PepVPN: Easy way to restrict VLANs at each site?

Hi, I’m trying to figure out if there is an easy way to limit which VLANs can communicate over PepVPN from each site. So e.g. if I only want the default untagged VLAN to use the VPN, is there something equivalent to the InterVLAN routing control? Or do I have to create firewall rules manually?

Thanks,
Nick.

Hi @nick2020 - welcome to the Forum.

Yes, you can decide which VLAN(s) are advertised over the VPN. The screenshot below is from a Balance device, but the same options are available from the “Advanced” tab on the MAX devices.

Also shown on the screenshot is “PepVPN Route Isolation” - if you enable this at the “Head-end” then it won’t advertise remote site LANs to other remote sites. The tool-tip for this is "Enable this option if you want to isolate PepVPN peers from each other. Received PepVPN routes will not be forwarded to other PepVPN peers to reduce bandwidth consumption.

Note: This will only hide routing information between PepVPN peers, if you want to fully block inter-PepVPN traffics, you should configure Firewall instead."

I hope this helps,

Steve

2 Likes

Thanks Steve, this was helpful. I think the crux of the matter is this:

I have an IoT dedicated network that I want to completely isolate, and in testing I was seeing that I could ping the remote router over the VPN from the IoT network, so I think the Firewall approach is the safest here.

Thanks,
Nick.

1 Like
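The distinction the thread lands on (route isolation only hides advertised prefixes; a firewall rule is what actually stops the IoT VLAN crossing the tunnel) can be checked against a small model before touching the real devices. This is an added example, not Peplink's code or anything from the thread: the hub-and-spoke addresses, the rule sets and the first-match evaluation are constructed assumptions, loosely modelled on an outbound policy evaluated top-down.

```python
from ipaddress import ip_address, ip_network

# Constructed hub-and-spoke sample (assumption, not from the thread): this spoke
# has a default VLAN and an IoT VLAN; the hub and a second spoke each have a LAN.
SPOKE_DEFAULT = ip_network("192.168.1.0/24")
SPOKE_IOT = ip_network("192.168.50.0/24")
HUB_LAN = ip_network("10.0.0.0/24")
OTHER_SPOKE_LAN = ip_network("10.20.0.0/24")
ANY = ip_network("0.0.0.0/0")

def learned_routes(route_isolation):
    """Prefixes this spoke knows. With route isolation enabled at the hub, the
    other spoke's LAN is no longer advertised, but the hub's own LAN still is."""
    routes = [SPOKE_DEFAULT, SPOKE_IOT, HUB_LAN]
    if not route_isolation:
        routes.append(OTHER_SPOKE_LAN)
    return routes

def first_match(rules, src, dst):
    """Firewall evaluated top-down, first match wins; the trailing catch-all
    allow rule in each rule set below models a permissive default policy."""
    for src_net, dst_net, action in rules:
        if src in src_net and dst in dst_net:
            return action
    return "deny"

def can_reach(src, dst, rules, route_isolation=False):
    """True only if a route to dst exists AND the firewall allows the flow."""
    src, dst = ip_address(src), ip_address(dst)
    has_route = any(dst in prefix for prefix in learned_routes(route_isolation))
    return has_route and first_match(rules, src, dst) == "allow"

# Hypothetical rule sets: isolation alone vs. an explicit deny for the IoT VLAN.
PERMISSIVE_RULES = [(ANY, ANY, "allow")]
IOT_BLOCKED_RULES = [
    (SPOKE_IOT, SPOKE_IOT, "allow"),   # IoT devices may still talk among themselves
    (SPOKE_IOT, ANY, "deny"),          # ...but nothing beyond their own VLAN
    (ANY, ANY, "allow"),
]

if __name__ == "__main__":
    # Route isolation hides the other spoke, yet the hub LAN still answers pings.
    print(can_reach("192.168.50.10", "10.0.0.1", PERMISSIVE_RULES, route_isolation=True))   # True
    print(can_reach("192.168.50.10", "10.20.0.1", PERMISSIVE_RULES, route_isolation=True))  # False
    # The deny rule is what actually stops the IoT VLAN crossing the tunnel.
    print(can_reach("192.168.50.10", "10.0.0.1", IOT_BLOCKED_RULES))   # False
    print(can_reach("192.168.1.10", "10.0.0.1", IOT_BLOCKED_RULES))    # True
```

Swap the constructed prefixes for your own VLAN and remote-site subnets and the rules for what you exported from the device, and the same checks confirm the IoT VLAN has no allowed path to any PepVPN-learned prefix.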

Exactly. :+1:

1 Like