How to set up IP filter rules for the remote dial-in user
Posted by on 20 January 2012 12:02 PM

 

Scenario: The remote dial-in user (218.242.130.19) is only allowed to access the internal server (192.168.21.1) through the Host-To-LAN VPN tunnel; all other requests to the local subnet of the VPN server are dropped.

[Figure: Firewall/firewall_18.JPG]

1. IPSec Host-To-LAN VPN Tunnel

For the IPSec Host-To-LAN VPN tunnel, set up the IP filter rules as follows:

[Figure: Firewall/firewall_19.JPG]

Click index 2 and set up an IP filter rule that blocks all traffic from PC1 to the Vigor's local subnet.

[Figure: Firewall/firewall_20.JPG]

Then click index 3 and set up a rule that passes traffic from PC1 to the internal server behind the Vigor router.

[Figure: Firewall/firewall_21.JPG]

2. PPTP/L2TP Host-To-LAN VPN Tunnel

The PPTP/L2TP mechanism differs from IPSec: over a PPTP/L2TP tunnel the remote dial-in user is assigned an IP address from the internal subnet of the VPN server, so its packets arrive with a local source address rather than the public one. In this case we need different IP filter rules, as follows:

[Figure: Firewall/firewall_22.JPG]

Because the remote dial-in user receives an address of the form 192.168.21.*, block all traffic from 192.168.21.0/24 in the WAN -> LAN direction.

[Figure: Firewall/firewall_23.JPG]

Then set up the "pass" rule allowing access to the internal server.

[Figure: Firewall/firewall_24.JPG]
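To check that the two rule sets above really produce the intended behaviour before relying on them, the following Python model walks sample packets through the rules in index order. It is an added example, not DrayTek's code and not taken from the screenshots. It assumes Vigor-style semantics in which a "block if no further match" rule at a lower index is overridden by a later matching "pass immediately" rule (the exact action labels on your firmware are not shown on this page), that the block rule's destination is the LAN subnet 192.168.21.0/24, and that packets matching no rule fall through to a default of pass. The VPN-assigned address 192.168.21.200 and the outside address 203.0.113.5 are constructed sample values.

```python
"""Model of the ordered IP filter rules for the IPSec and PPTP/L2TP scenarios."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    """One IP filter rule, identified by its index in the filter set."""
    index: int
    direction: str   # "WAN->LAN" or "LAN->WAN"
    src: str         # source network, CIDR notation
    dst: str         # destination network, CIDR notation
    action: str      # "pass" or "block"
    immediate: bool  # True: final on match; False: applies only if no later rule matches

    def matches(self, pkt: dict) -> bool:
        return (self.direction == pkt["direction"]
                and ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst))


def evaluate(rules, pkt, default="pass"):
    """Walk the rules in index order and return the verdict for one packet.

    An 'immediate' rule ends evaluation on match. A non-immediate rule only
    records a deferred verdict, which a later matching rule can override
    (assumed model of the Vigor 'If No Further Match' actions).
    """
    deferred = None
    for rule in sorted(rules, key=lambda r: r.index):
        if not rule.matches(pkt):
            continue
        if rule.immediate:
            return rule.action
        deferred = rule.action
    return deferred if deferred is not None else default


DIALIN_USER = "218.242.130.19/32"     # public address of the remote user (from the page)
LAN_SUBNET = "192.168.21.0/24"        # local subnet of the VPN server (from the page)
INTERNAL_SERVER = "192.168.21.1/32"   # the only host the user may reach (from the page)

# Scenario 1: IPSec Host-To-LAN. The dial-in user keeps its public source address.
IPSEC_RULES = [
    Rule(2, "WAN->LAN", DIALIN_USER, LAN_SUBNET, "block", immediate=False),
    Rule(3, "WAN->LAN", DIALIN_USER, INTERNAL_SERVER, "pass", immediate=True),
]

# Scenario 2: PPTP/L2TP. The dial-in user is assigned an address inside
# 192.168.21.0/24, so the rules match on the LAN subnet as the source instead.
PPTP_L2TP_RULES = [
    Rule(2, "WAN->LAN", LAN_SUBNET, LAN_SUBNET, "block", immediate=False),
    Rule(3, "WAN->LAN", LAN_SUBNET, INTERNAL_SERVER, "pass", immediate=True),
]


def packet(src: str, dst: str, direction: str = "WAN->LAN") -> dict:
    """Build a minimal packet descriptor for the model."""
    return {"src": src, "dst": dst, "direction": direction}


def misordered_ipsec_rules():
    """Same rules but with the block made immediate: the pass rule can never fire."""
    return [
        Rule(2, "WAN->LAN", DIALIN_USER, LAN_SUBNET, "block", immediate=True),
        Rule(3, "WAN->LAN", DIALIN_USER, INTERNAL_SERVER, "pass", immediate=True),
    ]


if __name__ == "__main__":
    cases = [
        ("IPSec, user -> server", IPSEC_RULES, packet("218.242.130.19", "192.168.21.1")),
        ("IPSec, user -> other LAN host", IPSEC_RULES, packet("218.242.130.19", "192.168.21.50")),
        ("IPSec, unrelated WAN host (not covered)", IPSEC_RULES, packet("203.0.113.5", "192.168.21.50")),
        ("PPTP/L2TP, user -> server", PPTP_L2TP_RULES, packet("192.168.21.200", "192.168.21.1")),
        ("PPTP/L2TP, user -> other LAN host", PPTP_L2TP_RULES, packet("192.168.21.200", "192.168.21.50")),
        ("PPTP/L2TP, LAN->WAN not affected", PPTP_L2TP_RULES, packet("192.168.21.50", "203.0.113.5", "LAN->WAN")),
        ("IPSec with immediate block, user -> server", misordered_ipsec_rules(), packet("218.242.130.19", "192.168.21.1")),
    ]
    for label, rules, pkt in cases:
        print(f"{label}: {evaluate(rules, pkt)}")
```

The last case is the one worth noticing: if the index 2 block rule is made to act immediately, the index 3 pass rule is never consulted and the dial-in user loses access to the internal server as well. Also note that these rules constrain only the dial-in user's traffic (and, in the PPTP/L2TP case, anything else that arrives WAN -> LAN with a 192.168.21.x source); other WAN sources fall through to whatever the rest of the filter set and the router's defaults decide.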
