I think I'm asking my poor little WRV200s to do too much. The VLANs for ports and SSIDs are nice on the WRV200 for separating computers from each other but still allowing access to the internet - but we are looking to make it so only VLAN1 for instance can access the vpn tunnels that are created on it. VLAN2 could just have access to the internet but not that vpn tunnels. A workaround I've found is to just change the subnet mask to something like 255.255.255.128 (or smaller) on the local side of the VPN tunnel and using the DHCP reservations make those computers that need access to the vpn (or vice versa) in that range and have the rest of the DHCP scope assign addresses outside the range. In doing so, the computers can't see each other - the computers that need access to the vpn have it, and everyone has access to the intenet. The solution just isn't very scalable with only being to make 20 reservations in DHCP. It would be fantastic if the ipsec vpn tunnels could just only allow traffic from specific VLANs, but I think I'm asking for a bit much from it. I'm loving the 1.0.24 firmware.