    Route specific L2TP user to VLAN/Port

    Category: IPsec. 3 posts, 2 posters, 390 views.
    simonwait:

      Hi

      I'm sorry, but I'm new to pfSense, having existed only on consumer units in the past, but I seem to have now become some sort of de facto IT department at my job during the lockdown.

      We have a Netgate XG-7100 with the WAN coming in on ETH1 and then being split between ETH1-ETH6. We already have an L2TP/IPsec VPN set up for several of our staff. This has a DHCP server which is on the 192.168.80.x range.

      On ETH7 we have a separate VLAN for a company who is temporarily using our internet while their ISP has issues. To prevent the 2 LANs from seeing each other I have set up some firewall rules. This has a separate DHCP on 192.168.9.x.

      We also have a number of suppliers of our building equipment (Alarm system, building heating, IP cameras etc) where the suppliers want to be able to access their equipment. As we don't want the suppliers to have access to our network I have again created a VLAN and assigned this to ETH8 with a DHCP on the 192.168.8.x range.

      One of the suppliers needs to access via a VPN and can only do L2TP/IPsec.

      I am wondering if there is a way to assign them a username and password in the current VPN but then route them over to the other network based on those credentials? Alternatively, create a new separate VPN.

      Thanks in advance for any help

      jimp (Rebel Alliance Developer, Netgate):

        L2TP/IPsec is probably one of the worst things you could be using for that, but it should still be somewhat possible.

        You can't create a second L2TP server, so your only choice, if they really can't use anything else (which I find difficult to believe), is to assign their L2TP user a specific IP address and then set up your firewall rules to filter on that static address. For example, by disallowing them from reaching anything except the systems you want them to reach.

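The approach jimp describes, worked through as an added example (this is not code from the thread or from pfSense itself): pfSense evaluates the rules on an interface tab top to bottom and the first match wins, so the "static IP per L2TP user" trick only works if the supplier's pass and block rules sit above the existing broad staff rule. The script below models that first-match evaluation in Python and checks the two orderings. The subnets (192.168.80.0/24 L2TP pool, 192.168.8.0/24 supplier VLAN on ETH8, 192.168.9.0/24 tenant VLAN on ETH7) come from the thread; the specific host addresses, the supplier's static L2TP address 192.168.80.250, a staff user at 192.168.80.10 and the 203.0.113.10 "internet" target, are constructed assumptions, and protocol/port fields are left out.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    """One rule as it would appear on the pfSense 'L2TP VPN' rules tab
    (protocol and port fields omitted for the illustration)."""
    action: str   # "pass" or "block"
    src: str      # source host or CIDR
    dst: str      # destination host or CIDR
    note: str = ""


def first_match(rules, src, dst):
    """Return the action of the first rule matching src -> dst.
    Traffic that matches no rule hits pfSense's implicit default deny."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if s in ip_network(r.src, strict=False) and d in ip_network(r.dst, strict=False):
            return r.action
    return "block"


# Constructed addresses (assumptions, see lead-in).
SUPPLIER_USER = "192.168.80.250"   # static IP set on the supplier's L2TP user entry
STAFF_USER = "192.168.80.10"       # an ordinary staff user from the L2TP pool
L2TP_POOL = "192.168.80.0/24"      # L2TP address range from the thread
SUPPLIER_VLAN = "192.168.8.0/24"   # ETH8: alarm, heating, cameras
TENANT_VLAN = "192.168.9.0/24"     # ETH7: the other company
ANY = "0.0.0.0/0"

# Correct order: the supplier's own pass and block rules come first, so the
# supplier's address never falls through to the generic staff allow.
CORRECT_ORDER = [
    Rule("pass", SUPPLIER_USER, SUPPLIER_VLAN, "supplier -> its own equipment only"),
    Rule("block", SUPPLIER_USER, ANY, "supplier -> everything else, incl. internet"),
    Rule("pass", L2TP_POOL, ANY, "existing staff rule"),
]

# Wrong order: the same three rules with the generic staff rule listed first.
# It matches the supplier's address as well, so the block rule never fires.
WRONG_ORDER = [CORRECT_ORDER[2], CORRECT_ORDER[0], CORRECT_ORDER[1]]


def evaluate(rules):
    """Run a handful of representative flows through a rule set."""
    return {
        "supplier_to_equipment": first_match(rules, SUPPLIER_USER, "192.168.8.20"),
        "supplier_to_tenant": first_match(rules, SUPPLIER_USER, "192.168.9.5"),
        "supplier_to_internet": first_match(rules, SUPPLIER_USER, "203.0.113.10"),
        "staff_to_equipment": first_match(rules, STAFF_USER, "192.168.8.20"),
        "staff_to_internet": first_match(rules, STAFF_USER, "203.0.113.10"),
    }


def supplier_is_contained(rules):
    """True when the supplier reaches only the ETH8 VLAN and staff are unaffected."""
    r = evaluate(rules)
    return (r["supplier_to_equipment"] == "pass"
            and r["supplier_to_tenant"] == "block"
            and r["supplier_to_internet"] == "block"
            and r["staff_to_equipment"] == "pass"
            and r["staff_to_internet"] == "pass")


if __name__ == "__main__":
    for name, rules in (("correct order", CORRECT_ORDER), ("wrong order", WRONG_ORDER)):
        print(name, evaluate(rules), "contained:", supplier_is_contained(rules))
```

Two practical caveats for anyone applying this: the whole control hangs on the supplier always authenticating with the one username that carries the static address (pfSense's L2TP user entries have an optional IP address field for exactly this, which is what the original poster set up), and on pfSense the rules that do the filtering belong on the L2TP VPN tab, where a generic "allow L2TP clients anywhere" rule left above the supplier's block rule silently undoes the restriction, as the wrong-order case shows.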
        simonwait:

          Hi jimp

          Thanks for your help. I agree that they seem to be being difficult, but I'm not sure I have the time or indeed the knowledge to argue well enough. I have started looking down the route you suggested and have managed to create a user with their own IP. This is a remote site and I need someone to go down and physically move the equipment over to ETH8 so I can test. Will let you know how I get on.

          Once again - thank you

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.