I need to restrict SOME VPN clients from accessing parts of my internal LAN.
Specifically I want SOME VPN clients to be able to access my entire network, whilst others are restricted to accessing JUST the 10.1.7.0 (VLAN7) network. Internally every network can see every LAN / VLAN.
10.1.2.0 (VLAN2) - Servers (static)
10.1.3.0 (VLAN3) - WiFi (APs = static / clients DHCP)
10.1.4.0 (VLAN4) - Workstations (DHCP)
10.1.5.0 (VLAN5) - Telephones (DHCP)
10.1.6.0 - VPN Clients (static or DHCP) <<- need SOME of these clients to ONLY be able to access the 10.1.7.0 (storage) network; they must not be able to see anything else (including the internet).
10.1.7.0 (VLAN7) - Storage (static)
10.1.8.0 (VLAN8) - LAN Infrastructure / Switches (static)
10.1.9.0 - Remote Office A (via IPsec EoIP tunnel)
10.1.10.0 - Remote Office B (via IPsec EoIP tunnel)
10.1.11.0 - Remote Office B (via IPsec EoIP tunnel)
At the moment I just have a single NAT rule: Src Address = 10.1.0.0/16 - Dst Address = 10.1.0.0/16 - Action = accept. Would this be best achieved using NAT, or would it be better to do something clever with the route tables? What is the best approach?
Keith
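One way to express the restriction described in the question as forward-chain firewall filter rules. This is an added example, not configuration from the original post. It assumes the router is MikroTik RouterOS (the "Src Address / Dst Address / Action" wording of the existing NAT rule suggests it), that the restricted clients can be identified by a fixed VPN address, and it uses placeholder client addresses 10.1.6.50 and 10.1.6.51, the address-list name vpn-storage-only and the log prefix vpn-restricted-drop, none of which appear in the post.

```routeros
# Added example (not from the original post). Assumes MikroTik RouterOS syntax,
# VPN clients in 10.1.6.0/24 and storage in 10.1.7.0/24.
# The client addresses below are placeholders.

# 1. Tag the VPN clients that should only reach storage.
/ip firewall address-list
add list=vpn-storage-only address=10.1.6.50 comment="restricted VPN client A (placeholder)"
add list=vpn-storage-only address=10.1.6.51 comment="restricted VPN client B (placeholder)"

# 2. Forward-chain filter rules. RouterOS evaluates rules top-down and the first
#    match wins, so these must sit above any general "accept 10.1.0.0/16" rule.
/ip firewall filter
# Keep established/related flows working so replies from storage are not dropped.
add chain=forward connection-state=established,related action=accept \
    comment="allow existing flows"
# Restricted VPN clients may open connections to the storage VLAN only.
add chain=forward src-address-list=vpn-storage-only dst-address=10.1.7.0/24 \
    action=accept comment="restricted VPN -> storage"
# Anything else from a restricted client (other VLANs, remote offices, internet)
# is logged, so misconfigured or misbehaving clients are visible, and dropped.
add chain=forward src-address-list=vpn-storage-only action=drop log=yes \
    log-prefix="vpn-restricted-drop" comment="restricted VPN -> anything else"
# VPN clients not on the list fall through to the existing rules and keep full access.
```

The restriction only holds if the address list reliably matches the right clients, so the restricted users need a fixed VPN address (for example a per-user remote address in their PPP secret) rather than one drawn from a shared pool; if the VPN hands out dynamic addresses, a separate pool for the restricted users and a /24 or smaller range in the address list achieves the same thing. Verify the rules with `/ip firewall filter print stats` (the accept and drop counters should move only for the restricted clients) and watch `/log print where message~"vpn-restricted-drop"` for anything those clients attempt outside 10.1.7.0/24. Filtering in the forward chain does not need NAT or separate routing tables: the existing accept NAT rule can stay, and routing remains unchanged for everyone else.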