Site to Site VPN with traffic/access in only one direction

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2022-12-19 17:27:51 - last edited 2022-12-20 14:33:13
Tags: #VPN
Model: ER7206 (TL-ER7206)  
Hardware Version: V1
Firmware Version: 1.2.3 Build 20221104 Rel.41500

Hi,

 

I configured a Site to Site VPN between TP-Link ER7206 and a WatchGuard Firewall.

The VPN is up and access is possible from both networks.

Now I want the access only in one direction.

How can I configure it on the TP-Link ER7206?

1 Accepted Solution
Re:Site to Site VPN with traffic/access in only one direction-Solution
2022-12-20 14:33:08 - last edited 2022-12-20 14:33:13

I think I found the solution.

Here is what I configured.

For the remote site, I first configured the network/IP range under

-> Preferences -> IP Group -> IP Address

Add an IP range or subnet here and give it a name (RemoteNetwork).

Then create a group under

-> Preferences -> IP Group

Add a group and name it (RemoteNetworkGroup). In the "Address Name" section select (RemoteNetwork).

Go to "Firewall -> Access Control".

Add a new rule and give it a name.

Policy: Block

Service Type: All

Direction: [WAN] In

Source: RemoteNetworkGroup

Destination: Your internal LAN (in my case "IPGROUP_Any")

Effective Time: Any

States: Select all

Click OK. It should work.
3 Reply
Re:Site to Site VPN with traffic/access in only one direction
2022-12-20 05:57:58

  @PROXYTEC 

I did not run a test but I think you can try stateful ACL. Add a rule to only block TP-Link ER7206 LAN networks to WatchGuard Firewall.

 

I do not have ER7206 right now and my ER605 does not support stateful ACL...

Re:Site to Site VPN with traffic/access in only one direction
2022-12-20 12:28:50

Hi,

Yes, but I'm missing some functions to get this to work.

For example, I was looking at the firewall settings to set a rule

Deny FROM "VPN X" or "LAN 192.168.3.0/24" TO internal LAN.

But I did not find it.

With the Access Control menu I cannot set the source I want to.

Looks like TP-Link needs to improve here!!! For a business VPN router such a function should be available.

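An added example, not part of any post in this thread and not TP-Link's rule engine: a generic connection-tracking model of the Block rule from the accepted solution, showing how the states a rule matches decide whether replies to locally initiated sessions still pass. The local LAN 192.168.1.0/24, the host addresses and ports, and the state names NEW/ESTABLISHED are assumptions; how the ER7206 itself classifies packets is not stated in the thread, so test both directions after applying the rule.

```python
import ipaddress

REMOTE_NET = ipaddress.ip_network("192.168.3.0/24")  # subnet quoted in the thread, taken as the remote LAN
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")   # assumed local LAN (constructed)


class StatefulAcl:
    """Generic connection-tracking model; not the ER7206's actual rule engine."""

    def __init__(self, blocked_states):
        self.blocked_states = set(blocked_states)  # states the Block rule matches
        self.flows = set()                         # tracked (src, sport, dst, dport)

    def state_of(self, src, sport, dst, dport):
        # A packet is ESTABLISHED if it belongs to a tracked flow in either direction.
        if (src, sport, dst, dport) in self.flows or (dst, dport, src, sport) in self.flows:
            return "ESTABLISHED"
        return "NEW"

    def handle(self, src, sport, dst, dport):
        """Return 'ALLOW' or 'BLOCK' for one packet crossing the tunnel."""
        state = self.state_of(src, sport, dst, dport)
        inbound = (ipaddress.ip_address(src) in REMOTE_NET
                   and ipaddress.ip_address(dst) in LOCAL_NET)
        # The rule: Block, source RemoteNetworkGroup, destination local LAN.
        if inbound and state in self.blocked_states:
            return "BLOCK"
        if state == "NEW":
            self.flows.add((src, sport, dst, dport))  # start tracking the session
        return "ALLOW"


def simulate(blocked_states):
    """Run three constructed packets through the model and return the verdicts."""
    acl = StatefulAcl(blocked_states)
    return {
        # A local host opens a session to a remote server.
        "local_to_remote_new": acl.handle("192.168.1.10", 50000, "192.168.3.20", 443),
        # The server's reply comes back through the tunnel.
        "remote_reply": acl.handle("192.168.3.20", 443, "192.168.1.10", 50000),
        # A remote host tries to open its own session into the local LAN.
        "remote_to_local_new": acl.handle("192.168.3.20", 51000, "192.168.1.10", 22),
    }


if __name__ == "__main__":
    for states in ({"NEW"}, {"NEW", "ESTABLISHED"}):
        print(sorted(states), simulate(states))
```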