- Products
- Network Security
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
Capture ATPMulti-engine advanced threat detection
Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
- Email Security
Email SecurityProtect against today’s advanced email threats
- Cloud Security
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
- Support Widget
- Products
- Network Security
- Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
- Security ServicesComprehensive security for your network security solution
- Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
- Capture ATPMulti-engine advanced threat detection
- Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
- Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
- Secure Mobile AccessRemote, best-in-class, secure access
- Wireless Access PointsEasy to manage, fast and secure Wi-FI
- SwitchesHigh-speed network switching for business connectivity
- Email Security
- Email SecurityProtect against today’s advanced email threats
- Cloud Security
- Cloud App SecurityVisibility and security for Cloud Apps
- Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
- Capture ClientStop advanced threats and rollback the damage caused by malware
- Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
- Support Widget
Restrict network access from L2TP VPN Clients
03/26/2020 
28 People found this article helpful
98,401 Views
Description
When L2TP VPN clients successfully connect to the SonicWall L2TP server, they will have unrestricted access to the network behind the SonicWall in either of these two ways:
If the VPN is configured in Split-Tunnel mode, users will have access to the X0 subnet.
If using Route-All mode, they will have access to every subnet under every zone. This is because, unlike WAN GroupVPN GVC and SSL-VPN NetExtender clients, L2TP client access cannot be controlled by VPN Access List. This limitation can be overcome by controlling access via Access Rules. By default, when the SonicWall L2TP server is enabled (on the VPN | L2TP Server page), Access Rules are auto-created from the VPN zone to LAN, WAN and, if applicable, DMZ, allowing any traffic. The Source of such rules will be the auto-created Address Object of L2TP IP Pool with Destination set to Any. In order to override these Allow rules, we must create deny rules with a higher priority.
Resolution
Login to the SonicWall management GUI.
Navigate to the Firewall | Access Rules | VPN | LAN page.
This page would already have an auto-created rule as under.
This Access Rule cannot be deleted nor its Action, Source or Destination fields edited. To render this rule ineffective, we edit this rule as in the following screenshot.
Create the following deny rule. It is important to first make the changes described above without which SonicWall will not admit creating the following rule (an Allow and a Deny rule with identical parameters is not permitted)
With the above steps, we have ensured that traffic from L2TP clients will not have unimpeded access to the LAN zone. Now we create Allow rule or rules to allow L2TP clients access to selected resources on the LAN.
Similarly, if there are configured interfaces under DMZ, WLAN or custom zones, modify the auto-created rule under VPN | DMZ (or WLAN etc.) and create Allow and Deny rules as above.
Related Articles
- App Control fails by schema error when editing VPN category
- Custom Geo-IP list to exclude a website from Geo-IP filter
- GVC stuck on acquiring IP for some users
Categories
- Firewalls > TZ Series
- Firewalls > SonicWall SuperMassive E10000 Series
- Firewalls > SonicWall SuperMassive 9000 Series
- Firewalls > SonicWall NSA Series
YES
NO