VPN Firewall to route between 2 VLANS?

Posted on 2008-11-02
Medium Priority
Last Modified: 2012-06-27
Hello, can anyone tell me if this is possible. As per the attached diagram I am after this kind of network where my routing provider (left side of cloud) connects to a VPN/Firewall device (it currently connects directly to the public vlan of the switch). The VPN/Firewall would be physically connected to each VLAN, so the different nodes on the VPN/Firewall device would have to have separate IPs (I think?)

Normally, I think, the uplink connects to a switch and a VPN device sits on the switch and would connect to a different switch for VPN traffic. I would like the firewall/vpn device to be first in that chain. The 2 staff VPN devices will create a VPN with the vpn/firewall device and route vpn traffic to the vpn/internal VLAN. All public traffic (non-vpn) gets routed to the public vlan on the same switch.

I'm really just trying to release the packet filtering burden from the switch and individual machines.

The public and VPN VLANS are on the same switch. VPN vlan nodes have internal non-routable IPs, the public nodes have public routable IPs. I only want to spend ~ £100-£150 on the VPN/Firewall device. Second-hand/ebay items are fine.

Just confirmation that there are devices which are capable of what I am asking for (in that price range), maybe even hinting at example devices, would be a great help.
Question by:Alcedema
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
LVL 18

Accepted Solution

deimark earned 2000 total points
ID: 22865343
IN short, from what I understand, its possible for you to do what you are looking for here.

Any small VPN device should do for this, but ones i have experience with are:

Check Point UTM-1 Edge
Juniper SSG5/SSG20/NS5GT

I also hear that draytek routers are also good for VPNs, but I am not too sure if you can get a decent bit of kit for the money you are looking at, however, ebay is probably the best option for the light in cash. :D

Each of which will offer full IPSEC functionality and also cater for the VLANs/multiple internal ports.

You are right as well, each inside connection on the firewall, will need to have its own IP for the public and VPN nets.  You can still do all your vlanning on the switches if you want, but the firewall will be doing the security.

Author Comment

ID: 22866465
Thanks, my main concern is the device knowing which port to send either VPN or normal (public) data.. that must be selectable.

I'll have a look at the Junipers and Drayteks to familiarise myself.
LVL 18

Expert Comment

ID: 22866603
I assume that your different VLAns have different subnets assigned?  If yes, then that will be how the firewall will decide where to send the traffic.

If its for the VPN net, it will route it through the VPN port, else it will use the public VLAN.

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!


Author Comment

ID: 22884197
Thanks, that's great. I'm looking at drayteks at the moment and just one thing concerns me. Even though you can vlan the lan ports, you still assign one "lan ip" to the vpn router (doesn't appear to be one per port, just one overall). Does this affect it in anyway, especially where that IP address may only be in one of the subnets and not the others.

LVL 18

Expert Comment

ID: 22887384
Not had a lot of experience on the drayteks, so someone else may be able to assist, however the Check Point Edge or smaller SSGs all do what you need with no fuss.

You should be able to pick up older NS5GTs on ebay quite cheaply, which although older, have the functionality you are looking for

Author Closing Comment

ID: 31512563
Great, thanks!

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Hello to you all, I hear of many people congratulate AWS (Amazon Web Services) on how easy it is to spin up and create new EC2 (Elastic Compute Cloud) instances, but then fail and struggle to connect to them using simple tools such as SSH (Secure…
AWS has developed and created its highly available global infrastructure allowing users to deploy and manage their estates all across the world through the use of the following geographical components   RegionsAvailability ZonesEdge Locations  Wh…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
Suggested Courses

741 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question