Planning: New home network with Ubiquiti and pfSense



  • Hello,

    I'm planning to build a new home network for my new 1000/1000 Mbit/s connection.

    I have planned to buy a Ubiquiti router, switch and AP, but my headache starts when it comes to securing my server behind a VPN.
    The simplest thing would be to run a software VPN on the server, but I don't want that since, from what I have read, it will take a lot of CPU to even come close to 1000/1000 Mbit/s.

    So what I am looking at is to put a pfSense machine with an i7-2600K to act as a hardware VPN between the switch and the server I want to secure. Now this is where my knowledge stops: if I do that, will it be as secure as if I had the VPN as the router at the beginning? And will I still be able to connect to the server locally? (e.g. TV, NAS, computer etc. need to reach the server locally.) This is a flow chart of what I am trying to describe:

    I get that the best thing would be to use this pfSense server as the router and skip the Ubiquiti, but I don't want my whole network to be on the VPN.


  • Rebel Alliance Global Moderator

    "I get that the best thing would be to use this pfSense server as the router and skip the Ubiquiti, but I don't want my whole network to be on the VPN."

    Huh?? You do understand the UniFi router.. You're talking about this gateway, right?
    https://www.ubnt.com/unifi-routing/usg/

    It can be a VPN server.. Just because it hosts VPN connections does not mean your whole network is on a VPN. From my understanding, to do VPN with the USG you have to use the CLI.. Why can you not just use pfSense for your router and then use UniFi for your AP and switches?

    Again, it does not matter what you use as a router and what sort of VPNs you use, be it site to site, road warrior, VPN client to some VPN service or whatever etc.. This does not mean your whole network is on the VPN.



    "It can be a VPN server.. Just because it hosts VPN connections does not mean your whole network is on a VPN. From my understanding, to do VPN with the USG you have to use the CLI.. Why can you not just use pfSense for your router and then use UniFi for your AP and switches?"

    Thanks for the answer.
    So if I use my pfSense server and set it as the router, and set it up with OpenVPN, I can route the VPN connection to one device only and not all?
    Also, the USG will never manage to do 1000/1000 Mbit/s over VPN, so that's why I am planning to use a pfSense server with an overclocked i7 (even that might not handle 1000 Mbit/s, but maybe closer).

    So these are the choices I have. Trying to achieve 1000/1000 over VPN is going to be hard and that's why I would like to not do it on the main router, but the server still needs to access devices on the LAN and devices on the LAN need to access the server. Is it even possible with Option 1?

    Option 1: Router > Switch > pfSense (VPN) > Server
    Option 2: pfSense (VPN) > Switch > Server (downside here is that the pfSense acts as both router and VPN, so it will be under heavy load)



    You will have to put some rule(s) on the OpenVPN to allow the incoming traffic that you want anyway. So you can just allow traffic with destination = LAN IP of the server. Then, after connecting to the OpenVPN, the remote user/device can only access that one IP address. And you can limit it to certain ports if you like.


  • Rebel Alliance Global Moderator

    A VPN connection on pfSense just amounts to a different gateway; you can policy route whatever you want through that gateway. As to inbound from that connection, yes, you can limit what it can talk to..
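The two replies above (limit inbound OpenVPN traffic to the one server, and policy route only that server through a VPN gateway) can be written out as pf rules. This is an added example, not a ruleset from the thread or from pfSense itself: pfSense generates its own pf.conf from the GUI rules, and what follows is the plain pf syntax those GUI rules correspond to. The interface names (ovpns1, ovpnc1, igb1), the 192.168.1.0/24 LAN, the 192.168.1.10 server, the 10.8.0.0/24 remote-user pool, the 10.9.0.1 tunnel gateway and the port list are all constructed for the example.

```conf
# Constructed pf ruleset fragment (added example, not from the thread).
# Assumed names: ovpns1 = OpenVPN server tunnel on pfSense (remote users
# dial in here), ovpnc1 = OpenVPN client tunnel to a VPN provider,
# igb1 = LAN, 192.168.1.10 = the server to protect,
# 10.8.0.0/24 = addresses handed to remote OpenVPN users.

vpn_net = "10.8.0.0/24"
lan_net = "192.168.1.0/24"
srv_ip  = "192.168.1.10"
srv_tcp = "{ 22, 443 }"

# Weak: a blanket "pass any" on the OpenVPN interface. Every remote peer
# can reach every LAN host, not only the server. Left commented out.
# pass in quick on ovpns1 inet from $vpn_net to any keep state

# Restricted: remote peers may reach only the server, only on the listed
# TCP ports (plus ping), with state so replies flow back. Anything else
# arriving from the tunnel is dropped and logged, which is what you
# want to see in the firewall log if a remote device misbehaves.
pass in quick on ovpns1 inet proto tcp from $vpn_net to $srv_ip port $srv_tcp flags S/SA keep state
pass in quick on ovpns1 inet proto icmp from $vpn_net to $srv_ip icmp-type echoreq keep state
block in log quick on ovpns1 inet from $vpn_net to any

# Policy routing (the "different gateway" in the moderator's reply):
# only traffic from the server that leaves the LAN is sent out through
# the client tunnel; every other LAN host keeps the default WAN gateway.
# The route-to rule is listed first and uses "quick" so it wins over the
# general LAN pass rule below it. 10.9.0.1 is the constructed tunnel
# gateway address.
pass in quick on igb1 inet route-to (ovpnc1 10.9.0.1) from $srv_ip to ! $lan_net keep state
pass in quick on igb1 inet from $lan_net to any keep state
```

In the pfSense GUI the first block corresponds to rules on the Firewall > Rules > OpenVPN tab with Destination set to the server's address and the port list, followed by the tab's implicit default deny; the route-to rule corresponds to a LAN rule with Source set to the server and the Gateway field set to the VPN client gateway. Note that the "to ! $lan_net" exclusion is what keeps local access working in Option 2: traffic between the server and other LAN hosts in the same subnet never enters the tunnel (and in fact never leaves the switch), so the TV, NAS and computers still reach the server directly.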