Needed a remote user to be able to access a server (with admin rights) but nothing else on the LAN. Without getting into detail, the option of using VLANs (tagged or otherwise) wasn’t available, so I needed a simple solution. Using the existing Draytek router, I created a ‘remote dial-in user’ account and gave the connection a specific internal IP address. Then, in the firewall rules on the router, I configured two entries so that this specific address could only access the one internal address; all others were blocked, as per this Draytek KB article.
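A quick way to sanity-check a two-entry policy like this before trusting it is to model it and enumerate what the VPN address can reach. This is an added example, not taken from the post or from Draytek; the addresses are constructed, and it assumes first-match rule evaluation with a default action of pass, which may differ from the router's actual behaviour.

```python
import ipaddress
from typing import NamedTuple

class Rule(NamedTuple):
    src: str      # source network (CIDR)
    dst: str      # destination network (CIDR)
    action: str   # "pass" or "block"

def decide(rules, src, dst, default="pass"):
    """Assumed semantics: first matching rule wins, else the default applies."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst):
            return r.action
    return default

def reachable(rules, src, lan, default="pass"):
    """Every host address in the LAN that the source is allowed to reach."""
    return [str(h) for h in ipaddress.ip_network(lan).hosts()
            if decide(rules, src, str(h), default) == "pass"]

# Constructed sample values, not from the original post.
LAN = "192.168.1.0/24"
VPN_USER = "192.168.1.200"   # fixed IP given to the dial-in account
SERVER = "192.168.1.10"      # the one server the user may reach

ALLOW = Rule(f"{VPN_USER}/32", f"{SERVER}/32", "pass")
BLOCK = Rule(f"{VPN_USER}/32", LAN, "block")

def audit():
    """Compare the intended rule order with two common mistakes."""
    return {
        "allow_then_block": reachable([ALLOW, BLOCK], VPN_USER, LAN),
        "block_then_allow": reachable([BLOCK, ALLOW], VPN_USER, LAN),
        "allow_only": reachable([ALLOW], VPN_USER, LAN),
    }

if __name__ == "__main__":
    for name, hosts in audit().items():
        print(f"{name}: {len(hosts)} reachable host(s)")
```

Under these assumptions, only the allow-then-block order leaves exactly one reachable host: reversing the entries locks the user out of the server, and omitting the block entry leaves the whole LAN open to the VPN address.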