Access Rules Restriction in L2VPN Scenario

Hello Everybody,

Dear Team,

We have 02 Peplink Balance One core routers, and we have connected them on WAN1 & WAN2 links.

We have created a PepVPN and, because both sides' LANs have the same subnet, we have created an L2VPN.

Now we want to restrict access on both sides so that only 02 IP addresses on each side can communicate with each other and nothing else.

We tried it with Access Rules, but it does not work.

Please help us out.
Thanks.
Jeevan.

Hi,

You might be better off with virtual network mapping; then you can use L3 tunnels.

Cheers,

Chris

Hello Chris,

So should I remove the L2VPN and then configure Virtual Network Mapping?
Please guide.

Hello Chris,

We removed L2VPN over PepVPN. Now only PepVPN remains. But still it does not work.

Even ping to the other side breaks.
So we had to configure L2VPN again.
Please guide further.

Hello Chris,

We have configured VNM on one Peplink now, and L2VPN on both Peplinks.
Guide us further.

You can’t do this on Layer 2. You would need to use Layer 3 to control traffic with the internal firewall rules.

You could use Layer 3 with both sites having the same subnet, then enable virtual network mapping so that each site thinks the other is available on a different subnet. Then on one site you would access the IP on the other site with the virtual IP instead. Then on each site you could use the firewall to block traffic to and from the remote site's virtually mapped network.


Hello Martin,

Good Morning!!!

We did that now. One end was NATed to 172.30.0.0/24 and the other end was NATed to 172.31.0.0/24.
L2VPN removed. Only PepVPN is configured.
The tunnel is “ESTABLISHED”, but we cannot ping each other.
One more thing: we can't keep the end-user PCs' gateway as the Peplink LAN IP. Each PC has another firewall/router as its gateway. This is the same on both sides.

Please see attached screenshots of one Peplink appliance.
And help us further.

(Attachment Peplink_I.docx is missing)

Ah, in which case the LAN devices will not know to send traffic for the remote site via the Peplink. You will need to add a static route on the gateway at each site for the remote virtually mapped network, with the Peplink LAN IP as the next hop.

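The L3 design Martin describes (same real LAN at both sites, each side reached through its virtually mapped subnet, a firewall allow-list of two hosts per side, and a static route on each site's non-Peplink gateway), as an added Python model that is not part of this thread or of Peplink's software; the 192.168.1.0/24 LAN, the host addresses and the Peplink LAN IP are assumed values, only the 172.30.0.0/24 and 172.31.0.0/24 mapped subnets come from the thread:

```python
import ipaddress

# Constructed model: both sites use the same real LAN (assumed 192.168.1.0/24),
# each site is reached from the other through its virtually mapped subnet
# (172.30.0.0/24 and 172.31.0.0/24 as in the thread), and only two assumed
# hosts per side are allowed to talk to each other.
REAL_LAN = ipaddress.ip_network("192.168.1.0/24")
SITES = {
    "A": {"mapped": ipaddress.ip_network("172.30.0.0/24"), "peplink_lan_ip": "192.168.1.2",
          "allowed": {"192.168.1.10", "192.168.1.11"}, "gateway_routes": {}},
    "B": {"mapped": ipaddress.ip_network("172.31.0.0/24"), "peplink_lan_ip": "192.168.1.2",
          "allowed": {"192.168.1.20", "192.168.1.21"}, "gateway_routes": {}},
}

def to_mapped(site, real_ip):
    """VNM outbound view: keep the host part, swap in the site's mapped prefix."""
    host = int(ipaddress.ip_address(real_ip)) - int(REAL_LAN.network_address)
    return ipaddress.ip_address(int(SITES[site]["mapped"].network_address) + host)

def to_real(site, mapped_ip):
    """VNM inbound view: translate a mapped address back to the site's real LAN address."""
    host = int(ipaddress.ip_address(str(mapped_ip))) - int(SITES[site]["mapped"].network_address)
    return ipaddress.ip_address(int(REAL_LAN.network_address) + host)

def add_static_route(site, remote_site):
    """Martin's fix: the site's (non-Peplink) gateway routes the remote mapped subnet to the Peplink LAN IP."""
    SITES[site]["gateway_routes"][SITES[remote_site]["mapped"]] = SITES[site]["peplink_lan_ip"]

def firewall_permits(local_site, local_real, remote_site, remote_mapped):
    """Peplink internal firewall: permit only allow-listed pairs, default deny to/from the mapped network.
    The same rule set is assumed on both Peplinks, so one evaluation covers the path."""
    return (str(local_real) in SITES[local_site]["allowed"]
            and str(to_real(remote_site, remote_mapped)) in SITES[remote_site]["allowed"])

def ping(src_site, src_real, dst_mapped):
    """Return what happens to a ping from a real host at src_site to a mapped address of the other site."""
    dst_site = next(s for s in SITES if s != src_site)
    dst_mapped = ipaddress.ip_address(dst_mapped)
    if dst_mapped not in SITES[dst_site]["mapped"]:
        return "not a mapped address of the remote site"
    # The PCs' gateway is a separate router: with no static route it never hands the packet to the Peplink,
    # and the reply needs the equivalent route at the far site (the "ping breaks" symptom in the thread).
    if SITES[dst_site]["mapped"] not in SITES[src_site]["gateway_routes"]:
        return "dropped: no route to remote mapped subnet via Peplink at " + src_site
    if SITES[src_site]["mapped"] not in SITES[dst_site]["gateway_routes"]:
        return "dropped: no return route via Peplink at " + dst_site
    if not firewall_permits(src_site, src_real, dst_site, dst_mapped):
        return "denied by firewall"
    return f"delivered to {to_real(dst_site, dst_mapped)} at site {dst_site}"
```

Call `ping("A", "192.168.1.10", "172.31.0.20")` before and after `add_static_route("A", "B")` and `add_static_route("B", "A")` to see the route-dependent failure turn into delivery; a non-allow-listed source such as 192.168.1.50 is refused by the firewall even with routes in place.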

Hello Martin,

Good Morning!!!

VNM at both Peplink routers worked for us, and now with PepVPN+VNM we could work it out. Ping works.
Yes, we will do the routing today on their firewall and let you know.