How to allow the remote VPN network to access specific local server only?

A VPN provides a convenient and secure connection between a local network and a remote network. Once the VPN is up, the remote network can access all the devices in the local network and vice versa. But what if we only want one specific server to be reachable from the remote VPN network? This document demonstrates how to restrict remote VPN users to a specific local server only, so that they cannot reach the rest of the network devices. A Vigor Router can do this either by VPN configuration or by a firewall rule. Below is the example:

Allow the remote network to access the local network through the VPN while blocking access to the other servers

Method 1: By VPN Configurations

1. On the LAN-to-LAN VPN profile of the Vigor Router in the Branch Office, change the Remote Network IP from the whole network to the server's IP only.

Remote Network settings in the VPN profile

2. On the LAN-to-LAN VPN profile of the Vigor Router in the Head Office, change the Local Network IP from the whole network to the server's IP only.

Local Network settings in the VPN profile

3. When the VPN is up, the Branch Office router will only have a route to the server IP 192.168.188.10/32, so the clients in the Branch Office can only reach the server and cannot access the other devices.

The routing information added by the VPN

Method 2: By Firewall Rule

1. We can create a firewall rule on the Head Office router to limit connections from the Branch Office. Go to the Objects Setting >> IP Object page and click an available index to create an IP Object profile:

a. Enter Name

b. Select "LAN/DMZ/RT/VPN" as Interface

c. Select Address Type as "Single" and then enter the server IP address 192.168.188.10

d. Click OK to Save

Creating an IP object for the server

2. Click another available index to create an IP Object profile for the branch VPN network:

a. Enter Name

b. Select "LAN/DMZ/RT/VPN" as Interface

c. Select "Subnet" as Address Type and then enter the IP address 192.168.1.0 and Subnet Mask 255.255.255.0

d. Click OK to Save

Creating an IP object for the branch VPN network

3. Go to the Firewall >> Filter Setup >> Default Data Filter page and click an available index to create a firewall rule that passes packets from the Branch Office to the Head Office server:

a. Enable this Firewall rule

b. Enter Profile Name

c. Direction: LAN/DMZ/RT/VPN → LAN/DMZ/RT/VPN

d. Source IP: Select the IP object we created for the branch VPN network

e. Destination IP: Select the IP object we created for the local server

f. Filter: Pass Immediately

A filter rule that allows the remote network to access the IP address of the server

Note: We can also specify the Service Type here if we only want a specific service port of the server to be accessible from the remote VPN network.

4. Click another index to create a second filter rule that blocks packets from the Branch Office to all other IP addresses. Its index number must be larger than the one created in step 3, because rules are evaluated in index order and the pass rule has to match first:

a. Enable this Firewall rule

b. Enter Profile Name

c. Direction: LAN/DMZ/RT/VPN → LAN/DMZ/RT/VPN

d. Source IP: Select the IP object we created for the branch VPN network

e. Destination IP: Any

f. Filter: Block Immediately

A filter rule that blocks all remaining traffic sourced from the remote network

5. We can check the firewall log on the Diagnostics >> Syslog Explorer page to confirm that the blocking is working.

syslog showing the firewall is working correctly
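The two-rule policy of steps 3 and 4 relies on first-match ordering, which is easy to get wrong in the GUI. The following is an added example, not part of the DrayTek article or the Vigor firmware: a small Python model of first-match evaluation of the page's rules (using the constructed branch subnet 192.168.1.0/24 and server 192.168.188.10) that shows why the pass rule must have the lower index, and how the Service Type option from the note narrows access to a single port. It assumes that a packet matching no rule is passed, i.e. the filter set's default action is left unchanged.

```python
from ipaddress import ip_address, ip_network

# Constructed sample values matching the article: the branch VPN subnet and
# the head-office server it is allowed to reach.
BRANCH_NET = ip_network("192.168.1.0/24")
SERVER_NET = ip_network("192.168.188.10/32")
ANY = ip_network("0.0.0.0/0")

# A rule is (source net, destination net, destination port or None, action).
# "pass"/"block" stand for "Pass Immediately"/"Block Immediately": the first
# matching rule decides and later rules are never consulted.
RULES_CORRECT = [
    (BRANCH_NET, SERVER_NET, None, "pass"),   # step 3: lower index
    (BRANCH_NET, ANY, None, "block"),         # step 4: higher index
]
# The same two rules with their indexes swapped (the mistake step 4 warns about).
RULES_MISORDERED = list(reversed(RULES_CORRECT))
# Variant of step 3 using the note's Service Type: only HTTPS (443) to the server.
RULES_HTTPS_ONLY = [
    (BRANCH_NET, SERVER_NET, 443, "pass"),
    (BRANCH_NET, ANY, None, "block"),
]


def evaluate(rules, src, dst, dport=None, default="pass"):
    """Return the action of the first rule matching the packet.

    `default` (assumed: pass) applies when no rule matches at all."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    for src_net, dst_net, port, action in rules:
        if src_ip in src_net and dst_ip in dst_net and port in (None, dport):
            return action
    return default


def pass_rule_precedes_block(rules):
    """Check the step 4 ordering requirement: the pass rule for the server must
    sit at a lower index than the catch-all block rule for the same source."""
    for i, (src_net, dst_net, _, action) in enumerate(rules):
        if action == "block" and dst_net == ANY:
            return any(r[3] == "pass" and r[0] == src_net for r in rules[:i])
    return False
```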

