How to block all but RDP to a certain computer in the network when connected to PPTP VPN

2023-12-12 15:48:59 - last edited 2023-12-12 15:54:29
Tags: #VPN
Model: ER8411  
Hardware Version: V1
Firmware Version: 1.1.1.1

I am using the Omada software controller and the ER8411 as my Omada managed router, and I'm having some trouble trying to accomplish the following with ACLs:

 

I want to make sure that nobody can make inbound connections to the Office PC (static IP already assigned) UNLESS you are on the PPTP VPN and I want to allow RDP only. This includes making sure that nobody inside the network can access that PC either. ONLY a user on PPTP VPN should have access and only through RDP. What I have been trying is this:

 

1. Create a block all from any to the Office PC in the switch ACL 

2. Create another switch ACL (above the block) that allows RDP port from the IP Group I created that contains the IPs you may get on VPN to the Office PC.

 

This does not work no matter what I've tried (Using IP group for the VPN IPs to the Office PC, etc.). This is difficult in Omada for some reason. Can anyone provide some guidance on this type of setup? Maybe it isn't possible?

 

Thanks!

#1
Re:How to block all but RDP to a certain computer in the network when connected to PPTP VPN
2023-12-12 17:25:57 - last edited 2023-12-12 17:30:28

UPDATE: I was able to get RDP working when on PPTP VPN but I can't limit it to just the RDP port (IP Port Group doesn't work).

 

I had to use IP groups and the source had to have 2 IP groups in it:

 

1. IP Group: GATEWAY - the IP of the router

2. IP Group: PPTP IPs - the IP subnet given out by the PPTP VPN

Both of the above had to exist or it wouldn't work, I tried every combination.

 

Those go to destination:

1. Office PC - an IP group with just the Office PC IP in it.

 

This essentially allows ALL traffic when on the PPTP VPN to go to the Office PC and not just limited to RDP. Close, but not quite.

 

Then I have a 'deny' ACL just below the above that denies any to Office PC, which produces the blocking portion outside of the 2 IP groups defined above.

 

Here is what my switch ACLs look like. The one named "Allow RDP" actually allows everything from the PPTP VPN IP/GATEWAY.

 

#2
Re:How to block all but RDP to a certain computer in the network when connected to PPTP VPN
2023-12-13 07:51:14

Hi @OrangeStreet 

Thanks for posting in our business forum.

So you only need IP-Port now to limit the ports. Correct?

IP-Port Group does not work, what does it mean? It greys out or it is not effective?

Your plan is correct. ACL would work to achieve this.

So, specify the config parameters.

Best Regards!
#3
Re:How to block all but RDP to a certain computer in the network when connected to PPTP VPN
2023-12-13 14:21:15 - last edited 2023-12-13 14:28:52

  @Clive_A 

 

After some more experimentation I found a setup that works to allow only certain IP-Port Groups (PPTP subnet and Router IP on port 3389) to connect to 2 different PCs on the network defined using an IP-Group (PC IP with /32 to restrict to just that 1 IP per PC).

 

Turns out I had to put the port group on the Source and not the destination.

 

Internet => PPTP on Gateway => Switch ACL => Allow IP-Port Group => IP-Group PC 1&2

 

IP-Port Group is the PPTP subnet (/29) and Gateway IP (/32) on port 3389

IP-Group is 2 IPs that match the static IPs on the PCs

 

This setup works as I want!

#4
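The rule set the thread converges on (a permit for TCP 3389 from the PPTP pool and the gateway address to the two PCs, followed by a deny from anywhere to those PCs) is order-sensitive, and it is cheap to sanity-check the ordering and the allow/deny outcomes before pushing it to the controller. The following is an added example, not code from the thread, from TP-Link or from the Omada product: a small first-match ACL simulator in Python. All addresses are constructed, and the matching semantics it models (first matching rule wins, unmatched traffic permitted, each packet evaluated on its own) are assumptions made for the simulator, not a description of how the ER8411 or the switch actually evaluates ACLs.

```python
"""First-match ACL model for the 'RDP only, and only from the PPTP VPN' policy.

Added example, not from the forum thread or from TP-Link. Every address here is
constructed for illustration. First-match-wins and an implicit permit at the end
are assumptions about this simulator, not statements about Omada's behaviour.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "permit" or "deny"
    src: Tuple[Net, ...]             # source address set (an IP Group / IP-Port Group)
    dst: Tuple[Net, ...]             # destination address set
    proto: Optional[str] = None      # "tcp", "udp", or None for any protocol
    dport: Optional[int] = None      # destination port, or None for any port


def nets(*cidrs: str) -> Tuple[Net, ...]:
    """Build an address set; single hosts are written as /32 as the thread does."""
    return tuple(ipaddress.ip_network(c, strict=False) for c in cidrs)


# Constructed addresses; substitute the real ones from the controller.
PPTP_POOL = "10.200.0.0/29"                               # /29 handed to PPTP clients
GATEWAY = "192.168.10.1/32"                               # the router's LAN address
OFFICE_PCS = ("192.168.10.50/32", "192.168.10.51/32")     # the two PCs, one /32 each
ANY = "0.0.0.0/0"

# Permit above deny; the deny is scoped to the PCs so the rest of the LAN is untouched.
ACL: List[Rule] = [
    Rule("Allow RDP", "permit", nets(PPTP_POOL, GATEWAY), nets(*OFFICE_PCS), "tcp", 3389),
    Rule("Block PCs", "deny", nets(ANY), nets(*OFFICE_PCS)),
]


def evaluate(acl: List[Rule], src_ip: str, dst_ip: str, proto: str, dport: int):
    """Return (action, rule_name) for one packet; the first matching rule wins.
    Traffic no rule matches is permitted (assumed default)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in acl:
        if not any(s in n for n in r.src):
            continue
        if not any(d in n for n in r.dst):
            continue
        if r.proto is not None and r.proto != proto:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, r.name
    return "permit", "implicit"


def check_policy(acl: List[Rule] = ACL) -> dict:
    """Evaluate the cases the thread cares about and return {case: action}."""
    return {
        "vpn_rdp":   evaluate(acl, "10.200.0.3", "192.168.10.50", "tcp", 3389)[0],   # wanted
        "vpn_smb":   evaluate(acl, "10.200.0.3", "192.168.10.50", "tcp", 445)[0],    # must deny
        "lan_rdp":   evaluate(acl, "192.168.10.77", "192.168.10.51", "tcp", 3389)[0],  # must deny
        "lan_other": evaluate(acl, "192.168.10.77", "192.168.10.80", "tcp", 3389)[0],  # unaffected
    }


if __name__ == "__main__":
    for case, action in check_policy().items():
        print(f"{case:10s} {action}")
    # Same two rules with the deny on top: the permit is never reached.
    print("deny-first vpn_rdp:", check_policy(list(reversed(ACL)))["vpn_rdp"])
```

Two things worth keeping in mind when moving from the model to the hardware: a stateless switch ACL evaluates each direction on its own, so verify on the real network both that a VPN client can open the RDP session and that a LAN host cannot, rather than trusting the rule list; and the ACL only limits which sessions reach the PC, it does nothing about PPTP itself, whose MS-CHAPv2 authentication is long broken, so the VPN type is the weaker link in this design.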