DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

WCF/Cyren VPN on 2962

31 Aug 2023 10:43 #1 by johnpa7
WCF/Cyren VPN on 2962 was created by johnpa7
Hi, I managed, with the assistance of DrayTek Tech support, to install NordVPN on a 2962 router. I have a Cyren WCF installed. As a simple test I have set up a block on gambling. I then try to access a gambling site. When I enable the VPN I can access the gambling sites. It would appear the VPN bypasses the WCF filters. Is there any way to use both?

31 Aug 2023 13:39 #2 by HodgesanDY
Replied by HodgesanDY on topic Re: WCF/Cyren VPN on 2962
Hi Johnpa7,

Have you tried creating a 'Firewall Filter Rule' for the direction your traffic is flowing in; this is separate to the Firewall >> General Setup >> Default Rule page?

If you are connecting from inside your LAN to a VPN externally, you should be able to create a 'FW Filter rule' in that direction:

Firewall >> Filter Setup >> Edit Filter Set# >> Rule#:

Direction: LAN/RT/VPN -> LAN/RT/VPN
Advanced button: LAN? -> VPN (which LAN(s) to VPN)

Application Action/Profile
Filter: 'Pass if no further match'
Web Content Filter: 'Your WCF Profile'


Please also remember to check the 'Next Filter Set#' order, at the bottom right corner of each 'Set Page'; if not checked, your rules may not run.

(If I am understanding your particular setup correctly)

31 Aug 2023 15:38 #3 by johnpa7
Replied by johnpa7 on topic Re: WCF/Cyren VPN on 2962
Hi, I shall investigate your suggestion, thanks.

31 Aug 2023 21:16 #4 by johnpa7
Replied by johnpa7 on topic Re: WCF/Cyren VPN on 2962
I have set up a firewall rule as follows:

Direction LAN/RT/VPN -> WAN

Filter Pass Immediately

Web Content Filter 1-Default
DNS Filter 1-DNS Filter

If I try, for example, a betting site, I get the blocked message.

If I enable the LAN to LAN VPN then I can access the betting site.

31 Aug 2023 23:12 #5 by HodgesanDY
Replied by HodgesanDY on topic Re: WCF/Cyren VPN on 2962
Hi Johnpa7,

Ok, so you have a LAN-to-LAN VPN established, that’s good.

The filter rule you’ve created doesn’t match what you’re trying to achieve when it comes to the LAN-to-LAN traffic.

You want to block traffic travelling from your LAN to the VPN(LAN), which means you need to choose “LAN/RT/VPN -> LAN/RT/VPN” as your direction. Then, in the ‘Advanced’ button window, select the LAN’s tick-box (your local LAN, most likely LAN1) on the left pane and the VPN tick-box on the right pane.

If you set it to “LAN/RT/VPN -> WAN” that will only block/pass traffic travelling from your LAN -> WAN (your local internet connection), you want to block the traffic using the VPN internet connection; which isn’t classed as a WAN in this scenario, it’s a VPN (a VPN-WAN you could say).



(Also, try using ‘Advanced Mode’ rather than ‘Wizard Mode’ to set up your filter rules, it will present you with all the options clearly.)

01 Sep 2023 08:36 #6 by johnpa7
Replied by johnpa7 on topic Re: WCF/Cyren VPN on 2962
HodgesanDY, thanks so much. Followed your instructions; CYREN/WCF working on VPN.
I must admit I find it difficult to get my head around Firewall rules.

I take it you mean the Advanced in the Direction selection.

Clicking on Advanced at the bottom of the page only permits selection of codepage ANSI.
