I would like to create 3 types of access to my LAN behind my router.

1) powerful access: it means the user can access the LAN over IP and can surf the Internet (even if not secure);
2) powerful access to LAN: it means the user cannot surf the Internet but can communicate with whichever PC on the LAN, to every port and IP (everything over the IP protocol is allowed);
3) restricted access to LAN: it means the user cannot surf the Internet and his/her access to the LAN must be subject to constraints.

Using the "acl" option in the client's section is not a good idea, as it marks traffic to be protected. So I cannot use it for people belonging to the 1st group, otherwise they will be permitted to surf the Internet.

I ought to apply rules concerning VPN clients directly to the outside interface, but they will be mixed with other rules applied over that interface.

Is there a prettier way? Should I use route maps? And how?

Moreover, supposing the LAN beyond the router is 192.168.20.0/24, do you think it is a good idea to reserve a subnet (e.g. 192.168.20.128/28) for VPN clients? Doing that also requires specifying a route towards that range pointing to the outside interface.

Sorry for the long post.

Alex.