no LAN access how would I do

Reposted from http://www.vpnusers.com/viewtopic.php?f=7&t=2817&sid=f910b3d04c898e398f36dfdc6575b405&view=print

YES!!!! I got it mesa!!!

Actually I did it two different ways!

I was able to set up a Virtual Hub with Internet only.

Also I was able to have a Virtual Hub with multiple users and give internet access to some users and then give internet access and LAN to others.

In both cases I had to set up rules in the Manage Access List.

Then only allow traffic to route to and from the router. Then deny access to receiving from computers in the subnet.

Here are examples of what I did

The main difference with the hubs: I had to set up a user group to handle the multiple user types.

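The security policy for users and groups includes an item called privacy filter mode.
All communication between sessions that have the privacy filter mode policy set will be filtered.

Log in with two L2TP users and have them ping each other. First, this option is set per user or group: once filtering is set on a user or group and has taken effect (which requires reconnecting), that user can no longer ping the other IP, regardless of whether the other IP has filter mode set. That is how the test went. The two-way nature of ping is a little hard to reason about here; the two-way exchange seems to become one with the VPN gateway. So applying the access list above is still the safer approach.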
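The access-list approach described in the post, modelled as an added example (not code from the forum post or from SoftEther). It assumes entries are checked in ascending priority, the first match wins, and unmatched packets pass; the subnet, addresses and the group name `inet_only` are constructed.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")
LAN = ipaddress.ip_network("192.168.1.0/24")     # constructed LAN subnet
ROUTER = ipaddress.ip_network("192.168.1.1/32")  # constructed gateway address

@dataclass(frozen=True)
class Rule:
    priority: int                     # assumption: lower number is checked first
    action: str                       # "pass" or "discard"
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    src_group: Optional[str] = None   # None matches any sender
    dst_group: Optional[str] = None   # None matches any receiver

G = "inet_only"  # hypothetical group for the Internet-only users
RULES = [
    Rule(10, "pass", dst=ROUTER, src_group=G),    # client -> router
    Rule(20, "pass", src=ROUTER, dst_group=G),    # router -> client
    Rule(30, "discard", dst=LAN, src_group=G),    # client -> rest of subnet
    Rule(40, "discard", src=LAN, dst_group=G),    # rest of subnet -> client
]
# Same entries with the discards checked first: the router is inside LAN,
# so traffic addressed to the router itself is dropped before a pass entry is reached.
MISORDERED = [replace(r, priority=r.priority + (100 if r.action == "pass" else 0))
              for r in RULES]

def evaluate(rules, src, dst, src_group=None, dst_group=None):
    """Return the action of the first matching entry; unmatched packets pass."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in sorted(rules, key=lambda r: r.priority):
        if r.src_group not in (None, src_group) or r.dst_group not in (None, dst_group):
            continue
        if s in r.src and d in r.dst:
            return r.action
    return "pass"  # assumption: default is pass when no entry matches

if __name__ == "__main__":
    client, host, inet = "192.168.1.50", "192.168.1.20", "203.0.113.10"  # constructed
    for name, rules in (("ordered", RULES), ("misordered", MISORDERED)):
        print(name)
        for dst in ("192.168.1.1", host, inet):
            print(f"  {client} -> {dst}: {evaluate(rules, client, dst, src_group=G)}")
```

Users outside the restricted group match no entry and keep both Internet and LAN access, which corresponds to the mixed-user hub in the post.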

About: dato

