How to connect 2 (two) pfSenses to WANEM-server to simulate WAN
-
I am about to connect two remote sites over the internet via VPN. I have two pfSenses, one operational on site A (internet over PPPoE) and the other one shall go to site B (internet over Ethernet). Because site B is far away and I am doing this for the first time, I decided to test the connection of the pfSense for site B at site A (home).
I set up a WANEM server to simulate the WAN.
Because pfSense1 on site A is running on my network I want to avoid mistakes in order not to bring my existing network down.
My idea is to enter the existing IP address and gateway of site B to pfSense2 and let WANEM simulate the WAN for this pfSense.
pfSense1 is connected to an ADSL router and is configured for PPPoE. So ideally WANEM would simulate PPPoE, so that, to minimize the internet downtime of pfSense1, I would just switch the LAN cable from the ADSL router to the WANEM server, leaving the settings of pfSense1 untouched. Then I could experiment with the VPN and, when that is working, connect pfSense1 back to the ADSL router (or whenever the missus wants to surf).
Therefore I am hoping someone has documented a similar scenario in a tutorial. Last but not least, if there is another WAN simulator which would suit my purpose, please propose it, because I am not bound to WANEM; this fresh installation was only set up for the purpose described above.
I would also like to know if it is possible to run both firewalls and the VPN on the same network 192.168.1.0/24 or if they must differ (192.168.1.0/ & 192.168.2.0). I am still "green" in networking and believe that my small network would be easier to maintain if site A used 192.168.1.1 to 192.168.1.127 and site B 192.168.1.128 to 192.168.1.254.
-
@iami said in How to connect 2 (two) pfSenses to WANEM-server to simulate WAN:
I would also like to know if it is possible to run both firewalls and the VPN on the same network 192.168.1.0/24 or if they must differ (192.168.1.0/ & 192.168.2.0). I am still "green" in networking and believe that my small network would be easier to maintain if site A used 192.168.1.1 to 192.168.1.127 and site B 192.168.1.128 to 192.168.1.254.
Hi! I feel I should say: basically you need to read up on and understand some basic concepts of networking, huh?
Different IPv4 networks require different subnets, and this concept is well accepted to make all things on the network work correctly. So you need to set subnets like:
Local LAN to "A" (ex. class C subnet 192.168.A.0/24)
Tunnel to "Z" (ex. class B subnet 10.0.Z.0/28 or higher CIDR)
Remote LAN to "B" (ex. another class C address 192.168.B.0/24)
But I know it isn't too easy understanding all networking things by yourself; a little network training with a teacher of some kind will help much more than only reading about it.
I remember my nightmare at school time (many many years ago) was the ISO/OSI layers; it looks like hard stuff without being explained right. But it's much easier to understand when a good teacher explains it to you. Good luck!
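As an added illustration (not part of the thread), a short Python check of the address plan described in the reply above: local LAN, tunnel and remote LAN must be distinct, non-overlapping networks. It also shows, going slightly beyond the reply, that the original idea of splitting 192.168.1.0/24 into .1-.127 and .128-.254 only yields two networks if each site actually uses a /25 mask; with /24 masks both halves are still one network. The tunnel value 10.0.8.0/28 is a constructed placeholder.

```python
import ipaddress


def check_vpn_address_plan(local_lan, remote_lan, tunnel_net):
    """Return a list of overlap problems in a site-to-site VPN address plan.

    Each argument is a CIDR string. Any overlap between the three networks
    means the routes installed for the tunnel would be ambiguous, so the
    plan is only usable when the returned list is empty.
    """
    nets = {
        "local LAN": ipaddress.ip_network(local_lan, strict=False),
        "remote LAN": ipaddress.ip_network(remote_lan, strict=False),
        "tunnel": ipaddress.ip_network(tunnel_net, strict=False),
    }
    problems = []
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    return problems


def split_is_same_network(first_host, second_host, prefixlen=24):
    """True if both hosts fall into the same /prefixlen network.

    Splitting a /24 "by hand" into a lower and an upper half does not create
    two networks unless the mask on both sites is changed to /25.
    """
    a = ipaddress.ip_interface(f"{first_host}/{prefixlen}").network
    b = ipaddress.ip_interface(f"{second_host}/{prefixlen}").network
    return a == b


if __name__ == "__main__":
    # The plan proposed in the question: both sites inside 192.168.1.0/24.
    print(check_vpn_address_plan("192.168.1.0/24", "192.168.1.0/24", "10.0.8.0/28"))
    # The plan the questioner settled on after the reply.
    print(check_vpn_address_plan("192.168.1.0/24", "192.168.2.0/24", "10.0.8.0/28"))
    print(split_is_same_network("192.168.1.1", "192.168.1.254"))
```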
-
@babiz
Thanks for the answer and yeah man, you're right. Learning, learning, learning. I will set up site A 192.168.1.0/24 and site B 192.168.2.0/24.
How about the rest: maybe pfSense already has everything implemented to connect two pfSenses (without testing it as I thought) and I am just too paranoid that my pfSense2 will not work when I arrive at the remote site?
-
@iami
Well, I don't fully understand what your goal is.
But if you would like to simulate VPNs locally, I don't know.
My experience with building VPNs is very basic; for an IPsec VPN, I followed some tutorials and went on.
When setting up tunnels, first of all I opened on the WAN side of the remote site one HTTPS port (at a random number I like) NATted to the remote pfSense LAN address:443 (web UI), and set up DynDNS if the assigned public IP is not static.
This allowed me to manage and test different IPsec configurations and made sure I chose right when dealing with the real ISP WAN behaviours. Next, when the tunnel is up and running, I simply disabled the NAT rule pointing to the pfSense web UI, of course.
According to me, this "method" allows easy training of some stuff between local and remote site, hassle free.
-
I am a step further now :-) I thought it too complicated to install a server with WANEM to simulate my internet connection.
To achieve my goal of connecting the two pfSenses, it should be enough to connect both WAN ports over a simple switch, right? Then I will be able to test my VPN, and when this is running I will take one pfSense and only change the WAN settings to those of site B, and be sure that when I arrive there it will work.
Any thoughts?
-
@iami said in How to connect 2 (two) pfSenses to WANEM-server to simulate WAN:
To achieve my goal of connecting the two pfSenses, it should be enough to connect both WAN ports over a simple switch, right?
Well, in short, you can also connect through one cable, directly WAN to WAN, the Ethernet ports for linking the pfSense boxes; Auto MDI/MDI-X capable NICs can swap TX and RX at the handshake stage, so you don't need a crossover-like cable, just a normal cable.
Basically on paper you are right, but in the real world your connection between the pfSenses' WANs takes a different path than just a "single hop", and because of this it is not easy to make everything you have in mind work.
I mean, connections with ISPs imply one or more "hops" between the ISPs' routers, so not ALL settings (like crypto cipher and bitrate) are allowed to pass through the ISPs' network.
Here for example, my ISP allows only some common ones for establishing tunnels, so you had better start with a common setup as well.
-
Thank you for the help! I understand. What I am trying to achieve is to make sure my VPN is running, because I am setting it up for the first time. I have no other option than to test the two pfSenses as I suggest. After I see that the VPN connects from both sides I can travel in peace. Otherwise I am sure I will end up at site B without VPN.