CISCO RV180 - Limited VPN Access

Slava Zhilov
Level 1

Hello!

I'm using a Cisco RV180 router for incoming VPN connections. I just learned how to do it, I did all the settings and it is working now. However, I have noticed that users who connect through their VPN clients can see the whole internal network. Can those be limited to only certain local IPs?

For example, my local network is 10.x.x.x. I have the Cisco router web interface available to log in to at 10.x.x.1, and the web server I want users to access is on 10.x.x.2. Can I forbid access for VPN users who connect through the Cisco IP, so that this 10.x.x.1 address is available for local users only?


11 Replies

mpyhala
Level 7

Slava,

You cannot restrict VPN users, they will have access to the entire LAN. There is possibly a workaround. You could place the server alone on VLAN 1 and the rest of your devices on VLAN 2. Allow Inter-VLAN routing for your local devices to access the server, but the VPN user will not be able to reach VLAN 2.

- Marty

Hi, Marty,

Thank you for your answer. Do you know if I can do that with the RV180 alone, or would I need additional equipment?

Slava,

I'm assuming that you are using QuickVPN for remote access.

You can do it on the RV180:

Connect the server to port 1 on the router. That port is VLAN 1 Untagged by default.

Under Networking-> VLAN Membership, Add Row.

VLAN ID: 2

Description: VLAN 2 (Or whatever you like)

Inter VLAN Routing: Enabled

Device Management: Enabled?

Port 1: Tagged

Port 2: Untagged

Port 3: Untagged

Port 4: Untagged

Under Networking-> Multiple VLAN Subnets, select your new VLAN 2 and Edit.

IP Address: 192.168.2.1 (Example)

Subnet Mask: 255.255.255.0


DHCP Mode: DHCP Server (If you want the router to do DHCP)

Starting IP Address: 192.168.2.100

Ending IP Address: 192.168.2.254

Connect all of your VLAN 2 devices to ports 2-4. They should be able to reach the server on VLAN 1 but cannot be reached from the VPN users.

- Marty
Dear Marty, thank you for the detailed instructions. This is a good thing to know. I have tried this out and then realized that it is probably not exactly what I need, or I missed something from your write-up.

I have the webserver connected to Port 1 and I manage the Cisco router from that webserver. The Cisco router has IP address 10.10.10.1 and the webserver is 10.10.10.2. There are no other devices connected to the router. The webserver has additional network interfaces and all local devices are connected through those.

Till now I had port 443 forwarded by the Cisco router to the webserver for external connections. But a security consultant advised switching the external clients from HTTPS to VPN (still leaving HTTPS though). That's what I'm working on right now. I was advised to use L2TP, but I didn't find how I can set it up on the router (though the manual says it should be there), so I made PPTP for now. I did that by adding an IKE policy and a VPN user (I don't know if anything else is needed, but it seems to be working fine).

When I try to connect from outside with a VPN client on Win 7 (the "create VPN connection" feature), the VPN connection gets created and I can go to 10.10.10.2 and see the webserver. But I can also go to 10.10.10.1 and see the Cisco router login page. The latter is what I'm trying to hide, if possible. Also, I haven't figured out yet whether such VPN users can use other ports or whether only 443 is allowed for them. Ideally I want VPN users to log in and see only the webserver, and only on port 443. Not sure if that is possible.

Slava,

The RV180 does not have an L2TP server. It does however allow passthrough to an L2TP server on the LAN.

You do not need an IKE policy for PPTP. IKE is for IPSec VPN connections only. For PPTP, you only need to create a DHCP scope and add a user.

Once the user is connected they will have full access to the server. You cannot limit the PPTP users in the RV180 to allow only access to specific ports on the server. To do that you will need a firewall installed on the server that can block all access except for https.

If you need the router to only allow access on port 443, Port Forwarding is a better option than PPTP. Do you have only a few users that need to access the server and you are trying to block the rest of the internet?

- Marty
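
The host firewall Marty describes above, as an added example that is not from this thread or from Cisco: an iptables ruleset for the web server (assumed to run Linux) that lets VPN clients reach only TCP/443 while LAN hosts keep full access. The router (10.10.10.1), server (10.10.10.2) and LAN (10.10.10.0/24) addresses come from the thread; VPN_POOL is a constructed assumption. It relies on the PPTP DHCP scope on the router handing VPN users a range that the LAN's own DHCP never uses, and on the router delivering VPN traffic to the server with the client's PPTP address as source, since that source address is the only thing the server can filter on. The function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread or Cisco): host firewall on the web
# server that limits VPN clients to TCP/443. Assumes Linux with iptables.
# Addresses: LAN_NET from the thread; VPN_POOL is a constructed assumption
# that must match the router's PPTP DHCP scope and must not overlap the
# range the LAN DHCP server hands out, or the server cannot tell VPN
# clients from LAN hosts.

LAN_NET="10.10.10.0/24"
VPN_POOL="10.10.10.192/27"   # assumed PPTP client scope: .193 - .222

# Emit the filter table in iptables-restore format. Order matters: VPN_POOL
# lies inside LAN_NET, so the VPN-specific rules must come before the LAN
# accept rule or the LAN rule would match VPN clients first.
vpn_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and replies to connections the server opened
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# HTTPS from anyone: VPN users, LAN hosts and the router's port-443 forward
-A INPUT -p tcp --dport 443 -j ACCEPT
# anything else from the VPN pool is dropped (must precede the LAN accept)
-A INPUT -s $VPN_POOL -j DROP
# LAN hosts keep full access to the server
-A INPUT -s $LAN_NET -j ACCEPT
# the server also routes for the LAN devices behind its other interfaces;
# do not let VPN clients hop through it to reach them
-A FORWARD -s $VPN_POOL -j DROP
COMMIT
EOF
}

# Return 0 when the VPN-pool DROP precedes the LAN ACCEPT in INPUT, which
# is the ordering the whole design depends on.
rules_vpn_before_lan() {
  vpn_rules | awk -v vdrop_rule="-A INPUT -s $VPN_POOL -j DROP" \
                  -v lacc_rule="-A INPUT -s $LAN_NET -j ACCEPT" '
    $0 == vdrop_rule && !vdrop { vdrop = NR }
    $0 == lacc_rule  && !lacc  { lacc  = NR }
    END { exit !(vdrop && lacc && vdrop < lacc) }'
}

# Load the ruleset atomically (needs root). Save the current rules with
# iptables-save first so there is something to fall back to.
apply_rules() {
  vpn_rules | iptables-restore
}

case "${1:-show}" in
  show)  vpn_rules ;;
  apply) apply_rules ;;
esac
```

Run it without arguments to print the ruleset and review it, and with `apply` as root to load it. This only restricts what VPN users can do on the server itself; it cannot hide the router's login page at 10.10.10.1, which is what the thread concludes the RV180 cannot do for PPTP users. Because the `*filter` block replaces the whole table, any other rules the server needs (for example for the interfaces that serve the local devices) have to be added to the same ruleset.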

Hello Marty,

Actually you are right, that's what I need. My webserver is written in PHP, and while I took all the measures I know to prevent hacker attacks such as Cross-Site Scripting, SQL injection or brute force, I heard there could be vulnerabilities in PHP itself. So I'm trying to limit the access down to certain users; there are about 20-30 users from different cities. For a big remote office of 15 people I have just bought another RV180, which I will set up at their end and make a VPN (using IPSec, I guess). For the single users scattered over different cities I would probably need something else.

I thought PPTP was a good solution for that, but doing this I open access to manage my Cisco router. If someone found the password of a PPTP connection they could go further and access the router. I don't have that when I'm using just HTTPS through the RV180, which acts as a firewall forwarding port 443 only. I'm not sure which one is better.

I also just realized that PPTP is not encryption, it is just a tunnel. Should I use IPSec instead then?

Slava,

IPSec is considered much more secure than PPTP.

- Marty

OK, got it. So then I create an IKE policy for IPSec, create users and go. Another option is to leave it as it is now, i.e. forwarding port 443 to the LAN only. I have to choose myself, I guess.

Did you want to suggest something on that:

If you need the router to only allow access on port 443, Port Forwarding is a better option than PPTP. Do you have only a few users that need to access the server and you are trying to block the rest of the internet?

Accepted Solution

Slava,

What I meant by my statement is that with PPTP you will give the users access to the entire network. With Port Forwarding the users only have access to the server that is listening on port 443. Since port 443 uses https, it is a secure connection.

If your users have Windows 7 or below, you may wish to try QuickVPN. You only have to enable Remote Management on port 443 or 60443 and add users. (No IKE Policy is needed as the router will listen for QuickVPN connections automatically) With QuickVPN the end users will have access to everything on VLAN 1, so you may want to create another VLAN for devices that you don't want them to have access to.

If you use a third party VPN client such as Shrewsoft (Windows) or IPSecuritas (Mac), you should be able to restrict access only to the server. (You will need to create an IKE and VPN Policy)

- Marty

Thank you very much. In this case, wouldn't the following scheme be better: usual users keep connecting through HTTPS with no VPN set up, and the administrator uses VPN for remote access inside the network for any settings etc.?

Slava,

It is difficult to answer this question without more information. In general I would say that it is best to use https if that is the only service that the users need access to. You will of course want VPN access to everything on the LAN for management purposes.

- Marty
