VLAN for remote access

I’m learning how to use VLANs. I am trying to set up a separate VLAN for L2TP remote access users, so that I can control exactly what range they appear in (rather than them coming into my primary untagged LAN). I think I am doing something wrong in the VLAN setup.

For example, let’s say my primary untagged LAN is:
IP address 10.60.12.254 /24
DHCP range 10.60.12.1 - 253
inter-VLAN routing checked

I want to set up 10.60.13.1 to 10.60.13.13 as DHCP for remote access. I created the VLAN named “Remote Access”:
IP address 10.60.13.14 / 28
VLAN ID 2
inter-VLAN routing checked
DHCP range 10.60.13.1 to 10.60.13.13

Under Remote Access setup, I have “assign to Remote Access (2)”

When I connect via L2TP, I am assigned the IP 10.60.13.1 as expected, but I cannot communicate with any devices on the untagged network. A Windows IPCONFIG shows gateway of 0.0.0.0. I would have expected it to show 10.60.13.14.

What am I doing wrong?

@Don_Ferrario

Nothing wrong with the configuration.

You may need to check the split tunneling option (Windows) on the PPTP/L2TP client devices.

If split tunneling is enabled, only 10.60.13.14/28 will route via the VPN tunnel, while all other traffic is routed via the local physical interface.

It seems that for your deployment you have separated the L2TP (IPsec) or PPTP users onto a different network, hence you need to make sure “use default gateway on remote network” is enabled.


P/S: For your deployment, you should make sure split tunneling is disabled.

1 Like

I found the problem. When you use a VLAN for remote access, you must open the inbound firewall rules to permit remote access clients to communicate. You have to do the same thing for remote access clients on the primary untagged LAN, but I already had that rule in place.

When I added Allow source 10.60.13.14/28, destination ANY to the firewall, the issue went away. I think this may be the cause of some of the other remote access problems discussed in other threads on this forum. Even if your remote access is receiving addresses on your untagged LAN, you still have to create this rule.

2 Likes
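The two explanations in this thread point at two different places where a remote-access packet can die: on the client, before it ever enters the tunnel (split tunneling, as in the first reply), and on the router’s inbound firewall for the remote-access VLAN (the rule the original poster ended up adding). The script below is an added example, not something from the thread or from any router vendor; it models both decisions with the thread’s addresses so you can see which one applies. Assumptions are marked in the code: the client’s own LAN (192.168.1.0/24), the route metrics, a first-match firewall with an implicit deny, and that “10.60.13.14/28” in a rule is normalised to the network 10.60.13.0/28 (Python’s `ipaddress` rejects the host-bit form unless `strict=False`; some firewalls do the same, so enter 10.60.13.0/28 if yours complains).

```python
"""Toy model of where an L2TP client's packet to the untagged LAN is lost.

Added example, not from the original thread. Models:
  1. the Windows client's route lookup (split tunnel vs. "use default
     gateway on remote network"), and
  2. the router's inbound firewall check on the remote-access VLAN.
Addresses follow the thread; CLIENT_LAN, metrics and rule semantics are
assumptions made for the example.
"""
import ipaddress
from typing import List, Tuple

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network

ANY = Net("0.0.0.0/0")
PRIMARY_LAN = Net("10.60.12.0/24")                  # untagged LAN, gateway .254
REMOTE_VLAN = Net("10.60.13.14/28", strict=False)   # normalises to 10.60.13.0/28
REMOTE_GW = IPv4("10.60.13.14")
REMOTE_POOL = (IPv4("10.60.13.1"), IPv4("10.60.13.13"))
CLIENT_LAN = Net("192.168.1.0/24")                  # assumed: the client's own LAN

Route = Tuple[Net, str, int]   # (prefix, interface, metric)
Rule = Tuple[str, Net, Net]    # (action, source, destination)


def addressing_plan_ok() -> bool:
    """Sanity check of the VLAN plan: DHCP pool inside the /28, network and
    broadcast excluded, gateway inside the /28 but outside the pool, and no
    overlap with the primary LAN."""
    first, last = REMOTE_POOL
    return (
        first in REMOTE_VLAN and last in REMOTE_VLAN
        and first > REMOTE_VLAN.network_address
        and last < REMOTE_VLAN.broadcast_address
        and REMOTE_GW in REMOTE_VLAN
        and not (first <= REMOTE_GW <= last)
        and not REMOTE_VLAN.overlaps(PRIMARY_LAN)
    )


def client_routes(split_tunnel: bool) -> List[Route]:
    """Routes the client ends up with (metrics are assumed values).
    Split tunnel: only the VLAN prefix is reachable through the tunnel.
    Full tunnel ("use default gateway on remote network"): a default route
    via the tunnel with a lower metric than the ISP default."""
    routes = [
        (CLIENT_LAN, "physical", 25),
        (ANY, "physical", 25),          # ISP default route
        (REMOTE_VLAN, "vpn", 1),
    ]
    if not split_tunnel:
        routes.append((ANY, "vpn", 1))
    return routes


def lookup(dest: IPv4, routes: List[Route]) -> str:
    """Longest prefix match; ties broken by the lowest metric."""
    best_key, best_iface = None, "unreachable"
    for prefix, iface, metric in routes:
        if dest in prefix:
            key = (prefix.prefixlen, -metric)
            if best_key is None or key > best_key:
                best_key, best_iface = key, iface
    return best_iface


def firewall_permits(src: IPv4, dst: IPv4, rules: List[Rule]) -> bool:
    """First-match inbound rule set with an implicit deny at the end (assumed)."""
    for action, src_net, dst_net in rules:
        if src in src_net and dst in dst_net:
            return action == "allow"
    return False


RULES_BEFORE: List[Rule] = [("allow", PRIMARY_LAN, ANY)]          # rule the OP already had
RULES_AFTER: List[Rule] = RULES_BEFORE + [("allow", REMOTE_VLAN, ANY)]  # rule that fixed it


def client_can_reach_lan(split_tunnel: bool, rules: List[Rule],
                         client_ip: IPv4 = IPv4("10.60.13.1"),
                         target: IPv4 = IPv4("10.60.12.10")) -> Tuple[str, bool]:
    """Return (interface the client sends on, whether the packet is delivered)."""
    iface = lookup(target, client_routes(split_tunnel))
    if iface != "vpn":
        return iface, False   # never enters the tunnel; the router never sees it
    return iface, firewall_permits(client_ip, target, rules)


if __name__ == "__main__":
    cases = [(True, RULES_BEFORE, "split tunnel, no VLAN rule"),
             (False, RULES_BEFORE, "full tunnel, no VLAN rule"),
             (False, RULES_AFTER, "full tunnel, VLAN rule added")]
    print("addressing plan ok:", addressing_plan_ok())
    for split, rules, label in cases:
        print(f"{label:30} -> {client_can_reach_lan(split, rules)}")
```

In the split-tunnel case the packet to 10.60.12.10 leaves on the physical interface and no firewall rule on the router can help; in the full-tunnel case it reaches the router and is then dropped until the VLAN rule exists. The 0.0.0.0 gateway that ipconfig shows for a PPP adapter is normal for a point-to-point link and is not by itself a sign of a broken VLAN; `route print` is the place to check whether the default route actually goes via the tunnel.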