I am about to order the Routerboard RB951Ui-2HnD, but want to make sure I can use it for the purpose I want.
This routerboard has 5 ethernet ports: one of them will be connected to the DSL modem for the internet connection, the PoE ethernet port will be used for a VoIP phone, and the remaining ports, including the wifi, are meant for PCs and wireless devices.
Now the main question is: I only want to have the VPN (IPsec) connection for the PoE ethernet port to which the VoIP phone is connected. All the other ethernet ports need to use the local internet connection.
Is this possible?
The second question: can I limit access to the PoE ethernet port in a way that only the VoIP phone can use it, for example based on its MAC address? This is to ensure no PC is connected to this port to use the VPN.
Yes, both of the requirements you described can be implemented.
In the case of the local network for the first ports only, you just remove port 5 (the PoE one) from the switch group or bridge (whichever you're going to use). Then you create the VPN connection and bridge it with that PoE port.
In terms of limiting access for port 5, you can do it in different ways. The easiest one is to simply create a firewall rule to allow your phone's MAC address, so any other packet with a different source MAC address would be dropped.
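The approach in this answer (take the PoE port out of the LAN bridge, give it its own subnet, run the IPsec policy over that subnet only, and filter the port by MAC), written out as a RouterOS configuration. This is an added example and not the thread author's config. Everything in it is assumed for illustration: RouterOS 6.44 or later syntax, ether1 as the WAN port to the DSL modem, ether5 as the PoE port, an existing bridge named bridge-lan for ether2-ether4 and wlan1, 192.168.50.0/24 as the phone segment, a remote PBX subnet 10.0.0.0/24 behind an IPsec gateway at 203.0.113.10, and 00:11:22:33:44:55 as the phone's MAC. Replace these with your own values.

```routeros
# Added example, not from the original thread. All names, addresses, the PSK
# and the MAC below are placeholders.

# 1. Take the PoE port out of the LAN bridge so it becomes its own L3 segment,
#    separate from the PC/wifi bridge.
/interface bridge port remove [find interface=ether5]
/ip address add address=192.168.50.1/24 interface=ether5 comment="VoIP segment"

# 2. IPsec tunnel (IKEv2 with a pre-shared key). The policy's src-address is
#    the VoIP segment only, so the PC subnet is never selected for the tunnel.
/ip ipsec profile add name=voip-prof enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp2048
/ip ipsec peer add name=voip-peer address=203.0.113.10/32 exchange-mode=ike2 profile=voip-prof
/ip ipsec identity add peer=voip-peer auth-method=pre-shared-key secret="change-me-long-random-psk"
/ip ipsec proposal add name=voip-prop enc-algorithms=aes-256-cbc auth-algorithms=sha256 pfs-group=modp2048
/ip ipsec policy add peer=voip-peer tunnel=yes action=encrypt proposal=voip-prop \
    src-address=192.168.50.0/24 dst-address=10.0.0.0/24 comment="only VoIP -> PBX"

# 3. srcnat (masquerade) runs before the IPsec policy lookup. Without this
#    exemption the masqueraded packets no longer match the policy and the
#    phone's traffic would leave in clear text. place-before=0 puts it first.
/ip firewall nat add chain=srcnat src-address=192.168.50.0/24 dst-address=10.0.0.0/24 \
    action=accept place-before=0 comment="bypass NAT for IPsec"

# 4. Only the phone's MAC may send through ether5 (MAC-based filter from the
#    answer above). Applies both to forwarded traffic and to the router itself.
/ip firewall filter add chain=forward in-interface=ether5 src-mac-address=!00:11:22:33:44:55 action=drop
/ip firewall filter add chain=input   in-interface=ether5 src-mac-address=!00:11:22:33:44:55 action=drop

# 5. Traffic from ether5 may only leave through the tunnel; everything else
#    from that port (plain internet, the PC bridge) is dropped, and only
#    decrypted tunnel traffic may be forwarded back to the phone.
/ip firewall filter add chain=forward in-interface=ether5  ipsec-policy=out,ipsec action=accept
/ip firewall filter add chain=forward in-interface=ether5  action=drop comment="VoIP: no clear-text egress"
/ip firewall filter add chain=forward out-interface=ether5 ipsec-policy=in,ipsec action=accept
/ip firewall filter add chain=forward out-interface=ether5 action=drop comment="VoIP: tunnel-only ingress"

# Check: the policy must show as active (no "invalid" flag) and the SA must be
# established once the phone sends traffic.
/ip ipsec policy print
/ip ipsec installed-sa print
```

The filter rules are order-sensitive: they must sit above any generic "accept established/related" or "accept all from LAN" rules in the forward chain, otherwise those rules match first. The MAC filter in step 4 stops a casually plugged-in PC, but a MAC address is trivially cloned, so treat it as a convenience control rather than authentication; the tunnel-only rules in step 5 are what actually keep non-VoIP traffic out of the VPN.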
I'm not really sure what you are looking for with question one, but yes, that should be possible. You will likely need to use routing rules to get it to use the route, IP and interface you want.
For question 2, yes, that is very easy. Set the port's ARP option to reply-only, and in IP->ARP set the MAC and IP addresses of the devices you want to allow communication from.
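The ARP reply-only setup from this answer, as an added configuration example (not the thread author's). It assumes ether5 is the PoE port, already addressed as 192.168.50.1/24, and that the phone is 192.168.50.10 with MAC 00:11:22:33:44:55; both are placeholders. It also adds a one-address DHCP pool with a static lease so that no other client on the port is even handed an address.

```routeros
# Added example, not from the original thread. Addresses and MAC are placeholders.

# With arp=reply-only the router never learns dynamic ARP entries on this port
# and only answers ARP for hosts present in its static ARP table. A host that
# is not listed cannot resolve the gateway and gets no replies from it.
/interface ethernet set ether5 arp=reply-only
/ip arp add address=192.168.50.10 mac-address=00:11:22:33:44:55 interface=ether5 comment="VoIP phone"

# DHCP on the port: the pool contains exactly one address, reserved by a
# static lease for the phone's MAC, so any other client is refused a lease.
/ip pool add name=voip-pool ranges=192.168.50.10-192.168.50.10
/ip dhcp-server add name=voip-dhcp interface=ether5 address-pool=voip-pool disabled=no
/ip dhcp-server network add address=192.168.50.0/24 gateway=192.168.50.1
/ip dhcp-server lease add address=192.168.50.10 mac-address=00:11:22:33:44:55 server=voip-dhcp

# Check: the phone's entry must carry the static flag and no dynamic entries
# should ever appear for ether5, even while another device is plugged in.
/ip arp print where interface=ether5
```

Caveat: reply-only only governs what the router answers. A PC configured with a static IP in 192.168.50.0/24 and a manually added ARP entry for 192.168.50.1 (or a cloned phone MAC) still reaches the router, so this is an access-convenience control, not an authentication boundary; combine it with a firewall that restricts what the port may talk to.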
Thanks!
The reason for this is simple: only the VoIP traffic needs to go through the VPN, and for security reasons I don't want to allow other traffic to flow through the VPN. The PCs connected to the other ports can use the local internet. There is no need for them to access the VPN.
In my mind you would accomplish both things by simply putting the VoIP phone and its respective port on its own VLAN. Then you can isolate traffic to just that subnet. Then just establish your IPsec VPN tunnel to link to that subnet only. Should be easy peasy.
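The VLAN variant suggested in this post, as an added example rather than the poster's own configuration. It keeps all ports in one bridge and uses bridge VLAN filtering (RouterOS 6.41 and later) to put the PoE port alone into its own VLAN and subnet. Assumed for illustration: a bridge named bridge-lan holding ether2-ether5 and wlan1, VLAN 10 for the PCs and wifi on 192.168.10.0/24, VLAN 50 for VoIP on 192.168.50.0/24, and ether5 as the PoE port.

```routeros
# Added example, not from the original thread. Bridge name, VLAN IDs and
# subnets are placeholders.

# Access ports: untagged frames entering each port are assigned its PVID.
/interface bridge port set [find interface=ether2] pvid=10
/interface bridge port set [find interface=ether3] pvid=10
/interface bridge port set [find interface=ether4] pvid=10
/interface bridge port set [find interface=wlan1]  pvid=10
/interface bridge port set [find interface=ether5] pvid=50

# Bridge VLAN table: the bridge interface itself is the tagged member of each
# VLAN so the router can route for it; ether5 is the only member of VLAN 50.
/interface bridge vlan add bridge=bridge-lan vlan-ids=10 tagged=bridge-lan untagged=ether2,ether3,ether4,wlan1
/interface bridge vlan add bridge=bridge-lan vlan-ids=50 tagged=bridge-lan untagged=ether5

# One L3 interface and subnet per VLAN.
/interface vlan add name=vlan10-lan  interface=bridge-lan vlan-id=10
/interface vlan add name=vlan50-voip interface=bridge-lan vlan-id=50
/ip address add address=192.168.10.1/24 interface=vlan10-lan
/ip address add address=192.168.50.1/24 interface=vlan50-voip

# Turn filtering on last, after the VLAN table and addresses exist; enabling
# it first on a remote box drops your management session.
/interface bridge set bridge-lan vlan-filtering=yes

# Inter-VLAN isolation: the PC subnet and the VoIP subnet never see each other.
/ip firewall filter add chain=forward in-interface=vlan10-lan  out-interface=vlan50-voip action=drop
/ip firewall filter add chain=forward in-interface=vlan50-voip out-interface=vlan10-lan  action=drop

# Check: every port should show exactly one VLAN membership and the bridge
# should be tagged in both.
/interface bridge vlan print
```

With this layout the IPsec policy and the srcnat bypass are written with src-address=192.168.50.0/24, i.e. against the VoIP VLAN's subnet only, so the tunnel selector can never match PC traffic; the MAC or ARP restrictions on ether5 are then applied to the port exactly as in the single-port approach.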