question on VPN

Discussion in 'LnS English Forum' started by nuser, Jul 2, 2007.

Thread Status:
Not open for further replies.
  1. nuser

    nuser Registered Member

    Joined:
    May 31, 2007
    Posts:
    105
    Location:
    Singapore
    Hi, Frederic,
    I am using a VPN to connect to university resources (Cisco VPN client). By checking this thread, the VPN works smoothly (allowing the protocol, allowing 2 additional UDP ports).
    https://www.wilderssecurity.com/showthread.php?t=174040

    But,
    (1) I have the same problem as Thomas described (LnS switches automatically to the VPN interface when VPN connects). In that thread, you mentioned that LnS SHOULD NOT change the binding interface. In my case, it always changes automatically. Is this normal?

    (2) When using a PPPoE connection, there are 3 interfaces, namely
    VPN interface (IP: 222.2.2.2)
    Wan Miniport Interface (IP:111.1.1.1)
    Ethernet (IP: 192.168.1.1)

    If LnS still binds to the Miniport one, can it filter the traffic of the VPN?

    (3) When the VPN is connected, my PC has 3 IP addresses. If LnS binds to the VPN one, does it mean that the WAN Miniport one is unprotected? (Just pinging from another PC, it seems the WAN Miniport one is invisible or deactivated, because there is no reply.)

    Thanks in advance.
     
  2. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Hi nuser,

    If you don't want Look 'n' Stop to switch on the VPN interface, just enter 222 (or 222.2 if you need to be more specific) in the exclusion list in the advanced options (; is a separator there).

    Yes, if Look 'n' Stop switches to the VPN interface the other ones are no longer monitored. And usually the VPN traffic is already secure, and doesn't need to be filtered.
    (If 2 adapters really need to be filtered, then you need to start 2 instances of Look 'n' Stop.)

    Frederic
     
  3. nuser

    nuser Registered Member

    Joined:
    May 31, 2007
    Posts:
    105
    Location:
    Singapore
    Thanks a lot, Frederic,
    I just tested on another LAN with VPN.
    Now I have 2 active interfaces, i.e., Ethernet and VPN.
    If Look 'n' Stop binds to the Ethernet one and I add a "block ALL" rule at the top of the ruleset, I can still access the Internet!
    Theoretically, the traffic SHOULD pass through the Ethernet interface and Look 'n' Stop should block all with the above rule.
    However, nothing is blocked. Confused.
    (If Look 'n' Stop binds to the VPN one, every packet is blocked as expected.)
     
    Last edited: Jul 3, 2007
  4. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Maybe on this specific configuration Look 'n' Stop doesn't see packets at all (for an unknown reason).
    Did you check the statistics on the Welcome tab? It would be interesting to know if they were at 0 or increasing.

    Frederic
     
  5. nuser

    nuser Registered Member

    Joined:
    May 31, 2007
    Posts:
    105
    Location:
    Singapore
    Hi, Frederic,
    The traffic shown in the Welcome tab is still increasing when the VPN connection is active and LnS binds to the Ethernet one (also with a "Block ALL" rule at the top of the ruleset).
    I just tested by downloading a file of ~10MB and found that the 'total received packets' changed from 117.2MB to 118.0MB (only 0.8MB increase for a 10MB download). Seems not very accurate.

    So, LnS can see traffic, but can't filter it. If this is not a special case of my environment, there might be a bug.
     

    Attached Files:

    Last edited: Jul 4, 2007
  6. Thomas M

    Thomas M Registered Member

    Joined:
    Jan 12, 2003
    Posts:
    355
    Maybe you can check your specific IP address for each network driver connected.

    I remember once that LnS put the mark in front of one driver (e.g. LAN), however the actual IP address belonged to the other driver (WLAN with another IP range).

    And as far as I remember, LnS filtered only the traffic of the driver belonging to the correct IP. Somehow LnS did not mark the correct network driver.

    Thomas :)
     
  7. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Hi nuser,

    So there are actually some filtering rules working, since the number of filtered packets is not at 0.

    Are you sure you created the right rule? Is it exactly the same as the last rule of the ruleset?
    Could you post some screenshots of the ruleset and the rule you created?

    Also you could check the per-rule stats in the Console window, to see which rules are used.

    Yes, the stats are usually more accurate and you should observe a 10 MBytes difference if you really downloaded a 10 MBytes file on this interface.

    Frederic
     
  8. nuser

    nuser Registered Member

    Joined:
    May 31, 2007
    Posts:
    105
    Location:
    Singapore
    Hi, Frederic,
    Yes, I have duplicated the last rule and moved it to the top (see the attached).
    The procedure to reproduce the problem:
    1. Activate the VPN connection.
    2. Manually select the Ethernet interface.
    3. Activate the top rule (block all), press "Apply".
    4. Internet traffic is not filtered; I can still download a file from www.looknstop.com.
    5. The log file shows no IP packets. The VPN connection is closed by the server after 3 minutes because I "block All", including some necessary communications between my PC and the server (like ARP or EAPoL). But it doesn't matter in this problem.
    6. Conclusion (needs confirmation by others): on the Ethernet interface, LnS can see traffic, but can't filter it.
    7. Of course, LnS works normally on the VPN interface. So this problem doesn't influence everyday usage of LnS.
     

    Attached Files:

  9. nuser

    nuser Registered Member

    Joined:
    May 31, 2007
    Posts:
    105
    Location:
    Singapore
    Hi, Frederic,
    More snapshots for your reference.
    PS, I just consulted the help file.
    Maybe the reason is that the protocol used to pass through the Ethernet interface is not TCP/IP and LnS only filters packets with the TCP/IP protocol.
     

    Attached Files:

    Last edited: Jul 5, 2007
  10. Thomas M

    Thomas M Registered Member

    Joined:
    Jan 12, 2003
    Posts:
    355
    Sorry nuser,

    But I cannot reproduce what you are seeing!
    I sent my driver log file to Frederic and also my rule-logfile.

    When I put the last rule (block all) on top, there is no surfing possible during a VPN session, when the Ethernet card is selected!

    I have not tested with WLAN and VPN, though...

    Thomas
     
    Last edited: Jul 5, 2007
  11. nuser

    nuser Registered Member

    Joined:
    May 31, 2007
    Posts:
    105
    Location:
    Singapore
    Thanks a lot, Thomas,
    Maybe there is some compatibility problem with other software. I will test it with a fresh installation on another PC.
     
  12. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Hi nuser,

    I don't think Look 'n' Stop sees the traffic. Seeing or filtering is actually the same: if Look 'n' Stop sees the traffic it is able to filter it.
    I think the traffic uses another path. This is also confirmed by the fact you said the stats in the Welcome page were not in sync with the size of the file you downloaded (0.8 / 10 MB).
    Are you sure the traffic is not simply using the VPN interface, which is not monitored (since you selected the other interface)?
    What happens if you do the same test and you leave the selection on the VPN interface?
    Also what you can try is to start 2 instances of Look 'n' Stop at the same time, each one monitoring a specific interface. When doing that, be sure not to have the two instances monitoring the same network interface (otherwise some problem/crash may happen).

    Frederic
     
  13. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Normally no, if Look 'n' Stop has detected the protocol it means it has seen packets using this protocol.
    However maybe this protocol is bound only to the VPN interface, and as soon as you select back the other interface the packets sent on it are no longer seen.

    Frederic
     
  14. nuser

    nuser Registered Member

    Joined:
    May 31, 2007
    Posts:
    105
    Location:
    Singapore
    Thanks, Frederic,
    Following your suggestion, I did more tests:
    If LnS binds to the Cisco VPN interface, everything works well as expected. The statistics on the Welcome tab are also shown exactly.
    But problems still remain when the Ethernet one is selected.
    So my question is:
    Is the Ethernet interface the final one for ALL packets? Since it's the only 'physical' interface. I mean: whatever the protocol or encapsulation, ALL packets SHOULD pass through the Ethernet interface. Right?
    If so, LnS should see and filter on the Ethernet one.
    Is there any other 'path' for the packets to pass 'stealthily', which LnS can't monitor?
     
  15. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Hi nuser,

    Yes, normally everything passes through the Ethernet interface and any packet should be seen by Look 'n' Stop.
    However, very often VPNs install drivers at the same NDIS level as the Look 'n' Stop driver, and some conflict can happen. It is similar to installing 2 firewalls.

    Frederic
     
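The exchange above turns on which adapter a packet actually leaves through once a VPN is up, and which of those hops a firewall bound to a single adapter can therefore inspect. The following Python model is an added example and is not code from the thread or from the Look 'n' Stop project. It reuses the interface addresses nuser quoted (192.168.1.1 for Ethernet, 222.2.2.2 for the VPN adapter); the prefix lengths, the gateway addresses, the VPN concentrator address 203.0.113.1 and the two /1 routes the client injects are constructed assumptions chosen to mirror a typical full-tunnel client. It performs longest-prefix-match route selection and then re-routes the tunnel's outer packet, so it shows why the payload crosses the VPN adapter first and the physical adapter second.

```python
"""Model which interface a packet egresses through with and without a VPN,
and which hops a firewall bound to one adapter can see.
Constructed example; addresses follow the forum thread where quoted."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    iface: str
    gateway: Optional[str] = None  # None means the prefix is on-link


# Interfaces as listed in the thread (IPs quoted there; /24 prefixes assumed).
INTERFACES = {
    "Ethernet": ipaddress.ip_interface("192.168.1.1/24"),
    "VPN": ipaddress.ip_interface("222.2.2.2/24"),
}

# Constructed: the VPN concentrator, reached over the physical link.
VPN_GATEWAY = "203.0.113.1"
LAN_GATEWAY = "192.168.1.254"  # constructed default gateway on the LAN


def route_table(vpn_up: bool) -> List[Route]:
    """Routing table before and after the VPN client connects."""
    routes = [
        Route(INTERFACES["Ethernet"].network, "Ethernet"),
        Route(ipaddress.ip_network("0.0.0.0/0"), "Ethernet", LAN_GATEWAY),
    ]
    if vpn_up:
        routes += [
            Route(INTERFACES["VPN"].network, "VPN"),
            # Assumed full-tunnel pattern: two /1 routes beat the /0 default
            # without deleting it, so all non-local traffic enters the tunnel.
            Route(ipaddress.ip_network("0.0.0.0/1"), "VPN", "222.2.2.1"),
            Route(ipaddress.ip_network("128.0.0.0/1"), "VPN", "222.2.2.1"),
            # Host route pinning the concentrator to the physical adapter;
            # without it the encapsulated packet would loop back into the tunnel.
            Route(ipaddress.ip_network(VPN_GATEWAY + "/32"), "Ethernet", LAN_GATEWAY),
        ]
    return routes


def select_route(dst: str, routes: List[Route]) -> Route:
    """Longest-prefix match, as a host routing table does."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r.prefix]
    if not candidates:
        raise ValueError(f"no route to {dst}")
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def egress_path(dst: str, vpn_up: bool) -> List[str]:
    """Interfaces the payload crosses on its way out, innermost first."""
    routes = route_table(vpn_up)
    first = select_route(dst, routes)
    path = [first.iface]
    if first.iface == "VPN":
        # The tunnel adapter encrypts and re-sends the packet to the
        # concentrator; that outer packet is routed a second time.
        outer = select_route(VPN_GATEWAY, routes)
        path.append(outer.iface)
    return path


def seen_by_firewall(path: List[str], bound_iface: str) -> List[str]:
    """Hops visible to a host firewall bound to exactly one adapter."""
    return [hop for hop in path if hop == bound_iface]


if __name__ == "__main__":
    for vpn_up in (False, True):
        path = egress_path("198.51.100.10", vpn_up)
        print(f"vpn_up={vpn_up}: path={path}, "
              f"VPN-bound sees {seen_by_firewall(path, 'VPN')}, "
              f"Ethernet-bound sees {seen_by_firewall(path, 'Ethernet')}")
```

The model captures the expected behaviour Frederic describes: with the tunnel up, Internet-bound traffic is visible as cleartext only on the VPN adapter and as encrypted outer packets on the Ethernet adapter, while LAN traffic to 192.168.1.0/24 still bypasses the tunnel because the on-link /24 outranks the /1 routes. What it does not model is the NDIS-level driver conflict he offers as the reason the Ethernet-bound instance saw nothing at all; that is a property of the driver stack, not of routing.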