Typically, VPNs are used to allow access to internal resources from remote locations. However, there are some cases where Internet access must go through the VPN tunnel, for example if you want remote users on remote networked devices to pass through the Firewall first when browsing to the Internet.
You may find that such users are blocked from accessing the Internet this way. Even ping commands may fail.
Due to the extensive Firewall changes, an explicit rule must be added to allow access from the IPSec or SSL VPN interface to the external network.
- Go to Network > Firewall > Firewall rules.
- Create a firewall rule, noting the following:
  - Inbound interfaces: Select the interface that handles all your VPN traffic.
  - Outbound interfaces: Select the interface through which externally-bound network traffic is routed.
    Tip: If you have more than one external interface and want to route traffic through them all, choose All external interfaces here. This option is still valid even if only one external interface exists.
  - Action: From the drop-down list, select Accept.
    Tip: Firewall rules are applied in a top-down approach. Move this rule above any block rules you have in place.
The above creates a basic internal → external VPN rule. With the new consolidated firewall, you can also:
- Specify the Source IP addresses to match traffic originating from those addresses. Leave this parameter blank to match traffic coming from all IP addresses.
- Specify the Destination IP addresses to which access is permitted. Leave this parameter blank to allow traffic to all IP addresses.
- If using an IP address range or subnet for Source IP address or Destination IP address, you can exclude IP addresses in that range from matching the rule.
- Specify the Services that matching traffic uses. Leave this parameter blank to match traffic using any service.
- Specify the Applications (Apps) that are used by the matching network traffic. Leave this parameter blank to match traffic from any application.
- Specify the user Groups that matching traffic originates from. Leave this parameter blank to match traffic from any group.
- Choose whether to Log matching traffic to the Firewall log.
- Choose whether to drop or reject (Action) all matching network traffic.
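The following is an added example, not the firewall product's own code: a small first-match rule evaluator that models the fields described above (interfaces, source and destination addresses with exclusions, services, action, logging) so you can check offline why the VPN-to-Internet rule only works once it sits above a block rule. Interface names (tun0, eth1, eth2), the VPN subnet 10.8.0.0/24, the sample addresses and the default-drop behaviour for unmatched traffic are all assumptions made for this example.

```python
# Added example (not the product's own code): a first-match firewall evaluator
# modelling the rule fields described on this page, to show the effect of
# rule ordering and of blank ("match any") parameters.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Assumed interface names and external-interface set for this example.
EXTERNAL_IFACES = {"eth1", "eth2"}
ALL_EXTERNAL = "All external interfaces"   # the page's own option, expanded below
DEFAULT_ACTION = "drop"                    # assumption: unmatched traffic is dropped


@dataclass
class Packet:
    in_iface: str
    out_iface: str
    src: str
    dst: str
    service: str      # e.g. "tcp/443" or "icmp"


@dataclass
class Rule:
    name: str
    action: str                                     # "accept", "drop" or "reject"
    in_ifaces: set = field(default_factory=set)     # empty = any inbound interface
    out_ifaces: set = field(default_factory=set)    # empty = any outbound interface
    src_nets: list = field(default_factory=list)    # empty = any source address
    src_excl: list = field(default_factory=list)    # addresses carved out of src_nets
    dst_nets: list = field(default_factory=list)    # empty = any destination address
    dst_excl: list = field(default_factory=list)    # addresses carved out of dst_nets
    services: set = field(default_factory=set)      # empty = any service
    log: bool = False


def _iface_ok(iface, allowed):
    if not allowed:
        return True
    if ALL_EXTERNAL in allowed and iface in EXTERNAL_IFACES:
        return True
    return iface in allowed


def _addr_ok(addr, nets, excl):
    ip = ip_address(addr)
    if any(ip in ip_network(n) for n in excl):   # exclusions override the range
        return False
    return not nets or any(ip in ip_network(n) for n in nets)


def matches(rule, pkt):
    return (_iface_ok(pkt.in_iface, rule.in_ifaces)
            and _iface_ok(pkt.out_iface, rule.out_ifaces)
            and _addr_ok(pkt.src, rule.src_nets, rule.src_excl)
            and _addr_ok(pkt.dst, rule.dst_nets, rule.dst_excl)
            and (not rule.services or pkt.service in rule.services))


def evaluate(rules, pkt, log=None):
    """Top-down, first match wins; returns the action taken and appends a log line if the rule logs."""
    for rule in rules:
        if matches(rule, pkt):
            if rule.log and log is not None:
                log.append(f"{rule.name}: {rule.action} {pkt.src}->{pkt.dst} {pkt.service}")
            return rule.action
    return DEFAULT_ACTION


# Constructed rules: the VPN -> external accept rule from the procedure above
# (with one VPN host excluded), and a block rule for all external-bound traffic.
VPN_TO_EXTERNAL = Rule("vpn-to-internet", "accept",
                       in_ifaces={"tun0"}, out_ifaces={ALL_EXTERNAL},
                       src_nets=["10.8.0.0/24"], src_excl=["10.8.0.250/32"],
                       log=True)
BLOCK_EXTERNAL = Rule("block-external", "drop", out_ifaces={ALL_EXTERNAL})

# Constructed sample traffic: a remote user's HTTPS request, a ping, and an excluded host.
HTTPS = Packet("tun0", "eth1", "10.8.0.10", "203.0.113.5", "tcp/443")
PING = Packet("tun0", "eth2", "10.8.0.10", "203.0.113.5", "icmp")
EXCLUDED = Packet("tun0", "eth1", "10.8.0.250", "203.0.113.5", "tcp/443")


def rule_below_block():
    """Accept rule placed under the block rule: the block wins (the symptom the page describes)."""
    return evaluate([BLOCK_EXTERNAL, VPN_TO_EXTERNAL], HTTPS)


def rule_above_block():
    """Accept rule moved above the block rule, as the tip advises; returns (action, log lines)."""
    log = []
    return evaluate([VPN_TO_EXTERNAL, BLOCK_EXTERNAL], HTTPS, log), log


if __name__ == "__main__":
    print("accept rule below block:", rule_below_block())
    action, log = rule_above_block()
    print("accept rule above block:", action, log)
    print("ping via second external interface:", evaluate([VPN_TO_EXTERNAL, BLOCK_EXTERNAL], PING))
    print("excluded VPN host:", evaluate([VPN_TO_EXTERNAL, BLOCK_EXTERNAL], EXCLUDED))
```

Running it shows the HTTPS request dropped while the accept rule sits below the block rule and accepted (with a log line) once it is moved above, the ping accepted on the second external interface because All external interfaces covers both, and the excluded host still dropped even though it is inside the source range.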
For a detailed description of how to create and manage firewall rules, see our help topic, Adding new Firewall rules.