DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

VPN and Vlan

  • lectrician
  • Topic Author
  • Offline
  • Junior Member
  • Junior Member
More
11 Jun 2010 13:08 #62312 by lectrician
VPN and Vlan was created by lectrician
I have a 2800 router at work and one at home, linked with an IPsec VPN.

All works well.

I have a lodger who wants internet access.

I can create a Vlan for him easily so he has internet access and no access to my home network, but how do I prevent him having access to the VPN'ed computers at my office?

Thanks in advance!

Please Log in or Create an account to join the conversation.

More
11 Jun 2010 15:25 #62314 by voodle
Replied by voodle on topic VPN and Vlan
Since it's just one IP address, you'd need to create a firewall rule that blocks the IP addresses of the other end of the VPN i.e.
Direction: LAN to WAN
Source IP: the IP you want to block - subnet is /32
Destination IP: 192.168.3.0 (your VPN's remote IP range goes here) - subnet is /24
Action: Block immediately

That should stop them from accessing any of those VPN addresses.

Please Log in or Create an account to join the conversation.

  • lectrician
  • Topic Author
  • Offline
  • Junior Member
  • Junior Member
More
14 Jun 2010 15:33 #62344 by lectrician
Replied by lectrician on topic VPN and Vlan
Thanks.

I have not setup advanced rules on the router before - do I put the rule in the DATA or CALL filter, or am I not meant to be putting it there?

My home local subnet is 192.168.4.0 /24
My remote office subnet is 192.168.3.0 /24

Sorry!

Actually, when I think of it, is there away to stop all DHCP addresses having access, and only a single static (MAC bound) IP from having access to the VPN? There is nothing to stop the lodger from plugging in a a second PC or laptop and recieving another DHCP IP.....

Cheers for the help.

Please Log in or Create an account to join the conversation.

More
14 Jun 2010 17:52 #62346 by voodle
Replied by voodle on topic VPN and Vlan
You'd put the rule in the default data filter, call filter isn't for firewalling so much.
You can lock IPs to MAC addresses by using the Bind IP to MAC under the LAN menu, set it to Strict Bind, add yours and their IP addresses to that list and that'll stop them changing IP address.

You can separate them by making sure your IP address is outside of the DHCP pool, by changing the DHCP start IP and IP pool count so that they won't overlap, then you can set the source address of the firewall to just cover that range of IPs.

Please Log in or Create an account to join the conversation.

  • lectrician
  • Topic Author
  • Offline
  • Junior Member
  • Junior Member
More
14 Jun 2010 20:50 #62347 by lectrician
Replied by lectrician on topic VPN and Vlan
Sorry, I am trying to figure it out in my head.

I know how to setup the DHCP server range and bind IP's.

How do I specify in the firewall the IP range of the DHCP server to be blocked?

I must admit, this has gone a little over my head - I am ok with IP's, but the subnet ranges confuse me a tad.

I need to get this sorted for tomorrow, so will have to read up on subnets!

If you could point me a little closer that would be great!

Your advice is greatly recieved!

Please Log in or Create an account to join the conversation.

More
14 Jun 2010 21:08 #62348 by voodle
Replied by voodle on topic VPN and Vlan
ah I forgot the 2800 can only do subnets, the easiest way is to use something like this: http://www.subnet-calculator.com/
change around the hosts per subnet amount and you'll see how you can limit it to specific ranges, although subnet is a slightly awkward way of doing it.

Please Log in or Create an account to join the conversation.

Moderators: ChrisSami