DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
LAN - LAN VPN with Strict Bind
- mikeybhoy
- Topic Author
- Offline
- New Member
Less
More
- Posts: 3
- Thank you received: 0
07 Mar 2018 13:36 #90980
by mikeybhoy
LAN - LAN VPN with Strict Bind was created by mikeybhoy
Hi,
I am going to be setting up a IPsec LAN-LAN VPN for a customer tomorrow. He has an existing 2860 at the Head Office (HO) and is getting a new 2862 at the Branch Office (BO).
The BO is multi-tenant (my customer, plus an estate agents) and they currently share the same internet connection through a BT Hub. My customer has a Windows VPN connection on his PC but now wants a site-site VPN setting up instead. The BT Hub will be replaced by the 2862.
In order to prevent the estate agents from having any kind of access to the HO network, I have VLAN'd the new 2862 so that P1 will be used by my customer and P2,P3,P4 available for the estate agent
My customer will be given an IP in the 192.168.3.x range, the estate agent will be 192.168.1.x (same as the existing BT hub)
In the IPSec VPN at the HO end I intend to only specify the Remote Network IP of 192.168.3.x which, if I am correct, will prevent the estate agent on 192.168.1.x from traversing the VPN tunnel from his devices? Have I got this correct?
The customer has further asked that we prevent the estate agent from plugging their own device(s) in to P1 at the BO in order to gain access to the HO network via the VPN tunnel. Strict Bind would appear to be what we're after but is this likely to interfere with VPN traffic in any way?
Bit of a convoluted setup to be honest, but could do with knowing of any potential problems with this before I turn up tomorrow (have an hour window to complete job)
Thanks for looking.
Mike
I am going to be setting up a IPsec LAN-LAN VPN for a customer tomorrow. He has an existing 2860 at the Head Office (HO) and is getting a new 2862 at the Branch Office (BO).
The BO is multi-tenant (my customer, plus an estate agents) and they currently share the same internet connection through a BT Hub. My customer has a Windows VPN connection on his PC but now wants a site-site VPN setting up instead. The BT Hub will be replaced by the 2862.
In order to prevent the estate agents from having any kind of access to the HO network, I have VLAN'd the new 2862 so that P1 will be used by my customer and P2,P3,P4 available for the estate agent
My customer will be given an IP in the 192.168.3.x range, the estate agent will be 192.168.1.x (same as the existing BT hub)
In the IPSec VPN at the HO end I intend to only specify the Remote Network IP of 192.168.3.x which, if I am correct, will prevent the estate agent on 192.168.1.x from traversing the VPN tunnel from his devices? Have I got this correct?
The customer has further asked that we prevent the estate agent from plugging their own device(s) in to P1 at the BO in order to gain access to the HO network via the VPN tunnel. Strict Bind would appear to be what we're after but is this likely to interfere with VPN traffic in any way?
Bit of a convoluted setup to be honest, but could do with knowing of any potential problems with this before I turn up tomorrow (have an hour window to complete job)
Thanks for looking.
Mike
Please Log in or Create an account to join the conversation.
- hornbyp
- Offline
- Big Contributor
Less
More
- Posts: 1323
- Thank you received: 0
07 Mar 2018 16:25 #90990
by hornbyp
I would have thought a Firewall Rule would be what is required, to do that.
The best way to restrict access to Port 1, would be a physical restriction - i.e. a locked cabinet. If you take the "Strict Bind" route, be careful you don't lock yourself out... (it'll get applied to any Wifi clients as well)
You could also look at the"User Management " side of things - I've only looked at this in passing and it introduces another level of complexity - but it might help.
An "hour window" you say...:wink:
Replied by hornbyp on topic Re: LAN - LAN VPN with Strict Bind
In the IPSec VPN at the HO end I intend to only specify the Remote Network IP of 192.168.3.x which, if I am correct, will prevent the estate agent on 192.168.1.x from traversing the VPN tunnel from his devices? Have I got this correct?mikeybhoy wrote:
I would have thought a Firewall Rule would be what is required, to do that.
He also wrote:
The customer has further asked that we prevent the estate agent from plugging their own device(s) in to P1 at the BO in order to gain access to the HO network via the VPN tunnel. Strict Bind would appear to be what we're after but is this likely to interfere with VPN traffic in any way?
The best way to restrict access to Port 1, would be a physical restriction - i.e. a locked cabinet. If you take the "Strict Bind" route, be careful you don't lock yourself out... (it'll get applied to any Wifi clients as well)
You could also look at the
An "hour window" you say...
Please Log in or Create an account to join the conversation.
- mikeybhoy
- Topic Author
- Offline
- New Member
Less
More
- Posts: 3
- Thank you received: 0
08 Mar 2018 15:55 #91008
by mikeybhoy
Replied by mikeybhoy on topic Re: LAN - LAN VPN with Strict Bind
Thanks for the reply hornbyp,
So ....
now back from site (2.5hrs in the end, including chasing down BT ADSL credentials and filter issues). System working and traffic routing successfully between BO and HO for our customer, with estate agents unable to traverse the tunnel from their VLAN / Subnet, but still has full internet access.
I originally looked athttps://www.draytek.com/en/faq/faq-vpn/vpn.lan-to-lan/how-to-access-more-subnet-on-remote-network/ and took this to mean a subnet not explicitly listed would not route traffic and that seems to be the case here. Strict Bind doesn't appear to interfere with the VPN.
They had no cabinet, but did have structured cabling through the building. Even if the Draytek could have been locked away, they could still connect to the cable patched through to Port1,.
Strict Bind looks to be doing the job in so far as any other device plugged in to P1 gets diddly squat (not even an IP) as expected, but has one odd side effect that caused an issue during setup. With Strict Bind enabled on P1 / LAN1 subnet for a particular device/MAC, that same device CANNOT then be used in P2 / P3 / P4 (LAN2) where there is no Strict Bind in place. However any other devices in P2 / P3 / P4 work as expected. Strict Bind appears to bleed through to the other Subnet.
I was a wee bit concerned as this was my first 2862 install and our network group were reporting some issues with this model and VOIP delays (firmware bug), but other than the Strict Bind bleed mentioned, seemed to go OK.
Cheers again
Mike
So ....
now back from site (2.5hrs in the end, including chasing down BT ADSL credentials and filter issues). System working and traffic routing successfully between BO and HO for our customer, with estate agents unable to traverse the tunnel from their VLAN / Subnet, but still has full internet access.
I originally looked at
They had no cabinet, but did have structured cabling through the building. Even if the Draytek could have been locked away, they could still connect to the cable patched through to Port1,.
Strict Bind looks to be doing the job in so far as any other device plugged in to P1 gets diddly squat (not even an IP) as expected, but has one odd side effect that caused an issue during setup. With Strict Bind enabled on P1 / LAN1 subnet for a particular device/MAC, that same device CANNOT then be used in P2 / P3 / P4 (LAN2) where there is no Strict Bind in place. However any other devices in P2 / P3 / P4 work as expected. Strict Bind appears to bleed through to the other Subnet.
I was a wee bit concerned as this was my first 2862 install and our network group were reporting some issues with this model and VOIP delays (firmware bug), but other than the Strict Bind bleed mentioned, seemed to go OK.
Cheers again
Mike
Please Log in or Create an account to join the conversation.
- hornbyp
- Offline
- Big Contributor
Less
More
- Posts: 1323
- Thank you received: 0
09 Mar 2018 11:34 #91012
by hornbyp
Yes, I suppose that's the case (though I'm a paranoid type and would still have the firewall rule in place)
Thinking about it, the answer is probably to configure Wired 802.1X authentication for that port. I've never used it in anger, but there's a guide here:
https://www.draytek.com/en/faq/faq-connectivity/connectivity.lan/how-to-do-port-based-access-control-by-wired-802.1x/
It might be my imagination, but I'm sure Strict BInd changes with every firmware release
Replied by hornbyp on topic Re: LAN - LAN VPN with Strict Bind
I originally looked atmikeybhoy wrote:
and took this to mean a subnet not explicitly listed would not route traffic and that seems to be the case here. https://www.draytek.com/en/faq/faq-vpn/vpn.lan-to-lan/how-to-access-more-subnet-on-remote-network/
Yes, I suppose that's the case (though I'm a paranoid type and would still have the firewall rule in place)
He also wrote:
They had no cabinet, but did have structured cabling through the building. Even if the Draytek could have been locked away, they could still connect to the cable patched through to Port1,.
Thinking about it, the answer is probably
and he wrote:
Strict Bind looks to be doing the job in so far as any other device plugged in to P1 gets diddly squat (not even an IP) as expected, but has one odd side effect that caused an issue during setup. ...
It might be my imagination, but I'm sure Strict BInd changes with every firmware release
Please Log in or Create an account to join the conversation.
- mikeybhoy
- Topic Author
- Offline
- New Member
Less
More
- Posts: 3
- Thank you received: 0
13 Mar 2018 16:14 #91062
by mikeybhoy
Replied by mikeybhoy on topic Re: LAN - LAN VPN with Strict Bind
802.1X does indeed look like it would have done the job, without the hassles involved with Strict Bind
I'll keep it in mind for the next time.
Cheers
Mike
I'll keep it in mind for the next time.
Cheers
Mike
Please Log in or Create an account to join the conversation.
Moderators: Sami
Copyright © 2024 DrayTek