
SSL VPN - w/o local access

Hi All,

UTM 9.414-2 Home License.

I use SSL VPN to provide secure access to the home network and external browsing.  Some of my kids are away from home now and I want to continue to provide the SSL tunnel for them but don't want them to have access to the local network (Who knows where those devices have been...;) 

The SSL Access Profile provides for allowed networks, but not denied networks.  

So the question is, how do I setup a profile to allow access to "the world" but not my local network?

Am I missing something stupid simple here?

Thanks in advance.
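Since the SSL VPN profile only accepts *allowed* networks, the "everything except my LAN" rule can be expressed as the complement: the set of CIDR blocks that together cover the whole IPv4 space with the local network cut out, each of which is then added as an allowed network. The following script computes that list. It is an added example and not part of this thread or of Sophos UTM; the network values (192.168.1.0/24 for the LAN, 10.0.0.0/8 as a second range to exclude) are constructed placeholders, and the function names are hypothetical. It goes slightly beyond the question by accepting several ranges to exclude at once.

```python
import ipaddress

# Constructed sample values (not from the thread): the home LAN behind the
# UTM and the whole IPv4 Internet. Substitute your own local network.
LOCAL_NETWORK = "192.168.1.0/24"
INTERNET = "0.0.0.0/0"


def allowed_networks(excluded, everything=INTERNET):
    """Return sorted CIDR blocks covering `everything` minus every `excluded` net.

    The SSL VPN profile only takes *allowed* networks, so "everything except
    the LAN" has to be spelled out as the complement: the blocks that together
    cover the address space with the excluded ranges carved out.
    """
    remaining = [ipaddress.ip_network(everything)]
    for ex in excluded:
        ex = ipaddress.ip_network(ex)
        kept = []
        for net in remaining:
            if net.subnet_of(ex):
                continue  # whole block lies inside an excluded range: drop it
            if ex.subnet_of(net):
                kept.extend(net.address_exclude(ex))  # carve the hole out
            else:
                kept.append(net)  # disjoint from the excluded range: keep it
        remaining = kept
    return sorted(remaining)


def reaches(address, networks):
    """True if `address` falls inside any block of `networks`."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in networks)


def covered_addresses(networks):
    """Total number of addresses the blocks cover (the blocks never overlap)."""
    return sum(net.num_addresses for net in networks)


if __name__ == "__main__":
    nets = allowed_networks([LOCAL_NETWORK])
    print(f"{len(nets)} allowed-network entries exclude {LOCAL_NETWORK}:")
    for net in nets:
        print("  ", net)
    print("8.8.8.8 reachable:", reaches("8.8.8.8", nets))
    print("192.168.1.10 reachable:", reaches("192.168.1.10", nets))
```

Excluding a single /24 from 0.0.0.0/0 produces 24 entries (one per prefix bit), so the allowed-networks list becomes long rather than a single object; that is the price of not having NOT logic in the profile. Note also that the allowed networks only control which routes the tunnel pushes to the client; they are not a firewall rule, so a client that sets its own route could still try to reach the LAN through the tunnel. A firewall rule from the VPN client pool that drops traffic to the internal networks, as suggested further down in this thread, is what actually enforces the restriction.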



  • Thank you both for the response.

    I've got a nice symmetrical 100Mb/s pipe and plenty of horsepower on the UTM machine (quad core 8G, 256MSSD, intel GigNics). They would only use it for financial / sensitive type stuff; they know better than to try and stream music or movies through. All that said, a simple solution does not appear to be in the mix.

    I've not experienced any issues with SSL VPN, but I'm using transparent proxy and only URL filtering. That mated with a PiHole and I'm in pretty good shape for a home network.

    It would be nice if there was a built in definition for Internet IP addresses or the simpler, NOT logic for a defined network.

    Maybe XG can do this?

  • You may be able to achieve your desired result with user-network firewall rules to block non-web traffic, and block rules within the filter action to exclude internal websites by both name and number. Create a filter profile linked to their VPN IP pool, then link it to a user policy and the desired filter action.

    I am pretty sure that VPN user identity does not cross over to transparent proxy web identity, so they will have a double login before they can web surf through the tunnel, unless the filter profile specifies no authentication for the VPN IP pool address range.

    UTM is uncommonly good at hairpin turns, such as this proposal. I cannot speak for XG other than to observe that XG users think UTM web filtering is superior.