Can you block access to Omada login page for VPN users?
Hello.
Is there a way to block VPN users (using Open VPN) from accessing the Omada login page when they are connected remotely? I can block them from accessing the login page of the NAS on the VLAN they are connected to by using an ACL (in the Switch ACL section) but not the Omada.
VPN users are on a separate VLAN from the internal LAN.
Ports 80, 443, 8043, 8088, 8843 were selected in the ACL for the Omada rule but no luck.
Thank you.
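Added example (not from the original poster or from TP-Link): a small probe you can run from a laptop on the VPN before and after changing the ACL, to see which of the management ports listed above (80, 443, 8043, 8088, 8843) still answer on each gateway address. It distinguishes "open" (handshake completed, ACL not in effect), "refused" (the packet reached the gateway but nothing listens there) and "filtered" (timeout, what a deny ACL normally looks like). The two gateway addresses are the ones mentioned later in this thread; anything else you pass in is your own assumption.

```python
import socket
from typing import Callable, Dict, List, Tuple

# Addresses and ports taken from this thread; substitute your own.
GATEWAY_IPS = ["192.168.68.1", "30.30.30.1"]
MANAGEMENT_PORTS = [80, 443, 8043, 8088, 8843]


def tcp_connect(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify what a TCP connect attempt to host:port does.

    'open'        handshake completed: the management port is reachable
    'refused'     RST came back: packet reached the host, nothing listening
    'filtered'    no answer before the timeout: typical of a drop/deny ACL
    'unreachable' no route / network error on our side
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "unreachable"


def probe_management_ports(
    hosts: List[str],
    ports: List[int],
    connect: Callable[[str, int], str] = tcp_connect,
) -> Dict[Tuple[str, int], str]:
    """Probe every (host, port) pair; `connect` is injectable for testing."""
    return {(h, p): connect(h, p) for h in hosts for p in ports}


def still_reachable(results: Dict[Tuple[str, int], str]) -> List[Tuple[str, int]]:
    """Pairs where the handshake completed, i.e. where the ACL is not biting."""
    return sorted(k for k, state in results.items() if state == "open")


if __name__ == "__main__":
    res = probe_management_ports(GATEWAY_IPS, MANAGEMENT_PORTS)
    for (host, port), state in sorted(res.items()):
        print(f"{host}:{port:<5} {state}")
    gaps = still_reachable(res)
    print("management still reachable on:", gaps if gaps else "nothing")
```

Run it once with the ACL disabled to confirm the baseline shows "open", then again with the ACL enabled; any pair that stays "open" is a gateway address or port the ACL is not covering.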
Hi @daveydoom
Thanks for posting in our business forum.
Have you tried GW ACL? Or you can set up a Group to include the subnet of your VPN clients.
@Clive_A Thank you for the response.
I haven't tried a Gateway ACL yet.
I did setup an IP-Port Group for the subnet of the VPN users. The ACL using that Group blocks access to the web login page for the NAS on that subnet but not the Omada itself. It seems like I'm missing (or overlooking) something very simple.
In your screenshot above, in the Destination section, how did you get an option for Gateway Management Page? I can't find that option using Gateway ACL or Switch ACL. It's not a Type of group that I can select.
Hi @daveydoom
What's the firmware version of your ER7212PC? Is it on the latest one?
I am using Omada Controller V5.12.2. If you don't find this, you can set it up manually by creating an IP-port group with your gateway and port included.
e.g. IP = 192.168.0.1/32 10.0.0.1/32 Port = 80, 443
In future firmware updates, that Gateway Management Page will be implemented.
@Clive_A Thank you. An older firmware version is likely the reason for my problem. I don't have time to check at this moment but I am sure it's not the most recent one.
I won't have time to revisit this until later today or possibly tomorrow but I appreciate your help and will update once I have more info.
Cheers.
@Clive_A My ER7212PC is running on firmware:
1.0.3 Build 20230314
Rel.21018
Controller is v5.8.22
I guess I am up to date after all and I am reluctant to install a beta version at this time. I will try to manually add the IP-Port Group as suggested although I think I already tried that without success. Will update you in a day or two.
Cheers.
@Clive_A I tried again with all other ACLs disabled and I was able to get this to work (partially).
When logged in remotely to a laptop on that VPN user VLAN, I am unable to access the web login page for the NAS and the web login page for the Omada (using the gateway IP from both VLANs 30.30.30.1 and 192.168.68.1). This is good news.
However, when I make an actual VPN connection (using OpenVPN) I am still able to access the Omada login page using the gateway IP of 30.30.30.1.
EDIT:
I thought I read that the ER7212PC device will only allow 10 connections using L2TP and we're using those for staff (L2TP/IPsec with pre-shared key). Then a different connection method must be made for further VPN connections which is why we went with OpenVPN. But now I'm reading this:
Supports up to 20 x LAN-to-LAN IPsec VPN, 16 x OpenVPN, and 16 x L2TP/PPTP VPN connections.
I may have to change my course of action and use OpenVPN for staff and then the L2TP/IPsec with pre-shared key VPN option in Windows 10/11 for the other user group since they all require access to specific data.
Hi @daveydoom
Thanks for posting in our business forum.
1.1.0 firmware has been out for a week. I think it's already on the cloud and pushed to customers.
I created a VLAN interface that matches the subnet of the VPN client subnet. Currently, you cannot use GW ACL with IP Group. This will be a feature updated in the future.
But what I explained literally works.
The scheme is GW ACL, LAN to LAN.
Deny the VPN interface 10.10.20.1/24.
DST is the Management Web.
@Clive_A Thank you for the info. I have updated the firmware and now just need some time to test this. I will report back once I find out more.
Regards, Dave
@Clive_A A few questions if you please:
1) When you're testing and connecting using OpenVPN, are you using an OpenVPN profile you created on the router? Or are you using OpenVPN Access Server to control your connection?
2) In your Gateway ACL you indicated you're blocking 10.10.20.1 /24 but your screenshot shows you tried accessing 192.168.200.1. I setup my Gateway ACL the way you indicated and it blocks me from accessing 192.168.68.1 but still allows me to get to the Management page when I enter 30.30.30.1 when connected to that VLAN.
3) When connecting using an L2TP VPN connection I now lose internet access once the connection is made. This wasn't the case prior to the firmware upgrade. I didn't find anything in the release notes referencing this so am unsure why that would happen. It doesn't happen when using an OpenVPN connection. Assuming I may now have to add DNS info in the optional field? I don't recall seeing that before.
Hi @daveydoom
daveydoom wrote
@Clive_A A few questions if you please:
1) When you're testing and connecting using OpenVPN, are you using an OpenVPN profile you created on the router? Or are you using OpenVPN Access Server to control your connection?
2) In your Gateway ACL you indicated you're blocking 10.10.20.1 /24 but your screenshot shows you tried accessing 192.168.200.1. I setup my Gateway ACL the way you indicated and it blocks me from accessing 192.168.68.1 but still allows me to get to the Management page when I enter 30.30.30.1 when connected to that VLAN.
3) When connecting using an L2TP VPN connection I now lose internet access once the connection is made. This wasn't the case prior to the firmware upgrade. I didn't find anything in the release notes referencing this so am unsure why that would happen. It doesn't happen when using an OpenVPN connection. Assuming I may now have to add DNS info in the optional field? I don't recall seeing that before.
1) If you see the OVPN software, and its profile.
2) If you could read it again. 10.10.20.1/24, what's the subnet of it? Two on the left is what I want to show.
3) What steps did you troubleshoot this? I don't know what you configured. There is no suggestion from me if there is a sentence to the symptom. It's the config then.
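Added example (not code from either poster or from Omada): a first-match model of the Gateway ACL described in this thread, to make the two points above concrete. Clive_A's manual IP-Port Group lists every gateway address (192.168.0.1/32 and 10.0.0.1/32 in his example) and ports 80 and 443, and his deny rule uses the VPN client subnet 10.10.20.1/24 as the source. The model shows why a rule whose destination group names only 192.168.68.1 blocks that address but still lets a client reach the same management page via 30.30.30.1: the gateway answers on each of its VLAN interface addresses, so the destination group has to enumerate all of them. It also shows that an OpenVPN client sourcing from the VPN pool is not matched by a source group that only names the VPN VLAN. Assumptions, not facts from the thread: that the ACL is evaluated first-match with an implicit permit, that 10.10.20.0/24 is the OpenVPN pool and 30.30.30.0/24 the VPN user VLAN, and that the management page listens on all five ports from the first post.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Set, Tuple


@dataclass
class Rule:
    """One IP/port ACL entry: source nets, destination nets, TCP dports, action."""
    name: str
    src: List[str]    # source networks, CIDR
    dst: List[str]    # destination networks, CIDR (/32 for a single host)
    dports: Set[int]  # destination TCP ports
    action: str       # "deny" or "permit"

    def matches(self, src_ip: str, dst_ip: str, dport: int) -> bool:
        s, d = ip_address(src_ip), ip_address(dst_ip)
        return (any(s in ip_network(n) for n in self.src)
                and any(d in ip_network(n) for n in self.dst)
                and dport in self.dports)


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, dport: int,
             default: str = "permit") -> Tuple[str, str]:
    """First matching rule wins; implicit permit otherwise (assumed)."""
    for r in rules:
        if r.matches(src_ip, dst_ip, dport):
            return r.action, r.name
    return default, "implicit-default"


# Values from the thread; the pairing of subnets to roles is an assumption.
MGMT_PORTS = {80, 443, 8043, 8088, 8843}
GATEWAY_IFACE_IPS = ["192.168.68.1/32", "30.30.30.1/32"]  # one per VLAN interface
VPN_VLAN = "30.30.30.0/24"    # VLAN the VPN users land on
VPN_POOL = "10.10.20.0/24"    # OpenVPN client address pool (assumed)

# Rule as first tried: VPN VLAN -> a single gateway address.
PARTIAL = [Rule("vpn-to-mgmt-partial", [VPN_VLAN], ["192.168.68.1/32"], MGMT_PORTS, "deny")]

# Corrected rule: every gateway interface address, VLAN and VPN pool as sources.
COMPLETE = [Rule("vpn-to-mgmt", [VPN_VLAN, VPN_POOL], GATEWAY_IFACE_IPS, MGMT_PORTS, "deny")]


def audit(rules: List[Rule], gateway_ips: List[str], sources: List[str],
          ports: Set[int]) -> List[Tuple[str, str, int]]:
    """Return (src, gateway, port) combinations the rule set still permits."""
    gaps = []
    for s in sources:
        for g in gateway_ips:
            g_ip = g.split("/")[0]
            for p in sorted(ports):
                action, _ = evaluate(rules, s, g_ip, p)
                if action != "deny":
                    gaps.append((s, g_ip, p))
    return gaps


if __name__ == "__main__":
    clients = ["30.30.30.50", "10.10.20.5"]  # VLAN client and OpenVPN pool client
    for label, rules in (("partial", PARTIAL), ("complete", COMPLETE)):
        gaps = audit(rules, GATEWAY_IFACE_IPS, clients, MGMT_PORTS)
        print(f"{label}: {len(gaps)} reachable management endpoints")
        for g in gaps:
            print("   still permitted:", g)
```

The partial rule leaves every port on 30.30.30.1 open to the VLAN client and everything open to the pool client, which is the symptom reported above; the complete rule closes both. The audit only covers the interface addresses you list, so add any further VLAN interface the gateway has, and remember it says nothing about a controller running on a separate host.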