
WRV200 - Possible to only limit VPN traffic to one VLAN?

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by Walrus78, Dec 12, 2006.

  1. Walrus78

    Walrus78 LI Guru Member

    I think I'm asking my poor little WRV200s to do too much.

    The VLANs for ports and SSIDs are nice on the WRV200 for separating computers from each other but still allowing access to the internet - but we are looking to make it so only VLAN1 for instance can access the vpn tunnels that are created on it. VLAN2 could just have access to the internet but not the vpn tunnels.

    A workaround I've found is to just change the subnet mask to something like 255.255.255.128 (or smaller) on the local side of the VPN tunnel and, using the DHCP reservations, put those computers that need access to the vpn (or vice versa) in that range and have the rest of the DHCP scope assign addresses outside the range. In doing so, the computers can't see each other - the computers that need access to the vpn have it, and everyone has access to the internet.

    The solution just isn't very scalable with only being able to make 20 reservations in DHCP. It would be fantastic if the ipsec vpn tunnels could just only allow traffic from specific VLANs, but I think I'm asking for a bit much from it.

    I'm loving the 1.0.24 firmware.
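    The subnet-split workaround described above depends on two things lining up: every reserved address for a VPN-capable machine must fall inside the narrowed "local" subnet of the tunnel, and the dynamic DHCP pool must stay entirely outside it, otherwise a random laptop lands in the tunnel's selector. The following planning check is an added example, not code from the thread or from Linksys; the LAN, the /25 tunnel subnet, the MAC addresses and the pool boundaries are constructed sample values.

```python
import ipaddress

# Constructed sample values (not from the thread): a /24 office LAN whose VPN
# tunnel "local" side is narrowed to the lower /25, i.e. mask 255.255.255.128.
LAN = ipaddress.ip_network("192.168.1.0/24")
VPN_LOCAL = ipaddress.ip_network("192.168.1.0/25")
MAX_RESERVATIONS = 20  # reservation limit the post cites for the WRV200


def pool_range(start, end):
    """Return every address in an inclusive DHCP pool (start..end)."""
    s, e = ipaddress.ip_address(start), ipaddress.ip_address(end)
    return [ipaddress.ip_address(i) for i in range(int(s), int(e) + 1)]


def plan(reservations, pool_start, pool_end, vpn_local=VPN_LOCAL, lan=LAN,
         max_reservations=MAX_RESERVATIONS):
    """Validate a subnet-split VPN workaround.

    reservations: {mac: ip} DHCP reservations for machines that need the tunnel.
    pool_start/pool_end: the dynamic pool handed to everyone else.
    Returns the hosts that end up inside the tunnel's local subnet, any
    dynamic-pool addresses that would also match it (unintended VPN access),
    and a list of problems found.
    """
    problems = []
    if len(reservations) > max_reservations:
        problems.append(f"{len(reservations)} reservations exceeds the "
                        f"limit of {max_reservations}")
    if not vpn_local.subnet_of(lan):
        problems.append("VPN local subnet is not inside the LAN")

    vpn_hosts = {}
    for mac, ip in reservations.items():
        addr = ipaddress.ip_address(ip)
        if addr in vpn_local:
            vpn_hosts[mac] = addr
        else:
            problems.append(f"{mac} reserved {ip}, outside the tunnel's local subnet")

    # Any dynamic address inside the tunnel subnet means an unreserved machine
    # would be able to reach the remote site through the tunnel.
    leaked = [a for a in pool_range(pool_start, pool_end) if a in vpn_local]
    if leaked:
        problems.append(f"{len(leaked)} dynamic-pool addresses fall inside "
                        f"the tunnel's local subnet")

    return {"vpn_hosts": vpn_hosts, "leaked_pool": leaked, "problems": problems}


if __name__ == "__main__":
    # Constructed reservations for two VPN-capable machines.
    reservations = {
        "00:11:22:33:44:55": "192.168.1.10",
        "00:11:22:33:44:66": "192.168.1.20",
    }
    good = plan(reservations, "192.168.1.129", "192.168.1.254")
    bad = plan(reservations, "192.168.1.100", "192.168.1.254")
    print("correct split:", good["problems"] or "no problems")
    print("pool overlaps tunnel:", bad["problems"])
```

Run it as-is and the second case reports 28 dynamic addresses (.100 through .127) that would silently get tunnel access; moving the pool start to .129 clears it. The same check works for a smaller tunnel subnet (a /26 or /27) by changing `VPN_LOCAL`, which is the "or smaller" variant mentioned above.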
     
  2. Walrus78

    Walrus78 LI Guru Member

    anyone have any thoughts on this?
     
  3. ifican

    ifican Network Guru Member

    When setting up the tunnel you dictate what the LAN IPs are that use the tunnel; just make sure that the machines you want to have access are in that range and the ones you do not are not.
     
  4. Walrus78

    Walrus78 LI Guru Member

    ifican - thanks for responding to my post first of all. :)

    I'm agreeing that that's the only way to do it - didn't I say I was already doing that in my post? (copied below)

    I do have a workable solution - but what I'm really looking for in my business environment is the ability to have everything that is plugged into certain physical ports given access to the vpn connection and the internet - and those plugged into the other ports only the internet connection and to be separated from the rest of the network. Same goes for wireless with different SSIDs as well. I can set it up and do it for a static set of computers - which will work for the time being - but for offices we have that are hours away and where the computers that are company owned change regularly in there (laptops mostly), it isn't realistic for me to keep a list of mac addresses on hand because there would be hundreds of mac addresses to enter - which just isn't possible. I also can't statically assign the ip addresses. Being able to limit traffic to a particular vlan would be a mostly perfect solution with only having to really worry about a non company owned computer plugged into a "vpn accessible port". Being able to deploy $70 makes that an acceptable risk if we can do the rest.

    Like I said - I think I'm asking the WRV200 to do too much. There are a heck of a lot of features that the Pix 501 can't do that the WRV200 is able to accomplish at this point.

    Thanks for the response though. :)
     
