Dummy WAN?
-
You can still filter IPSEC tunnel traffic.
Should be able to achieve the routing with static routes. Do you need to use a VPN if you are not routing over a public network?
You can still filter between two pseudo LAN networks. You would get better performance if you are not encrypting traffic.
-
Would be nice to avoid the tunneling, but is required by management. Apparently they don't trust the p2p provider. For the time being, I started testing the configuration with GruensFroeschli's suggestion.
-
What kind of site-to-site connections are you going to have?
If you have to encrypt traffic between the pfSense boxes, I highly recommend using OpenVPN.
With OpenVPN you have the option to specify routes in the config file which are added dynamically to the routing table when the tunnel comes up.
(And they get removed when the tunnel goes down, aka the link drops for whatever reason.) With this you have the ability to create two routes (0.0.0.0/1 and 128.0.0.0/1) which point to the other side of the tunnel, effectively routing everything towards the internet.
After disabling automatic VPN rule generation you can assign the VPN interface as if it were a normal interface and create firewall rules for it. So with your description I would:
Have one physical interface: LAN --> connect to LAN
Have one physical interface: WAN --> leave unconnected
Have one physical interface: OPT1 --> connect to "both" site-to-site connections. Put all the site-to-site connections in the same subnet. (Is this possible?)
Have as many virtual VPN interfaces as you need: OPT2, OPT3, ... --> connect over OPT1 to the other sites. This would look like this:

WAN -------|
LAN ----- S1---- OPT1-------|
           |                |
           OPT2(VPN)        |
                            |
WAN -------|                |
LAN ----- S2---- OPT1-------|
           |        |       |
      OPT2(VPN)  OPT3(VPN)  |
                            |
LAN ----- S3---- OPT1-------|
           |
           OPT2(VPN)
           |
           |----- WAN --- internet
-
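The 0.0.0.0/1 + 128.0.0.0/1 trick in the post above works because of longest-prefix matching: each /1 covers half the address space and is more specific than the /0 default route, so while the tunnel is up every destination not covered by an even more specific route (the local LAN, a remote site subnet) goes through the tunnel, and when the tunnel routes are withdrawn the original default route takes over again without anyone touching the table. The following is an added example, not code from the thread or from pfSense/OpenVPN; it simulates that routing-table behaviour in Python with constructed addresses (192.168.10.0/24 as the local LAN, 203.0.113.1 as the WAN gateway, 10.8.0.1 as the tunnel peer are all made up) so the effect of tunnel up/down can be checked without a box. In a real OpenVPN config these two routes are what `redirect-gateway def1` installs, or equivalently two `route` directives with `vpn_gateway` as the next hop.

```python
import ipaddress

# Constructed routing table for one pfSense box (all addresses are made up
# for this example): a directly connected LAN plus a default route out of the
# WAN gateway, which is what the box uses when nothing more specific matches.
BASE_ROUTES = [
    ("192.168.10.0/24", "lan0"),      # local LAN, directly connected
    ("0.0.0.0/0", "203.0.113.1"),     # default route via WAN gateway
]
VPN_GW = "10.8.0.1"                   # OpenVPN peer (vpn_gateway), constructed


def lookup(routes, dst):
    """Longest-prefix match, as the kernel does it: the most specific route
    that contains dst wins, regardless of the order the routes were added."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


def tunnel_up(routes, vpn_gw, remote_lans=()):
    """Routes OpenVPN installs when the tunnel comes up: the two /1 halves of
    the address space (each beats the /0 default, so all non-local traffic
    prefers the tunnel) plus any remote site subnets pushed or configured."""
    added = [("0.0.0.0/1", vpn_gw), ("128.0.0.0/1", vpn_gw)]
    added += [(lan, vpn_gw) for lan in remote_lans]
    return routes + added


def tunnel_down(routes, vpn_gw):
    """When the link drops, every route pointing at the tunnel peer is
    withdrawn; the untouched /0 default becomes the best match again."""
    return [(prefix, gw) for prefix, gw in routes if gw != vpn_gw]


if __name__ == "__main__":
    up = tunnel_up(BASE_ROUTES, VPN_GW, remote_lans=["192.168.20.0/24"])
    for dst in ("8.8.8.8", "192.168.10.5", "192.168.20.7"):
        print(f"tunnel up:   {dst:15} -> {lookup(up, dst)}")
    down = tunnel_down(up, VPN_GW)
    for dst in ("8.8.8.8", "192.168.20.7"):
        print(f"tunnel down: {dst:15} -> {lookup(down, dst)}")
```

The point to take from the simulation is that the local LAN route (a /24) still wins over the tunnel /1 routes, so only traffic that would otherwise have left via the default route is pulled into the tunnel, and that with the tunnel down the remote site subnet silently falls back to the WAN default route, which is exactly where a firewall rule on the (dummy) WAN interface should be blocking it.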
Wouldn't OpenVPN give lower throughput than IPSec? Why is it "highly recommended"? The "virtual IFs" usage is not clear to me. The intersite connections are point-to-point fiber optic links provided by an external company; they're terminated as ethernet connections with their hardware. I'll check again, but currently I'm limited with interfaces, so I'm not sure I can assign one unused card to WAN (although it would be ideal).
-
Why do you think IPSec performs better than OpenVPN?
It all depends on what encryption you choose.
You might consider adding a hardware crypto accelerator to your setup if you intend to push close to wirespeed encrypted traffic. I think for your application OpenVPN is better since you can actually route with it.
I usually don't use IPSEC so most of my experience with pfSense and IPSEC is from reading about it here.
What I've read is that you can't actually route into the IPSEC tunnel but more define ranges which get redirected (please someone correct me if I'm wrong with this). For each OpenVPN instance you can create a virtual interface on the pfSense.
From the routing point of view there is no difference between such a virtual interface and a real interface. Are these fiber links bridges?
Or does the terminating hardware do some kind of routing? How many interfaces do you have available on your hardware?
-
What i've read is that you can't actually route into the IPSEC tunnel but more define ranges which get redirected (please someone correct me if i'm wrong with this).
That's what I've read too and why I'm planning on changing 20+ IPSEC VPNs to OpenVPN.
-
That's my plan with my 56 IPSEC tunnels, although I'm waiting for the cert management that is built into pfSense v2.
-
As it's running in userspace, OpenVPN requires more context switches to do the same work. I'm testing it with a VM since I could only establish one IPSec tunnel; the assistant for the second one didn't like my IP addressing apparently.
For what I know, the links are terminated by routers.
Currently site1 has 2 IFs, site2 has 2 IFs and site3 has 3. I think we can add more, but currently that's all we have.
-
This might interest you:
http://openvpn.net/archive/openvpn-users/2007-02/msg00088.html
Also try googling IPSEC vs OpenVPN. Yes, OpenVPN is slower than IPSEC, but IMO marginally.
Using an encryption which has hardware support on your platform will give you way bigger performance gains than looking for optimizations on this level. What hardware are you going to use?
Do you really need to tweak the last bit of performance?
I think the advantages you gain with OpenVPN (true routability!, NAT-able into the tunnel) weigh more than having a few kbit/s more bandwidth on the link ;)
-
I'm not sure about the hardware, I think they're full blown PCs. They'll be provided by the client. Would be nice to have a demo config of this kind of setup in the book ;D
I still didn't try to route connection from site1 to site3 as i'm still having some connectivity issues with one direction of one of the tunnels…
Ref: http://forum.pfsense.org/index.php/topic,23854.0.html