Route specific L2TP user to VLAN/Port
-
Hi
I'm sorry, but I'm new to pfSense, having existed only on consumer units in the past, but I seem to have now become some sort of de facto IT department at my job during the lockdown.
We have a Netgate XG-7100 with the WAN coming in on ETH1 and then being split between ETH1-ETH6. We already have an L2TP/IPsec VPN set up for several of our staff. This has a DHCP server which is on the 192.168.80.x range.
On ETH7 we have a separate VLAN for a company that is temporarily using our internet while their ISP has issues. To prevent the 2 LANs from seeing each other I have set up some firewall rules. This has a separate DHCP on 192.168.9.x.
We also have a number of suppliers of our building equipment (alarm system, building heating, IP cameras, etc.) where the suppliers want to be able to access their equipment. As we don't want the suppliers to have access to our network, I have again created a VLAN and assigned this to ETH8 with a DHCP on the 192.168.8.x range.
One of the suppliers needs to access via a VPN and can only do L2TP/IPsec.
I am wondering if there is a way to assign them a username and password in the current VPN but then route them over to the other network based on those credentials? Alternatively, create a new separate VPN.
Thanks in advance for any help
-
L2TP/IPsec is probably one of the worst things you could be using for that, but it should still be somewhat possible.
You can't create a second L2TP server, so your only choice, if they really can't use anything else (which I find difficult to believe), is to assign their L2TP user a specific IP address and then set up your firewall rules to filter on that static address. For example, by disallowing them to reach anything except the systems you want them to reach.
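The approach above, written out as a pf-style ruleset (an added example, not from the original post or from pfSense's generated rules): the supplier's L2TP user is assumed to have been given the static address 192.168.80.250 (placeholder), the L2TP interface group is assumed to be named l2tp, and the subnets are the ones from the question. In the pfSense GUI the same three rules go on the L2TP VPN interface tab in this order, since rules are matched first-hit.

```pf
# Constructed values: supplier's static L2TP address is a placeholder,
# the subnets come from the thread above.
supplier_ip   = "192.168.80.250"   # static IP assigned in the L2TP user's settings
staff_lan     = "192.168.80.0/24"  # L2TP staff pool / office network
tenant_vlan   = "192.168.9.0/24"   # VLAN on ETH7 (other company)
supplier_vlan = "192.168.8.0/24"   # VLAN on ETH8 (building equipment)
l2tp_if       = "l2tp"             # assumption: pfSense's L2TP interface group

# 1. Supplier may reach only the equipment VLAN.
pass in quick on $l2tp_if inet from $supplier_ip to $supplier_vlan

# 2. Anything else from that static address is dropped and logged, so a
#    probe toward the staff LAN or the tenant VLAN shows up in the firewall log.
block in quick log on $l2tp_if inet from $supplier_ip to any

# 3. Staff L2TP users keep their existing access (tighten as needed).
pass in quick on $l2tp_if inet from $staff_lan to any
```

Keep the supplier's static address outside the range the L2TP server hands out dynamically, otherwise a staff user could be leased the same IP and inherit the supplier's restrictions (or the reverse).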
-
Hi jimp
Thanks for your help. I agree that they seem to be being difficult, but I'm not sure I have the time or indeed the knowledge to argue well enough. I have started looking down the route you suggested and have managed to create a user with their own IP. This is a remote site and I need someone to go down and physically move the equipment over to ETH8 so I can test. Will let you know how I get on.
Once again - thank you