Hi everyone. I am a relative novice when it comes to understanding network flows and protocols so excuse me in advance if I am not explaining this well.
I have a FWG+ in front of my home network. I have a computer that I connect to work via a Fortinet VPN connection, and my son has to connect to his school network via some other type of VPN-based connection - unclear exactly what.
Since the FWG+, both of these connections seem to drop with relative frequency and need to be reconnected. I suspect this is because some type of flows are being blocked that are necessary.
Is there some type of “routing” or setting I can use that allows these devices (basically 2 laptops) to have unrestricted access to the internet to bypass whatever blocking is occurring? Or something that allows unrestricted access when accessing their specific target networks?
You can go into the flows for the devices and see what’s blocked. However, I highly doubt the Firewalla is blocking flows, because that would cause the VPN to just not connect. Once the VPN is established, Firewalla has no knowledge of the flows at that point because it’s all running in the tunnel, and it cannot block it. Depending on how the VPN is set up, some things may “split tunnel”, i.e. go straight out to the internet vs. over the VPN, but that wouldn’t break your VPN.
Yes, you could turn rules off, but you’re chasing the wrong solution to the wrong problem. You need to look at the flows and see what is being blocked, if anything. It should stand out pretty well if it’s blocking your work or his school, because those will go to your.work.com or his.school.com etc., if that last part makes sense.
I believe the Fortinet VPN needs certain ports open on your router. You can try turning on UPnP (Network->NAT settings->Port forwarding->UPnP) to see if it works with that enabled. If you see your computer open ports when you enable your VPN client, that is what is happening. UPnP is a bit of a security problem, so what you can do is monitor what ports are opened, manually add those, and then turn it back off; or you can place your work laptop in a separate VLAN and only enable UPnP for that.
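One way to do the "monitor what ports are opened" step from the post above, as an added example that is not from the thread or from Firewalla: a small POSIX shell script that parses the mapping list printed by `upnpc -l` (the miniupnpc command-line client, assumed to be installed on the laptop) and reduces it to the protocol/port/host tuples you would recreate as static port forwards before switching UPnP back off. The sample output, addresses, ports and the 'constructed-vpn-client' description are constructed for the example; on a live network you would pipe the real `upnpc -l` output in instead.

```shell
#!/bin/sh
# Added example, not from the Firewalla thread: turn the output of
# `upnpc -l` (miniupnpc client, assumed installed) into the list of port
# mappings a VPN client opened through UPnP, so they can be added as
# static port forwards and UPnP switched back off.

# Constructed sample of `upnpc -l` output. Mapping lines follow the layout
# miniupnpc prints: index, protocol, extPort->intAddr:intPort, description,
# remote host, lease time. On a live network use the real command instead:
#   upnpc -l | mappings_for_host 192.168.1.50
SAMPLE_UPNPC_OUTPUT=" i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 UDP   500->192.168.1.50:500   'constructed-vpn-client' '' 0
 1 UDP  4500->192.168.1.50:4500  'constructed-vpn-client' '' 0
 2 TCP 32400->192.168.1.20:32400 'constructed-media-server' '' 0
GetGenericPortMappingEntry() returned 713 (SpecifiedArrayIndexInvalid)"

# Read upnpc -l output on stdin; print one mapping per line as
# "PROTO EXT_PORT INT_ADDR INT_PORT". Header and status lines are skipped
# because their first field is not a numeric index.
list_upnp_mappings() {
  awk '$1 ~ /^[0-9]+$/ && $3 ~ /->/ {
    split($3, m, "->")      # m[1] external port, m[2] intAddr:intPort
    split(m[2], t, ":")     # t[1] internal address, t[2] internal port
    print $2, m[1], t[1], t[2]
  }'
}

# Keep only the mappings that point at one host (e.g. the work laptop),
# so the entries to recreate under Port forwarding are obvious.
mappings_for_host() {
  list_upnp_mappings | awk -v h="$1" '$3 == h'
}

# Number of mappings for a host: a quick "did the VPN client open
# anything?" check after enabling UPnP and connecting the VPN.
count_mappings_for_host() {
  mappings_for_host "$1" | wc -l | tr -d ' '
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_UPNPC_OUTPUT" | mappings_for_host 192.168.1.50
```

Run it once with the VPN disconnected and once connected; mappings that appear only in the second run are the ones the client relies on, and those are what you add manually before disabling UPnP.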
Makes sense, thanks for the advice.
In addition, check out the NAT Passthrough parameters as well; depending on your protocol, you may need to turn them on: https://help.firewalla.com/hc/en-us/articles/360046703673-Firewalla-Feature-Guide-Network-Manager#h_01EDNZT093KGHYNZND0X6BB73P
(scroll a bit down, you will see NAT passthrough)
Yes indeed! OP probably needs IPsec passthrough.