The firewall integrated into LANCOM routers is a powerful instrument for defining source and target address ranges between which data transfer is permitted, restricted or prohibited. The same mechanism is used to set up the network relationships for the VPN rules.
In the simplest case, the firewall can generate the VPN rules automatically.
- The local intranet serves as the source network, i.e. the same private IP address range that the local VPN gateway itself belongs to.
- For automatically generated VPN rules, the target networks are those networks whose entry in the IP routing table names a remote VPN gateway as the router.
To activate automatic rule generation, switch on the corresponding firewall option when running the VPN installation wizard in LANconfig. When coupling two simple local networks, the VPN automatic can derive the necessary network relationships from the IP address range of its own LAN and from the IP routing table entry for the remote LAN.
The description of the network relationships is more complicated if the source and target networks are not only represented by the intranet address ranges of the connected LANs:
- When only a portion of the local intranet is to be reachable from the remote network, the automatic method is unsuitable, because it opens the entire intranet address range to the VPN connection.
- In many network structures, the local network is connected by further routers to sections of other networks with their own IP address ranges. Additional settings are required to include these address ranges in the network relationship.
In these cases, the network relationships that describe the source and target networks must be entered manually. Depending on the situation, the automatically generated VPN rules can be extended by manual rules, although it is often better to deactivate the VPN automatic altogether to prevent unwanted network relationships.
Firewall rules define the necessary network relationships under the following conditions:
- In the firewall rule, the option “Consider this rule when generating VPN rules” must be activated.
Note: Firewall rules used for generating VPN rules remain in effect even when the actual firewall function of the LANCOM device is not required and is switched off.
- Make sure that the firewall action is set to “Transfer”.
- Sources and targets for the connection can be entered as individual stations, IP address ranges, or whole IP networks.
Note: Target networks must also be defined in the IP routing table so that the router in the LANCOM device can forward the corresponding data packets to the remote network. You can make use of the entries that already exist there and simply enter a higher-level network as the target in the firewall rule. Only the intersection of the target network defined in the firewall rule with the subordinate entries in the IP routing table enters the network relationships for the VPN rules.
Example: The target networks 10.2.1.0/24, 10.2.2.0/24 and 10.2.3.0/24 are entered in the IP routing table and are reached via the router VPN-GW 2. A firewall target of 10.2.0.0/16 is sufficient for all three subnets to be included in the VPN rules.
Note: The definitions of source and target networks must match at both ends of the VPN connection. It is not possible, for example, to map a larger target address range at one end to a smaller source address range at the opposite end. What counts here are the IP address ranges permitted by the resulting VPN rules, not the networks entered in the firewall rules; because of the intersection with the routing table, the two can differ considerably.
- VPN connections can also be limited to certain services or protocols according to your requirements. For example, the VPN connection can be restricted to the services needed by a Windows network.
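The following Python script is added here as an illustration; it is not part of the LANCOM documentation or firmware. It models the two ways of deriving network relationships described above: the automatic mode (the local intranet as source, every routing entry that points to a VPN gateway as target) and the manual mode, in which only firewall rules flagged for VPN generation with action “Transfer” count and each rule's target is intersected with the routing table. It also checks the requirement that both ends of the connection permit the same address pairs. The router name VPN-GW 2 and the three 10.2.x.0/24 routes come from the example in the text; the local intranet 10.1.0.0/24, the rule names, the second router ROUTER-B and all other addresses are constructed for this example.

```python
# Added example, not LANCOM code: models how VPN network relationships
# (the address pairs the VPN rules finally permit) are derived from the
# firewall rules and the IP routing table. All names and addresses other
# than the 10.2.x.0/24 routes and VPN-GW 2 are constructed for illustration.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network


@dataclass(frozen=True)
class Route:
    destination: IPv4Network
    router: str  # next-hop router name, e.g. a remote VPN gateway


@dataclass(frozen=True)
class FirewallRule:
    name: str
    source: IPv4Network
    target: IPv4Network
    action: str = "Transfer"  # "Transfer" or "Reject"
    consider_for_vpn: bool = False  # "Consider this rule when generating VPN rules"


# Constructed sample device state (assumed, not read from a real router).
LOCAL_INTRANET = ip_network("10.1.0.0/24")
VPN_PEERS = {"VPN-GW 2"}  # routers that are remote VPN gateways
ROUTING_TABLE = [
    Route(ip_network("10.2.1.0/24"), "VPN-GW 2"),
    Route(ip_network("10.2.2.0/24"), "VPN-GW 2"),
    Route(ip_network("10.2.3.0/24"), "VPN-GW 2"),
    Route(ip_network("10.3.0.0/24"), "ROUTER-B"),  # plain LAN router, not a VPN peer
]
FIREWALL_RULES = [
    # Only the server half of the intranet may use the VPN; the target is the
    # higher-level network 10.2.0.0/16 that covers the three routed subnets.
    FirewallRule("ALLOW-SERVERS-TO-VPN", ip_network("10.1.0.128/25"),
                 ip_network("10.2.0.0/16"), consider_for_vpn=True),
    # Reject rules and rules not flagged for VPN generation contribute nothing.
    FirewallRule("DENY-GUESTS", ip_network("10.1.0.0/26"),
                 ip_network("10.2.0.0/16"), action="Reject", consider_for_vpn=True),
    FirewallRule("ALLOW-LAN-ANY", ip_network("10.1.0.0/24"),
                 ip_network("0.0.0.0/0"), consider_for_vpn=False),
]


def intersect(a: IPv4Network, b: IPv4Network):
    """Two CIDR networks are either nested or disjoint, so their
    intersection is the smaller one when they overlap, else None."""
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    return None


def _as_strings(relationships):
    return [(str(s), str(t)) for s, t in sorted(relationships)]


def automatic_vpn_rules(local_intranet, routes, vpn_peers):
    """Automatic mode: source is the whole local intranet, targets are the
    destinations of every route whose router is a remote VPN gateway."""
    return _as_strings({(local_intranet, r.destination)
                        for r in routes if r.router in vpn_peers})


def manual_vpn_rules(rules, routes, vpn_peers):
    """Manual mode: only rules flagged for VPN generation with action
    Transfer count; each rule's target is intersected with every VPN route,
    so a /16 target yields one relationship per routed /24."""
    relationships = set()
    for rule in rules:
        if not rule.consider_for_vpn or rule.action != "Transfer":
            continue
        for route in routes:
            if route.router not in vpn_peers:
                continue
            target = intersect(rule.target, route.destination)
            if target is not None:
                relationships.add((rule.source, target))
    return _as_strings(relationships)


def ends_agree(local_relationships, remote_relationships):
    """Both VPN ends must permit the same address pairs. Seen from the remote
    end each pair is mirrored (its source is our target), so a remote rule
    whose source is larger than our target does not match."""
    mirrored = {(t, s) for s, t in remote_relationships}
    return set(local_relationships) == mirrored


if __name__ == "__main__":
    local = manual_vpn_rules(FIREWALL_RULES, ROUTING_TABLE, VPN_PEERS)
    print("automatic:", automatic_vpn_rules(LOCAL_INTRANET, ROUTING_TABLE, VPN_PEERS))
    print("manual:   ", local)
    good_remote = [(t, s) for s, t in local]           # remote configured per subnet
    bad_remote = [("10.2.0.0/16", "10.1.0.128/25")]    # remote uses its whole /16 as source
    print("remote per-subnet agrees:", ends_agree(local, good_remote))
    print("remote /16 agrees:       ", ends_agree(local, bad_remote))
```

Running the script shows the automatic mode opening the whole 10.1.0.0/24 to each of the three routed subnets, while the manual rule narrows the source to 10.1.0.128/25 and still reaches all three subnets through the single 10.2.0.0/16 target; the route via ROUTER-B never appears because its router is not a VPN peer. The final check illustrates the note about both ends: a remote end that uses its whole /16 as source does not match the three /24 relationships and the VPN rules would not line up.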