Inter-VLAN routing finer level of control

I am building a large hub and spoke network, and absolutely cannot allow different remote offices to “see” each other, as they are different customers.

But - I with to use a PEPVPN connection from my office AND PPTP remote access to be able to access the entire network for support purposes.

There are two problems:

  1. the PPTP remote access is considered a “VLAN”, so if allow intervlan traffic is blocked then the PPTP user cannot access any remote site, or even the local LAN IPs. I am asking that there be an override control to allow this even if inter-vlan traffic is blocked.
  2. The intervlan allow/deny is global. It would be very useful to have a global allow/deny, then an overriding allow on each VPN. i.e. set global to deny, but go into profile REMOTE17 and be able to list others to be allowed.

#1 is the priority for me, but #2 would also be useful.


I think you can use Internal Firewall (Network > Access Rules > Internal Network Firewall Rules) to control the inter-Vlan and inter-site communication instead of disable the Inter-Vlan routing.

The problem with this solution is that each site receives routes to all other sites. i.e. if I have 1,000 remote sites then each gets route updates for the other 999 sites. That is an incredible waste of resources.