How to set up IP filter rules for the remote dial-in user
Posted by on 20 January 2012 12:02 PM
Scenario: The remote dial-in user (188.8.131.52) is only allowed to access to the internal server (192.168.21.1) via the Host-To-LAN VPN tunnel, and all other requests to the local subnet of the VPN server will be dropped.
1. IPSec Host-To-LAN VPN Tunnel
As to the IPSec Host-To-LAN VPN tunnel, we should set up the IP filter rules as follows:
Click index 2, and set up an IP filter rule to block all the traffic from the PC1 to the Vigor’s local subnet.
Then click index 3, pass PC1 to access to the internal server of the Vigor router.
2. PPTP/L2TP Host-To-LAN VPN Tunnel
The mechanism of PPTP/L2TP is something different from IPSec. As to the PPTP/L2TP tunnel, the remote dial-in user will get an IP address which locates in the internal subnet of the VPN server. So in this case, we should set up different IP filter rules as follows:
As the remote dial-in user will get an IP address “192.168.21.*”, so we should block all the traffic from “192.168.21.0/24” in the direction of “WAN -> LAN”.
Then set up the “pass” rule for the access to the internal server.