Install Pfsense
-
Best
I have a big home network, with some servers and other stuff.
I have a router, but I would like to have pfSense only as a VPN server. Can I do that without problems? So I can access my servers everywhere in the world.
I would like to access my LAN network then. It would be in the same subnet but I will reserve some IP addresses for the VPN.
Thanks for the help.
-
Why wouldn’t you replace your router with pfSense? That’s a much better option.
Technically you can do what you want to do.
-
Yeah I know, but the hardware that I will use will be a bit old. Not really that redundant. If the VPN goes dead it's not that bad. If the router goes dead it's really a bad situation. Because the security is also on the network.
-
Should I use only the LAN port on the pfSense box?
-
Go to the top of this page and click the Search magnifying glass, then type in 'single nic' and press Enter. Lots of people have already done this.
-
Is it possible to do it? Can't find a topic that's what I want to do
-
@duckzelf said in Install Pfsense:
Is it possible to do it? Can't find a topic that's what I want to do
Yes.
https://www.netgate.com/docs/pfsense/vpn/openvpn/index.html
-
Yes, it's possible to do it.
It would be better to have it on a different subnet if you can because otherwise you're going to hit asymmetric routing issues. You can work around those by NATing the traffic from the VPN clients. It's a bit ugly though.
Obviously you will need to set up port forwards etc. on the existing router for the incoming VPN connections to reach pfSense.
Steve
-
Okay, but then I can't reach my LAN network and servers anymore, right?
-
Why not? As long as you have firewall rules to allow it in your existing router it will work fine. Everything will be routed through that so traffic would not be asymmetric.
But as I say you can use NAT to avoid that.
Steve
-
Would the subnet be the better option or the NAT?
-
Can I set that up in a Netgear R7000, those firewall rules?
-
The separate subnet would IMO.
If it's in the same subnet then you have to either live with asymmetric routing and put in place rules to allow that. I have no idea if your existing router has that capability.
https://www.netgate.com/docs/pfsense/firewall/troubleshooting-blocked-log-entries-due-to-asymmetric-routing.html
Or you NAT the VPN traffic leaving pfSense which means the LAN side resources cannot open connections to VPN clients, only the other way around. Mostly that's not required though.
Steve
-
Okay thanks, the second option would be very nice. Thanks for your help! How do I NAT the VPN traffic?
-
IMHO, if you're not going to replace your Internet router, don't add pfSense to run as a VPN server. You are adding a good amount of complexity to your network. You would need to do a good amount of reconfiguration on the pfSense router to get everything to work flawlessly. And if you run into any issues, the additional complexity is going to make troubleshooting all the more difficult.
Install a Linux box or something like that with OpenVPN running on it. That might be a better solution that is a lot more manageable.
Here is one example. Do some research and this might be a better solution for your network.
https://www.linux.com/blog/how-install-openvpn-centos-7
-
I would use pfSense here if you want OpenVPN. But I may be biased!
Obviously I'm very familiar with it.
Steve
-
I would also use pfSense :). How do I NAT the VPN traffic ;)?
-
Actually it will do that by default if you only have one interface assigned and it has a gateway on it.
Try it and see.
Steve
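
The routing trade-off discussed in this thread, as an added example that is not part of any post: a small Python model that traces the forward and return hops for a VPN client reaching a LAN server, for pfSense on the LAN subnet (with and without outbound NAT) and on a separate subnet. All addresses, the tunnel network 10.8.0.0/24, the second subnet 192.168.2.0/24 and the router's static route to the tunnel network are assumptions made for the illustration.

```python
import ipaddress as ip

def net(cidr):
    return ip.ip_network(cidr)

def trace(tables, owner, start, dst):
    """Follow longest-prefix-match routes from `start` to the node owning `dst`."""
    dst, node, hops = ip.ip_address(dst), start, [start]
    while node != owner[str(dst)]:
        matches = [(n, via) for n, via in tables[node] if dst in n]
        _, via = max(matches, key=lambda r: r[0].prefixlen)
        node = via or owner[str(dst)]      # via=None means the destination is on-link
        hops.append(node)
    return hops

def scenario(pf_on_lan, nat):
    """Return (forward hops, return hops, symmetric?) for client -> server traffic."""
    # Constructed addressing (assumption): LAN 192.168.1.0/24, tunnel 10.8.0.0/24.
    pf_ip = "192.168.1.2" if pf_on_lan else "192.168.2.2"
    pf_link = net("192.168.1.0/24") if pf_on_lan else net("192.168.2.0/24")
    owner = {"10.8.0.2": "client", "192.168.1.10": "server", pf_ip: "pfsense"}
    tables = {
        "client":  [(net("0.0.0.0/0"), "pfsense")],     # everything enters the tunnel
        "pfsense": [(net("10.8.0.0/24"), None), (pf_link, None),
                    (net("0.0.0.0/0"), "router")],
        # Assumed static route on the existing router: tunnel network via pfSense.
        "router":  [(net("192.168.1.0/24"), None), (net("192.168.2.0/24"), None),
                    (net("10.8.0.0/24"), "pfsense")],
        "server":  [(net("192.168.1.0/24"), None), (net("0.0.0.0/0"), "router")],
    }
    # With outbound NAT the server sees pfSense's own address as the source.
    seen_src = pf_ip if nat else "10.8.0.2"
    fwd = trace(tables, owner, "client", "192.168.1.10")
    ret = trace(tables, owner, "server", seen_src)
    if nat:
        ret.append("client")               # pfSense reverses the NAT, sends into tunnel
    return fwd, ret, fwd == ret[::-1]

if __name__ == "__main__":
    for pf_on_lan, nat in [(True, False), (True, True), (False, False)]:
        fwd, ret, sym = scenario(pf_on_lan, nat)
        label = f"pfSense on LAN={pf_on_lan}, NAT={nat}"
        print(f"{label}: {' > '.join(fwd)} | {' > '.join(ret)} | symmetric={sym}")
```

In the first case the router appears only on the return path, so a stateful filter there sees replies for a connection it never saw open. In the NAT case the server only ever sees pfSense's address, which is why LAN hosts cannot open connections to VPN clients.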