DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Restrict lan-lan internet to a set IP range

11 Jul 2021 15:51 #1 by timo_w2s
I have a Vigor 2865ac (dial in - local IP 192.168.2.1) and Vigor 2860n (dial out - local IP 192.168.10.1) for a LAN-LAN connection using L2TP over IPsec. At the moment, every device connected to the remote 2860n gets its external internet from the 2865ac. Is there a way to limit the 2860n so that only a set of local IP ranges use the VPN connection and the rest of the traffic goes out over the local internet connection?

I would like to do a similar thing with a remote Vigor 2620Ln too if possible.

12 Jul 2021 11:50 #2 by timo_w2s
I was thinking this might be something to do with subnet masks in the VPN LAN to LAN setup section, but I'm still not really getting anywhere, as all I managed to do was block access to some of the main site's IP ranges, but it was still routing all external internet access through the VPN.

This is an example of what I'm trying to achieve:

Main site is using 192.168.2.1 for the 2865ac router and all other devices are assigned to the range 192.168.2.2 - 192.168.2.254 and all internet goes out via the local ISP as normal. That's working as it should.

The remote site is using 192.168.10.1 for the 2860n router and is using L2TP IPsec to dial in to the main site using the LAN to LAN connection settings. Currently, every device can use the 192.168.10.2 - 192.168.10.254 range and all traffic is routed through to the main site and uses the main site's ISP for external internet.

I would like to just use a smaller range on the remote site for VPN to the main site and keep the rest of the network on the local side only using the local ISP. So, for example, have 192.168.10.2 - 192.168.10.200 for local use only and use 192.168.10.201 - 192.168.10.254 for VPN to the main site, with access to the main site's devices in the 192.168.2.2 - 192.168.2.254 range and external internet access from the main site. The idea would be to keep the DHCP range away from the VPN IP addresses and manually assign an IP address to specific devices that needed VPN access.
