R600VPN: How to Block Clients from Internet-Access while using Site-2-Site-VPN

2022-05-14 09:54:27 - last edited 2022-05-14 17:13:18
Model: TL-R600VPN  
Hardware Version: V4
Firmware Version:

I have established a Site-2-Site VPN (IPSec) with 2 TL-R600VPN-Routers.

Now all Clients can access the Internet, which is not what I want (because of security issues).

The easiest way would be to turn off NAT, but that doesn't work on a TL-R600 (it simply can't be turned off).

Is there a simple way to block all Internet-Access while not blocking the VPN-Traffic?

Regards,

Micky

#1
Re: R600VPN: How to Block Clients from Internet-Access while using Site-2-Site-VPN
2022-05-14 17:12:13 - last edited 2022-05-14 17:13:18

I have found one solution, maybe it's interesting for someone:


1. Disable / Clear the Default Gateway in the WAN Settings.

2. Create a route to the other VPN-Router with the former Default-Gateway as the "next hop".

(Optional: If you need DNS in the VPN-Router, create a route for that, too.)

So, no need for complicated Firewall-Rules or disabling NAT (which does not work).

#2
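As an added illustration of why the two routing changes in the post above are enough (this is not code from the thread or from TP-Link), the following Python sketch models the router's forwarding table and a policy-based IPsec tunnel. All addresses are constructed examples, and the optional DNS route from the post is included to show which host it reopens.

```python
import ipaddress

# Constructed sample addressing, not taken from the thread.
LAN = ipaddress.ip_network("192.168.1.0/24")         # local LAN
REMOTE_LAN = ipaddress.ip_network("192.168.2.0/24")  # LAN behind the peer router
WAN = ipaddress.ip_network("203.0.113.0/24")         # WAN subnet of this router
ISP_GATEWAY = ipaddress.ip_address("203.0.113.1")    # the former default gateway
PEER_PUBLIC = ipaddress.ip_address("198.51.100.7")   # peer router's public IP
DNS_SERVER = ipaddress.ip_address("198.51.100.53")   # hypothetical upstream DNS
ANY = ipaddress.ip_network("0.0.0.0/0")

def lookup(table, dst):
    """Longest-prefix match: return the next hop for dst, or None if no route."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, hop) for net, hop in table if dst in net]
    if not matches:
        return None
    return max(matches, key=lambda e: e[0].prefixlen)[1]

def default_table():
    """Stock configuration: a default route sends everything to the ISP."""
    return [(LAN, "direct"), (WAN, "direct"), (ANY, ISP_GATEWAY)]

def locked_down_table(dns_route=False):
    """The fix from the post: no default route (step 1), only a host route to
    the VPN peer via the old gateway (step 2); dns_route adds the optional one."""
    table = [(LAN, "direct"), (WAN, "direct"),
             (ipaddress.ip_network(f"{PEER_PUBLIC}/32"), ISP_GATEWAY)]
    if dns_route:
        table.append((ipaddress.ip_network(f"{DNS_SERVER}/32"), ISP_GATEWAY))
    return table

def forward(table, dst):
    """Fate of a LAN client's packet to dst. Policy-based IPsec encapsulates
    remote-LAN traffic first, so only the outer packet (to PEER_PUBLIC) is routed."""
    dst = ipaddress.ip_address(dst)
    if dst in REMOTE_LAN:
        hop = lookup(table, PEER_PUBLIC)
        return f"ipsec via {hop}" if hop else "drop"
    hop = lookup(table, dst)
    return str(hop) if hop else "drop"

if __name__ == "__main__":
    for name, table in (("default", default_table()), ("locked", locked_down_table())):
        for dst in ("8.8.8.8", "192.168.2.10", "198.51.100.7"):
            print(f"{name:8} {dst:14} -> {forward(table, dst)}")
```

The model also shows the residual exposure: the peer's public IP and any host given an explicit route (such as the DNS server) stay reachable from the LAN, so those are the addresses to keep in mind when reviewing the result.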
Re: R600VPN: How to Block Clients from Internet-Access while using Site-2-Site-VPN
2022-05-17 05:04:19

@Micky_Roth I haven't tested it, but I think ACL may also work. Two rules:

1. Allow Any LAN to Remote Gateway LAN;

2. Block Any LAN from DNS protocol.

The limitation is it will only block website access. Some applications like Facebook may still work since they do not need DNS.

#3
Re: R600VPN: How to Block Clients from Internet-Access while using Site-2-Site-VPN
2022-05-17 14:41:22

Somnus wrote:

Some applications like Facebook may still work since they do not need DNS.

@Somnus Also problematic if your clients want to use a local DNS over the VPN-Connection....

#4