    IPSEC VPN restrict access

    IPsec
zMaliz:

      Hi.
      I'm looking at creating an IPSEC VPN between home and the office.

      Ideally I'd like to restrict this so only 2/3 devices locally (home) use it and from the office they can only access those 2/3 devices.
      Is this possible? Can someone point me in the right direction.

      Thanks

        Derelict (LAYER 8, Netgate):

        @zMaliz:

        Hi.
        I'm looking at creating an IPSEC VPN between home and the office.

        Ideally I'd like to restrict this so only 2/3 devices locally (home)

        Pass the traffic you want to allow using firewall rules on the LAN interface for the remote VPN destinations.

        Then reject LAN net to the VPN destinations.

        Ideally this should also be done at the other side for traffic coming into the firewall there, but you can generally control it like this too.

        use it and from the office they can only access those 2/3 devices.
        Is this possible? Can someone point me in the right direction.

        Pass the traffic you want passed from the remote sources on the IPsec tab.

        Reject everything else (or just let default deny there do it. I prefer reject for internal blocks like this so a negative reply is returned to the source.)

        Chattanooga, Tennessee, USA
        The pfSense Book is free of charge!
        DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        zMaliz:

          Thanks, I'll try this over Christmas and see how I get on.

          zMaliz:

            Thanks for the advice. I'm trying to work out the best way to do this.

            So far I've created an alias which contains the internal local IP addresses I want to access the office via the IPsec VPN. This alias is called 'OfficeACL'.

            In Firewall / Rules / IPSec I've added a rule:
            Source: 192.168.10.0/24 (office range)
            Destination: OfficeACL

            In Firewall / Rules / LAN I've added a rule:
            Source: OfficeACL
            Destination: 192.168.10.0/24  (office range)

            Is that right? Will other devices in the local IP address range be able to get to the office?

            Will other devices in the office be able to get to anything other than OfficeACL devices?

            Thanks

              Derelict (LAYER 8, Netgate):

              I don't know what "Office" is. What is the IPsec tunnel network or the remote networks?

              What is the Local LAN subnet?


                zMaliz:

                @Derelict:

                I don't know what "Office" is. What is the IPsec tunnel network or the remote networks?

                What is the Local LAN subnet?

                Hi
                Remote office network is 192.168.10.0/24
                Local LAN is 192.168.25.0/24

                I only want a couple of devices to have access via the VPN and be reachable from the VPN. These have been specified in the OfficeACL alias.

                Thanks

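The following is an added example, not posted by either participant and not pfSense code. It is a first-match model of the two LAN-tab layouts discussed in the thread (zMaliz's two pass rules as posted, and Derelict's pass-then-reject layout) against the subnets given above (192.168.10.0/24 office, 192.168.25.0/24 home), so the answer to "will other devices in the local range be able to get to the office?" can be checked without a lab. Assumptions that the thread does not state: pfSense evaluates a tab's rules top-down with first match winning; a stock install ships a "Default allow LAN to any" rule on the LAN tab while the IPsec tab starts empty (default deny); and the OfficeACL alias members 192.168.25.10 and 192.168.25.11 are made up here.

```python
"""
Added example (not from the thread or from pfSense): first-match model of the
rule layouts discussed above.

Assumptions (labelled, not stated in the thread):
  * pfSense evaluates a tab's rules top-down and the first match wins.
  * A stock install ships a 'Default allow LAN to any' rule at the bottom of
    the LAN tab; the IPsec tab has no rules, so its default is deny.
  * The OfficeACL alias members (192.168.25.10 and .11) are made up here.
Only the first packet of a connection is modelled; reply traffic rides on the
state that first packet created, which is why no 'return' rules appear.
"""
from ipaddress import ip_address, ip_network

OFFICE_NET = ip_network("192.168.10.0/24")   # remote office, from the thread
HOME_LAN = ip_network("192.168.25.0/24")     # local LAN, from the thread
ANY = ip_network("0.0.0.0/0")
# Constructed members of the 'OfficeACL' alias; the thread does not list them.
OFFICE_ACL = [ip_network("192.168.25.10/32"), ip_network("192.168.25.11/32")]


def _matches(spec, addr):
    """spec is a single network or an alias (a list of networks)."""
    nets = spec if isinstance(spec, list) else [spec]
    return any(addr in net for net in nets)


def evaluate(rules, src, dst, default="block"):
    """Return (action, description) of the first rule matching src -> dst,
    or the tab's default action when nothing matches."""
    src, dst = ip_address(src), ip_address(dst)
    for action, rule_src, rule_dst, desc in rules:
        if _matches(rule_src, src) and _matches(rule_dst, dst):
            return action, desc
    return default, "default " + default


# Each rule is (action, source, destination, description), top to bottom.
# LAN tab exactly as zMaliz posted it, plus the stock default-allow rule.
LAN_AS_POSTED = [
    ("pass", OFFICE_ACL, OFFICE_NET, "OfficeACL -> office"),
    ("pass", HOME_LAN, ANY, "Default allow LAN to any (stock rule)"),
]
# LAN tab as Derelict described: pass the allowed hosts, then reject
# LAN net -> office, leaving the stock rule for everything else.
LAN_FIXED = [
    ("pass", OFFICE_ACL, OFFICE_NET, "OfficeACL -> office"),
    ("reject", HOME_LAN, OFFICE_NET, "reject LAN net -> office"),
    ("pass", HOME_LAN, ANY, "Default allow LAN to any (stock rule)"),
]
# IPsec tab (traffic arriving from the tunnel): one pass rule is enough
# because that tab's default is deny.
IPSEC_RULES = [
    ("pass", OFFICE_NET, OFFICE_ACL, "office -> OfficeACL"),
]


def lan_verdict(rules, src, dst="192.168.10.20"):
    """Action taken on a packet from a home host entering the LAN tab."""
    return evaluate(rules, src, dst, default="block")[0]


def ipsec_verdict(src, dst):
    """Action taken on a packet from the office entering the IPsec tab."""
    return evaluate(IPSEC_RULES, src, dst, default="block")[0]


def report():
    """Answer the thread's two questions for both LAN layouts and the IPsec tab."""
    rows = []
    for name, rules in (("LAN as posted", LAN_AS_POSTED), ("LAN with reject", LAN_FIXED)):
        for host in ("192.168.25.10", "192.168.25.50"):
            rows.append((name, host + " -> office", lan_verdict(rules, host)))
    for host in ("192.168.25.10", "192.168.25.50"):
        rows.append(("IPsec tab", "office -> " + host, ipsec_verdict("192.168.10.20", host)))
    return rows


if __name__ == "__main__":
    for tab, flow, verdict in report():
        print(f"{tab:16} {flow:28} {verdict}")
```

With the rules as posted, a home host outside the alias (192.168.25.50 in the model) still reaches the office because the stock allow-all rule matches it; inserting the reject between the pass rule and the stock rule closes that while leaving its Internet access alone. The IPsec tab needs no extra rule, since anything not matching the single pass falls through to default deny; the difference between "reject" and "block" there is only whether the office host gets a TCP RST or ICMP unreachable back, which is the point Derelict makes about internal blocks.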