Blocking specific host on LAN from accessing remote IPSec networks

chris.ett · Jan 19, 2021, 4:42 AM

I want to block a specific host on the local network from accessing the remote networks on the other end of my site-to-site IPSec VPNs. The first thing I tried is to add the following rule under Firewall>Rules>IPSec:

Action: Reject
Interface: IPSec
Address Family: IPv4
Protocol: any
Source: 172.20.0.100
Destination: any

This did not work, so I edited the rule and moved the host IP from Source to Destination. This did not work either.

I then tried adding a rule under Firewall>Rules>LAN:

Action: Reject
Interface: LAN
Address Family: IPv4
Protocol: any
Source: 172.20.0.100
Destination: (alias) MyRemoteNetworks

This rule achieved the desired result. This is fine... However I would like to understand why it did not work when I put the rule on the IPSec interface (group?).

netblues · Jan 19, 2021, 4:45 AM

@chris-ett Simply because rules are applied on the interface packets arrive.

chris.ett · Jan 19, 2021, 4:50 AM

@netblues Okay, simple enough. To clarify, does that mean I would use rules on the IPSec interface group when I want to allow/block traffic coming from the remote networks?

netblues · Jan 19, 2021, 4:54 AM

@chris-ett Absolutely.
On ipsec, you also have the possibility to"protect" ie allow networks, but thats an ipsec feature only.