Multi-client site to site ipsec tunnels



  • We have numerous clients who want to be able to connect to us.  Each client wants to have an IPsec tunnel to their own servers.  At the same time we need to be able to access a subnet or two on their side (we pull data and process it), and they access the results. The way we're currently doing it, each client gets an AWS Marketplace pfSense firewall with a direct tunnel between their subnet and their network. This is okay, but we currently have over 75 clients, so managing all the pfSense instances is getting to be a lot of work. Also, since we use the 10.10/16 subnet internally and some clients also use space in 10/8, we use BINAT to 172.16.

    Besides the rules in the client-specific pfSense firewalls, we also have AWS security groups set up so that only the client's subnet can access their client servers on our side, and our client servers can only get to that specific client's servers on their side.

    What I would like to do is consolidate down to a redundant pair of more powerful pfSense AWS instances.  Is this possible with all the overlapping subnets, or is it best to keep doing a single pfSense firewall per client?

    Ex.
    Our side:
    Client A Servers - 10.10.10.0/24 - BINAT: 172.16.10.0/24 - AWS SecGroup: ClientA
    Client B Servers - 10.10.11.0/24 - BINAT: 172.16.11.0/24 - AWS SecGroup: ClientB
    Client C Servers - 10.10.12.0/24 - BINAT: 172.16.12.0/24 - AWS SecGroup: ClientC

    Client Datacenter Networks:
    Client A Side: 192.168.0.0/24
    Client B Side: 10.0.0.0/16
    Client C Side: 10.10.0.0/16
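
An added example that is not part of the original post: before consolidating 75 client tunnels onto one pair of firewalls, the address plan itself has to be free of collisions, because on a single box every phase 2 entry shares one routing table and one NAT table. The script below (written for this thread, using Python's standard `ipaddress` module) takes a constructed inventory mirroring the three clients above and flags the overlaps that matter on a shared firewall: BINAT ranges that collide with each other or with our internal space, remote subnets that collide with each other (two phase 2 entries that claim the same remote network are ambiguous), and remote subnets that overlap our internal space, where the client also has to NAT their side. It also emits the per-client phase 2 parameters; the field names `local`, `nat_binat` and `remote` are my labels for pfSense's "Local Network", "NAT/BINAT translation" and "Remote Network" boxes, not an export format.

```python
from ipaddress import ip_network

# Our real internal space (from the post: 10.10/16).
OUR_INTERNAL = ip_network("10.10.0.0/16")

# Constructed sample inventory mirroring the three clients in the post.
# local  = real subnet on our side, binat = what the client sees,
# remote = the client's data-centre network we need to reach.
CLIENTS = {
    "ClientA": {"local": "10.10.10.0/24", "binat": "172.16.10.0/24", "remote": "192.168.0.0/24"},
    "ClientB": {"local": "10.10.11.0/24", "binat": "172.16.11.0/24", "remote": "10.0.0.0/16"},
    "ClientC": {"local": "10.10.12.0/24", "binat": "172.16.12.0/24", "remote": "10.10.0.0/16"},
}


def _parse(clients):
    return {name: {k: ip_network(v) for k, v in c.items()} for name, c in clients.items()}


def check_plan(clients, our_internal=OUR_INTERNAL):
    """Return a list of (who, problem) findings; an empty list means the plan is
    consistent enough to live on one shared firewall."""
    nets = _parse(clients)
    findings = []
    names = sorted(nets)

    # Per-client checks.
    for n in names:
        c = nets[n]
        if c["local"].prefixlen != c["binat"].prefixlen:
            # BINAT is a 1:1 network translation, so both sides must be the same size.
            findings.append((n, f"BINAT {c['binat']} is not the same size as local {c['local']}"))
        if not c["local"].subnet_of(our_internal):
            findings.append((n, f"local {c['local']} is outside our internal {our_internal}"))
        if c["binat"].overlaps(our_internal):
            findings.append((n, f"BINAT {c['binat']} overlaps our internal {our_internal}"))
        if c["remote"].overlaps(our_internal):
            # Replies to the client's real addresses would be routed internally instead
            # of into the tunnel; the client has to present a translated range as well.
            findings.append((n, f"remote {c['remote']} overlaps our internal {our_internal}; "
                                "the client must NAT their side too"))
        if c["remote"].overlaps(c["binat"]):
            findings.append((n, f"remote {c['remote']} overlaps its own BINAT {c['binat']}"))

    # Pairwise checks: on one box every client shares the same tables.
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a]["binat"].overlaps(nets[b]["binat"]):
                findings.append((f"{a}/{b}", "BINAT ranges overlap"))
            if nets[a]["remote"].overlaps(nets[b]["remote"]):
                findings.append((f"{a}/{b}", "remote subnets overlap: two phase 2 entries "
                                             "would claim the same remote network"))
    return findings


def phase2_entries(clients):
    """Per-client phase 2 parameters for a consolidated firewall: the real local
    subnet, the BINAT range the client sees, and the client's remote network."""
    nets = _parse(clients)
    return [
        {"client": n, "local": str(c["local"]), "nat_binat": str(c["binat"]), "remote": str(c["remote"])}
        for n, c in sorted(nets.items())
    ]


if __name__ == "__main__":
    for who, problem in check_plan(CLIENTS):
        print(f"{who}: {problem}")
    for entry in phase2_entries(CLIENTS):
        print(entry)
```

Run against the sample inventory the only finding is Client C, whose 10.10.0.0/16 is exactly our internal range: that tunnel works today only because the per-client firewall isolates it, and it is the case that makes a shared pair hard. Adding a fourth client whose remote range sits inside Client B's 10.0.0.0/16 produces a pairwise finding, which is the other thing per-client boxes currently hide.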



  • Bump



  • In my opinion you are already using the best option available, because I think that if you tried to consolidate this onto a few hosts, the firewall rules alone would give you nightmares and no sleep. That is aside from all the other config elements you would have to manage on that box. Also, how would you handle downtime? You would have to get permission from more than one client. I think it would be better to have 75 or more pfSense boxes running than a few with a lot of connections, because you have to keep things separated, and what better way than what you are already doing.

    If you really want to switch things up, have a look at Docker / Ansible or Puppet. Make a template where you just have to put in the unknown vars and the rest gets built automatically. Then you can also test whether new versions of pfSense break stuff ;)

    Hope it helps ;)

    TheSec.



  • Have you developed it? Because it is interesting in content.



  • @TheSec:

    In my opinion you are already using the best option available, because I think that if you tried to consolidate this onto a few hosts, the firewall rules alone would give you nightmares and no sleep. That is aside from all the other config elements you would have to manage on that box. Also, how would you handle downtime? You would have to get permission from more than one client. I think it would be better to have 75 or more pfSense boxes running than a few with a lot of connections, because you have to keep things separated, and what better way than what you are already doing.

    If you really want to switch things up, have a look at Docker / Ansible or Puppet. Make a template where you just have to put in the unknown vars and the rest gets built automatically. Then you can also test whether new versions of pfSense break stuff ;)

    Hope it helps ;)

    TheSec.

    Not the answer I was hoping for, but you bring up some really good points.  It is definitely easier to troubleshoot and do maintenance when I'm working on one client and it doesn't affect anyone else.  And my rules are fairly simple per client.

