Site to Site VPN with traffic/access in only one direction
Hi,
I configured a Site to Site VPN between TP-Link ER7206 and a WatchGuard Firewall.
The VPN is up and access is possible from both networks.
Now I want the access only in one direction.
How can I configure it on the TP-Link ER7206?
I think I found the solution.
Here is what I configured.
For the remote Site I configured the Network/IP-Range first under
-> Preferences -> IP Group -> IP Address
add an IP-Range or Subnet here and give it a Name (RemoteNetwork)
Then create a Group
-> Preferences -> IP Group
add a Group and Name it (RemoteNetworkGroup). In the "Address Name" section select (RemoteNetwork).
Go to "Firewall -> Access Control"
Add a new rule and give it a Name.
Policy: Block
Service Type: All
Direction: [WAN] In
Source: RemoteNetworkGroup
Destination: Your internal LAN (in my case "IPGROUP_Any")
Effective Time: Any
States: Select all
Click OK. It should work.
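To make the intent of the rule above concrete, here is a small model of a stateful one-direction ACL. This is an added illustration, not code from the ER7206, the WatchGuard or the poster: it tracks sessions that the local LAN opens towards the remote site and blocks only new sessions that the remote site tries to open towards the LAN, so that replies to LAN-initiated traffic still pass. The subnets 192.168.1.0/24 (local LAN) and 192.168.3.0/24 (the "RemoteNetwork" IP group) and all hosts and ports are made up for the example.

```python
"""Model of a stateful, one-direction ACL for a site-to-site VPN.

Added illustration, not code from the ER7206 or the WatchGuard. It models
the intent of the block rule in the accepted answer: the remote site must
not open sessions towards the local LAN, while the local LAN may open
sessions to the remote site and receive the replies. Subnets, hosts and
ports below are constructed for the example.
"""
from dataclasses import dataclass
import ipaddress

LOCAL_LAN = ipaddress.ip_network("192.168.1.0/24")    # assumed local LAN
REMOTE_NET = ipaddress.ip_network("192.168.3.0/24")   # assumed "RemoteNetwork" IP group


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class StatefulOneWayFirewall:
    """Tracks sessions opened from the local LAN; blocks new ones from the remote side."""

    def __init__(self, local, remote):
        self.local = local
        self.remote = remote
        self.sessions = set()   # 5-tuples of sessions the local side opened

    @staticmethod
    def _forward(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def state(self, p):
        """NEW unless the packet belongs to a tracked session (either direction)."""
        if self._forward(p) in self.sessions or self._reverse(p) in self.sessions:
            return "ESTABLISHED"
        return "NEW"

    def evaluate(self, p):
        src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
        state = self.state(p)
        # The one-way rule: source RemoteNetwork, destination local LAN, state NEW -> block.
        if src in self.remote and dst in self.local and state == "NEW":
            return "BLOCK"
        # Sessions the LAN opens towards the remote site are remembered so that
        # the replies (remote -> LAN, ESTABLISHED) are not caught by the rule above.
        if src in self.local and dst in self.remote and state == "NEW":
            self.sessions.add(self._forward(p))
        return "PERMIT"


def run_demo():
    """Feed a constructed packet sequence through the model and return the decisions."""
    fw = StatefulOneWayFirewall(LOCAL_LAN, REMOTE_NET)
    packets = [
        # 1: LAN host opens HTTPS to a remote server -> allowed, session tracked
        Packet("tcp", "192.168.1.10", 51000, "192.168.3.20", 443),
        # 2: the remote server's reply to that session -> allowed (ESTABLISHED)
        Packet("tcp", "192.168.3.20", 443, "192.168.1.10", 51000),
        # 3: remote host tries SSH into the LAN -> blocked (NEW from remote)
        Packet("tcp", "192.168.3.20", 52000, "192.168.1.10", 22),
        # 4: looks like a reply but matches no tracked session -> blocked
        Packet("tcp", "192.168.3.20", 443, "192.168.1.11", 51000),
    ]
    return [fw.evaluate(p) for p in packets]


if __name__ == "__main__":
    for n, decision in enumerate(run_demo(), 1):
        print(f"packet {n}: {decision}")
```

In this model the block matches only new sessions from the remote side; the rule in the answer selects every state, so after applying it, check on the device that replies to LAN-initiated sessions (such as packet 2 above) still get through, and that a connection attempt initiated from the remote site (such as packet 3) is dropped.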
I did not run a test, but I think you can try a stateful ACL. Add a rule that only blocks the TP-Link ER7206 LAN networks towards the WatchGuard Firewall.
I do not have an ER7206 right now, and my ER605 does not support stateful ACL...
Hi,
Yes, but I'm missing some functions to get this to work.
For example, I was looking at the firewall settings to set a rule
Deny FROM "VPN X" or "LAN 192.168.3.0/24" TO internal LAN.
But I did not find it.
With the Access Control menu I cannot set the source I want to.
Looks like TP-Link needs to improve here!!! For a business VPN router such a function should be available.