VPN Firewall to route between 2 VLANS?

Posted on 2008-11-02
Last Modified: 2012-06-27
Hello, can anyone tell me if this is possible. As per the attached diagram I am after this kind of network where my routing provider (left side of cloud) connects to a VPN/Firewall device (it currently connects directly to the public vlan of the switch). The VPN/Firewall would be physically connected to each VLAN, so the different nodes on the VPN/Firewall device would have to have separate IPs (I think?)

Normally, I think, the uplink connects to a switch and a VPN device sits on the switch and would connect to a different switch for VPN traffic. I would like the firewall/vpn device to be first in that chain. The 2 staff VPN devices will create a VPN with the vpn/firewall device and route vpn traffic to the vpn/internal VLAN. All public traffic (non-vpn) gets routed to the public vlan on the same switch.

I'm really just trying to release the packet filtering burden from the switch and individual machines.

The public and VPN VLANS are on the same switch. VPN vlan nodes have internal non-routable IPs, the public nodes have public routable IPs. I only want to spend ~ £100-£150 on the VPN/Firewall device. Second-hand/ebay items are fine.

Just confirmation that there are devices which are capable of what I am asking for (in that price range), maybe even hinting at example devices, would be a great help.
Question by:Alcedema
  • 3
  • 3
LVL 18

Accepted Solution

deimark earned 500 total points
ID: 22865343
IN short, from what I understand, its possible for you to do what you are looking for here.

Any small VPN device should do for this, but ones i have experience with are:

Check Point UTM-1 Edge
Juniper SSG5/SSG20/NS5GT

I also hear that draytek routers are also good for VPNs, but I am not too sure if you can get a decent bit of kit for the money you are looking at, however, ebay is probably the best option for the light in cash. :D

Each of which will offer full IPSEC functionality and also cater for the VLANs/multiple internal ports.

You are right as well, each inside connection on the firewall, will need to have its own IP for the public and VPN nets.  You can still do all your vlanning on the switches if you want, but the firewall will be doing the security.

Author Comment

ID: 22866465
Thanks, my main concern is the device knowing which port to send either VPN or normal (public) data.. that must be selectable.

I'll have a look at the Junipers and Drayteks to familiarise myself.
LVL 18

Expert Comment

ID: 22866603
I assume that your different VLAns have different subnets assigned?  If yes, then that will be how the firewall will decide where to send the traffic.

If its for the VPN net, it will route it through the VPN port, else it will use the public VLAN.

Manage your data center from practically anywhere

The KN8164V features HD resolution of 1920 x 1200, FIPS 140-2 with level 1 security standards and virtual media transmissions at twice the speed. Built for reliability, the KN series provides local console and remote over IP access, ensuring 24/7 availability to all servers.


Author Comment

ID: 22884197
Thanks, that's great. I'm looking at drayteks at the moment and just one thing concerns me. Even though you can vlan the lan ports, you still assign one "lan ip" to the vpn router (doesn't appear to be one per port, just one overall). Does this affect it in anyway, especially where that IP address may only be in one of the subnets and not the others.

LVL 18

Expert Comment

ID: 22887384
Not had a lot of experience on the drayteks, so someone else may be able to assist, however the Check Point Edge or smaller SSGs all do what you need with no fuss.

You should be able to pick up older NS5GTs on ebay quite cheaply, which although older, have the functionality you are looking for

Author Closing Comment

ID: 31512563
Great, thanks!

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
SSG50 Firewall Rules 17 43
Auto-launch VPN via Wifi 7 64
ASA5510 Blocking a Wanted Website/Host 9 46
BGP recommended setup with failover 2 85
Hello to you all, I hear of many people congratulate AWS (Amazon Web Services) on how easy it is to spin up and create new EC2 (Elastic Compute Cloud) instances, but then fail and struggle to connect to them using simple tools such as SSH (Secure…
Let’s list some of the technologies that enable smooth teleworking. 
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

685 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question