Restrict VPN access to certain subnets or devices for Remote Dial-in users.

A Remote Dial-in (also known as Host to LAN) VPN provides a secure connection for a teleworker/VPN client to remotely access a network, for example, in an office. Once the VPN is online, the dial in users can access all of the devices in the network, just like they are physically connected to the LAN. In this article, we'll demonstrate how to: Allow a dial-in VPN user to access specific subnet(s), and Restrict a VPN user to certain hosts or subnets using firewall rules.

(For managing LAN-to-LAN VPN users, please refer to this article link.)

Allow a Dial-In VPN User to Access Specific Subnets:

To grant a VPN client access to additional subnets such as LAN2 and LAN3, follow these steps:

  • Enable Use default gateway on remote network
  • or

  • Click More in the SmartVPN Client, and manually enter the target subnet (format: xxx.xxx.xxx.0) and its subnet mask.

    On the VPN server (e.g., a Vigor router), ensure Inter-LAN Routing is enabled before establishing the VPN tunnel.

    Once the VPN tunnel is established, the VPN client can access the other subnets.

    Restrict a VPN User to Specific Hosts or Subnets Using Firewall Rules

    To limit VPN clients to specific hosts or subnets, we need to:

  • Assign a fixed IP address to the VPN client.
  • Create a firewall rule to define access permissions based on the client’s IP address.
  • For example, in the figure below, the dial-in user is assigned the fixed IP address 192.168.23.11. A firewall rule is then created to block this IP from accessing the 192.168.2.0/24 subnet on the VPN server.

    By checking the Syslog, we can observe that the VPN client is blocked when attempting to access the restricted subnet.

    Additionally, Web Content Filter (WCF), URL Filter, and DNS Filter can also be applied to VPN clients. Simply enable the desired profiles in the firewall rule for the dial-in users.

    Published On:2019-07-23 

    Share

    Was this helpful?   

    book icon

    Knowledge Base