Restrict network access from L2TP VPN Clients
Description
If the VPN is configured in Split-Tunnel mode, users will have access to the X0 subnet.
If using Route-All mode, they will have access to every subnet under every zone. This is because, unlike WAN GroupVPN GVC and SSL-VPN NetExtender clients, L2TP client access cannot be controlled by VPN Access List. This limitation can be overcome by controlling access via Access Rules. By default, when the SonicWall L2TP server is enabled (on the VPN | L2TP Server page), Access Rules are auto-created from the VPN zone to LAN, WAN and, if applicable, DMZ, allowing any traffic. The Source of such rules will be the auto-created Address Object of L2TP IP Pool with Destination set to Any. In order to override these Allow rules, we must create deny rules with a higher priority.
Resolution
Login to the SonicWall management GUI.
Navigate to the Firewall | Access Rules | VPN | LAN page.
This page would already have an auto-created rule as under.
This Access Rule cannot be deleted nor its Action, Source or Destination fields edited. To render this rule ineffective, we edit this rule as in the following screenshot.
Create the following deny rule. It is important to first make the changes described above without which SonicWall will not admit creating the following rule (an Allow and a Deny rule with identical parameters is not permitted)
With the above steps, we have ensured that traffic from L2TP clients will not have unimpeded access to the LAN zone. Now we create Allow rule or rules to allow L2TP clients access to selected resources on the LAN.
Similarly, if there are configured interfaces under DMZ, WLAN or custom zones, modify the auto-created rule under VPN | DMZ (or WLAN etc.) and create Allow and Deny rules as above.