DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

VPN and Vlan

11 Jun 2010 13:08 #1 by lectrician
I have a 2800 router at work and one at home, linked with an IPsec VPN.

All works well.

I have a lodger who wants internet access.

I can create a Vlan for him easily so he has internet access and no access to my home network, but how do I prevent him having access to the VPN'ed computers at my office?

Thanks in advance!


11 Jun 2010 15:25 #2 by voodle
Since it's just one IP address, you'd need to create a firewall rule that blocks the IP addresses of the other end of the VPN i.e.
Direction: LAN to WAN
Source IP: the IP you want to block - subnet is /32
Destination IP: 192.168.3.0 (your VPN's remote IP range goes here) - subnet is /24
Action: Block immediately

That should stop them from accessing any of those VPN addresses.


14 Jun 2010 15:33 #3 by lectrician
Thanks.

I have not set up advanced rules on the router before - do I put the rule in the DATA or CALL filter, or am I not meant to be putting it there?

My home local subnet is 192.168.4.0 /24
My remote office subnet is 192.168.3.0 /24

Sorry!

Actually, when I think of it, is there a way to stop all DHCP addresses having access, and only a single static (MAC bound) IP from having access to the VPN? There is nothing to stop the lodger from plugging in a second PC or laptop and receiving another DHCP IP.....

Cheers for the help.


14 Jun 2010 17:52 #4 by voodle
You'd put the rule in the default data filter; the call filter isn't for firewalling so much.
You can lock IPs to MAC addresses by using Bind IP to MAC under the LAN menu. Set it to Strict Bind and add your and their IP addresses to that list, and that'll stop them changing IP address.

You can separate them by making sure your IP address is outside of the DHCP pool, by changing the DHCP start IP and IP pool count so that they won't overlap, then you can set the source address of the firewall to just cover that range of IPs.


14 Jun 2010 20:50 #5 by lectrician
Sorry, I am trying to figure it out in my head.

I know how to set up the DHCP server range and bind IPs.

How do I specify in the firewall the IP range of the DHCP server to be blocked?

I must admit, this has gone a little over my head - I am OK with IPs, but the subnet ranges confuse me a tad.

I need to get this sorted for tomorrow, so will have to read up on subnets!

If you could point me a little closer that would be great!

Your advice is greatly received!


14 Jun 2010 21:08 #6 by voodle
Ah, I forgot the 2800 can only do subnets. The easiest way is to use something like this: http://www.subnet-calculator.com/
Change around the hosts-per-subnet amount and you'll see how you can limit it to specific ranges, although subnet is a slightly awkward way of doing it.

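The two pieces of advice in this thread, the LAN-to-WAN block rule in post #2 and the "align the DHCP pool to a subnet" trick in post #6, can be worked through without a web subnet calculator. The script below is an added example written for this page; it is not DrayTek firmware logic and not code from anyone in the thread. It uses the thread's real subnets (home 192.168.4.0/24, office 192.168.3.0/24) but the DHCP pool start, pool count and the owner's static address are constructed sample values, and the rule evaluator assumes simple first-matching-rule-wins semantics with a default pass, which is an assumption about the router rather than a documented fact.

```python
import ipaddress
from dataclasses import dataclass

# Subnets stated in the thread.
HOME_LAN = ipaddress.ip_network("192.168.4.0/24")
REMOTE_OFFICE = ipaddress.ip_network("192.168.3.0/24")


def dhcp_pool_subnets(start_ip: str, pool_count: int):
    """Minimal list of CIDR blocks that exactly cover start_ip .. start_ip + pool_count - 1.

    A firewall that only accepts subnet masks (as post #6 says of the 2800) needs one
    rule per block, so the fewer blocks the pool collapses into, the simpler the config.
    """
    start = ipaddress.ip_address(start_ip)
    end = start + (pool_count - 1)
    return list(ipaddress.summarize_address_range(start, end))


def static_is_outside_pool(static_ip: str, start_ip: str, pool_count: int) -> bool:
    """Post #4's precondition: the owner's static address must not fall inside the pool."""
    addr = ipaddress.ip_address(static_ip)
    return not any(addr in net for net in dhcp_pool_subnets(start_ip, pool_count))


@dataclass(frozen=True)
class Rule:
    # Direction is fixed to LAN-to-WAN here, as in post #2; only source/destination vary.
    source: ipaddress.IPv4Network
    destination: ipaddress.IPv4Network
    action: str  # "block" or "pass"


def build_block_rules(start_ip: str, pool_count: int, remote=REMOTE_OFFICE):
    """One 'Block immediately' rule per DHCP-pool block, destination = office subnet /24."""
    return [Rule(net, remote, "block") for net in dhcp_pool_subnets(start_ip, pool_count)]


def evaluate(rules, src_ip: str, dst_ip: str, default: str = "pass") -> str:
    """Assumed semantics: first rule whose source and destination both match decides;
    no match falls through to the default (pass)."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if src in rule.source and dst in rule.destination:
            return rule.action
    return default


if __name__ == "__main__":
    # Constructed sample: pool starts at .128 with 64 addresses, owner's static is .10.
    POOL_START, POOL_COUNT, OWNER_STATIC = "192.168.4.128", 64, "192.168.4.10"
    print("pool blocks:", [str(n) for n in dhcp_pool_subnets(POOL_START, POOL_COUNT)])
    print("static outside pool:", static_is_outside_pool(OWNER_STATIC, POOL_START, POOL_COUNT))
    rules = build_block_rules(POOL_START, POOL_COUNT)
    for src, dst in [("192.168.4.130", "192.168.3.20"),   # lodger -> office: block
                     (OWNER_STATIC, "192.168.3.20"),       # owner -> office: pass
                     ("192.168.4.130", "8.8.8.8")]:        # lodger -> internet: pass
        print(src, "->", dst, "=", evaluate(rules, src, dst))
    # An unaligned pool (start .100, count 50) needs six rules instead of one.
    print("unaligned pool blocks:", len(dhcp_pool_subnets("192.168.4.100", 50)))
```

Running it shows why voodle suggests adjusting "DHCP start IP and IP pool count": a pool of 64 addresses starting at 192.168.4.128 is exactly 192.168.4.128/26, so a single block rule covers every DHCP client, while a pool of 50 starting at .100 fragments into six blocks and six rules. Note that the rule only stops the lodger reaching the office subnet over the VPN; it relies on the strict IP-to-MAC binding from post #4 to keep the lodger inside the pool range in the first place.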