PepVPN and Firewall Rules

I’m sure this will be an easy answer for someone. I’ve read many of the other topics on PepVPN in the knowledge base, but haven’t seen this one directly answered. Other users (Martin and Don) have provided great information on firewall rules and setting up PepVPN.

I’m in the process of slowly getting a PepVPN connection going between a SOHO and Balance One. I was having issues getting them to establish a connection over the internet, so for the time being, I’ve moved them both to a local router to help eliminate that as a potential issue.

I have a PepVPN connection now being established between the SOHO and Balance One. The SOHO and Balance One both have multiple VLANs defined. I can see the OSPF information show up on the PepVPN Status screens for each of the VLANs.

I can ping from the Balance to the IP address on the SOHO defined on the VLAN. But I can’t ping from the Balance to the IP address of a device on any of the VLANs. I believe this comes down to internal firewall rules (discussed at length earlier by Martin and Don in one of the posts).

The rules are fairly strict on the SOHO and Balance One. The Internal Network Firewall Rules are where I believe my issue is. The default rule is DENY and there is a handful of ALLOW rules. I believe this is preventing the communication. Martin mentioned how the default rule is ALLOW when the default settings are used. I’m on the side Don represents, where this is set to DENY and I know rules have to be created to allow specific traffic.

Here’s the big question. Let’s say there’s a machine on VLAN “A” on the SOHO trying to view a web page on a machine on VLAN “B” on the Balance One, are the Internal Network Firewall Rules checked on BOTH the SOHO and the Balance One? Or are the rules only checked when the traffic leaves the SOHO or when it arrives at the Balance One? I did not get a chance to test this situation this week and it’ll be another week or two before I have the opportunity to do so. I was looking to see if I could get a little more background before attempting the testing.

Thank you,
Niel

Hi Niel.
The firewall is stateful. This means that if I am on one subnet/VLAN and I am allowed by the firewall rules on my router to route traffic to a web server on another subnet, then that same firewall will allow traffic back from the web server I have tried to reach (it remembers the state of access). This works fine when your subnets/VLANs are all connected to the same firewall/router.

However, if that web server sits behind its own Peplink (at the other end of a PepVPN tunnel), then that Peplink firewall would also need an inbound rule that allows the remote device to send its request into the web server.

Best of luck!

3 Likes
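To make the two points in the reply above concrete (reply traffic is admitted by connection state, but a request crossing the tunnel is still evaluated by the firewall at the far end), here is a small simulation added as a teaching example. It is not Peplink code and not from anyone in this thread; the subnets, addresses and rules are constructed placeholders, and the rule-matching logic is a generic first-match model rather than Peplink's actual evaluation order.

```python
"""Toy model of two stateful firewalls joined by a site-to-site tunnel.

Constructed example: subnets, IPs and rule sets are assumed for illustration.
A request from a client behind the SOHO to a web server behind the Balance One
is checked by BOTH firewalls; the reply is then admitted by state on both.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    sport: int = 40000  # ephemeral client port, fixed here for determinism


@dataclass
class Rule:
    src_net: str
    dst_net: str
    dport: Optional[int]  # None matches any destination port
    action: str           # "allow" or "deny"

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src_net)
                and ip_address(pkt.dst) in ip_network(self.dst_net)
                and (self.dport is None or self.dport == pkt.dport))


@dataclass
class StatefulFirewall:
    name: str
    rules: List[Rule] = field(default_factory=list)
    default: str = "deny"  # the strict default-DENY posture from the question
    state: Set[Tuple[str, str, int, int]] = field(default_factory=set)

    def check(self, pkt: Packet) -> bool:
        # A reply to a flow this firewall already allowed is admitted by state,
        # so no explicit rule for the return direction is needed.
        reverse_key = (pkt.dst, pkt.src, pkt.sport, pkt.dport)
        if reverse_key in self.state:
            return True
        # Otherwise evaluate rules top-down; first match wins, else default.
        for rule in self.rules:
            if rule.matches(pkt):
                allowed = rule.action == "allow"
                break
        else:
            allowed = self.default == "allow"
        if allowed:
            self.state.add((pkt.src, pkt.dst, pkt.dport, pkt.sport))
        return allowed


def traverse(path: List[StatefulFirewall], pkt: Packet) -> Optional[str]:
    """Pass pkt through each firewall in order; return the name of the
    firewall that dropped it, or None if every hop allowed it."""
    for fw in path:
        if not fw.check(pkt):
            return fw.name
    return None


def web_roundtrip(soho: StatefulFirewall, balance: StatefulFirewall,
                  client: str, server: str) -> dict:
    """Client behind SOHO fetches a page from server behind Balance One."""
    request = Packet(client, server, dport=80)
    dropped = traverse([soho, balance], request)  # outbound: SOHO, then Balance
    if dropped:
        return {"request_dropped_at": dropped, "reply_dropped_at": None}
    reply = Packet(server, client, dport=request.sport, sport=80)
    dropped = traverse([balance, soho], reply)    # return path, reverse order
    return {"request_dropped_at": None, "reply_dropped_at": dropped}


def scenario(balance_has_inbound_rule: bool) -> dict:
    """Assumed layout: VLAN A = 10.1.10.0/24 behind SOHO,
    VLAN B = 10.2.20.0/24 behind Balance One (constructed addresses)."""
    soho = StatefulFirewall("SOHO", [Rule("10.1.10.0/24", "10.2.0.0/16", 80, "allow")])
    balance = StatefulFirewall("Balance One")  # default DENY, no rules yet
    if balance_has_inbound_rule:
        balance.rules.append(Rule("10.1.10.0/24", "10.2.20.0/24", 80, "allow"))
    return web_roundtrip(soho, balance, "10.1.10.25", "10.2.20.80")


if __name__ == "__main__":
    print("Balance One without inbound rule:", scenario(False))
    print("Balance One with inbound rule:   ", scenario(True))
```

Running it shows the request being dropped at "Balance One" when only the SOHO has an allow rule, and the full round trip succeeding once the Balance One also allows the inbound request; in neither case does the reply need its own rule, because each firewall admits it from the state entry it created when it passed the request.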

Hi Martin,

Thanks for the info and examples!

This situation is new for me on two levels. The first is I’ve never done a site-to-site VPN (only using it as a client-to-server setup). The second part is learning about how Peplink implements their PepVPN (along with the implementation with OSPF). Where my uncertainty was, is how the network is connected/linked together (for lack of a better phrase) after the two routers establish the VPN connection. Clearly I expected the internal firewall rules would come into play, but I wasn’t sure how with the PepVPN implementation (do the two internal firewall tables get merged, one overrides the other, etc.).

From the sounds of it, I’ll be adding rules to both the Balance and SOHO routers (actually I could probably just open up the ranges a little more on the rules currently in place, and I believe it would have the same effect, but I’ll need to think that through).

Thanks again for the help and I’ll keep you posted on how it goes.

Niel

1 Like