PepVPN and firewall


#1

We have five locations connected by PepVPN. Location 5 has a server with sensitive information that should only be accessed by three user devices. Those devices are laptops that the users physically carry among the sites, so a user could be at any of locations 1 to 4.

Sometimes the users connect with wifi. The access points are in AP mode, not router/NAT mode, so the devices receive a DHCP address that is part of the wired LAN. Sometimes the user plugs into the wired LAN. Each device therefore has two possible MAC addresses.

I’m trying to write firewall rules to prevent other devices from using the PepVPN to see the servers at location 5. At the moment I’m doing it with passwords on the server but I prefer to back that up with restrictions in the network. Do the Internal Firewall rules affect traffic coming in via the PepVPN? If I enter a rule at location 5 that allows access via MAC address, will the Balance at location 5 even see the device’s MAC address coming in over the VPN?

Or can I do this from the opposite end, where the user is, by restricting access to a specific PepVPN link, to only certain users? That would be an outgoing firewall rule, but I don’t see options to control a specific PepVPN in that section.


#2

Peplink treats PepVPN traffic as ‘internal’ from a firewall perspective. Since the remote devices are routing over Layer 3 to the server, the server’s Balance won’t see the device MAC addresses, which are used at Layer 2 (it will see the MAC address of the router at L2).

If it were me, I’d likely set up SSH on the server, block all remote subnets from the server (apart from access to the SSH port), then SSH tunnel from the user devices to the remote server (over the existing PepVPN) and use key-based security so only those devices with the right private key and SSH username/password could route traffic to the server.

Yes, that means you’d have an SSH tunnel running over the PepVPN, which is a little inefficient, but it’s a tidy way to secure access to the server and limit which devices can access it.


#3

This configuration is, frankly, over my head. That said, I would think you could, at each location, assign the three laptops specific IP addresses and then at the location with the sensitive server, limit access by source IP address. Three laptops with two MACs each is only six IP addresses.

On another level, is there a router/firewall fronting just the sensitive server? Does this make sense (as I said this configuration is beyond me)?


#4

So, more to the point, if LAN A (client devices) and LAN B (servers) are connected by PepVPN, can I write a rule on the LAN A side, which limits access to a specific PepVPN to allow or block certain LAN devices? For example, we have this ability in the PepWave access point firmware, blocking PepVPN access by SSID. I need to block or allow only certain devices on the wired LAN, from entering the VPN.

I had thought of Michael234’s suggestion about writing a rule on the LAN B side, based on the IP address of the client device. Unfortunately as Martin pointed out, PepVPN traffic is treated as internal, so I don’t think the firewall could block it.

How about if I put the server on a separate VLAN? Could I then write a rule to allow only certain IPs to cross over into the other VLAN? Some of those IP devices would be on the same LAN B, but some would be over on LAN A. I don’t know if the LAN A device’s IP would be visible to the router on LAN B.

Would this be any different if I switched the connection to IPsec instead of PepVPN? The location of LAN B only has one internet source, so for my purposes it would function the same. Would I have any more firewall control using IPsec?


#5

Yes you can, identifying by IP address or MAC address, by adding a rule to the internal firewall rules section on the Balance at LAN A.

The traffic is treated as internal, but as it’s over Layer 3 (so different source and destination subnets) you can deny traffic using the firewall with identification by source IP.

With the server on a separate VLAN/subnet you can apply rules based on source IP addresses. LAN A device IPs as the source would be visible to the router on LAN B.

Yes, it would be much harder :slight_smile: Well, no, not really, but you don’t want to go to IPsec if you can help it, as PepVPN is easier by far.


#6

I am looking at the internal firewall rules section. I don’t see any options to allow or deny access to a specific PepVPN. Let’s say I only want to allow one specific IP access to the remote site through PepVPN. All other LAN clients would be blocked. How do I set that up?


#7

Help Tips: (screenshot not reproduced)

Let me give a simple example here:

Site A - Network 192.168.0.0/24

  • Admin PC (192.168.0.10) is able to access the Site B network 192.168.1.0/24.
  • Others are not allowed to access the Site B network.

Site B (Remote) - Network 192.168.1.0/24

  • No access from the Site B network to Site A.
  • Only allow the Site A admin to access Site B.

You can define the following firewall rules to control the access:

Site A and Site B:

P.S.: If you are only the administrator for Site A, defining the example firewall rules on the Site A device should be sufficient to control access for Site A devices.
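The rule sets in #5 and #7 are shown on the original page as screenshots. The following is an added example, not code from the thread or from Peplink: a small Python simulation of how an ordered, first-match firewall would evaluate the Site A and Site B rules described above, so you can check which flows survive before committing them to the Balance. It assumes top-down first-match evaluation with a default action of allow (the way the thread treats the internal firewall), keys rules on IP only (per #2 and #5, the remote Balance sees the device's IP over the PepVPN, not its wired or wifi MAC), and uses the subnets from #7. The rule names and the sample flows are constructed for the example.

```python
# Added example (not from the thread or Peplink): simulate first-match
# firewall evaluation for the Site A / Site B rule sets described above.
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

SITE_A = "192.168.0.0/24"      # from the post
SITE_B = "192.168.1.0/24"      # from the post
ADMIN_PC = "192.168.0.10/32"   # from the post


@dataclass(frozen=True)
class Rule:
    name: str
    src: str     # CIDR (a /32 for a single host)
    dst: str
    action: str  # "allow" or "deny"

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        # Layer 3 only: over the PepVPN the remote Balance sees the
        # device's IP, not its wired/wifi MAC, so rules key on IP.
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst))


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str,
             default: str = "allow") -> Tuple[str, str]:
    """First matching rule wins; unmatched traffic gets the default action.
    Assumption: top-down, first-match ordering with a default of allow."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip):
            return rule.action, rule.name
    return default, "default"


# Site A (where the admin PC lives): only the admin may reach Site B.
SITE_A_RULES = [
    Rule("allow-admin-to-site-b", ADMIN_PC, SITE_B, "allow"),
    Rule("deny-others-to-site-b", SITE_A, SITE_B, "deny"),
]

# Site B (the remote end): nothing from B to A, and only the admin from A.
SITE_B_RULES = [
    Rule("allow-admin-from-site-a", ADMIN_PC, SITE_B, "allow"),
    Rule("deny-site-a-to-site-b", SITE_A, SITE_B, "deny"),
    Rule("deny-site-b-to-site-a", SITE_B, SITE_A, "deny"),
]


def end_to_end(src_ip: str, dst_ip: str) -> str:
    """A flow across the PepVPN must be allowed by the rule set at both ends."""
    for rules in (SITE_A_RULES, SITE_B_RULES):
        action, _ = evaluate(rules, src_ip, dst_ip)
        if action == "deny":
            return "deny"
    return "allow"


if __name__ == "__main__":
    # Constructed sample flows
    flows = [
        ("192.168.0.10", "192.168.1.50"),   # admin PC -> Site B server
        ("192.168.0.20", "192.168.1.50"),   # other Site A host -> Site B
        ("192.168.1.50", "192.168.0.10"),   # Site B host -> admin PC
        ("192.168.0.20", "192.168.0.30"),   # Site A local traffic, untouched
    ]
    for src, dst in flows:
        print(f"{src:>14} -> {dst:<14} {end_to_end(src, dst)}")
    # Ordering matters: swapping the two Site A rules blocks the admin too.
    swapped = list(reversed(SITE_A_RULES))
    print("swapped Site A rules, admin ->",
          evaluate(swapped, "192.168.0.10", "192.168.1.50"))
```

The last line of the script is the check worth keeping in mind when entering the rules on the Balance: the allow for the admin PC has to sit above the subnet-wide deny, or the deny matches first and the admin is locked out along with everyone else. Note also that the deny in Site A's rule set is only a courtesy when both sites are under one administrator; the Site B rules are what actually protect the server if someone at Site A can edit their own Balance.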