VPN Firewall to route between 2 VLANS?

Posted on 2008-11-02
Last Modified: 2012-06-27
Hello, can anyone tell me if this is possible. As per the attached diagram I am after this kind of network where my routing provider (left side of cloud) connects to a VPN/Firewall device (it currently connects directly to the public vlan of the switch). The VPN/Firewall would be physically connected to each VLAN, so the different nodes on the VPN/Firewall device would have to have separate IPs (I think?)

Normally, I think, the uplink connects to a switch and a VPN device sits on the switch and would connect to a different switch for VPN traffic. I would like the firewall/vpn device to be first in that chain. The 2 staff VPN devices will create a VPN with the vpn/firewall device and route vpn traffic to the vpn/internal VLAN. All public traffic (non-vpn) gets routed to the public vlan on the same switch.

I'm really just trying to release the packet filtering burden from the switch and individual machines.

The public and VPN VLANS are on the same switch. VPN vlan nodes have internal non-routable IPs, the public nodes have public routable IPs. I only want to spend ~ £100-£150 on the VPN/Firewall device. Second-hand/ebay items are fine.

Just confirmation that there are devices which are capable of what I am asking for (in that price range), maybe even hinting at example devices, would be a great help.
Question by:Alcedema
  • 3
  • 3
LVL 18

Accepted Solution

deimark earned 500 total points
ID: 22865343
IN short, from what I understand, its possible for you to do what you are looking for here.

Any small VPN device should do for this, but ones i have experience with are:

Check Point UTM-1 Edge
Juniper SSG5/SSG20/NS5GT

I also hear that draytek routers are also good for VPNs, but I am not too sure if you can get a decent bit of kit for the money you are looking at, however, ebay is probably the best option for the light in cash. :D

Each of which will offer full IPSEC functionality and also cater for the VLANs/multiple internal ports.

You are right as well, each inside connection on the firewall, will need to have its own IP for the public and VPN nets.  You can still do all your vlanning on the switches if you want, but the firewall will be doing the security.

Author Comment

ID: 22866465
Thanks, my main concern is the device knowing which port to send either VPN or normal (public) data.. that must be selectable.

I'll have a look at the Junipers and Drayteks to familiarise myself.
LVL 18

Expert Comment

ID: 22866603
I assume that your different VLAns have different subnets assigned?  If yes, then that will be how the firewall will decide where to send the traffic.

If its for the VPN net, it will route it through the VPN port, else it will use the public VLAN.

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.


Author Comment

ID: 22884197
Thanks, that's great. I'm looking at drayteks at the moment and just one thing concerns me. Even though you can vlan the lan ports, you still assign one "lan ip" to the vpn router (doesn't appear to be one per port, just one overall). Does this affect it in anyway, especially where that IP address may only be in one of the subnets and not the others.

LVL 18

Expert Comment

ID: 22887384
Not had a lot of experience on the drayteks, so someone else may be able to assist, however the Check Point Edge or smaller SSGs all do what you need with no fuss.

You should be able to pick up older NS5GTs on ebay quite cheaply, which although older, have the functionality you are looking for

Author Closing Comment

ID: 31512563
Great, thanks!

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
fabric 1 32
Anyconnect landing page login failed 2 27
BGP prefix and routing 3 61
Network setup between buildings 4 23
Security is one of the biggest concerns when moving and migrating your data from your on-premise location to the Public Cloud.  Where is your data? Who can access it? Will it be safe from accidental deletion?  All of these questions and more are imp…
Data center, now-a-days, is referred as the home of all the advanced technologies. In-fact, most of the businesses are now establishing their entire organizational structure around the IT capabilities.
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question