ACLs to block OpenVPN client connections to specific VLAN
This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
Hi guys,
I don't have any more ideas what I'm doing incorrectly or what could be done differently so I would like to ask you for some help.
I have 3 VLANs on my ER70W router (IoT, Work, Home). This router is also hosting OpenVPN server for software clients (Windows, Android).
I would like to block access from OpenVPN clients to Home vlan. ALso I'm using OC200.
I'm setting it up in Gateway ACL section.
I've tried to do it with deny WAN IN as well as LAN to LAN . Using IP Groups, VLAN created for SoftVPN, not including Home network configuration in VPN Policy's Local Networks.
Nothing really works for me, I still can access Home VLAN from VPN client.
The only moment it worked for me, was when I was using ER706W in Standalone Mode and I was able to set rule: Block Access to Home from !Home.
But with OC200 I don't see an option to user ! in ALC configuration :(
How It should be configured properly? What I'm missing?
Best Regards :)
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
RaRu wrote
Hi,
I have used that option in VPN settings, but with full tunneling it doesn't really work.
In full tunneling I have access to all VLANs, no matter what I set there (manually by IP/mask or network interface).
It does work properly when I switch to Split mode. Then this setting takes effect and block VLANs access properly.
I was thinking about SSL VPN but unfortunately I don't have a possibility to issue a certificate. Without valid cert, end-user receive a Warning Message about lack of cert for this connection, which I would like to avoid (questions from end-users / owner of the solution).
There is a clear difference in split and full tunnel. You should get a clear idea between them.
I think what you have written so far shows that your use case is different from what's meant to be for the router. You want to set up the proxy but the proxy means everything is forwarding through the VPN tunnel and which means you can access everything on the server end. And using its gateway for Internet access. That's what full tunnel means.
If you have tried that, that would simply explains the ACL is not effective to the VPN tunnel and routing.
- Copy Link
- Report Inappropriate Content
OK, I have found out, that "not including Home network configuration in VPN Policy's Local Networks" works when the configuration of OpenVPN server is set to Split Tunneling.
Is there a possibility to achieve the same (lack of access to one VLAN from Software VPN client) while using Full Tunneling?
- Copy Link
- Report Inappropriate Content
Hi @RaRu
RaRu wrote
OK, I have found out, that "not including Home network configuration in VPN Policy's Local Networks" works when the configuration of OpenVPN server is set to Split Tunneling.
Is there a possibility to achieve the same (lack of access to one VLAN from Software VPN client) while using Full Tunneling?
This is correct.
About the possibility in full tunneling, you might create a VLAN interface to match the OVPN pool IP, and set up the ACL and give it a try? I remember some time in the past I did something like this.
- Copy Link
- Report Inappropriate Content
Thanks for reply.
Ye, ye. I found that post of yours and tried that as well but without luck. That's why I got confused and made this post :)
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
Hi,
I have used that option in VPN settings, but with full tunneling it doesn't really work.
In full tunneling I have access to all VLANs, no matter what I set there (manually by IP/mask or network interface).
It does work properly when I switch to Split mode. Then this setting takes effect and block VLANs access properly.
I was thinking about SSL VPN but unfortunately I don't have a possibility to issue a certificate. Without valid cert, end-user receive a Warning Message about lack of cert for this connection, which I would like to avoid (questions from end-users / owner of the solution).
- Copy Link
- Report Inappropriate Content
RaRu wrote
Hi,
I have used that option in VPN settings, but with full tunneling it doesn't really work.
In full tunneling I have access to all VLANs, no matter what I set there (manually by IP/mask or network interface).
It does work properly when I switch to Split mode. Then this setting takes effect and block VLANs access properly.
I was thinking about SSL VPN but unfortunately I don't have a possibility to issue a certificate. Without valid cert, end-user receive a Warning Message about lack of cert for this connection, which I would like to avoid (questions from end-users / owner of the solution).
There is a clear difference in split and full tunnel. You should get a clear idea between them.
I think what you have written so far shows that your use case is different from what's meant to be for the router. You want to set up the proxy but the proxy means everything is forwarding through the VPN tunnel and which means you can access everything on the server end. And using its gateway for Internet access. That's what full tunnel means.
If you have tried that, that would simply explains the ACL is not effective to the VPN tunnel and routing.
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 873
Replies: 7
Voters 0
No one has voted for it yet.