restrict access limit internal IP of VPN

Post your questions about SoftEther VPN software here. Please answer questions if you can.
lucamuscas
Posts: 2
Joined: Thu Feb 09, 2017 6:42 pm

restrict access limit internal IP of VPN

Post by lucamuscas » Thu Feb 09, 2017 7:05 pm

Hi,
I want to limit the internal network IPs each user can see.
For example, I want the user to be able to see only the PC with IP 192.168.1.30.

I have tried with the access list, but I haven't found a solution.
In this forum I have read this:
"There is priority in the access list.

You may want to use the following priority.
1. Allow access to specific local IP
2. Allow return packets
3. Deny access to all local IP
4. Allow access to all IP"

(Attachments: fig4.jpg, fig3.jpg, fig2.jpg)

moatazelmasry
Posts: 336
Joined: Sat Aug 15, 2015 7:41 pm

Re: restrict access limit internal IP of VPN

Post by moatazelmasry » Thu Feb 09, 2017 10:30 pm

The priority just means the order in which those rules are probed (a smaller priority value will be tested first).

If you want to disable access to all PCs in 192.168.30.1/24 except the .1 PC, then allow destination 192.168.1.30 (Priority 1) as you did, then deny 192.168.1.30/24 (Priority 100 or so).

All traffic destined to 192.168.1.30 will be accepted; all traffic destined to other addresses in 192.168.1.30/24 will be denied.
Btw, 192.168.1.30/24 means the netmask is 255.255.255.0.

Cheers

lucamuscas
Posts: 2
Joined: Thu Feb 09, 2017 6:42 pm

Re: restrict access limit internal IP of VPN

Post by lucamuscas » Sat Feb 11, 2017 11:10 am

Thanks,
I have tried, but it still doesn't work.

Step 1
allow destination IP 192.168.1.30 / 255.255.255.255 priority 1 source name "utente 1"

Step 2
deny destination IP 192.168.1.30 / 255.255.255.0 priority 100 source name "utente 1"

Step 3
allow all source addresses and all destination addresses destination name "utente1"

I have modified only the access list, nothing else.
Where is my error? Thanks.

moatazelmasry
Posts: 336
Joined: Sat Aug 15, 2015 7:41 pm

Re: restrict access limit internal IP of VPN

Post by moatazelmasry » Tue Feb 14, 2017 12:08 am

Step3 is not needed.

Sorry, I made a mistake in my last answer. I meant deny all traffic to the rest of 192.168.1.1/24; precisely, the rule should look like:

deny destination IP 192.168.1.1 / 255.255.255.0 priority 100 source name "utente 1"

After applying this rule, do you see undesired behaviour? If yes, which IPs can you still access while you shouldn't?

thisjun
Posts: 2458
Joined: Mon Feb 24, 2014 11:03 am

Re: restrict access limit internal IP of VPN

Post by thisjun » Thu Mar 02, 2017 5:59 am

I think the error is caused by dropping DHCP requests.
Please try to allow DHCP packets.
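To make the priority ordering from this thread and thisjun's DHCP point concrete, here is an added example (not SoftEther's code, and not posted by anyone in the thread): a small first-match evaluator over the "utente 1" rules, fed with constructed sample packets. It assumes packets that match no rule are passed, and it models DHCP only as UDP to port 67.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    priority: int                       # lower numbers are tested first
    action: str                         # "pass" or "discard"
    dst_net: Optional[ipaddress.IPv4Network] = None  # None = any destination
    src_user: Optional[str] = None      # the "source name" field in the thread
    udp_dst_port: Optional[int] = None  # used here only to describe DHCP (UDP/67)

    def matches(self, pkt: dict) -> bool:
        if self.src_user is not None and pkt.get("user") != self.src_user:
            return False
        if self.dst_net is not None and ipaddress.ip_address(pkt["dst"]) not in self.dst_net:
            return False
        if self.udp_dst_port is not None and pkt.get("udp_dst_port") != self.udp_dst_port:
            return False
        return True

def net(addr: str, mask: str) -> ipaddress.IPv4Network:
    # strict=False applies the mask, so 192.168.1.30/255.255.255.0 and
    # 192.168.1.1/255.255.255.0 both normalise to the same network, 192.168.1.0/24
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

def evaluate(rules: list, pkt: dict, default: str = "pass") -> str:
    # First match in priority order wins; "pass" as the no-match default is an assumption.
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(pkt):
            return rule.action
    return default

# The two rules from the thread for user "utente 1".
THREAD_RULES = [
    Rule(1, "pass", net("192.168.1.30", "255.255.255.255"), "utente 1"),
    Rule(100, "discard", net("192.168.1.1", "255.255.255.0"), "utente 1"),
]
# thisjun's point: allow DHCP before the subnet deny, otherwise a unicast
# renewal to a DHCP server inside 192.168.1.0/24 is discarded by rule 100.
DHCP_RULE = Rule(50, "pass", None, "utente 1", udp_dst_port=67)

# Constructed sample packets, not captured traffic.
SAMPLES = {
    "to_allowed_host": {"user": "utente 1", "dst": "192.168.1.30"},
    "to_other_host": {"user": "utente 1", "dst": "192.168.1.40"},
    "dhcp_renew": {"user": "utente 1", "dst": "192.168.1.1", "udp_dst_port": 67},
    "other_user": {"user": "utente 2", "dst": "192.168.1.40"},
}

def decisions(rules: list) -> dict:
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLES.items()}
```

Compare `decisions(THREAD_RULES)` with `decisions(THREAD_RULES + [DHCP_RULE])`: only the DHCP renewal changes from discard to pass, while 192.168.1.40 stays blocked for "utente 1" and other users are untouched.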
