Pfsense connected to Fortigate as SSL VPN server only
-
Hello,
We have an SSL VPN server configured on a Fortigate 100E HA cluster; the Fortigate HA cluster is connected to the WAN switch and the LAN switch. We want to migrate the SSL VPN server slowly from the Fortigate to the pfSense server (migrate only the VPN server, not everything). The goal is to use the OpenVPN server in pfSense as the main SSL VPN server for the company, so at first we will have 2 SSL VPN servers with 2 different GWs (one on the Fortigate and one on pfSense) to test the configuration, and once everything is working fine we will stop the SSL VPN server on the Fortigate and use only the OpenVPN server in pfSense. Did anyone do that, and any ideas?
Thanks,
-
@Debian-Linux
So your setup should look like this in the future:

```
WAN ---- Forti ---- LAN
           |
           |--- pfSense-VPN-GW
```

?

In fact pfSense is a LAN device in this case. Maybe there is a switch in between, but this doesn't matter. Yes, you can do this.
- You have to separate pfSense from the LAN, however. Create an additional subnet (maybe VLAN) between the Fortigate and pfSense.
- Assuming you connect the WAN interface of pfSense to the Forti, state the Forti IP (of the VLAN) as upstream gateway in the interface settings.
- On the Fortigate forward the OpenVPN traffic to pfSense.
- On the Forti create static routes for the OpenVPN tunnel networks (assuming you run an access server; for a site-to-site tunnel create static routes for the remote networks instead) and point them to pfSense.
- On pfSense go to NAT > Outbound, enable the hybrid mode and add a rule for the destination of your local networks (can be an alias) to the WAN interface and set it to "no NAT". This enables the destination device to see the real client source IP instead of the pfSense WAN IP.
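As an added illustration of the Fortigate side of the steps above (the port forward and the static route), here is FortiOS CLI that is not the poster's own configuration and was not taken from this thread. Every interface name and address in it is a constructed placeholder: `wan1` is the Fortigate WAN interface, `vlan-pfsense` is the transit VLAN between the Fortigate and pfSense (10.20.0.0/30, Fortigate 10.20.0.1, pfSense WAN 10.20.0.2), 203.0.113.10 is the public address clients connect to, 10.8.0.0/24 is the OpenVPN tunnel network defined on pfSense, and 192.168.1.0/24 is the company LAN. Substitute your own values.

```fortios
# --- Transit VLAN toward pfSense (constructed example, not from the thread) ---
config system interface
    edit "vlan-pfsense"
        set vdom "root"
        set ip 10.20.0.1 255.255.255.252
        set allowaccess ping
        set interface "internal"
        set vlanid 20
    next
end

# --- Service object for the OpenVPN listener (UDP/1194 assumed) ---
config firewall service custom
    edit "OpenVPN-UDP-1194"
        set udp-portrange 1194
    next
end

# --- Step 3: forward OpenVPN traffic arriving on the public IP to pfSense ---
# Only UDP/1194 is mapped; the Fortigate's own SSL VPN on 443 is untouched,
# so both servers can run side by side during the migration.
config firewall vip
    edit "vip-pfsense-openvpn"
        set extip 203.0.113.10
        set extintf "wan1"
        set portforward enable
        set protocol udp
        set extport 1194
        set mappedip "10.20.0.2"
        set mappedport 1194
    next
end

# Policy that lets the forwarded traffic reach pfSense. No NAT here, so pfSense
# (and the OpenVPN logs) still see the real client source address.
config firewall policy
    edit 0
        set name "wan-to-pfsense-openvpn"
        set srcintf "wan1"
        set dstintf "vlan-pfsense"
        set srcaddr "all"
        set dstaddr "vip-pfsense-openvpn"
        set action accept
        set schedule "always"
        set service "OpenVPN-UDP-1194"
        set nat disable
        set logtraffic all
    next
end

# --- Step 4: return route for the tunnel network ---
# LAN hosts reply to 10.8.0.x addresses; the Fortigate must send those replies
# back to pfSense instead of out the default route.
config router static
    edit 0
        set dst 10.8.0.0 255.255.255.0
        set gateway 10.20.0.2
        set device "vlan-pfsense"
        set comment "OpenVPN tunnel network behind pfSense"
    next
end

# Policies for traffic between the tunnel network and the LAN in both directions,
# again without NAT so the LAN sees the VPN client's tunnel address.
config firewall address
    edit "net-openvpn-tunnel"
        set subnet 10.8.0.0 255.255.255.0
    next
    edit "net-lan"
        set subnet 192.168.1.0 255.255.255.0
    next
end
config firewall policy
    edit 0
        set name "openvpn-to-lan"
        set srcintf "vlan-pfsense"
        set dstintf "internal"
        set srcaddr "net-openvpn-tunnel"
        set dstaddr "net-lan"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
        set logtraffic all
    next
    edit 0
        set name "lan-to-openvpn"
        set srcintf "internal"
        set dstintf "vlan-pfsense"
        set srcaddr "net-lan"
        set dstaddr "net-openvpn-tunnel"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end
```

On the pfSense side this pairs with the last step in the list: under Firewall > NAT > Outbound, hybrid mode, a "Do not NAT" rule on WAN with source 10.8.0.0/24 and destination the LAN alias, plus pfSense's WAN gateway set to 10.20.0.1. A quick check that the whole path is right is to connect a test client and confirm on a LAN host that the connection's source address is the client's 10.8.0.x tunnel IP rather than 10.20.0.2; if it shows 10.20.0.2, the no-NAT rule is not matching, and if the connection times out while the handshake succeeds, the Fortigate static route or the lan-to-openvpn policy is the first thing to verify.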