[NEBULA] Can I isolate external VPN L2TP connections to port group 2 only?

GadgetryTech

I have a secure box on my network that other developers need to remotely access.  I do not want them to be able to see anything on my home network.  If they were using the Nebula VPN feature on my NSG 100,  can I make it so they only see the server(s) on an isolated network?

I know other options are bypassing the Nebula VPN service and just open a single port, then deploy a VM running a VPN service on it's own subnet.  I just like the hardware feature built in to the NSG and its performance.  Thanks!

Zyxel_Chris

Hello @GadgetryTech
I assume the L2TP pool subnet is 192.168.145.0/24 and your home network subnet is 192.168.41.0/24 then you can set the firewall rule as below.


If your sever is also in subnet 41.0/24 for instance 192.168.41.100 then you can put another firewall rule at first priority and allow it.


/Chris

RUnglaube

I believe using the outbound rules will do just fine, but I guess you first need to create a rule that allows access from the VPN network to servers network, and then another rule bellow that blocks other traffic from the VPN network to any.

Zyxel_Chris

Hello @GadgetryTech
I assume the L2TP pool subnet is 192.168.145.0/24 and your home network subnet is 192.168.41.0/24 then you can set the firewall rule as below.


If your sever is also in subnet 41.0/24 for instance 192.168.41.100 then you can put another firewall rule at first priority and allow it.


/Chris

GadgetryTech

Thanks Chris!  Finally got around to testing this out.  VPN traffic is isolated to Port group 2 on the gateway.  Any traffic on port group 2 cannot hit my local/home network, but I can still establish sessions from my home network to VMs on port group 2 without any issues.  Works like a charm!