Advice Needed: Separate wired and wireless connections for each VPN client



  • I'm new to pfSense and trying to see if I can get some advice for what I'm trying to set up.  I'm not a networking expert, but I'll try my best to use the correct technical terminology.

    OBJECTIVE
    In essence, I'm looking to set up a pfSense box together with a wireless router (in AP mode) to transmit multiple SSIDs.  Each SSID will be associated with a different OpenVPN client connection that is connected to its respective OpenVPN server.  These servers include PureVPN (a consumer VPN provider) and DD-WRT/Tomato routers I have set up remotely.  I also want ethernet ports linked to these OpenVPN clients so that I can easily get onto each OpenVPN connection through an ethernet cable in addition to wifi.  The purpose of the VPN connections is to overcome geoblocking when I am outside of the U.S. in my overseas apartment, rather than privacy or security.

    CURRENT SETUP
    I currently have a Tomato Shibby router set up for this purpose and it works well, except that I am (i) limited to 2 OpenVPN client instances and (ii) the VPN bandwidth is low because of CPU limitations on the router.  The reason I am looking to pfSense is because of these 2 limitations.  The Tomato setup uses virtual wireless interfaces, VLANs, ethernet bridges and OpenVPN policy routing to accomplish this.  The Tomato router is behind the primary router which is connected to the ISP modem (in bridge mode).  The primary router also transmits a SSID for non-VPN connections directly through my ISP and also provides for wired non-VPN connections through my ISP.

    I've done a lot of research in the past few days to figure out whether pfSense can replicate this setup.  While I haven't seen posts on this forum with the exact setup, I feel that it can be accomplished but need some more guidance from you good folks.  I've come to the conclusion that there are 2 possible setups:

    OPTION #1 - Get a 4-port Protectli pfSense box
    Use 1 of the ports on the Protectli for WAN/Internet access through my primary router and then use the remaining 3 ports to connect to 3 LAN ports on my Tomato router.  Put the current Tomato router in AP mode and switch off DHCP.  I haven't figured it out yet, but I'm thinking I can replicate what my current Tomato router is doing in the pfSense setup (i.e. have each port on the Protectli box 'bridged' to each OpenVPN client connection) and then utilize the Tomato router to transmit an SSID for each OpenVPN connection by setting up virtual wireless interfaces.  I've spoken with Protectli and they think that could work, but neither of us is sure.  The downside of this setup (if successful) is that I would only have wireless access to the OpenVPN connections but not wired connections, as all the Protectli and Tomato router ports will be fully utilized.  I have some unmanaged switches – can I use those to 'add' more ports to the Protectli box and use those ports for the wired OpenVPN connections?  If not, I assume the only option is to buy a 2nd Protectli box to utilize for wired connections?

    OPTION #2 - Build a PC for pfSense
    Assuming that power consumption and fan noise are not an issue, I'm thinking this is a viable option.  I would prefer a mini-ITX build as I want a small footprint, but mini-ITX motherboards only have 1 PCI-e slot, so that could be an issue for my objectives.  The issue here is I am concerned about wasting money on the wrong hardware.  For example, I am looking at Intel quad port NIC cards and there are so many versions (VT, MT, PT, ET, etc.).  I understand that all these models are compatible with pfSense/FreeBSD but I can't find enough information online to be sure.  Also, I'm assuming I need 2 quad port cards – 1 set to connect to the Tomato router to provide wireless access and another set for wired connections.  I read that the motherboard ethernet port is usually not compatible with pfSense, so I'm assuming one of the ports on the cards needs to be for WAN/Internet access.  I won't need a 2nd NIC card if I can 'extend' the 1st one using my unmanaged switch, but again I'm not certain if I can use a switch in this setup without complicating things.  Lastly, it's unclear what the optimal config would be in terms of CPU and RAM, as I don't want to overspend or underspend.

    Any advice or guidance would be much appreciated.  Thank you in advance!


  • LAYER 8 Global Moderator

    "In essence, I'm looking to set up a pfSense box together with a wireless router (in AP mode) to transmit multiple SSIDs.  Each SSID will be associated with different OpenVPN client connections that are connected to their respective OpenVPN servers. "

    Simple solution is to use an AP that can do VLANs and a smart switch that can do VLANs.  Then set up your VLANs in pfSense to use whatever VPN connections you have set up in pfSense.

    Alternate solution is simple policy routing, and you can have whatever IP you want use whatever VPN connection you have set up in pfSense.  You don't need multiple VLANs or anything.  Let's say I create a VPN connection in pfSense to VPN A, and then one to VPN B.  I can have IP address 192.168.1.100 use A, .101 use B, and if not .100 or .101 just use the normal WAN.  Or any other combination you can come up with.

    Not sure why you think you need any special hardware - this is simple policy routing with pfSense.  Sure, you could have as many networks/VLANs as you want behind pfSense.  But how you route a device to your WAN connections, be it native or VPN, is a simple rule - you really don't need any special hardware to do this, unless you want to use VLANs to segment your networks behind pfSense.



  • Hi hkgnyc

    Based on your username, you are in Hong Kong and your apartment is in NYC ?  :)

    Care to share why you need multiple OpenVPN clients, since with many VPN providers you can change location and I think some of them offer 2-4 connections?    Netflix is implementing a lot of countermeasures to detect VPN users and asking them to connect without a VPN.



  • Thanks johnpoz.  I'm not really looking for any special hardware but thinking that having more ports will simplify my configuration, as I would rather not have to configure a managed switch in addition to the pfSense box and wireless AP.  As it stands, I'm looking at 3 OpenVPN client connections on the pfSense box with corresponding wired connections and wireless SSIDs – that's why I'm thinking I need at least 7 ethernet ports on my pfSense box (1 for WAN/Internet access, 3 for wired OpenVPN client access, and 3 for going to the wireless AP).

    Based on your response, is it correct to assume that I can set this up through VLANs by having a dual-port NIC on the pfSense box (1 for WAN/Internet and 1 for LAN to the wireless AP) and then use the remaining 3 open ports on my Tomato Netgear R7000 wireless router for the wired connections?




  • That's very keen observation, ChefRayB.  I split my time between Hong Kong and NYC.

    I use multiple VPN providers as some websites block certain IP address ranges.  I also have OpenVPN servers hosted by friends in the U.S. that I connect to.  All of these connections are for redundancy and flexibility, as I need to ensure I can properly VPN into the U.S. when I am abroad (sometimes for extended periods).



  • LAYER 8 Global Moderator

    Dude, if you need ports and you want to create new networks, get a managed switch.  They are $30 for an 8 port gig smart switch.

    Yes, for pfSense you can get by with just 1 LAN-side port with VLANs on top of it.
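
    The two approaches described in this thread (one VLAN per SSID on a single trunked LAN port, or per-host policy routing on a flat LAN, each pinned to a different OpenVPN client) expressed as pf rules.  This is an added illustration, not configuration posted by anyone in the thread and not a file pfSense reads directly: pfSense generates equivalent rules itself when you create the VLANs under Interfaces > VLANs and set the "Gateway" advanced option on firewall rules.  All interface names (igb0/igb1, igb1.10 etc., ovpnc1..3), VLAN IDs, subnets and tunnel gateway addresses below are assumed values.

```pf
# Added example, not from the thread.  Policy routing as johnpoz describes it,
# written in pf.conf syntax.  pfSense builds the same rules from Firewall > Rules
# when a rule's "Gateway" option points at an OpenVPN client gateway.
# Every interface name, VLAN ID, subnet and gateway address here is assumed.

# --- assumed interfaces ---
# igb0              WAN (toward the primary router)
# igb1              the single LAN port, carried as a VLAN trunk to the smart switch / AP
# igb1.10/.20/.30   VLANs 10/20/30 on top of igb1 (pfSense: Interfaces > VLANs)
# ovpnc1..ovpnc3    OpenVPN client tunnels to VPN A, VPN B and a friend's router
lan_if   = "igb1"
vlan_a   = "igb1.10"
vlan_b   = "igb1.20"
vlan_c   = "igb1.30"
vpn_a    = "ovpnc1"
vpn_b    = "ovpnc2"
vpn_c    = "ovpnc3"
# Far-end tunnel gateways (assumed addresses pushed by each OpenVPN server)
vpn_a_gw = "10.8.1.1"
vpn_b_gw = "10.8.2.1"
vpn_c_gw = "10.8.3.1"

# Outbound NAT: traffic leaving through a tunnel must be translated to the tunnel's
# own address or the VPN server drops it (pfSense: Firewall > NAT > Outbound, Hybrid).
nat on $vpn_a from 192.168.10.0/24 to any -> ($vpn_a)
nat on $vpn_b from 192.168.20.0/24 to any -> ($vpn_b)
nat on $vpn_c from 192.168.30.0/24 to any -> ($vpn_c)

# Each VLAN must still reach pfSense itself (DHCP, DNS, GUI); match that first so the
# route-to rules below cannot push it into a tunnel.
pass in quick on { $vlan_a $vlan_b $vlan_c } from any to self

# Option A: one VLAN (and one SSID / switch port) per tunnel.  route-to overrides the
# routing table, so each VLAN leaves through "its" VPN regardless of the default route.
pass in quick on $vlan_a route-to ($vpn_a $vpn_a_gw) from 192.168.10.0/24 to any
pass in quick on $vlan_b route-to ($vpn_b $vpn_b_gw) from 192.168.20.0/24 to any
pass in quick on $vlan_c route-to ($vpn_c $vpn_c_gw) from 192.168.30.0/24 to any

# Safety net: if pfSense skips a rule because its gateway is down (System > Advanced >
# Miscellaneous, "Skip rules when gateway is down"), catch the traffic here rather than
# letting it fall through to the plain WAN, which would expose the real location.
block in quick on { $vlan_a $vlan_b $vlan_c } from any to any

# Option B: no VLANs, per-host selection on a flat LAN (192.168.1.0/24).
# .100 -> VPN A, .101 -> VPN B, anything else -> normal WAN via the default route.
pass in quick on $lan_if route-to ($vpn_a $vpn_a_gw) from 192.168.1.100 to any
pass in quick on $lan_if route-to ($vpn_b $vpn_b_gw) from 192.168.1.101 to any
pass in quick on $lan_if from 192.168.1.0/24 to any
```

    The order matters: pf evaluates `quick` rules top to bottom and stops at the first match, so the "to self" rule has to sit above the route-to rules, and the block rule only ever fires when pfSense has dropped a pass rule because its tunnel gateway is down.  By default pfSense does the opposite (it re-applies the rule without the gateway, so traffic silently exits the ISP WAN), which is the behaviour the "Skip rules when gateway is down" setting changes.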

