Hi @marcwa122 

Thanks for posting in our business forum.

marcwa122 wrote

  @Clive_A Hi,

thank you for the answer. We managed to set it up like you mentioned. Thanks.

One more question:
Im using an other Site2Site VPN Connection, which is connecting the remote site (/24 network) and the local site (/24 network) together, but i want to have some ACL restrictions "in between".

For example, i want that all Clients on the Remote-Site (Fritzbox) are accessible by the local site, but no client on the local site (Omada) should be accessible by the remote site (except for the NAS device).

I tried to use an Switch ACL without success (using IP-Groups for local and for remote-network ranges).
I also tried to use a LAN->LAN ACL on Gateway ACL.
All without success. What is the way of doing this kind of acl? I Also tried a WAN IN Type on Gateway ACL. 

Restricting the VPN Tunnel itself is also an option, but there are some troubles using IKEv2 for Fritzbox....
So i decided to create the site2site between the two /24 networks.

Thank you and best regards!

Then you should use a client-to-site VPN. IPsec site-to-site is bidirectional.

If you use ACL, it should never be SW ACL because it is not stateful. You need a stateful ACL which is GW ACL.

If I did not recall it wrong, ACL is effective for the VPN subnets. But you should create a subnet on the Omada router to match the subnet on the other end. LAN - LAN ACL.

But I still think if you need to use it in that way, you should use client-to-site to save performance for other stuff. ACL would sacrifice partial performance.