DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Limit VPN to one way only

19 Mar 2024 07:39 #1 by lesd
Limit VPN to one way only was created by lesd
I need to connect to a remote site where they are using Starlink. That service uses CGNAT, so the remote site has no public IP.

The idea is to connect via a VPN initiated from the remote site to my router (2862)

I have previously done this with a remote site that is our own, and have seen that network access via the VPN is available in both directions.

I can't find any setting where I can block the remote site from accessing my network.

I assume this is a job for my firewall, but I can't work out how to do this.

Les

19 Mar 2024 10:44 #2 by HodgesanDY
Replied by HodgesanDY on topic Re: Limit VPN to one way only
Hi LesD,

Will the VPN connection be ‘LAN-to-LAN’ or ‘Remote Dial-in User’?

19 Mar 2024 11:22 #3 by lesd
Replied by lesd on topic Re: Limit VPN to one way only
I'm not the one setting it up but I can influence what is done.

The connection needs to be permanent so I assume Lan to Lan is the way to go with me being the server and the far end the client.

Once connected, I need to restrict access to my network.

Les

19 Mar 2024 14:00 #4 by HodgesanDY
Replied by HodgesanDY on topic Re: Limit VPN to one way only
…yes, it is totally doable, with caveats.

Is this so that the remote network connecting to your router can use your public IP(s)? Or is it simply for them to be able to access a server on your local LAN?

The reason I ask is, you can do it a couple of different ways based on what you’re trying to achieve.

Personally, I would create a completely separate LAN(Subnet) for their connection and then deal with all possible routes, out and/or in, from there onwards.

Creating a separate LAN for them to connect to would immediately reduce the chance of them finding their way onto your native/personal LAN easily. This is simpler to set up for a ‘Remote Dial-in User’ but of course possible on a ‘LAN-to-LAN’ setup as well.

But yes, you can use the firewall to block access to your native LAN, or however many LANs you have locally. One simple straight-forward rule will achieve that.

The caveat is that there is currently no way of blocking access to the router’s GUI from their remote network over LAN-to-LAN. It is not actually possible to block that yet; it is ALWAYS accessible from the remote network. DrayTek have recently added a ‘WAN -> Localhost’ function in the firewall (of other models), but they haven’t added ‘LAN/DMZ/RT/VPN -> Localhost’ (or some derivative of that). This means the management access restrictions can only be applied to WAN (IPv4 & IPv6) and LAN, because these have been specifically catered for within the management setup page (WAN IPv4, WAN IPv6 & LAN), but they haven’t covered VPN. So even if you restrict access to the GUI for, say, LAN access, it won’t stop the LAN-to-LAN VPN network accessing it; madness, I know! I have tried to resolve this issue many times but have not yet found a solution.


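The "one simple rule" in the reply above (block the remote subnet from reaching LAN1 while Les can still open RDP towards the remote site) only works if the firewall tracks connection state, because the RDP replies travel remote-to-local too. The following is an added illustration written for this page, not DrayTek code and not from any poster in the thread; the addresses (192.168.1.0/24 as LAN1, 192.168.50.0/24 as the remote site) and the packet sequence are constructed, and the two filter classes are hypothetical models of a stateless and a stateful rule:

```python
import ipaddress
from dataclasses import dataclass

# Constructed, hypothetical addressing for the illustration: LAN1 at the
# "server" (2862) end and the remote site's LAN reached over the tunnel.
LOCAL_LAN = ipaddress.ip_network("192.168.1.0/24")
REMOTE_LAN = ipaddress.ip_network("192.168.50.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


def _forward(p: Packet) -> tuple:
    return (p.src, p.sport, p.dst, p.dport)


def _reverse(p: Packet) -> tuple:
    return (p.dst, p.dport, p.src, p.sport)


def _remote_to_local(p: Packet) -> bool:
    return (ipaddress.ip_address(p.src) in REMOTE_LAN
            and ipaddress.ip_address(p.dst) in LOCAL_LAN)


def _local_to_remote(p: Packet) -> bool:
    return (ipaddress.ip_address(p.src) in LOCAL_LAN
            and ipaddress.ip_address(p.dst) in REMOTE_LAN)


class StatelessFilter:
    """Packet-by-packet rule with no memory: drop anything remote -> local."""

    def verdict(self, p: Packet) -> str:
        return "drop" if _remote_to_local(p) else "accept"


class StatefulOneWayFilter:
    """Same policy, but replies to sessions opened from LAN1 are let back in."""

    def __init__(self) -> None:
        self.sessions: set = set()

    def verdict(self, p: Packet) -> str:
        # Packets belonging to a session opened from LAN1 pass in either direction.
        if _forward(p) in self.sessions or _reverse(p) in self.sessions:
            return "accept"
        # New connections from the remote LAN into LAN1 are what must be stopped.
        if _remote_to_local(p):
            return "drop"
        # New connections from LAN1 to the remote site create state and pass.
        if _local_to_remote(p):
            self.sessions.add(_forward(p))
        return "accept"


def run_scenario(filter_cls) -> dict:
    """Replay a constructed packet sequence and return each packet's verdict."""
    fw = filter_cls()
    packets = [
        # A PC on LAN1 opens RDP to the remote server.
        ("rdp_syn", Packet("192.168.1.10", "192.168.50.20", 50123, 3389)),
        # The remote server's reply within that session.
        ("rdp_reply", Packet("192.168.50.20", "192.168.1.10", 3389, 50123)),
        # A host at the remote site tries to reach an SMB share on LAN1.
        ("remote_probe", Packet("192.168.50.20", "192.168.1.10", 44000, 445)),
    ]
    return {name: fw.verdict(p) for name, p in packets}


if __name__ == "__main__":
    for cls in (StatelessFilter, StatefulOneWayFilter):
        print(cls.__name__, run_scenario(cls))
```

The stateless rule drops the RDP reply along with the probe, so the session Les wants would hang; the stateful rule accepts the reply and still drops the unsolicited connection into LAN1. The model covers hosts on LAN1 only: as the reply above notes, the router's own management interface is not covered by such a rule on the LAN-to-LAN path.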
19 Mar 2024 14:43 #5 by lesd
Replied by lesd on topic Re: Limit VPN to one way only
Thank you for those extensive details.

First, just to clarify, the purpose of the connection is for me to access the remote server so I can open an RDP session to the remote end.

On the other hand, the VPN connection has to be initiated at the remote end for the simple reason that the remote end has no public IP.

From a first read I do not yet fully understand what you have written, so at this point I just have one question.

Is it correct, that if I have the option, it would be beneficial to use the Remote Dial-in option rather than Lan to Lan?

Les

19 Mar 2024 14:53 #6 by lesd
Replied by lesd on topic Re: Limit VPN to one way only
I have never strayed beyond LAN1, so I have been looking at setting up LAN2.

Looks like I have to go to the VLAN page and enable that. Then what? Tick P1 to P4 for subnet LAN2? Or tick just one of them?

Will having set up a LAN2 with a different subnet, allow me, with a PC linked to LAN1, to access the VPN linked to LAN2?

Or will I have to physically plug my PC into the port linked to LAN2?

Les
