VPN access to single computer on network

Sorry you don't understand. Read my posts. I leave it in your hands.
Your first post was mentioning quickbooks online, second was the recommendation for a business class router.

I then replied and clarified your point that going that route (vlan on a business grade router) would still restrict his local access as well as the remote user.... and mentioned it could be accomplished by using a second router (you know some people have routers laying around which saves forking out $$$ on more hardware)

Where's the rest of the picture...
 
OK. I think I understand the simplest answers.

Option 1) Replace AC88U with a business router that can do VPN, VLAN and routing networks. (I understand how to configure the VPN and the VLAN).

Can you explain how to configure with the routing networks? Is this how I will direct the VPN client to only access the VLAN?

Option 2) Put a managed switch behind the AC88U and in front of the Quickbooks only PC. Configure a VLAN on the managed switch to isolate the Quickbooks only PC.

In this case, I am unsure of how I can get the VPN client to only access to the Quickbooks PC now that it is isolated.

One more question: I do have some old AC66U's. If I were to put one of them behind the AC88U as suggested above, how would I configure it so the Quickbooks PC did not have access to the main network? (I know the main network would not have access to the Quickbooks PC with a "standard" configuration)
 
If it were me... because your Quickbooks PC doesn't need access to other clients on the rest of your network, I'd put a second router behind your AC88U with a VPN server running on that second router dedicated for your accountant, then forward the outside VPN connection from the first router to the second (port forward)

This way your accountant can VPN into that second router and access that QB PC, have zero access to your primary network. Would need some iptables rules though to restrict the secondary router clients accessing the primary clients. Basically a set of rules allowing internet access and that's it.

With what you want to do is best suited to a router with those capabilities (VPN, VLAN) though, like a business grade router that was mentioned
 
Would need some iptables rules though to restrict the secondary router clients accessing the primary clients. Basically a set of rules allowing internet access and that's it.
If the secondary router was also an Asus (like an RT-AC66U_B1) then it would be trivial to use its Network Services Filter to create those rules automatically.
 
If it were me... because your Quickbooks PC doesn't need access to other clients on the rest of your network, I'd put a second router behind your AC88U with a VPN server running on that second router dedicated for your accountant, then forward the outside VPN connection from the first router to the second (port forward)

This way your accountant can VPN into that second router and access that QB PC, have zero access to your primary network and if you create a static route from your primary to your secondary router all your clients on the primary network can access the PC on the second one if needed.

Thank you. This makes perfect sense to me. I have a question re: static routes.

I do not know how to configure a static route from the primary AC88U network to the new Quickbooks PC -- but this is exactly the second part of what I need to do. Can you explain how I would configure this? Would the Network Host = IP address of the Quickbooks PC, the netmask = 255.255.255.0, the Gateway = the AC88U, and the interface = LAN? What would the metric be set to?

If the secondary router was also an Asus (like an RT-AC66U_B1) then it would be trivial to use its Network Services Filter to create those rules automatically.

The secondary router will be either an AC66U or AC66U_B1. If I use the configuration above, would I still need this? If so, how would I use/configure the Network Services Filter to configure these rules?
 

Wouldn't the fact that the accountant is remote connected (2 layer connection, RDP through the VPN tunnel) into the PC on the second router, wouldn't that PC the accountant is RDP'd into still be able to access the primary network? The second router is essentially only seeing requests from the PC hardwired to it, which would be bypassing the VPN rules?

I guess he could lose the VPN connection entirely and rely on the RemoteDesktop encryption (direct port forward of RDP to PC on secondary, I'd frown upon this myself) or he'd have to set up IPtable rules to do it the 2 layer way? Sound right?
 
Wouldn't the fact that the accountant is remote connected (2 layer connection, RDP through the VPN tunnel) into the PC on the second router, wouldn't that PC the accountant is RDP'd into still be able to access the primary network? The second router is essentially only seeing requests from the PC hardwired to it, which would be bypassing the VPN rules?

I guess he could lose the VPN connection entirely and rely on the RemoteDesktop encryption (direct port forward of RDP to PC on secondary, I'd frown upon this myself) or he'd have to set up IPtable rules to do it the 2 layer way? Sound right?
I deleted that comment because it was wrong. I forgot for a moment that he was RDPing onto the PC.
 
Thank you. This makes perfect sense to me. I have a question re: static routes.

I do not know how to configure a static route from the primary AC88U network to the new Quickbooks PC -- but this is exactly the second part of what I need to do. Can you explain how I would configure this? Would the Network Host = IP address of the Quickbooks PC, the netmask = 255.255.255.0, the Gateway = the AC88U, and the interface = LAN? What would the metric be set to?


If primary router IP LAN is 192.168.1.1 giving secondary router WAN IP 192.168.1.2 secondary router on LAN page should be handing out IPs in 192.168.whatever (just not 1).X (ie. 192.168.2.100 to 192.168.2.150)
Static routes are in the GUI
LAN --> ROUTE
On primary router
Network Host would be 192.168.2.0
Netmask 255.255.255.0
Gateway 192.168.1.2
Interface LAN
I leave Metric blank

In English this tells your primary router that clients at 192.168.2.X addresses (your quickbooks PC might be 192.168.2.102) can be reached over the LAN at IP 192.168.1.2 (your secondary router)

And if you go this way I'd need someone else's help to confirm the IPtables rules.....
But I think you'd just need 2 lines on your primary router... I'll check it out
 
Thank you. This makes perfect sense to me. I have a question re: static routes.

I do not know how to configure a static route from the primary AC88U network to the new Quickbooks PC -- but this is exactly the second part of what I need to do. Can you explain how I would configure this? Would the Network Host = IP address of the Quickbooks PC, the netmask = 255.255.255.0, the Gateway = the AC88U, and the interface = LAN? What would the metric be set to?
Why are you using static routes? You don't need any.

The secondary router will be either an AC66U or AC66U_B1. If I use the configuration above, would I still need this ? If so, how would I use/configure the Network Services Filter to configure these rules?
Don't get an RT-AC66U it's old, obsolete and too slow as a VPN server. The RT-AC68U is the same as the RT-AC66_B1.
 
Why are you using static routes? You don't need any.

If he wanted a PC on his 'private' network to be able to access that Quickbooks PC he'd need one on his primary router? No?
 
If he wanted a PC on his 'private' network to be able to access that Quickbooks PC he'd need one on his primary router? No?
Sorry, I must have missed that part. I thought the idea was to have the Quickbooks PC completely isolated from everything.

If he wants a PC on his primary network to also be able to RDP to the Quickbooks PC then the simplest way would be to create a port forwarding rule on the secondary router. The alternative would be as you say, create a static route, but you'd also need to turn off the NAT and firewall on the secondary router.

The second option would give all devices on the primary network access to all devices on the secondary network. But in this case there's only going to be one device so you might as well use the port forwarding option.
 
Why are you using static routes? You don't need any.

This was to solve a second problem (not mentioned in my original post), that it would be good to be able to access the QB PC from the private network. The reason for this is that the "best" way to do the configuration (per Quickbooks) is to have the QB instance running on the private network access the QB data file on the standalone Quickbooks PC. This will allow for a nice multi-user environment - me and my accountant. The accountant can use QB via VPN and RDP on the QB-only PC and I use QB on my PC by accessing the multi-user QB data file on the QB-only PC (Quickbooks has some configuration quirks when running in multi-user mode :) ).

With the suggested configuration, I retain good security for my private network since there is no way to access the private network via the VPN log in (pending the answer re: the Network Services Filter, I believe)

Don't get an RT-AC66U it's old, obsolete and too slow as a VPN server. The RT-AC68U is the same as the RT-AC66_B1.
Understood. I have access to an AC66_B1 in my office which I will use.
 
This was to solve a second problem (not mentioned in my original post), that it would be good to be able to access the QB PC from the primary network. The reason for this is that the "best" way to do the configuration is to have the QB instance running on the primary network access the QB data file on the standalone Quickbooks PC. This will allow for a nice multi-user environment - me and my accountant. The accountant can use QB via VPN and RDP on the QB-only PC and I use QB on my PC using the multi-user QB data file on the QB-only PC (Quickbooks has some configuration quirks when running in multi-user mode :) ).
Sorry, this is out of my sphere of knowledge. I thought we were talking about RDPing to a PC running a single-user application. Now we seem to be talking about some sort of client/server setup. Does that work across subnets? What ports does it use? Sounds like you will have to use the static route method.
 
Someone can call me out if I'm wrong on this (cough cough Colin)

Using the Network Services Filter

I think... on your secondary router
It would be a Blacklist of the source IP of your QB PC, Port range empty (as in all), destination IP 192.168.1.0 (or whatever your primary router LAN is). Pretty sure it's that easy.


Now we seem to be talking about some sort of client/server setup.

My grasp of it is the accountant RDP's in and uses the QB software on that PC, meanwhile the OP can run QB on a separate PC on the primary network and access the same database (which is on the QB PC) is all.
 
Using the Network Services Filter

I think... on your secondary router
It would be a Blacklist of the source IP of your QB PC, Port range empty (as in all), destination IP 192.168.1.0 (or whatever your primary router LAN is). Pretty sure it's that easy.
Yep. Personally I wouldn't even specify anything for the source IP, only the destination network (192.168.1.* or 192.168.1.0/24 depending on which firmware you're using). That way you're blocking everything.

My grasp of it is the accountant RDP's in and uses the QB software on that PC, meanwhile the OP can run QB on a separate PC on the primary network and access the same database (which is on the QB PC) is all.
Do we know how the database is accessed? Does it use SQL*net for example, or maybe it's just in an SMB shared folder?
 
Someone can call me out if I'm wrong on this (cough cough Colin)

Using the Network Services Filter

I think... on your secondary router
It would be a Blacklist of the source IP of your QB PC, Port range empty (as in all), destination IP 192.168.1.0 (or whatever your primary router LAN is). Pretty sure it's that easy.
.

I am looking at the Network Service page right now. Are you able to tell me a) would the destination port range also be blank?, and b) what protocol I would use (there are a bunch of choices (TCP, TCP SYN, TCP ACK... UDP))?

Also, can you explain what exactly this is doing? Is it preventing any IP traffic from the Quickbooks PC from flowing to the primary router?

Also I think if you had a static route from primary to secondary you could get away with the VPN on the primary and then RDP to the secondary and utilize the VPN performance that way. And then disallow client-client so the VPN can't access primary clients

I understand the first part of this, but I do not understand what you mean by "And then disallow client-client so the VPN can't access primary clients"
 
Of the last couple of options you have suggested, which would you consider to be the most secure (least chance/greatest difficulty of the VPN client accessing the private network)?
 
I am looking at the Network Service page right now. Are you able to tell me a) would the destination port range also be blank?, and b) what protocol I would use (there are a bunch of choices (TCP, TCP SYN, TCP ACK... UDP))?
See my previous post. You would need two rules, one for TCP and one for UDP. Ignore the other protocol options.

Also, can you explain what exactly this is doing? Is it preventing any IP traffic from the Quickbooks PC from flowing to the primary router?
See the explanation at the top of that GUI page. Basically you're stopping devices on the LAN from making a connection to anything on the primary network (but not vice versa).
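As an added illustration (not code from this thread, nor from the Asus firmware), here is a small Python model of the two pieces of configuration discussed above: the static route entered on the primary router (Network Host 192.168.2.0, Netmask 255.255.255.0, Gateway 192.168.1.2) and the two-rule Network Services Filter blacklist (TCP and UDP, destination 192.168.1.0/24) on the secondary router. Addresses follow the thread's example; the assumption that replies to primary-initiated connections pass the filter, and the hand-written iptables rendering, are mine and are marked in the code.

```python
import ipaddress

# Addressing constructed from the thread: primary router LAN 192.168.1.0/24 (router at .1),
# secondary router WAN side at 192.168.1.2, secondary LAN 192.168.2.0/24, QB PC at 192.168.2.102.
PRIMARY_LAN = ipaddress.ip_network("192.168.1.0/24")
SECONDARY_LAN = ipaddress.ip_network("192.168.2.0/24")
SECONDARY_WAN_IP = ipaddress.ip_address("192.168.1.2")

# Static route on the primary router (LAN -> Route), as the post spells it out:
# Network Host 192.168.2.0, Netmask 255.255.255.0, Gateway 192.168.1.2, Interface LAN.
PRIMARY_ROUTES = [(SECONDARY_LAN, SECONDARY_WAN_IP)]

def primary_next_hop(dst):
    """Where the primary router sends a packet for dst: 'direct' on its own LAN,
    the static-route gateway for the secondary LAN, otherwise its default (WAN) route."""
    dst = ipaddress.ip_address(dst)
    if dst in PRIMARY_LAN:
        return "direct"
    for net, gateway in PRIMARY_ROUTES:
        if dst in net:
            return str(gateway)
    return "default"

# Network Services Filter on the secondary router, blacklist mode: two rules (TCP and UDP),
# source left empty (any LAN host), destination 192.168.1.0/24, port range empty (all ports).
BLACKLIST = [("tcp", PRIMARY_LAN), ("udp", PRIMARY_LAN)]

def secondary_forwards(proto, dst, established=False):
    """Forwarding decision on the secondary router for a packet arriving from its LAN.
    Assumption (not stated in the thread): packets belonging to a connection that the
    primary side opened are already tracked as established and are not blacklisted,
    which is what 'blocks LAN -> primary, but not vice versa' requires."""
    if established:
        return True
    dst = ipaddress.ip_address(dst)
    return not any(proto == p and dst in net for p, net in BLACKLIST)

def iptables_equivalent():
    """Assumed hand-written iptables equivalent of the two blacklist rules (FORWARD chain,
    new connections from the secondary LAN to the primary LAN dropped), for reference only."""
    return [f"iptables -I FORWARD -s {SECONDARY_LAN} -d {net} -p {p} -m state --state NEW -j DROP"
            for p, net in BLACKLIST]

def scenario_results():
    """The cases the thread discusses. 203.0.113.10 is a documentation address standing in for the internet."""
    return {
        "primary_to_qb_next_hop": primary_next_hop("192.168.2.102"),          # OP's PC -> QB data file
        "qb_to_primary_new": secondary_forwards("tcp", "192.168.1.50"),        # QB PC (or RDP'd accountant) -> primary LAN
        "qb_reply_to_primary": secondary_forwards("tcp", "192.168.1.50", True),  # reply to OP's connection
        "qb_to_internet": secondary_forwards("tcp", "203.0.113.10"),           # QB PC -> internet
    }
```

Without the stateful pass-through, the blacklist would also kill replies to the OP's file-sharing session, so on a firmware where the filter is not stateful the accountant-side isolation and the OP-side access cannot both be had from this one rule set.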