
VPN Rules


Postby broadband » Mon Jan 30, 2017 12:05 am

I'm having trouble defining VPN rules to allow access for my NordVPN client. I started with the default VPN rules and tried to white list the blocked ports and URLs that showed up in the balloon notifications. I can now establish a connection but web surfing is painfully slow and at times non-existent. Also, if another zone is blocking access to the VPN-specific rules, how do I supersede those rules, i.e. C:\windows\system32\dashost.exe blocks outgoing 255.255.255.255 UDP, even though my VPN rule allows UDP access. How do I supersede that? On another subject, it would be nice if we could right click on the balloon events or in the event tab and copy the info on the blocked sites to create a new rule.
broadband
 
Posts: 5
Joined: Mon Sep 21, 2015 7:13 pm

Re: VPN Rules

Postby sp4096 » Mon Jan 30, 2017 9:21 pm

Here's what I would do, so try it:
On the Programs tab find and select your application that needs it.
Click on Zone in the upper right.
Fill in:
Name - Broadcast
Protocol - UDP
IPv4/v6 - 255.255.255.255
Port - if needed, look at the events
Direction - fill only if relevant, look at the events
Click Enable.
Click OK
Yes to apply to this copy only and not the VPN set of rules in the default list in zone.

OT: In my opinion Sphinx has unfamiliar designations if you come from another firewall, such as:
Enable means allow this communication, not enable/disable a rule.
Zone on the Programs tab really means application rules.
sp4096
 
Posts: 85
Joined: Tue Apr 26, 2016 2:57 am

Re: VPN Rules

Postby VistaFirewallControl » Tue Jan 31, 2017 10:35 am

>I'm having trouble defining VPN rules to allow access for my NordVPN client. I started with the default VPN rules and tried to white list the blocked ports and URLs that showed up in the balloon notifications.

The general approach is to enable the VPN client itself to access the VPN server at least, or even worldwide (via EnableAll).
All the other programs should be made VPN aware as well.
If you have the Plus edition or above, it can be done via Settings/AllApps by adding the VPN IP range enabling rule to AllApps.

>I can now establish a connection but web surfing is painfully slow and at times non-existent.

Most probably because the web browser is not enabled enough via the VPN.
In order to make a more useful suggestion we would need more details: VPN IP range, your existing configuration and what you would like to achieve finally. Please do not hesitate to contact us directly or reply.



>Also, if another zone

Rather “another rule”. Every application may have only a single zone applied, so there can be no clashing in the zones principally.

>is blocking access to the VPN-specific rules, how do I supersede those rules, i.e.

Please review the Rules Precedence in the manual (on the Zones page).
The rules priority starts from the top to the bottom.
So if you need to supersede a rule, place the new rule at the bottom of the rules list.


>C:\windows\system32\dashost.exe blocks outgoing 255.255.255.255 UDP, even though my VPN rule allows UDP access. How do I supersede that?

Could you please clarify what zone is applied to dashost and to the VPN client?
Probably you hardly applied the VPN rule to dashost, so dashost has its own zone (set of rules), so the rules can be managed separately.


>On another subject, it would be nice if we could right click on the balloon events or in the event tab and copy the info on the blocked sites to create a new rule.

If you right click an event in the Events pane and choose an item from the menu, WxFC will create the corresponding rule automatically. The rule is already ready to be inserted. Most probably you actually do not need to copy the info manually.
The above is valid for Plus Edition. The lower editions have no ability to customize the rules, so the info could be hardly used within the program. If so, you may want to review the access.log file where the complete network access history is stored.
VistaFirewallControl
Site Admin
 
Posts: 1417
Joined: Fri Mar 27, 2009 11:25 am

Re: VPN Rules

Postby broadband » Tue Jan 31, 2017 10:21 pm

Sorry forgot details:
I have the Net/Cloud registered version 8.1.0.16
If I choose "enable all" for both the NordVPN client and service executables, it does work as expected. However, I was trying to be a little more restrictive and not give the app carte blanche online access. But if that's what I need to do, so be it.
Thanks for the right-click explanation, I was always choosing "edit" and got frustrated when I couldn't cut and paste the URL and port. But I see that choosing one of the specific blocked items will automatically create a rule, awesome. 8-) Outstanding firewall by the way.
broadband
 
Posts: 5
Joined: Mon Sep 21, 2015 7:13 pm

Re: VPN Rules

Postby VistaFirewallControl » Wed Feb 01, 2017 9:21 am

>If I choose "enable all" for both the NordVPN client and service executables, it does work as expected. However, I was trying to be a little more restrictive and not give the app carte blanche online access. But if that's what I need to do, so be it.

Actually you can avoid using EnableAll and set a more restrictive permission.
It could be hardly a predefined rule, as WxFC is not aware of every VPN that could be used, so you will have to create a custom rule/zone.
Most probably the VPN client and (local) services will need localhost (127.0.0.1) accessibility,
DNS and DHCP related access and the main access to the related VPN server.
So you will have to create a new zone, add localhost, DNS, and DHCP rules (using the repository) and add an enabling (per-IP or per-name) rule for the VPN server.
What is the VPN server's IP/name? We have no related information unfortunately.
But the information can be obtained easily.
When you add localhost, DNS, DHCP rules only, apply the zone to the VPN client part (all the related programs) and try to connect, you will be blocked. The blocked event will show you the required name/address, you will just have to add the address to the zone.
If the IP is mutable you will have to make some iterations, but anyway a more restrictive zone is definitely possible.

Needless to say that the above may be a bit redundant.
Imagine if a program (VPN client for instance) never tries to access a server, there would be hardly a sense to block a connection that will be never established. So maybe using EnableAll for the VPN client is safe enough as well.


>Thanks for the right-click explanation, I was always choosing "edit" and got frustrated when I couldn't cut and paste the URL and port.

The feature is scheduled, but the implementation is delayed unfortunately.
The main reason is per-IP rules are strict and unambiguous always.
Per-name settings may be not too obvious, so any related automation may not give expected results right away.
VistaFirewallControl
Site Admin
 
Posts: 1417
Joined: Fri Mar 27, 2009 11:25 am

