Block guest vlan from vpn tunnels

Nov 25th, 2008

I have an office 1812 router with 12.4T. The router has a GRE tunnel into the corporate intranet. Multiple static routes send some destinations into the VPN tunnel.

For guests there is a separate guest VLAN on the router. Guests are supposed to get internet access only. They are not allowed to send traffic into the VPN tunnel nor access the office VLAN. The latter is easily set up with ACLs.

I could also set up ACLs to block traffic for destinations routed into the VPN tunnel. However, that is a list of some 20+ static routes and the list changes at times. If I used ACLs I would have to adjust the ACL each time I make changes to the VPN tunnel routing.

Is it possible to "force" routing of a VLAN into the internet only, ignoring any other static route which may exist?

Abridged configuration:

interface Tunnel0
 ip address
 tunnel source Dialer0
 tunnel destination

interface FastEthernet0
 no ip address
 pppoe enable
 pppoe-client dial-pool-number 1

interface Vlan99
 description Guest VLAN
 ip address
 ip nat inside

interface Vlan10
 description Main VLAN
 ip address
 ip nat inside

interface Dialer0
 ip address
 ip nat outside
 dialer pool 1
 dialer-group 1

ip route Dialer0
ip route
ip route


The guests are not supposed to access the VPN tunnel destinations like Guest traffic should always be routed to the default gateway through Dialer0. Is this possible other than by setting up and maintaining ACLs?

John Blakley Tue, 11/25/2008 - 10:27

I don't think this is possible, but there may be an easier way of doing it.

You should create an ACL for your guest vlan99 like this:

ip access-list ext GUEST
 deny ip
 deny ip
 deny ip
 permit ip any

This would block any vlan99 traffic to anything over the tunnel or the office vlan. You WILL have to add any additional subnets as your network grows. Put this on your vlan99 interface inbound and it should work for you.

You MIGHT be able to do a route map as an alternative, but I've never tried this.

ip access-list ext GUEST
 permit ip any

route-map GUEST permit 5
 match ip address GUEST
 set default interface Dialer0

int vlan99
 ip policy route-map GUEST

I'm not 100% confident that the route-map would work, but this tells it to send all traffic from vlan99 to Dialer0 as the default-interface. It may NOT block the traffic that you're wanting to block though.



Gerald Vogt Tue, 11/25/2008 - 22:34

Thank you. I know the ACL on the guest vlan interface. That's the way I do it at the moment. But it is cumbersome to maintain the access list and the static routes in sync.

After some thinking I actually think with ACLs it is better to filter the out traffic on the tunnel interface. Anything with source IP address gets filtered and won't enter the tunnel. That's much shorter and the IP subnet of the guest subnet won't change.

The route map is a good idea and it seems to do what I want. You have to use "set interface Dialer0" instead of "set default interface Dialer0". The latter changes the default route, i.e. all statically routed traffic will still go into the VPN tunnels. The former forces routing of the guest traffic to the Dialer0 and into the internet. I have tested this and it works nicely.

Actually it works better than the ACLs. The IP addresses routed into the VPN tunnels are routable IP addresses (e.g. Most of the servers are only accessible through VPN. But some servers are actually accessible through the open internet as well using the same IP address. Thus, if I filter destination for guests, they are not able to access this IP address although it may be accessible through the open internet.

Using the policy routing I can force the traffic to go into the internet and guests can still access but only through a direct connection through the internet and not through the VPN tunnel. That's exactly what I need.

Thanks for the idea with the route-map. That was what I was looking for...
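The difference between "set interface" and "set default interface" that the thread settles on, modelled as an added example (not configuration from the thread or from Cisco IOS itself). The prefixes, the guest subnet and the egress names other than Tunnel0/Dialer0 are constructed for illustration; the model checks the PBR clause before the routing table, as IOS does for policy-routed interfaces.

```python
import ipaddress

# Constructed sample topology (the thread's real addresses are not shown):
# static routes send corporate prefixes into Tunnel0, everything else via Dialer0.
STATIC_ROUTES = {
    "0.0.0.0/0": "Dialer0",       # ip route 0.0.0.0 0.0.0.0 Dialer0
    "10.20.0.0/16": "Tunnel0",    # corporate intranet prefix via the GRE/VPN tunnel
    "203.0.113.0/24": "Tunnel0",  # public servers that are also reachable via the VPN
}
GUEST_SUBNET = "192.168.99.0/24"  # Vlan99, constructed; ACL GUEST = "permit ip <guest> any"


def static_lookup(dst):
    """Longest-prefix match over the static table; returns (matched prefix, egress)."""
    d = ipaddress.ip_address(dst)
    best = None
    for prefix, egress in STATIC_ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, egress)
    return str(best[0]), best[1]


def policy_route(src, dst, action):
    """Egress chosen for a packet entering Vlan99 under 'ip policy route-map GUEST'.

    action: None (no policy applied), "set interface" or "set default interface",
    both pointing at Dialer0 as in the thread.
    """
    prefix, egress = static_lookup(dst)
    matches_guest_acl = ipaddress.ip_address(src) in ipaddress.ip_network(GUEST_SUBNET)
    if action is None or not matches_guest_acl:
        return egress                      # normal destination-based routing
    if action == "set interface":
        return "Dialer0"                   # overrides every routing-table entry
    if action == "set default interface":
        # only used when the sole match is the default route, so the
        # explicit static routes into Tunnel0 still win for guest traffic
        return "Dialer0" if prefix == "0.0.0.0/0" else egress
    raise ValueError(f"unknown action {action!r}")


if __name__ == "__main__":
    for act in (None, "set default interface", "set interface"):
        print(f"{str(act):22} guest -> 10.20.1.5 via {policy_route('192.168.99.10', '10.20.1.5', act)}")
```

Running the block shows the guest packet to the corporate prefix landing on Tunnel0 in the first two cases and on Dialer0 only with "set interface", which is the behaviour reported in the reply above.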
