Further detail - checking the firewall logs, I am unable to match up the timestamps between the VPN hack attempts and the firewall rules triggering. Notice the latest VPN hack attempts happened at 01:50:43 and 01:50:39 but the firewall rules are not triggered at the same time, instead triggering at 01:51:01 and 01:49:21.
Hmm. If so, that’s poor and confusing UI design for several reasons:
If Local Service Firewall rules apply First, then the UI for it should not be at the bottom of the firewall UI page. It should be located in front of (higher up) on the page than the Inbound Firewall Rules section.
The Help tag for Inbound Firewall Rules section needs to mention this. It currently reads:
This table displays all the configured inbound firewall rules and their details. Dragging a rule up/down can change its priority, higher position of a rule signifies higher precedence.
For every new inbound IP session routed to a host on the LAN (i.e. sessions coming from WAN side), rules will be matched from the top to bottom. The matching process stops when a rule is found to be matched.
The inbound firewall rules only apply to the following types of traffic:
Inbound WAN 1 traffic where the WAN 1 is in drop-in mode
Inbound traffic that is defined in Port Forwarding
Inbound traffic that is defined in Inbound NAT Mappings
If an inbound IP session does not match any of the rules listed, the Default rule will be applied.
I would suggest adding the following to the help:
Note: Local Firewall Service Rules (such as VPN access…) rules are applied before these rules.
The name itself, Local Service Firewall Rules is somewhat misleading - when I read “Local Service” my mind certainly does not jump immediately to “Remote VPN access”. “Local Service” sounds more like Bonjour or similar…
Martin, thanks for the solution - I ended up creating the rule in both sections (Inbound and Local) because I really want this Russian hacker blocked, and after creating the two rules, I can confirm this is working.
I’m changing the title of this post to reflect a better understanding.
An update on the ticket: Peplink Engineering says that my observations are correct, and the internal service firewall rule is not working currently for PPTP VPN connections. Tthey recommend switching to OpenVPN as a mitigation at the present time.