Site-to-Site VPN between 2 Golds
Hi,
I've set up a site-to-site VPN between 2 FWGs. Each site has a LAN and an IoT network. After setting up the VPN on each FWG, the tunnel is great, no issue. But I only want the LAN devices at each site to be able to use the tunnel, not the IoT devices. So I "applied" the LAN devices on each network to the site-to-site VPN configurations. However, the IoT devices on Site A are able to ping the LAN devices on Site B, and vice versa. The fix I put in was a block on the IoT network in Site A from accessing the LAN network on Site B, and vice versa. But shouldn't applying only the LAN devices to the VPN config have blocked IoT access automatically?
thanks
-
Which site did you use for VPN Server and which site did you use as VPN Client to initiate the site-to-site VPN connection?
- For now, you should only be able to apply "VPN" on the VPN Client side, not the Server side. Any device/network on the client side with VPN enabled should be able to access all subnets on the server side (firewall allow rules are automatically created). The IoT network on the client side should not be able to access the networks on the server side.
- Unless you have set up two site-to-site VPN connections, with each side as a VPN Server separately. That's going to make it complicated. Please confirm.
-
I've set up 2 site-to-site connections, each side being a server. I did it this way thinking that by applying the VPN to the LAN devices at each site, only those devices would be able to use the tunnel. The first scenario you mention (one VPN connection from the client side) only allowed the LAN devices to access the LAN devices on the server side, but the LAN devices from the server side couldn't see the LAN devices on the client side. What's your suggestion for what I want to do (only the LAN devices should have access to the site-to-site tunnel)?
-
Here is my suggestion:
1. Set up a site-to-site connection from site A to site B (site A as client, and site B as server). You could just turn off the other site-to-site connection from the app.
2. In site A, apply the VPN connection to LAN devices only.
3. In site B, create a blocking rule to block IoT devices from accessing the subnets of site A. (The subnets of site A are the target of the rule, and it is applied on IoT devices.)
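The asymmetry behind the three steps above (the client side decides which of its networks are routed into the tunnel; the server side has to block explicitly) is easier to reason about as a flow check. The following is an added example, not Firewalla code and not posted by anyone in this thread: it models the behaviour the suggestion describes, with constructed subnets (the addresses are assumptions, the thread never gives them) and the assumption that a client subnet without the VPN applied is neither routed into the tunnel nor reachable from the server side. The reporter's later reply says the real setup did not behave this way for them, so treat this as the intended policy, not a test of the product.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed topology; the address ranges are assumptions for illustration.
SUBNETS = {
    "siteA_lan": ipaddress.ip_network("192.168.10.0/24"),
    "siteA_iot": ipaddress.ip_network("192.168.11.0/24"),
    "siteB_lan": ipaddress.ip_network("192.168.20.0/24"),
    "siteB_iot": ipaddress.ip_network("192.168.21.0/24"),
}
SITE_OF = {name: name[:5] for name in SUBNETS}  # "siteA" / "siteB"


@dataclass
class Rule:
    action: str   # "block" or "allow"; first match wins
    src: str      # subnet name the rule is applied on
    dst: str      # target subnet name


@dataclass
class Site:
    name: str
    role: str                                       # "client" or "server"
    vpn_applied: set = field(default_factory=set)   # client-side subnets with VPN applied
    rules: list = field(default_factory=list)       # explicit firewall rules on this site


def subnet_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in SUBNETS.items():
        if addr in net:
            return name
    raise ValueError(f"{ip} is not in any known subnet")


def tunnel_subnets(sites):
    """Subnets that exist inside the tunnel: every server-side subnet, plus only
    the client subnets that have the VPN applied (assumed model)."""
    inside = set()
    for site in sites.values():
        for name in SUBNETS:
            if SITE_OF[name] != site.name:
                continue
            if site.role == "server" or name in site.vpn_applied:
                inside.add(name)
    return inside


def check_flow(src_ip, dst_ip, sites):
    """Decide whether a flow initiated from src_ip toward dst_ip crosses the tunnel."""
    src, dst = subnet_of(src_ip), subnet_of(dst_ip)
    if SITE_OF[src] == SITE_OF[dst]:
        return "local"
    inside = tunnel_subnets(sites)
    # Routing: a subnet outside the tunnel can neither send into it nor be reached through it.
    if src not in inside:
        return "deny: source not routed into tunnel"
    if dst not in inside:
        return "deny: destination not reachable via tunnel"
    # Firewall: an explicit rule on either site wins over the auto-created allow.
    for site in (sites[SITE_OF[src]], sites[SITE_OF[dst]]):
        for r in site.rules:
            if r.src == src and r.dst == dst:
                return f"{r.action}: rule on {site.name}"
    return "allow: auto-created tunnel rule"


def build_suggested_config():
    """Steps 1-3 of the suggestion: A is client with VPN on LAN only,
    B is server with a block from IoT to both site A subnets."""
    site_a = Site("siteA", "client", vpn_applied={"siteA_lan"})
    site_b = Site("siteB", "server", rules=[
        Rule("block", "siteB_iot", "siteA_lan"),
        Rule("block", "siteB_iot", "siteA_iot"),
    ])
    return {"siteA": site_a, "siteB": site_b}


if __name__ == "__main__":
    sites = build_suggested_config()
    for s, d in [("192.168.10.5", "192.168.20.5"),   # A LAN -> B LAN
                 ("192.168.11.5", "192.168.20.5"),   # A IoT -> B LAN
                 ("192.168.20.5", "192.168.10.5"),   # B LAN -> A LAN
                 ("192.168.21.5", "192.168.10.5"),   # B IoT -> A LAN
                 ("192.168.20.5", "192.168.11.5")]:  # B LAN -> A IoT
        print(f"{s} -> {d}: {check_flow(s, d, sites)}")
```

The point the model makes explicit: the client-side "apply VPN" choice already keeps site A's IoT out of the tunnel in both directions, but nothing on the server side distinguishes LAN from IoT, so site B's IoT reaches site A's LAN unless step 3 blocks it.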
-
I removed both VPN configs and started over. Followed your steps. Right off the bat, the LAN devices on Site B can't access the LAN devices on Site A. Also, with my original config, the OpenVPN and WireGuard clients into Site A could access the LAN devices on Site B. They can't anymore.
-
Can you please send an email to help@firewalla.com so that we can do further troubleshooting?