Remote Access and 'Connect to network' ... can I send VPN user traffic to a security router, and not use the Bal30 as the gateway?

On my Bal30, under ‘Remote User Access Settings’, there is a ‘Connect to network’ section, which suggests that I might be able to keep all remote user VPN traffic on just that single VLAN.

I’m trying to set it up like this:

  • VLAN does NOT participate in ‘inter-vlan routing’
  • VLAN does NOT have a Bal30-defined DHCP server
  • another host on the VLAN responds to DHCP requests when remote access users need an IP assigned
  • the DHCP lease specifies another router in the VLAN is the default gateway

In this way, I can force all VPN user traffic to another router, where security policy can be applied (using a zone-based firewall).

Is that the intended use of this ‘Connect to network’ feature?

Well, I’m having trouble getting it to work (it feels like the DHCP lease interaction never occurs, although there has been at least 1 lease assigned, and/or the remote user traffic isn’t being dropped onto the VLAN tagged at L2 for the intended default gateway). What additional logging can I turn on for troubleshooting?

PS. Since the Bal30 doesn’t itself need an IP address in this VLAN, it’d be nice if I could opt not to specify one in the Bal30’s VLAN setup. This makes me suspect that even with ‘Connect to network’, the Bal30 is presumed to be the gateway.


I tested this and it is working fine. This is my network connectivity. Please take note that I disabled the DHCP server in Vlan 10 on the Balance 30, and the router behind the Balance 30 acted as the DHCP server.

  1. I connect to Balance 30 via L2TP/IPSec.
  2. My laptop grabbed IP address 192.168.10.10.
  3. I successfully ping to 172.16.1.10 from my laptop.

The trick here is ensuring you choose Vlan 10 at Connect to Network in L2TP/IPSec and route 172.16.1.0/24 to 192.168.10.2.

Hope this helps.


Sorry for delay to reply. I’m trying to achieve something a bit different.

So, I sort of want the Bal30 to deposit Remote Access traffic onto VLAN10, and for packets placed there to IGNORE the routing table on the Bal30, but to use the default gateway that is supplied by R1’s DHCP service on VLAN10.

Hope my poor diagram makes enough sense. Sorry if it is a non-conventional setup.

There was a small typo in the diagram (corrected now).

The Balance 30 is always the default gateway for the L2TP/IPSec client since the termination point is there. In fact, the adapter for L2TP/IPSec doesn’t have a default gateway. This is the same for the PPTP and IPSec remote VPN clients.

May I know what the concern about the default gateway is? Will the firewall policy not apply to the L2TP/IPSec client if R1 is not the default gateway?


Hi, I guess it doesn’t matter hugely: it would have simplified the definition of the firewall on R1. I’m sure the firewall on the Bal30 is fine, but it’s just one more thing to configure, and the key things I’m wanting to protect (i.e. the ‘inside’ servers) aren’t directly connected to the Bal30 anyway.

So from this discussion, I suppose the point of the Bal30 permitting another DHCP service on the ‘Remote Access Users VLAN’ is to give the ‘usual infrastructure’ the opportunity to bind the client IP and name into the name resolution scope. That’s useful, at least.