DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Any idea how to restrict dial in users to one tcp protocol?

08 Aug 2019 19:53 #1 by roga
I have a 255.255.255.0 LAN, which awards dial-in users an IP address on the subnet (DrayTek 2860).

Is there a way to have a firewall rule to allow only one TCP protocol for dial-in users?

What I want to do is restrict access to only the remote desktop server service (which I can define as answering on a particular TCP port), as I don't want dial-in users to be able to see the rest of the network.


regards

Roga

09 Aug 2019 09:12 #2 by admin3
It appears the UK site doesn't have an equivalent guide yet, but this article shows how to do what you want to do, which is to use the router's firewall on either side to limit access to a single IP on the remote VPN subnet:
https://www.draytek.com/support/knowledge-base/5470
Forum Administrator

09 Aug 2019 16:33 #3 by roga
Thanks @admin3 for the suggestion. The document you link to is for LAN-to-LAN VPN; in this case I am using what DrayTek refer to as "Remote Dial-in User", so if you have any ideas about that I would be pleased to hear them.

regards

Roger

12 Aug 2019 09:29 #4 by admin3
Good point. The setup is about the same, but you put the LAN IP range as the IP range that the remote dial-in users will use, so you'd block "LAN/RT/VPN > LAN/RT/VPN" with LAN (your subnet) to VPN (the remote dial-in user IP range, also your subnet).
Forum Administrator

12 Aug 2019 09:34 #5 by roga
Thanks @admin3
I was thinking something similar myself; I'll give it a try and let you know how I get on.

15 Aug 2019 11:01 #6 by roga
I got it going using a couple of filters: I set the dial-in range as an object, then had a rule to block unless further matched, then had a rule to allow only port 3389 through to specific servers.

I would have uploaded some screen shots, but not so easy to do on this board.

Roga
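Added example (not from the thread or from DrayTek): a small Python model of the two-rule filter chain Roga describes in post #6, so the ordering and the "block unless a later rule matches" semantics can be checked before committing them to the router. The rule actions are modelled after the DrayTek filter actions as I understand them (Pass/Block Immediately, Pass/Block If No Further Match); the dial-in range 192.168.1.200-209, the RDP servers 192.168.1.10 and .11, and the default-pass behaviour when nothing matches are all assumptions made for the example, not details from the thread.

```python
"""Model of the DrayTek-style filter chain from the thread: rule 1 blocks
all dial-in traffic unless a later rule matches, rule 2 passes TCP/3389 to
the RDP servers only. Addresses and action semantics are assumptions."""
from dataclasses import dataclass
from enum import Enum
from ipaddress import IPv4Address
from typing import Callable, List, Optional


class Action(Enum):
    PASS_IMMEDIATELY = "pass immediately"
    BLOCK_IMMEDIATELY = "block immediately"
    PASS_IF_NO_FURTHER_MATCH = "pass if no further match"
    BLOCK_IF_NO_FURTHER_MATCH = "block if no further match"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # None for protocols without ports


@dataclass(frozen=True)
class Rule:
    name: str
    src: Callable[[str], bool]
    dst: Callable[[str], bool]
    proto: Optional[str]   # None = any protocol
    dport: Optional[int]   # None = any port
    action: Action

    def matches(self, p: Packet) -> bool:
        return (self.src(p.src) and self.dst(p.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


def ip_range(first: str, last: str) -> Callable[[str], bool]:
    """Matcher for an inclusive IP range, like a DrayTek IP Object of type Range."""
    lo, hi = IPv4Address(first), IPv4Address(last)
    return lambda ip: lo <= IPv4Address(ip) <= hi


def ip_set(*ips: str) -> Callable[[str], bool]:
    """Matcher for a handful of specific hosts (an IP Group in DrayTek terms)."""
    allowed = {IPv4Address(i) for i in ips}
    return lambda ip: IPv4Address(ip) in allowed


def any_ip(ip: str) -> bool:
    return True


# Assumed addressing: dial-in users land in .200-.209 of the LAN /24,
# and only these two hosts should answer RDP.
DIAL_IN_USERS = ip_range("192.168.1.200", "192.168.1.209")
RDP_SERVERS = ip_set("192.168.1.10", "192.168.1.11")

RULES: List[Rule] = [
    # Rule 1: everything from the dial-in range is blocked unless rule 2 matches.
    Rule("dialin-block-unless-matched", DIAL_IN_USERS, any_ip,
         None, None, Action.BLOCK_IF_NO_FURTHER_MATCH),
    # Rule 2: TCP/3389 to the RDP servers only; UDP/3389 and ICMP stay blocked.
    Rule("dialin-allow-rdp", DIAL_IN_USERS, RDP_SERVERS,
         "tcp", 3389, Action.PASS_IMMEDIATELY),
]


def evaluate(p: Packet, rules: List[Rule] = RULES, default_pass: bool = True) -> bool:
    """Return True if the packet is passed, False if it is blocked.

    Rules are checked in order. An "immediately" action ends evaluation;
    an "if no further match" action is remembered and only applies when no
    later rule matches. Traffic matching no rule at all gets default_pass
    (assumed here to be pass, i.e. LAN workstations are unaffected)."""
    deferred: Optional[Action] = None
    for r in rules:
        if not r.matches(p):
            continue
        if r.action is Action.PASS_IMMEDIATELY:
            return True
        if r.action is Action.BLOCK_IMMEDIATELY:
            return False
        deferred = r.action  # a later matching rule may still override this
    if deferred is Action.BLOCK_IF_NO_FURTHER_MATCH:
        return False
    if deferred is Action.PASS_IF_NO_FURTHER_MATCH:
        return True
    return default_pass


if __name__ == "__main__":
    # Constructed sample traffic to show what the chain lets through.
    for pkt in [Packet("192.168.1.201", "192.168.1.10", "tcp", 3389),
                Packet("192.168.1.201", "192.168.1.10", "tcp", 445),
                Packet("192.168.1.201", "192.168.1.20", "tcp", 3389),
                Packet("192.168.1.201", "192.168.1.10", "udp", 3389),
                Packet("192.168.1.201", "192.168.1.10", "icmp"),
                Packet("192.168.1.50", "192.168.1.20", "tcp", 445)]:
        print(pkt, "->", "PASS" if evaluate(pkt) else "BLOCK")
```

The ordering matters: if the "pass immediately" rule for TCP/3389 were placed before the "block if no further match" rule, it would still work, but a "block immediately" rule placed first would never let RDP through. The model also makes the edge cases visible: a dial-in client reaching port 3389 on a host that is not in the server group, or using UDP, is still blocked, while a LAN workstation outside the dial-in range matches neither rule and is unaffected. It does not model traffic addressed to the router itself (such as DNS) or the stateful handling of return traffic, which the real firewall deals with separately.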