05-03-2018 12:03 PM - edited 05-03-2018 12:19 PM
I am hitting a wall with replicating a VPN setup of a DrayTek router we are looking to replace.
We have two networks:
10.5.0.1/16 (VLAN 5), administrators, keep out!
10.10.0.1/16 (VLAN 10), regular folk
We used to be able to assign a remote VPN user to one of these networks, so that they ended up in the right subnet/VLAN, and got their IP as per policy we would have set up in the DHCP server for that LAN (including static IP assignments and so on). Basically they became part of the same subnet/VLAN as if they were physically at the office using wired or wireless LAN.
This is especially important so that things like broadcasts and bonjour/zeroconf stuff keep working.
It looks like the USG takes a whole different approach: I must create a separate subnet for the VPN users, and I have not found a way to say that remote user A may only go to subnet X, and remote user B can only go to subnet Y.
Perhaps I could use the CLI/JSON method to give the admins some static IPs and then firewall the rest off the restricted network, but there is nothing that prevents the rest from statically assigning these protected IPs (in other words, it is not secure).
Creating multiple remote user VPNs would require us to set up and administer a separate RADIUS server for a couple of administrators, which is something we actually hoped to avoid, and I'm not sure that would solve the mentioned IP spoofing problem anyway.
If things need to be done a bit differently, so be it, but one non-negotiable condition would be that only several VPN users should be able to use a specific protected LAN.
Please tell me there is a way to achieve this using UniFi hardware. I don't care how messy any resulting JSON file would be, and we did not just buy a USG Pro as a very expensive paperweight.
Hope you can help. I hope I can use it for this, since its controller is management heaven compared to logging into different interfaces everywhere.