VPN Firewall to route between 2 VLANS?

Posted on 2008-11-02
Last Modified: 2012-06-27
Hello, can anyone tell me if this is possible. As per the attached diagram I am after this kind of network where my routing provider (left side of cloud) connects to a VPN/Firewall device (it currently connects directly to the public vlan of the switch). The VPN/Firewall would be physically connected to each VLAN, so the different nodes on the VPN/Firewall device would have to have separate IPs (I think?)

Normally, I think, the uplink connects to a switch and a VPN device sits on the switch and would connect to a different switch for VPN traffic. I would like the firewall/vpn device to be first in that chain. The 2 staff VPN devices will create a VPN with the vpn/firewall device and route vpn traffic to the vpn/internal VLAN. All public traffic (non-vpn) gets routed to the public vlan on the same switch.

I'm really just trying to release the packet filtering burden from the switch and individual machines.

The public and VPN VLANS are on the same switch. VPN vlan nodes have internal non-routable IPs, the public nodes have public routable IPs. I only want to spend ~ £100-£150 on the VPN/Firewall device. Second-hand/ebay items are fine.

Just confirmation that there are devices which are capable of what I am asking for (in that price range), maybe even hinting at example devices, would be a great help.
Question by:Alcedema
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
LVL 18

Accepted Solution

deimark earned 500 total points
ID: 22865343
IN short, from what I understand, its possible for you to do what you are looking for here.

Any small VPN device should do for this, but ones i have experience with are:

Check Point UTM-1 Edge
Juniper SSG5/SSG20/NS5GT

I also hear that draytek routers are also good for VPNs, but I am not too sure if you can get a decent bit of kit for the money you are looking at, however, ebay is probably the best option for the light in cash. :D

Each of which will offer full IPSEC functionality and also cater for the VLANs/multiple internal ports.

You are right as well, each inside connection on the firewall, will need to have its own IP for the public and VPN nets.  You can still do all your vlanning on the switches if you want, but the firewall will be doing the security.

Author Comment

ID: 22866465
Thanks, my main concern is the device knowing which port to send either VPN or normal (public) data.. that must be selectable.

I'll have a look at the Junipers and Drayteks to familiarise myself.
LVL 18

Expert Comment

ID: 22866603
I assume that your different VLAns have different subnets assigned?  If yes, then that will be how the firewall will decide where to send the traffic.

If its for the VPN net, it will route it through the VPN port, else it will use the public VLAN.

How to Defend Against the WCry Ransomware Attack

On May 12, 2017, an extremely virulent ransomware variant named WCry 2.0 began to infect organizations. Within several hours, over 75,000 victims were reported in 90+ countries. Learn more from our research team about this threat & how to protect your organization!


Author Comment

ID: 22884197
Thanks, that's great. I'm looking at drayteks at the moment and just one thing concerns me. Even though you can vlan the lan ports, you still assign one "lan ip" to the vpn router (doesn't appear to be one per port, just one overall). Does this affect it in anyway, especially where that IP address may only be in one of the subnets and not the others.

LVL 18

Expert Comment

ID: 22887384
Not had a lot of experience on the drayteks, so someone else may be able to assist, however the Check Point Edge or smaller SSGs all do what you need with no fuss.

You should be able to pick up older NS5GTs on ebay quite cheaply, which although older, have the functionality you are looking for

Author Closing Comment

ID: 31512563
Great, thanks!

Featured Post

Are You Ransomware's Next Victim?

Worried about ransomware attacks hitting your organization?  The good news is that these attacks are predicable and therefore preventable. Learn more about how you can  stop a ransomware attacks before encryption takes place with WatchGuard Total Security!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Data center, now-a-days, is referred as the home of all the advanced technologies. In-fact, most of the businesses are now establishing their entire organizational structure around the IT capabilities.
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…

737 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question