DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
VPN and Vlan
11 Jun 2010 13:08 #62312
by lectrician
VPN and Vlan was created by lectrician
I have a 2800 router at work and one at home, linked with an IPsec VPN.
All works well.
I have a lodger who wants internet access.
I can create a Vlan for him easily so he has internet access and no access to my home network, but how do I prevent him having access to the VPN'ed computers at my office?
Thanks in advance!
11 Jun 2010 15:25 #62314
by voodle
Replied by voodle on topic VPN and Vlan
Since it's just one IP address, you'd need to create a firewall rule that blocks the IP addresses of the other end of the VPN i.e.
Direction: LAN to WAN
Source IP: the IP you want to block - subnet is /32
Destination IP: 192.168.3.0 (your VPN's remote IP range goes here) - subnet is /24
Action: Block immediately
That should stop them from accessing any of those VPN addresses.
14 Jun 2010 15:33 #62344
by lectrician
Replied by lectrician on topic VPN and Vlan
Thanks.
I have not set up advanced rules on the router before - do I put the rule in the DATA or CALL filter, or am I not meant to be putting it there?
My home local subnet is 192.168.4.0 /24
My remote office subnet is 192.168.3.0 /24
Sorry!
Actually, when I think of it, is there a way to stop all DHCP addresses having access, and only a single static (MAC bound) IP from having access to the VPN? There is nothing to stop the lodger from plugging in a second PC or laptop and receiving another DHCP IP...
Cheers for the help.
14 Jun 2010 17:52 #62346
by voodle
Replied by voodle on topic VPN and Vlan
You'd put the rule in the default data filter; the call filter isn't for firewalling so much.
You can lock IPs to MAC addresses by using the Bind IP to MAC under the LAN menu, set it to Strict Bind, add yours and their IP addresses to that list and that'll stop them changing IP address.
You can separate them by making sure your IP address is outside of the DHCP pool, by changing the DHCP start IP and IP pool count so that they won't overlap, then you can set the source address of the firewall to just cover that range of IPs.
14 Jun 2010 20:50 #62347
by lectrician
Replied by lectrician on topic VPN and Vlan
Sorry, I am trying to figure it out in my head.
I know how to set up the DHCP server range and bind IPs.
How do I specify in the firewall the IP range of the DHCP server to be blocked?
I must admit, this has gone a little over my head - I am ok with IPs, but the subnet ranges confuse me a tad.
I need to get this sorted for tomorrow, so will have to read up on subnets!
If you could point me a little closer that would be great!
Your advice is greatly received!
14 Jun 2010 21:08 #62348
by voodle
Replied by voodle on topic VPN and Vlan
Ah, I forgot the 2800 can only do subnets; the easiest way is to use something like this: http://www.subnet-calculator.com/
Change around the hosts per subnet amount and you'll see how you can limit it to specific ranges, although subnet is a slightly awkward way of doing it.
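Added example, not part of the original posts: a Python sketch of the calculation the subnet calculator is being used for here, turning a DHCP start IP and pool count into the subnet(s) a subnet-only firewall can take as the rule source. The 192.168.4.0/24 and 192.168.3.0/24 ranges come from the thread; the pool values and the owner's 192.168.4.2 address are constructed assumptions.

```python
import ipaddress

HOME_LAN = ipaddress.ip_network("192.168.4.0/24")    # home subnet, from the thread
OFFICE_LAN = ipaddress.ip_network("192.168.3.0/24")  # remote VPN subnet, from the thread

def pool_to_subnets(start, count):
    """Return the fewest subnets that cover exactly the DHCP pool."""
    first = ipaddress.IPv4Address(start)
    last = first + (count - 1)
    if first not in HOME_LAN or last not in HOME_LAN:
        raise ValueError("DHCP pool falls outside the home LAN")
    return list(ipaddress.summarize_address_range(first, last))

def block_rules(start, count):
    """One data-filter rule per subnet, using the fields quoted in the thread."""
    dest = f"{OFFICE_LAN.network_address} mask {OFFICE_LAN.netmask} (/{OFFICE_LAN.prefixlen})"
    return [{
        "Direction": "LAN to WAN",
        "Source IP": f"{net.network_address} mask {net.netmask} (/{net.prefixlen})",
        "Destination IP": dest,
        "Action": "Block immediately",
    } for net in pool_to_subnets(start, count)]

def is_blocked(host, start, count):
    """True if a source address would match one of the block rules."""
    ip = ipaddress.IPv4Address(host)
    return any(ip in net for net in pool_to_subnets(start, count))

if __name__ == "__main__":
    # Constructed pools: one unaligned, one aligned to a /26 boundary.
    for start, count in (("192.168.4.10", 50), ("192.168.4.128", 64)):
        rules = block_rules(start, count)
        print(f"pool {start} x{count}: {len(rules)} rule(s)")
        for rule in rules:
            print("  ", rule["Source IP"], "->", rule["Destination IP"])
    # Constructed static address for the owner's PC, kept outside the pool.
    print("owner 192.168.4.2 blocked:",
          is_blocked("192.168.4.2", "192.168.4.128", 64))
```

A pool that starts on a subnet boundary with a power-of-two size (192.168.4.128 with 64 addresses) collapses to a single rule, while the unaligned pool of 50 addresses starting at 192.168.4.10 needs six.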