Smart Firewall blocking connections

Greetings all,

Firstly I know a few terms/things but that is thanks to Google, I am by no means an expert and I am not trying to sound like one.  That being said, here is my issue I am trying to resolve (and forgive the long explanation but I want to make sure I give enough info that maybe someone has the answer on the first try).

I had an old Asus router that had a VPN server using PPTP.  Once logged in, I could access devices on my network including my computer which has a couple of folder/drive shares that I could access remotely from my mobile device using the native file browsing app.

I could also access the folders/drives via the app (uses SMB) while at home on the Wi-Fi network.

Android eventually went away from PPTP so I could no longer VPN in and knew eventually I would need to upgrade to a router that supported IPsec VPN.  Fast forward to today and I replaced my old Asus router with a new one that uses IPsec.  I created a VPN profile on Android and can successfully access my router/network.  I can still access the shared folders/drives on my computer via my mobile device without an issue when I am actually at home and connected to my home network/router via Wi-Fi.  If I VPN in (disable Wi-Fi and use my mobile data), I can't access them.  At first I thought maybe an issue with the router/VPN setup perhaps.  My LAN devices all have the usual private network IPs starting with 192.168.X.X and when connected via VPN, my device gets a subnet virtual IP of 10.0.X.X.   I was banging my head with the settings of the router but what was confusing me was when I am VPN'd in via mobile data, I can access the WebGUI interface for the router, I can access my printer's WebGUI via its local IP address on the network, and if I go out to the web, my IP address showing is that of my home internet's, not my mobile carrier's.  So it seemed the ASUS router is doing everything it should.

So why can't I access the shares when on VPN but I can if I am on the actual Wi-Fi?  I think with the old PPTP method, when using it, the router gave me a local 192.168.X.X IP address.  So, with more GoogleFu, I began wondering if I was getting blocked at the computer somewhere.  So just for fun, I temporarily disabled my Norton 360 Smart Firewall on my computer and VOILÀ!!!!  I could access the shared folders/drives while VPN'd in.  If I re-enabled the firewall, access denied immediately.  FBI calls that a clue.  So it would seem, if I get a local 192.168.X.X because I am on the Wi-Fi (or the old PPTP method), my computer/Norton Firewall does not block my app/me when I access the shares via SMB.  If I am on the VPN now (which is a different network), it does.

So it would seem I need to change something on the firewall settings but not sure what.  I would think there is something that would allow/trust my mobile device but still provide the protection I should have.  I would think it would be hard to hack the VPN so I think there should be something that will allow it but still provide proper protection.  Probably is a simple solution that I just can't figure out.

Thanks.

That's great, many thanks. Works for me as well.

Ironically I have been doing exactly the same, but didn't move the rule up and the connections kept being blocked.

But all working fine now, many thanks again.

So yes, I figured it out I think, because it's working fine.  After I read your PDF (thanks for that!) I had an idea.  What I had to do is create a rule that was based on yours but not select "any computer in the local subnet".  See, I think (again, I'm not a network guy) PPTP VPN creates/gives the VPN'd device an IP on the local network.  For example, if your LAN has an IP range using 192.168.1.XX, your device using PPTP would also get a 192.168.1.XX IP, so Norton saw it as another device on the local LAN and allowed it.  However, with IPsec, you get a different subnet.  On the ASUS (and I assume other router makes may have this also) you get a different subnet for which you can specify the IP range (as long as it is different from the local LAN IP range).  So for example, the computer you're trying to reach on your LAN is 192.168.1.XX and your other device, if VPN'd in, might get a 192.168.0.XX IP address.  When VPN'd in, that device will be treated by Norton as a device on a different subnet and not the local one, and it blocks it.  So the key was two things.  At first I created a new rule and when it came to the rule on which computers, I chose "only the computers and sites listed below."  This should give security as only trusted local IPs could access it (assuming your router passwords/network are not compromised).  Clicked Add and selected "using a range."  You will need to see what IP range your router assigns devices connected via the VPN.  In this example, I added the beginning of the range 192.168.0.0 and ended with 192.168.0.10 for multiple devices logged in (overkill BTW as I can't see myself doing it with more than one or maybe two devices at a time).  The rest is as yours was.  Now at first it did not work but then I remembered I had to "up" the priority of the rule and moved it up above the NetBIOS and SMB default blocks.  This applies the trusted IPs but should block everything else (WAN IPs).  
I gave permission using only the same UDP and TCP protocols vs. any protocol, but when it came to the specific ports, I kept trying 137-139 and 445, which is what SMB appears to use, but it would only work if I allowed any communication port.   But again, since the VPN login is protected via a certificate as well as a pretty strong password, it should be secure.

 

Hope this helps
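To make the "move the rule up" point concrete, here is a small first-match rule evaluator. It is an added illustration, not code from the poster and not Norton's rule engine; the rule names, the 192.168.1.0/24 LAN, the 192.168.0.0 to 192.168.0.10 VPN pool and the 203.0.113.7 outside address are all constructed to mirror the thread. The stand-in "default block NetBIOS/SMB" rule matches any source on the SMB/NetBIOS ports, so an allow rule placed below it can never be reached; placed above it, the VPN range is admitted while anything outside that range still falls through to the block.

```python
"""First-match firewall rule evaluation: why the VPN-subnet allow rule in the
thread only worked once it sat above the default NetBIOS/SMB block rules.
Simplified model with constructed addresses and rule names, not Norton's engine."""
import ipaddress
from dataclasses import dataclass

# NetBIOS name/datagram/session ports plus SMB over TCP, as named in the thread.
SMB_PORTS = frozenset({137, 138, 139, 445})


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                          # "allow" or "block"
    sources: tuple = ()                  # ip_network objects; empty means any source
    protocols: frozenset = frozenset()   # {"tcp", "udp"}; empty means any protocol
    ports: frozenset = frozenset()       # destination ports; empty means any port

    def matches(self, src_ip: str, proto: str, port: int) -> bool:
        ip = ipaddress.ip_address(src_ip)
        if self.sources and not any(ip in net for net in self.sources):
            return False
        if self.protocols and proto not in self.protocols:
            return False
        if self.ports and port not in self.ports:
            return False
        return True


def address_range(first: str, last: str) -> tuple:
    """Turn an inclusive 'using a range' entry into the CIDR blocks that cover it."""
    return tuple(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


# Constructed layout matching the thread: LAN on 192.168.1.0/24, IPsec VPN
# clients handed addresses in 192.168.0.0 - 192.168.0.10 (a separate subnet).
LAN = (ipaddress.ip_network("192.168.1.0/24"),)
VPN_POOL = address_range("192.168.0.0", "192.168.0.10")
TCP_UDP = frozenset({"tcp", "udp"})

# Stand-ins for the firewall's pre-existing rules (constructed): local-subnet
# file sharing is allowed, and everything else hitting SMB ports is blocked.
ALLOW_LOCAL_SUBNET = Rule("allow local subnet file sharing", "allow", LAN, TCP_UDP, SMB_PORTS)
BLOCK_NETBIOS_SMB = Rule("default block NetBIOS/SMB", "block", (), TCP_UDP, SMB_PORTS)

# The rule the poster described: only the listed VPN range, TCP/UDP, SMB ports.
ALLOW_VPN_CLIENTS = Rule("allow VPN clients file sharing", "allow", VPN_POOL, TCP_UDP, SMB_PORTS)


def build_rules(vpn_rule_first: bool) -> list:
    """Order is the whole point: the first matching rule wins."""
    if vpn_rule_first:
        return [ALLOW_VPN_CLIENTS, ALLOW_LOCAL_SUBNET, BLOCK_NETBIOS_SMB]
    return [ALLOW_LOCAL_SUBNET, BLOCK_NETBIOS_SMB, ALLOW_VPN_CLIENTS]


def evaluate(rules: list, src_ip: str, proto: str, port: int, default: str = "block") -> tuple:
    """Return (action, rule_name) for the first rule that matches, else the default."""
    for rule in rules:
        if rule.matches(src_ip, proto, port):
            return rule.action, rule.name
    return default, "implicit default"


if __name__ == "__main__":
    for first in (False, True):
        rules = build_rules(first)
        print(f"VPN rule {'above' if first else 'below'} the default blocks:")
        for src in ("192.168.1.20", "192.168.0.5", "192.168.0.11", "203.0.113.7"):
            print(f"  {src:>14} -> tcp/445: {evaluate(rules, src, 'tcp', 445)}")
```

Running it prints the same VPN client address being blocked by the default rule in the first ordering and allowed by the VPN rule in the second, while 192.168.0.11 (one past the configured range) and the outside address stay blocked in both. Restricting the rule to the actual VPN pool rather than "any computer" is what keeps the exposure limited to clients that already authenticated to the router.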

Hi, I have the same problem. Did you by any chance figure out a solution?

About 2 years ago, I had a VPN set up via PPTP. I contacted support and they configured Traffic rules for me to pass through the Smart Firewall.

(If it helps, I have made print-screens of those settings...) Although this works for PPTP, not via IPsec.

Those rules are set-up in Norton/Settings/Firewall/Traffic rules/Add a new rule.