Thursday, 22 August 2013

isolate l2tp vpn client traffic

I have successfully set up an L2TP/IPSec server under Server 12.04 LTS,
following info from here with a few tweaks from here. I can connect on my
iPhone, get an internal address, and browse the internet as if I'm sitting
at my desk at home. One thing I'd like to do is isolate VPN traffic so
that VPN clients can't access anything else in my home network. (Yeah, it
sounds strange, but this is strictly for iOS devices only, and really only
for when I'm traveling and need my home IP address while on the internet.
I have other ways to get to my home computer or file shares.) The setup
is, my home network DHCP range is 192.168.1.0/24; the VPN range is
192.168.2.0/24. So in /etc/ipsec.conf I have the following, which, based
on the comments in the file, I thought should limit accessible subnets to
just what's on this line:
virtual_private=%v4:192.168.2.0/24
Additionally, in the [lns default] section of /etc/xl2tpd/xl2tpd.conf I
have the following:
ip range = 192.168.2.1-192.168.2.254
However when I connect with my phone, I can browse my Plex Media Manager,
which is located in my DHCP range. It's that kind of access I'm looking to
restrict.
In talking with some friends the first off-the-cuff idea was to use VLANs.
But the server is running as a virtual (vbox) on my desktop PC with one
NIC so I don't think I can use VLANs here.
The next-best suggestion was to put up some iptables rules to drop traffic
not going to 192.168.2.0/24 but I can't seem to get the rule(s) right -
I've been using -A OUTPUT ! -d 192.168.2.0/24 -j DROP but it seems like
there needs to be an exception to that rule and I confess my fluency in
iptables is kinda terrible. As soon as I enter that rule by itself, I can
no longer make a VPN connection.
I also experimented with using two NICs, one with a static IP of
192.168.2.1 and another with a static IP of 192.168.1.xxx, then changed
over the conf files to use the .2.1 address; but even after changing the
confs and adjusting the port forwarding, I wasn't able to connect. On my
router, I did verify that the router itself had access to 192.168.2.1 and
that the router's subnet mask was 255.255.0.0. I could ping both NICs from
my laptop as well.
I'm kinda bumping into all the walls here. Can anyone give me some
pointers on how to isolate VPN traffic from the rest of my network
(basically internet only, no intranet), given a virtual installation
running in vbox with bridged networking?
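The following is an added example, not part of the original post, showing the shape of an iptables policy that confines L2TP/IPsec clients in 192.168.2.0/24 to internet-only access. It assumes things the post does not state: that the server's single bridged NIC is eth0, that xl2tpd/pppd creates one pppN interface per connected client, and that clients resolve names through the router at 192.168.1.1 (so that one host in the LAN range must stay reachable on UDP 53). The important point it illustrates is that client traffic transits the server and is therefore matched in the FORWARD chain; a DROP in OUTPUT only affects packets the server itself originates, which include the IKE, ESP and L2TP replies to the phone's public address, so a blanket OUTPUT drop prevents the tunnel from ever coming up.

```shell
#!/bin/sh
# Added example: confine L2TP/IPsec clients (192.168.2.0/24) to internet-only
# access. Assumed, not taken from the post: uplink NIC eth0, per-client pppN
# interfaces, and the router at 192.168.1.1 acting as the clients' DNS server.
VPN_NET="192.168.2.0/24"
LAN_NET="192.168.1.0/24"
WAN_IF="${WAN_IF:-eth0}"
DNS_SERVER="${DNS_SERVER:-192.168.1.1}"
IPT="${IPT:-iptables}"

# Emit the rules one per line, in the order they must be inserted.
# They live in FORWARD because client packets pass through the server;
# OUTPUT only sees packets the server itself sends (IKE/ESP/L2TP replies
# included), which is why "-A OUTPUT ! -d 192.168.2.0/24 -j DROP" kills
# the tunnel before it is established.
vpn_isolation_rules() {
    cat <<EOF
$IPT -A FORWARD -i ppp+ -s $VPN_NET -d $DNS_SERVER -p udp --dport 53 -j ACCEPT
$IPT -A FORWARD -i ppp+ -s $VPN_NET -d $LAN_NET -j DROP
$IPT -A FORWARD -i ppp+ -s $VPN_NET -o $WAN_IF -j ACCEPT
$IPT -A FORWARD -i $WAN_IF -o ppp+ -d $VPN_NET -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i ppp+ -j DROP
$IPT -t nat -A POSTROUTING -s $VPN_NET -o $WAN_IF -j MASQUERADE
EOF
}

# Apply the emitted rules; needs root and net.ipv4.ip_forward=1.
# Set IPT="echo iptables" to see what would run without changing anything.
apply_vpn_isolation() {
    vpn_isolation_rules | while IFS= read -r rule; do
        eval "$rule"
    done
}

# Number of rules the policy emits (used as a quick self-check).
rule_count() {
    vpn_isolation_rules | wc -l | tr -d ' '
}

case "${1:-show}" in
    apply) apply_vpn_isolation ;;
    show)  vpn_isolation_rules ;;
esac
```

Run it with no arguments to print the rules, or with `apply` as root to install them. The DNS ACCEPT is placed before the LAN DROP because iptables evaluates rules in order; if the clients are handed a resolver outside 192.168.1.0/24 (via the ms-dns option in the ppp options file), that first rule can be removed. The INPUT rule on ppp+ additionally stops clients from reaching services on the VPN server host itself; the L2TP and IPsec control traffic is unaffected because it arrives on eth0, not on the ppp interfaces. After connecting from the phone, `iptables -L FORWARD -v -n` shows the packet counters on the DROP rule climbing when the client tries to reach a LAN host.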
