  1. #11
    That Which Lurks Below
    Join Date
    Jul 2018
    Posts
    143


    Quote Originally Posted by MP715 View Post
    Those rules look good except it appears rule 6 is trumping rules 7, 8, and 9.
    I wouldn't say trumping, in this case. A rule only triggers if all its conditions are met, so rule 6 only takes precedence over rules 7 or 8 in a very specific circumstance: DNS lookups or RDP connections from OpenVPN to devices on the internal interface. If the session in question doesn't meet all four criteria, the rule is skipped.

    OP: What happened when you changed the value of the Username condition from the Local Directory username to the OpenVPN username?
    Græme Ravenscroft • Technical Marketing Engineer
    ('gram', like the unit of measurement)
    he/him
    Please don't reboot your NGFW.
    How can we make Arista ETM products better?

  2. #12
    Newbie
    Join Date
    Feb 2017
    Posts
    11


    Quote Originally Posted by gravenscroft View Post
    I wouldn't say trumping, in this case. A rule only triggers if all its conditions are met, so rule 6 only takes precedence over rules 7 or 8 in a very specific circumstance: DNS lookups or RDP connections from OpenVPN to devices on the internal interface. If the session in question doesn't meet all four criteria, the rule is skipped.

    OP: What happened when you changed the value of the Username condition from the Local Directory username to the OpenVPN username?
    Yup. That was essentially the issue. I was misreading every post/document and kept trying to put a literal username in that box; in this case I was focused on the Local Directory usernames that I had created.

    The end result was:
    1) Create a "block all" rule using Source Interface=OpenVPN, Destination Interface=Internal and keep it at the bottom.
    2) Above the "block all", I created VERY EXPLICIT allow rules per user as such:
    "Source Interface=OpenVPN, Destination Interface=Internal, Username=<name of vpn client>, Destination address=<ip address of workstation>, Destination port=3389" --> Pass, Flag

    It now works flawlessly. I'd say my biggest hurdle was getting over the misconception that the "Username" condition in the firewall rules was literally a user. Also, the "Pass" conditions needed to be more explicit (i.e. included the port number).

  3. #13
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Lake Tahoe
    Posts
    9,767


    The rules are matched in order, top to bottom. Rules work on first match: once a rule matches, rule evaluation exits.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com
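The rule set from post #12 and the first-match behaviour from post #13, as an added example that is not code from the thread or from Untangle: a small Python evaluator in which a rule matches only when every condition it sets is met, and the first matching rule decides. Field names, usernames, addresses and sessions are constructed for the demo.

```python
# Added example, not code from the thread or from Untangle: a minimal
# first-match evaluator for the rule style described above. A rule matches a
# session only if every condition it sets is met; the first matching rule
# decides and evaluation stops. Field names and sample values are constructed.

RULES = [
    # Explicit per-user allow rules kept above the catch-all (post #12).
    # "user" is the OpenVPN client username, not a Local Directory name.
    {"src_if": "OpenVPN", "dst_if": "Internal", "user": "alice",
     "dst_addr": "10.0.0.21", "dst_port": 3389, "action": "pass"},
    {"src_if": "OpenVPN", "dst_if": "Internal", "user": "bob",
     "dst_addr": "10.0.0.22", "dst_port": 3389, "action": "pass"},
    # "Block all" from OpenVPN to Internal, kept at the bottom.
    {"src_if": "OpenVPN", "dst_if": "Internal", "action": "block"},
]


def rule_matches(rule, session):
    """True only when every condition on the rule is met by the session."""
    return all(session.get(k) == v for k, v in rule.items() if k != "action")


def evaluate(session, rules=RULES):
    """Return (action, rule_index) of the first matching rule, top to bottom.

    (None, None) means no rule matched; what the product does with such
    traffic by default is not covered here.
    """
    for i, rule in enumerate(rules):
        if rule_matches(rule, session):
            return rule["action"], i
    return None, None


# Constructed sessions exercising the rule set.
_base = {"src_if": "OpenVPN", "dst_if": "Internal", "user": "alice",
         "dst_addr": "10.0.0.21", "dst_port": 3389}
SESSIONS = {
    "alice_rdp_ok": dict(_base),                             # all five met -> pass
    "alice_wrong_host": {**_base, "dst_addr": "10.0.0.22"},  # one miss -> block
    "alice_ssh": {**_base, "dst_port": 22},                  # wrong port -> block
    "lan_to_lan": {**_base, "src_if": "Internal"},           # no rule applies
}

if __name__ == "__main__":
    for name, session in SESSIONS.items():
        print(f"{name:18s} -> {evaluate(session)}")
    # Ordering matters: with "block all" on top, alice never reaches her allow rule.
    print("block-all first    ->", evaluate(SESSIONS["alice_rdp_ok"], RULES[::-1]))
```

The reversed rule list in the last line shows why the "block all" rule has to stay at the bottom: placed first, it matches every OpenVPN-to-Internal session before any per-user allow rule is consulted.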
