One lan internet access, other lan VPN access

Hello,

I need your guidance to configure the following scenario:

I have two RUT951 routers, and I want to establish an IPSec VPN connection between them.

  • Router 1: It has an internet connection via the WAN port. LAN 1 (ports 1 & 2) should be able to access the remote network behind Router 2 via the VPN, but should not have internet access. Port 3 should have internet access but no access to the VPN or LAN 1.
  • Router 2: It has an internet connection via SIM1. LAN 1 (ports 1 & 2) should be able to access the remote network behind Router 1 via the VPN, but should not have internet access. Port 3 should have internet access but no access to the VPN or LAN 1.

It is very important that neither router be accessible from the internet, only via VPN.

Thank you,

Hello,

Thank you for providing detailed information about your configuration.

Here are step-by-step guidance instructions to configure the setup:

  1. Ensure Both Routers Have Different LAN Subnets. It is important that both routers (RUT1 and RUT2) operate on separate LAN subnets to prevent IP conflicts. For example, configure RUT1 with the subnet 192.168.1.1/24 and RUT2 with 192.168.14.1/24.

  2. Create a VLAN on Both Routers. On each router, go to the Network → VLAN section and create a new port-based VLAN. Select lan1 and lan2 as Untagged. This configuration allows the VLAN to carry traffic without tagging packets, which simplifies communication between the two LANs. Instructions on how to set up a VLAN can be found here.

  3. Create Additional LAN Interfaces. For that, navigate to Network → LAN and press the Add button. In the newly opened window, specify a name and assign the LAN IP address, e.g. on RUT1 as 192.168.2.1/24, and on RUT2 as 192.168.3.1/24. This configuration enables each router to manage its own LAN network independently, ensuring no overlap between the routers’ internal networks. Here are screenshots of the LAN interfaces pages from RUT1 and RUT2 for better understanding.
    RUT1: [screenshot of the RUT1 LAN interfaces page]
    RUT2: [screenshot of the RUT2 LAN interfaces page]

  4. Create a VLAN Zone in the Firewall. On both routers navigate to Network → Firewall and create a new VLAN zone covering the previously created VLAN network and accepting all three policies. Creating a separate firewall zone ensures the VLAN traffic is properly controlled and isolated. By setting the policies to accept, you allow the traffic to flow correctly through the VLAN without being blocked by the firewall. After creating the VLAN zone, make sure to check and remove the VLAN interface from the LAN firewall zone by going to Network → Firewall → General Settings and editing the firewall Zones section. This will ensure the VLAN traffic remains properly segregated from the main LAN.

  5. Configure IPsec VPN Between Routers. Follow the steps provided in this article. During the VPN setup, ensure that you modify the Local/Remote Identifier and Local/Remote Subnet fields to match the subnets for your VLANs.

  6. Add Traffic Forwarding Rule. Lastly, in Network → Firewall → Traffic Rules add new forwarding rules that specify how traffic between the VLAN and other networks should be handled. Configure the settings as shown in the provided screenshots, allowing the necessary traffic to flow between the interfaces. This rule rejects any IPsec traffic originating from the LAN network going to the WAN.


If everything is configured correctly, you should be able to ping the RUT2 LAN1 network from RUT1 LAN1, and vice versa. At the same time, traffic from end devices connected to port 3 of the router should have internet access but won’t be able to reach LAN1 networks through the IPsec VPN tunnel.

Moreover, it’s important to mention that routers are not accessible from the internet by default, because of preconfigured forwarding rejection from the WAN zone to the LAN.

Let me know if this helps or if you need further assistance.

Best Regards,
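As an added example (not part of the thread above and not Teltonika's stock configuration), this is what steps 1, 3, 4 and 6 of the answer look like in the OpenWrt-style UCI files that RutOS uses, written for RUT1. It assumes the port-based VLAN from step 2 ended up as a network interface named `vlan1` on a bridge device `br-vlan1`, that port 3 stays on the default `lan` network, that the remote VLAN subnet behind RUT2 is 192.168.3.0/24 as in the answer, and that the IPsec tunnel (step 5, configured in the web UI and not shown here) is a policy-based tunnel that sends its traffic out through the `wan` zone. The interface and bridge names are assumptions; check them against Network → LAN on your unit.

```uci
# /etc/config/network (RUT1) -- added example; 'vlan1' and 'br-vlan1' are assumed names
config interface 'lan'            # port 3: keeps the stock 192.168.1.1/24 (step 1)
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'

config interface 'vlan1'          # ports 1 & 2: the port-based VLAN from steps 2 and 3
        option proto 'static'
        option device 'br-vlan1'  # assumed bridge created together with the VLAN
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'

# /etc/config/firewall (RUT1) -- appended to the stock file, which already has the
# 'lan' and 'wan' zones, the lan->wan forwarding and 'option forward REJECT' as default
config zone                       # step 4: own zone for the VLAN, all three policies ACCEPT
        option name 'vlan'
        list network 'vlan1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

# Deliberately NO 'config forwarding' between 'vlan' and 'lan' (or 'vlan' and 'wan'):
# with the default inter-zone policy REJECT, port 3 and ports 1/2 cannot reach each
# other, and the VLAN only gets to the WAN side through the explicit rule below.

config rule                       # step 6: VLAN may only reach the subnet behind RUT2
        option name 'vlan-to-rut2-vlan'
        option src 'vlan'
        option dest 'wan'
        option dest_ip '192.168.3.0/24'
        option proto 'all'
        option target 'ACCEPT'

config rule                       # every other VLAN -> WAN packet (i.e. the internet) is refused
        option name 'vlan-no-internet'
        option src 'vlan'
        option dest 'wan'
        option proto 'all'
        option target 'REJECT'

config rule                       # port 3 keeps its internet access but is kept out of the tunnel
        option name 'lan-no-vpn'
        option src 'lan'
        option dest 'wan'
        option dest_ip '192.168.3.0/24'
        option proto 'all'
        option target 'REJECT'
```

Rules are evaluated in file order and before the zone forwarding policies, so the ACCEPT for 192.168.3.0/24 must stay above the blanket REJECT. On RUT2 the same fragment applies with the local and remote subnets swapped (192.168.3.1/24 locally, 192.168.2.0/24 as `dest_ip`). After `uci commit` and `/etc/init.d/firewall restart`, the check that matches the answer's expectations is: a host on port 1 can ping a host in 192.168.3.0/24 but not a public address, and a host on port 3 can reach the internet but gets no reply from 192.168.3.0/24 or 192.168.2.0/24. The stock `wan` zone keeps `input REJECT`, which is why neither router answers from the internet apart from the IKE/ESP rules RutOS adds for the tunnel itself.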
