Split Tunnel (standalone, IPSec, 1 WAN Interface each)

a week ago - last edited a week ago
Model: ER7206 (TL-ER7206)  
Hardware Version: V2
Firmware Version:

Hello, I have 2 ER7206, and I will set up an IPSec tunnel between the two. These are standalone routers....no controllers.

There is one physical WAN cable from the provider on each side. On the branch side there is 1 public IP, and I have 4 public IPs on the HQ side.

Using the VPN config document, I will configure the IPSec tunnel.

My main question is that I want HQ PC at 192.168.20.3 to ONLY go out to the internet....NEVER through the VPN or back to the Branch...at all.

How can I accomplish this? VLAN? NAT? What routing? This is my first go at this, and, unfortunately, this is not a lab setup, this is something I need for my actual work. Thanks

#1
6 Reply
Re:Split Tunnel (standalone, IPSec, 1 WAN Interface each)
a week ago

Hi @PBInc 

Thanks for posting in our business forum.

IPsec does not route the Internet. So, it does not go to the branch for the Internet. Unless you are trying to access the branch local IPs.

 

Do you mean that you want to exclude 192.168.20.3 entirely from the VPN tunnel that links the branch?

That is basically impossible to do as it is a computer in the VLAN that you specify in the IPsec Site-to-Site.

You can set up an ACL to block others from accessing it.

Best Regards!
#2
Re:Split Tunnel (standalone, IPSec, 1 WAN Interface each)
a week ago

  @Clive_A 

Thanks for your reply.

You are right that it is the same vlan.

Yes, I want to exclude HQ PC from the vpn, and want to make sure that it only accesses the local ISP.

What if I specify a vlan 30, for example, with 192.168.30.0/24 and give that HQ PC an IP of 192.168.30.3, assign vlan 30 to port 6 on the router. How would I set it up so that that particular PC sends no traffic to the tunnel, AND only accesses internet through the local ISP?

Thank you again for guiding a newbie to this setup.

#3
Re:Split Tunnel (standalone, IPSec, 1 WAN Interface each)-Solution
a week ago - last edited a week ago

Hi @PBInc 

Thanks for posting in our business forum.

PBInc wrote

  @Clive_A 

Thanks for your reply.

You are right that it is the same vlan.

Yes, I want to exclude HQ PC from the vpn, and want to make sure that it only accesses the local ISP.

What if I specify a vlan 30, for example, with 192.168.30.0/24 and give that HQ PC an IP of 192.168.30.3, assign vlan 30 to port 6 on the router. How would I set it up so that that particular PC sends no traffic to the tunnel, AND only accesses internet through the local ISP?

Thank you again for guiding a newbie to this setup.

Yes. That's how I imagine it would work for your requirements.

Just don't pick VLAN 30 in the IPsec VPN and it will be excluded.

Best Regards!
Recommended Solution
#4
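
An added example, not part of the original posts or of TP-Link's documentation: a small Python model of how a site-to-site IPsec policy selects traffic, showing why a PC in an unselected VLAN 30 never enters the tunnel and how an overly broad local network would pull it back in. The branch subnet 192.168.10.0/24 and the function names are assumptions.

```python
import ipaddress

# Constructed addressing based on the thread; BRANCH_LAN is an assumption,
# the thread never states the branch subnet.
HQ_VLAN20 = ipaddress.ip_network("192.168.20.0/24")   # picked as IPsec local network
HQ_VLAN30 = ipaddress.ip_network("192.168.30.0/24")   # left out of the IPsec policy
BRANCH_LAN = ipaddress.ip_network("192.168.10.0/24")  # assumed remote network


def egress(src, dst, local_nets, remote_nets):
    """Model the policy match: a packet is tunnelled only when its source is in a
    selected local network AND its destination is in a remote network.
    Everything else follows normal routing out the WAN."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_match = any(s in net for net in local_nets)
    dst_match = any(d in net for net in remote_nets)
    return "tunnel" if src_match and dst_match else "wan"


def hosts_inside_policy(hosts, local_nets):
    """Return the hosts that were meant to stay out of the VPN but are covered
    by a selected local network (for example a supernet such as a /16)."""
    return [h for h in hosts
            if any(ipaddress.ip_address(h) in net for net in local_nets)]


if __name__ == "__main__":
    local, remote = [HQ_VLAN20], [BRANCH_LAN]
    internet = "203.0.113.10"  # documentation address standing in for any Internet host
    for src, dst in [("192.168.20.3", "192.168.10.5"),
                     ("192.168.20.3", internet),
                     ("192.168.30.3", "192.168.10.5"),
                     ("192.168.30.3", internet)]:
        print(f"{src} -> {dst}: {egress(src, dst, local, remote)}")
    # A broad local selector silently pulls VLAN 30 back into the tunnel policy.
    broad = [ipaddress.ip_network("192.168.0.0/16")]
    print("covered by /16:", hosts_inside_policy(["192.168.30.3"], broad))
```

The same check is worth repeating against the branch router's remote network list, which should not cover 192.168.30.0/24 either.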
Re:Split Tunnel (standalone, IPSec, 1 WAN Interface each)
a week ago

  @Clive_A 

 

I am attaching an updated diagram.

VLANs 20 and 30 have been created in HQ, and I have created "pretend" public ip addresses of 80.x and 90.x

You said to not pick vlan 30 in ipsec...I have not created an IPSec tunnel yet, so don't know about that....but is there an option to pick which vlans are accessible and which are sent over the IPSec tunnel?

Thanks in advance.

#5
Re:Split Tunnel (standalone, IPSec, 1 WAN Interface each)
a week ago - last edited a week ago

Hi @PBInc 

Thanks for posting in our business forum.

PBInc wrote

  @Clive_A 

 

I am attaching an updated diagram.

VLANs 20 and 30 have been created in HQ, and I have created "pretend" public ip addresses of 80.x and 90.x

You said to not pick vlan 30 in ipsec...I have not created an IPSec tunnel yet, so don't know about that....but is there an option to pick which vlans are accessible and which are sent over the IPSec tunnel?

Thanks in advance.

Best Regards!
#6
Re:Split Tunnel (standalone, IPSec, 1 WAN Interface each)
a week ago

  @Clive_A 

 

This is most helpful, thank you.

I have finally got both routers, and both side public IPs. I will set this up over the next few days and update this thread / you.

Have a great day.

#7