Blocking specific host on LAN from accessing remote IPSec networks
-
I want to block a specific host on the local network from accessing the remote networks on the other end of my site-to-site IPSec VPNs. The first thing I tried is to add the following rule under Firewall>Rules>IPSec:
- Action: Reject
- Interface: IPSec
- Address Family: IPv4
- Protocol: any
- Source: 172.20.0.100
- Destination: any
This did not work, so I edited the rule and moved the host IP from Source to Destination. This did not work either.
I then tried adding a rule under Firewall>Rules>LAN:
- Action: Reject
- Interface: LAN
- Address Family: IPv4
- Protocol: any
- Source: 172.20.0.100
- Destination: (alias) MyRemoteNetworks
This rule achieved the desired result. This is fine. However, I would like to understand why it did not work when I put the rule on the IPSec interface (group?).
-
@chris-ett Simply because rules are applied on the interface packets arrive.
-
@netblues Okay, simple enough. To clarify, does that mean I would use rules on the IPSec interface group when I want to allow/block traffic coming from the remote networks?
-
@chris-ett Absolutely.
On IPsec, you also have the possibility to "protect", i.e. allow, networks, but that's an IPsec feature only.
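To make the point of the thread concrete (rules only match on the interface where a packet enters, so a rule on the IPsec tab never sees traffic that arrives on LAN), here is a small added simulation of first-match, per-ingress-interface rule evaluation. It is not pfSense code and not anything posted in the thread; the alias contents, the second host 172.20.0.50, the remote address 10.10.0.5 and the per-interface default actions are constructed assumptions (the LAN default models pfSense's "Default allow LAN to any" rule, the IPsec default models a tab with no rules).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed aliases. "MyRemoteNetworks" is the alias from the thread; its
# member networks are an assumption, not values from the original post.
ALIASES = {
    "any": ["0.0.0.0/0"],
    "MyRemoteNetworks": ["10.10.0.0/16", "10.20.0.0/24"],
}

# Constructed per-interface default when no rule matches (assumption: LAN has
# the stock "allow LAN to any" rule, the IPsec tab has no rules at all).
DEFAULT_ACTION = {"LAN": "pass", "IPSec": "block"}


@dataclass(frozen=True)
class Rule:
    interface: str    # tab the rule was created on
    action: str       # "pass", "block" or "reject"
    source: str       # IP, CIDR or alias name
    destination: str  # IP, CIDR or alias name


@dataclass(frozen=True)
class Packet:
    ingress: str  # interface the packet arrives on
    src: str
    dst: str


def _address_matches(spec: str, addr: str) -> bool:
    """True if addr falls inside the alias members or the literal IP/CIDR spec."""
    for net in ALIASES.get(spec, [spec]):
        if ip_address(addr) in ip_network(net, strict=False):
            return True
    return False


def evaluate(packet: Packet, rules: list[Rule]) -> str:
    """First-match evaluation; only rules bound to the ingress interface are consulted."""
    for rule in rules:
        if rule.interface != packet.ingress:
            continue  # a rule on another tab never sees this packet
        if _address_matches(rule.source, packet.src) and _address_matches(
            rule.destination, packet.dst
        ):
            return rule.action
    return DEFAULT_ACTION[packet.ingress]


# The poster's first attempt: reject rule placed on the IPsec tab.
ATTEMPT_ON_IPSEC = [Rule("IPSec", "reject", "172.20.0.100", "any")]

# The poster's working rule: reject placed on the LAN tab.
WORKING_ON_LAN = [Rule("LAN", "reject", "172.20.0.100", "MyRemoteNetworks")]

# An IPsec-tab pass rule, which is where traffic coming FROM the remote
# networks is filtered (the second question in the thread).
INBOUND_FROM_REMOTE = [Rule("IPSec", "pass", "MyRemoteNetworks", "any")]

# Constructed traffic: the blocked host sending to a remote network host.
LAN_TO_REMOTE = Packet("LAN", "172.20.0.100", "10.10.0.5")
OTHER_HOST_TO_REMOTE = Packet("LAN", "172.20.0.50", "10.10.0.5")
REMOTE_TO_LAN = Packet("IPSec", "10.10.0.5", "172.20.0.100")


def run_scenarios() -> dict[str, str]:
    """Evaluate each constructed packet against each ruleset; keys describe the case."""
    return {
        "ipsec-tab reject, LAN packet": evaluate(LAN_TO_REMOTE, ATTEMPT_ON_IPSEC),
        "lan-tab reject, blocked host": evaluate(LAN_TO_REMOTE, WORKING_ON_LAN),
        "lan-tab reject, other host": evaluate(OTHER_HOST_TO_REMOTE, WORKING_ON_LAN),
        "no ipsec rules, remote packet": evaluate(REMOTE_TO_LAN, []),
        "ipsec pass rule, remote packet": evaluate(REMOTE_TO_LAN, INBOUND_FROM_REMOTE),
    }


if __name__ == "__main__":
    for case, verdict in run_scenarios().items():
        print(f"{case:32s} -> {verdict}")
```

The first scenario reproduces the poster's observation: the LAN-originated packet skips the IPsec-tab rule entirely and falls through to the LAN default, so the reject never fires. The last two show the other direction: packets arriving on the IPsec interface are decided only by IPsec-tab rules, which is why allowing or blocking the remote networks belongs there.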