DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Block Management Access from VPN

19 May 2009 10:37 #1 by ranensol
Block Management Access from VPN was created by ranensol
I have a DrayTek v2950 connecting to a DrayTek v2910 using an IPsec LAN-to-LAN tunnel.

The IPs behind the v2950 are 192.168.1.x and those behind the v2910 172.168.20.x.

The v2950 is at a remote engineer's home and I have no access to that box, and the v2910 is at our office.

Basically we have some sensitive information 'behind' the v2910 in the office, so I've set the default filter rule to 'Block', ticked "Apply IP filter to VPN incoming packets", and then set up firewall rules within the v2910 to restrict access to the 172.168.20.x network accordingly (which all work fine).

The problem I have is I can't seem to block or restrict access to the v2910 configuration from the network behind the v2950 (i.e. the engineer's LAN) OR the network behind the v2910 (the office LAN).
So essentially if someone managed to crack or figure out the password they would be able to get into the v2910 and open up whatever ports they want.
I'm not as concerned about access from the office LAN as I have more control here, but it's the remote engineer's LAN behind the v2950 that's making me more than a little worried...

I've spoken to DrayTek support, but unfortunately despite their helpful replies we're no nearer to resolving this.

Is there anyone out there that's successfully set up anything like this before, or who can provide some suggestions?

Thanks

19 May 2009 17:35 #2 by louis-m
Replied by louis-m on topic Block Management Access from VPN
Doesn't the management access list work in this scenario?
E.g. only allow HTTPS access from 172.168.20.<management ip address>

2820 = 3.3.2_RC5
2950 = 3.2.4

20 May 2009 15:31 #3 by ranensol
Replied by ranensol on topic Block Management Access from VPN
Unfortunately no, that only applies to connections from the outside world :(

20 May 2009 17:10 #4 by louis-m
Replied by louis-m on topic Block Management Access from VPN
Well, there's an issue if I ever did see one! That needs sorting.

2820 = 3.3.2_RC5
2950 = 3.2.4

21 May 2009 10:49 #5 by ranensol
Replied by ranensol on topic Block Management Access from VPN
It did seem to be the most obvious place to restrict access, that's for sure :)

Failing that though, the firewall rules seemed the next best bet, but as they're only WAN -> LAN and LAN -> WAN, access to the DrayTek itself doesn't seem to be taken into account.

It just seems to be a loophole in the workings of an otherwise great piece of kit :(
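To make the gap concrete, here is a small policy model of the behaviour the thread describes (an added example, not code from the thread or from DrayTek): the forwarding firewall governs LAN/WAN/VPN transit traffic, while traffic addressed to the router's own management ports is gated only by the management access list, which applies to WAN sources alone. The router address, the admin host and the single pass rule are constructed assumptions; the audit function then shows which sources can still reach the web interface.

```python
"""Policy model of the management-plane gap described in the thread.

Forwarded traffic (LAN<->WAN, VPN<->LAN) goes through the firewall filter.
Traffic addressed to the router itself skips that filter; only the
management access list is consulted, and only for WAN sources.  All
addresses and rules below are constructed for illustration.
"""
import ipaddress

ROUTER_MGMT_IP = ipaddress.ip_address("172.168.20.1")  # assumed v2910 LAN address
MGMT_PORTS = {22, 23, 80, 443}                          # typical management services

# Management access list: only consulted for packets arriving on the WAN.
MGMT_ACL_WAN = [ipaddress.ip_network("203.0.113.10/32")]  # constructed admin host

# Forwarding firewall: default Block, also applied to VPN incoming packets.
# Each rule: (source network, destination network, port set or None, action)
FORWARD_RULES = [
    (ipaddress.ip_network("192.168.1.0/24"),
     ipaddress.ip_network("172.168.20.0/24"), {445}, "pass"),  # constructed rule
]
FORWARD_DEFAULT = "block"


def evaluate(src, dst, port, ingress):
    """Return 'pass' or 'block' for one packet.

    ingress is 'wan', 'lan' or 'vpn': the interface the packet arrives on.
    """
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    if dst == ROUTER_MGMT_IP and port in MGMT_PORTS:
        # Management-plane traffic: the forwarding filter is never consulted.
        if ingress == "wan":
            return "pass" if any(src in n for n in MGMT_ACL_WAN) else "block"
        return "pass"  # LAN and VPN sources are not filtered at all (the gap)
    for src_net, dst_net, ports, action in FORWARD_RULES:
        if src in src_net and dst in dst_net and (ports is None or port in ports):
            return action
    return FORWARD_DEFAULT


def audit_management_exposure(candidate_sources):
    """Return the (ip, ingress) pairs that can reach the router's HTTPS page."""
    return [(ip, ing) for ip, ing in candidate_sources
            if evaluate(ip, str(ROUTER_MGMT_IP), 443, ing) == "pass"]
```

Running the audit over the engineer's LAN, the office LAN and a stray WAN host shows the two internal sources reaching the login page while the WAN host is blocked, which is exactly the asymmetry the thread complains about.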

28 May 2009 15:27 #6 by rmccardal
Replied by rmccardal on topic Block Management Access from VPN
Oddly enough I have the complete opposite issue!

From any of our 15 VPN endpoints I cannot get to the 2950 web interface to configure! I am presented with the logon page, but all auth fails.

I have reported it to support, who said there would be a fix in the next release. 4 releases later and no fix.

Boo hiss.
