Inbound firewall rule doesn't refuse connection

It appears that we occasionally are targeted by internet-wide scanning of hosts that listen for inbound IPSec VPN connection requests. On the IPsec VPN Event Log, it is clearly shown:

| Time | Message |
|---|---|
| Feb 19 18:11:15 | IPsec: Refused connection request from 216.218.206.86. |
| Feb 19 17:59:02 | IPsec: Refused connection request from 216.218.206.70. |
| Feb 19 17:17:56 | IPsec: Refused connection request from 216.218.206.126. |
| Feb 19 11:12:15 | IPsec: Refused connection request from 198.20.69.98. |
| Feb 18 19:21:13 | IPsec: Refused connection request from 216.218.206.78. |
| Feb 18 18:52:24 | IPsec: Refused connection request from 216.218.206.122. |

So in response to this, I have made an inbound firewall rule for the netblock of the most common offenders:
Protocol: Any
WAN: Any
Source: 216.218.200.0/21
Destination: Any
Action: Deny

After saving and applying, log entries are still generated for addresses inside the netblock which should be denied by the firewall rule.

Please confirm if VPN connection listening takes place before or after firewall rules.


The firewall rule is designed to block the traffic types below only.

  • LAN to LAN
  • LAN to WAN
  • WAN to LAN

You do not have to worry about it because those IP addresses do not know your IPSEC pre-shared key. They will not be able to form the IPSEC VPN.

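An added example, not code from this thread or from the router vendor, that parses the log lines quoted in the question, checks each source against the posted 216.218.200.0/21 deny rule, and models the responder's point that the rule set only evaluates LAN/WAN-to-LAN/WAN traffic, so an IPsec request addressed to the gateway itself never reaches it. The zone names and the `DEVICE` label are assumptions made for this illustration.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample input: the six log lines quoted in the question.
LOG = """\
Feb 19 18:11:15|IPsec: Refused connection request from 216.218.206.86.
Feb 19 17:59:02|IPsec: Refused connection request from 216.218.206.70.
Feb 19 17:17:56|IPsec: Refused connection request from 216.218.206.126.
Feb 19 11:12:15|IPsec: Refused connection request from 198.20.69.98.
Feb 18 19:21:13|IPsec: Refused connection request from 216.218.206.78.
Feb 18 18:52:24|IPsec: Refused connection request from 216.218.206.122.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d\d:\d\d:\d\d)\|IPsec: Refused connection request "
    r"from (?P<src>[\d.]+)\.$"
)

# The deny rule as posted: any protocol, any WAN, any destination.
DENY_NET = ip_network("216.218.200.0/21")

# Directions the responder says the firewall rule covers (assumed zone names).
COVERED = {("LAN", "LAN"), ("LAN", "WAN"), ("WAN", "LAN")}


def parse_refusals(text):
    """Return (timestamp, source IP) pairs from 'Refused connection' lines."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append((m.group("ts"), ip_address(m.group("src"))))
    return out


def in_deny_net(src, net=DENY_NET):
    """True when the source address falls inside the posted deny netblock."""
    return (ip_address(src) if isinstance(src, str) else src) in net


def rule_would_apply(src_zone, dst_zone):
    """True only for a direction the firewall rule set actually evaluates."""
    return (src_zone, dst_zone) in COVERED


def audit(text):
    """Per refusal: does the rule match the source, and would the engine see it?
    An IKE request terminates on the gateway (WAN -> DEVICE), not on the LAN."""
    return [{"ts": ts, "src": str(src), "in_deny_net": in_deny_net(src),
             "rule_applies": rule_would_apply("WAN", "DEVICE")}
            for ts, src in parse_refusals(text)]


if __name__ == "__main__":
    for row in audit(LOG):
        print(row)
```

Every 216.218.206.x entry is inside the /21 yet `rule_applies` is False for all of them, which is the mismatch the question describes.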

The firewall should be able to block these incoming connection attempts, should it not? I am getting the same thing from the same IPs as above and the “answer” is not to worry?