Netgate Discussion Forum

Dual WAN, dual LAN

Routing and Multi WAN
4 Posts 2 Posters 2.5k Views
    sheepthief, Sep 19, 2012, 4:59 PM

    The more I think about this the more I think it would be better to use two pfsense boxes, but for various reasons I'd prefer to avoid that. Let's see if I can describe the plan without drawing a diagram…

    Site with WAPs with multi-SSID delivered via VLANs, one for staff wifi, one for guest wifi.

    Staff VLAN (security via 802.1x/RADIUS) is bridged to the local network.

    Guest VLAN (security via CP/RADIUS) is routed through an OpenVPN tunnel to a remote site where there's another pfsense box acting as an internet gateway.

    The pfsense box at the internet gateway actually serves a number of tunnels to sites with the pfsense boxes providing staff/guest VLANs.

    The guest network must never see the staff network, and vice versa! So, dual-WAN, but for dual networks rather than for failover or load-balancing.

    What's working so far, in isolation: WAPs, VLANs, 802.1x/CP/RADIUS, OpenVPN tunnelling.

    What's not working: routing. It seems that I need two default routes, one for the staff to the local network, and one for the guest network through the VPN tunnel to the remote internet gateway.

    Is this scenario reasonable, or am I barking up the wrong tree entirely? Is policy-based routing via firewall rules the way to go?

    I've learned a fair amount over the last few weeks but I'm a bit stuck at the moment (and taking a step back to pause and think).

      cmb, Sep 26, 2012, 5:52 AM

      That's reasonable. You'll have to policy route the clients out the VPN.

        sheepthief, Sep 30, 2012, 2:35 PM

        @cmb:

        That's reasonable. You'll have to policy route the clients out the VPN.

        Thanks for the response cmb. I've got policy-based routing working now (forcing guest traffic down a VPN tunnel, though I had to disable gateway monitoring for that to work).

        However, I've had to abandon rolling staff and guest networks through pfsense - it turns out that running pfsense in bridging mode, while using VLANs, and in an ESX high-availability virtual environment, is a bit of a nightmare of layer 2 loops, and it seems that there's no way to resolve it. Ah well.

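The policy routing and guest/staff isolation discussed in this thread, written out as raw pf rules (the primitive behind the "Gateway" selector on a pfSense interface rule). This is an added example, not configuration from the thread or from pfSense itself; the interface names, subnets and tunnel endpoint are assumptions.

```pf
# Added example (not from the thread). All names and addresses below are assumed.
guest_if  = "vlan20"          # guest VLAN interface
staff_if  = "vlan10"          # staff VLAN interface
guest_net = "192.168.20.0/24"
staff_net = "192.168.10.0/24"
vpn_if    = "ovpnc1"          # OpenVPN client interface to the remote gateway
guest_gw  = "10.8.0.1"        # tunnel endpoint at the remote internet gateway

# Default deny; log drops so cross-network attempts show up in the firewall log.
block log all

# Guest clients may still reach the firewall's own guest-VLAN address for
# DHCP, DNS and the captive portal. Listed before the route-to rule so this
# traffic is never pushed into the tunnel.
pass in quick on $guest_if proto { tcp udp } from $guest_net to ($guest_if) keep state

# Hard isolation in both directions, placed before any policy-routing rule
# so it wins regardless of where the default route points.
block in log quick on $guest_if from $guest_net to $staff_net
block in log quick on $staff_if from $staff_net to $guest_net

# Policy routing: everything else from the guest VLAN is forced out the VPN
# interface toward the remote gateway instead of following the default route.
pass in quick on $guest_if route-to ($vpn_if $guest_gw) from $guest_net to any keep state

# Staff VLAN follows the normal default route.
pass in quick on $staff_if from $staff_net to any keep state
```

One caveat worth checking on a real pfSense box: when a monitored gateway is marked down, pfSense by default reloads policy-routing rules without their gateway, so guest traffic would silently fall back to the local default route; enabling "Skip rules when gateway is down" (System > Advanced > Miscellaneous), or keeping explicit block rules like the ones above in front, makes a tunnel outage fail closed instead.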
          cmb, Oct 1, 2012, 5:16 AM

          Yeah, running anything with bridging and HA in ESX will be a mess. Not something I'd recommend: either don't do HA, or don't do bridging; generally the latter is the only good option.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.