just trying to limit a single application, you should use Application rules, not Global. Apply the same rules you’ve listed to firefox.exe under Application rules.

Hello,
That’s what I did (bad English is a problem, for sure!).
The rules are applied to Firefox, not global.

No worries. Can you post some screenshots of your VPN network zone and your firewall application and global rules?

Here are some screenshots (attached).
The IP address with VPN is not always the same, but is in the range shown.
Thanks!

[attachment deleted by admin]

I tried this, which allows Firefox to connect (using or not using the VPN, so it does not solve my problem).
I changed the rule applied to Firefox:
Allow IP out from “local loop” to “local loop” any
Block IP in/out from any to any
“local loop” is a network zone with one IP (127.0.0.1 / 255.0.0.0).

Why can Firefox connect to the internet with that?
I don't understand.
???

Apologies for the delay getting back to you.

There are two things here:

  1. When you install this VPN service and connect, it changes the routing table so that all Internet traffic is sent and received using the VPN. If you want to use split tunnelling, you’ll have to make changes. Best to ask on their forum about this.

  2. The appearance of being able to connect to the Internet with only loopback rules is not what it seems. If you change your firewall settings to Custom Policy mode it should prompt.
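As an added illustration of point 1 (not part of the original thread), the check below parses a constructed, simplified Windows `route print` IPv4 table and works out which interface carries Internet-bound traffic. The VPN client's "full routing" shows up as two /1 routes via the tunnel gateway that out-rank the LAN /0 default route; all addresses, interface names and metrics are made up.

```python
import ipaddress

# Constructed sample of a Windows "route print" IPv4 table (made-up values),
# before the VPN client connects: the only default route is via the LAN gateway.
ROUTES_NO_VPN = """\
0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.10     20
127.0.0.0        255.0.0.0         On-link       127.0.0.1    306
192.168.1.0    255.255.255.0       On-link    192.168.1.10    276
"""

# Same table after connecting: the client adds two /1 routes via the tunnel
# gateway. Together they cover every address, and a /1 beats the /0 LAN route
# on prefix length, so all Internet traffic is pulled into the tunnel.
ROUTES_VPN = """\
0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.10     20
0.0.0.0        128.0.0.0        5.254.0.1      5.254.10.20     30
128.0.0.0      128.0.0.0        5.254.0.1      5.254.10.20     30
127.0.0.0        255.0.0.0         On-link       127.0.0.1    306
192.168.1.0    255.255.255.0       On-link    192.168.1.10    276
"""

def parse_routes(text):
    """Return (network, gateway, interface_ip, metric) tuples; skips non-route lines."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        dest, mask, gateway, iface, metric = parts
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gateway, iface, int(metric)))
    return routes

def route_for(routes, host):
    """Pick the route Windows would use: longest prefix, then lowest metric."""
    addr = ipaddress.ip_address(host)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r[0].prefixlen, -r[3]))

def internet_goes_via(routes, tunnel_iface, probe="8.8.8.8"):
    """True when traffic to a public address leaves through the tunnel interface."""
    chosen = route_for(routes, probe)
    return chosen is not None and chosen[2] == tunnel_iface
```

A LAN-local destination such as 192.168.1.50 still matches the on-link /24 in both tables, which is the kind of address that stays outside the tunnel even under full routing.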

Hello,

No problem with the delay!

If I understand correctly, what is said in this post ( https://forums.comodo.com/firewall-help-cis/allow-connection-only-through-vpn-with-comodo-firewall-how-t46042.0.html ) is not relevant for ME with THIS VPN provider?

Thanks

From what I can see from the vpntunnel website/forum, their solution is fully routed, which basically means that once you have connected to their service with their client, you don’t need to do anything else. However, I’d make sure to test for DNS leaks - there are a number of topics on their forum about this.

OK.

Only for “knowledge” purposes, why doesn’t the “MAC address” rule work?
Does the traffic go through this adapter? Is it a Comodo bug?

Thanks.

Without having access to the VPN client, I’d guess it’s simply the way full routing tends to work. If you could use the OpenVPN adapter directly, bypassing their client software, you would have better control over network connectivity.

Ok thanks.

I will try “OpenVPN”, which I believe is used by their client. Perhaps it will work.

You could take a look at Prevent leaks with Windows & Comodo see if it helps…

Same result with “OpenVPN”…
In the link you gave me, rule number 9 is enough (rule 6 activated, no other rules needed!) to allow access to the internet… with or without VPN.

In theory, if I am not using the VPN, how do I allow access to the internet using a rule with the “default adapter” MAC address?
Something like this with 2 rules:
1- allow IP out from “default adapter MAC address” to any
2- block IP out from any to any
doesn’t work.

I really think there is a bug!