Once again - VPN access to LAN only

mendoza_lt
Posts: 5
Joined: Fri Jul 05, 2024 8:37 pm

Once again - VPN access to LAN only

Post by mendoza_lt » Tue Sep 03, 2024 7:12 am

Good morning,

First of all, I'm not the biggest expert here, but I have some knowledge...

I have been searching this forum for a solution, found some information, but still cannot make it work the way I need...

And here's the situation:

Multiple IoT devices (via routers with SE Bridge installed) will be connected to the SE VPN server and will connect to different virtual hubs. Multiple clients will connect to those hubs for management of devices. I need to find a way to make clients only able to connect to their part - hubs, bridges, etc., which is done and works, but forbid connection to the internet through that connection, because the server is in the office, and then there will be a lot of internet traffic, and the office's IP will be used for their connections. Doing anything at the client side is not an option. Clients might connect from different networks randomly - home, office, coffee shop, gas station, mobile phone...

As I mentioned, I tried different stuff found here, in this forum...

I am using the SE virtual DHCP server.
First of all, I tried to empty the default gateway in the Secure NAT configuration - the client can connect to the VPN, gets an IP address from SE DHCP, but can't connect to VPN LAN devices.
NoInternet.png

Then I tried to use access lists.

First I made a rule that allows access to the real network.
lanallow.png
Then discard everything else:
NoInternet.png

After the last rule I was unable to get an IP from the SE DHCP server. The VPN Client shows Connected, but nothing is accessible (LAN, internet)...

Then I made this rule, just for a test: to allow traffic to SE NAT DHCP - that didn't help...

solo
Posts: 1433
Joined: Sun Feb 14, 2021 10:31 am

Re: Once again - VPN access to LAN only

Post by solo » Tue Sep 03, 2024 8:24 am

mendoza_lt wrote:
Tue Sep 03, 2024 7:12 am
I need to find a way to make clients only to be able to connect to their part - hubs, bridges, etc which is done and works, but forbid connection to the internet through that connection...

Remove those access rules and uncheck "Use Virtual NAT Function".

mendoza_lt
Posts: 5
Joined: Fri Jul 05, 2024 8:37 pm

Re: Once again - VPN access to LAN only

Post by mendoza_lt » Tue Sep 03, 2024 2:40 pm

I did. Now when I connect to the SE VPN server I get an IP from SE DHCP, and the client side (checked at whatismyip.com) shows the client IP, but I can't access the remote (server side) LAN. Tried with or without local bridge.
Screenshot 2024-09-03 163051.png

solo
Posts: 1433
Joined: Sun Feb 14, 2021 10:31 am

Re: Once again - VPN access to LAN only

Post by solo » Tue Sep 03, 2024 10:04 pm

I see. In SecureNAT:
- re-enable "Use Virtual NAT Function"
- ensure the default gateway is empty
- in "Edit the static routing table to push" enter the LAN's subnet

mendoza_lt
Posts: 5
Joined: Fri Jul 05, 2024 8:37 pm

Re: Once again - VPN access to LAN only

Post by mendoza_lt » Wed Sep 04, 2024 4:44 am

solo wrote:
Tue Sep 03, 2024 10:04 pm
I see. In SecureNAT:
- re-enable "Use Virtual NAT Function"
- ensure the default gateway is empty
- in "Edit the static routing table to push" enter the LAN's subnet

ip.png
I did, same - can't access the server side LAN. The only thing that works is to put the gateway back... but then I am back where I came from...

solo
Posts: 1433
Joined: Sun Feb 14, 2021 10:31 am

Re: Once again - VPN access to LAN only

Post by solo » Wed Sep 04, 2024 8:10 am

Incorrect, replace 192.168.88.1 with 192.168.39.1

mendoza_lt
Posts: 5
Joined: Fri Jul 05, 2024 8:37 pm

Re: Once again - VPN access to LAN only

Post by mendoza_lt » Wed Sep 04, 2024 2:24 pm

Awesome :) works as it should. Thank you very much for help :)
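
Added example, not part of the thread and not SoftEther code: a Python check of a pushed static routing table that flags the two mistakes this thread runs into, a gateway the VPN client cannot reach on-link and a default route that would pull internet traffic through the office. The `network/mask/gateway` entry format, the /24 masks and the role of each subnet are assumptions, since the thread only shows the two gateway addresses.

```python
import ipaddress

# Constructed values: the thread gives only the two gateway addresses, so the
# /24 masks and the role of each subnet are assumptions.
VPN_SUBNET = "192.168.39.0/24"                      # SecureNAT DHCP range
BEFORE = "192.168.88.0/255.255.255.0/192.168.88.1"  # gateway called incorrect
AFTER = "192.168.88.0/255.255.255.0/192.168.39.1"   # gateway after the fix


def parse_push_routes(text):
    """Parse comma-separated 'network/mask/gateway' entries (assumed format)."""
    routes = []
    for entry in filter(None, (e.strip() for e in text.split(","))):
        parts = entry.split("/")
        if len(parts) != 3:
            raise ValueError(f"malformed entry: {entry!r}")
        # strict=True rejects a network address with host bits set
        net = ipaddress.IPv4Network(f"{parts[0]}/{parts[1]}", strict=True)
        routes.append((net, ipaddress.IPv4Address(parts[2])))
    return routes


def check_routes(routes, vpn_subnet):
    """Return a list of problems; an empty list means the table is usable."""
    vpn = ipaddress.IPv4Network(vpn_subnet)
    problems = []
    for net, gw in routes:
        if net.prefixlen == 0:
            problems.append(f"{net}: default route sends internet traffic into the VPN")
        if gw not in vpn:
            problems.append(f"{net}: gateway {gw} is not on-link in {vpn}")
    return problems


def encode_rfc3442(routes):
    """Encode routes as RFC 3442 bytes: prefix length, significant octets, gateway."""
    out = bytearray()
    for net, gw in routes:
        out.append(net.prefixlen)
        out += net.network_address.packed[: (net.prefixlen + 7) // 8]
        out += gw.packed
    return bytes(out)


if __name__ == "__main__":
    for label, table in (("before", BEFORE), ("after", AFTER)):
        routes = parse_push_routes(table)
        print(label, check_routes(routes, VPN_SUBNET) or "ok", encode_rfc3442(routes).hex())
```

The RFC 3442 bytes are what a packet capture of the DHCP exchange on the client would show for a classless static route option, which gives a way to confirm the pushed table without touching client configuration.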
