Cisco environment with multiple VLANs and branch office VPNs



  • We currently have 3 locations, all connected via IPsec site-to-site VPN tunnels to the main site. The main site has the topology shown below. I'd like to insert the pfSense as transparently as possible, so that it doesn't take over routing or disrupt our existing network, but is still able to filter and block as a firewall. Can anyone assist with where to put the pfSense in the topology, and are there any guides out there for preserving the existing VLAN setup and site-to-site tunnels with pfSense?

    HQ site:

    WAN (internet) -> Cisco edge router -> Catalyst Layer 3 switch (does routing and VLANs) -> Catalyst Layer 2 switches -> hosts

    Site 2:
    WAN (internet) -> Netgear router -> hosts

    Site 3:
    WAN (internet) x 2 -> Peplink Balance router (dual WAN failover) -> hosts

    Thanks!


  • Rebel Alliance Global Moderator

    "I'd like to insert the PFsense as transparently as possible"

    Insert it where? Where are you wanting to do firewalling? Between your sites, or between your VLANs at your HQ? Sites 2 and 3 don't have multiple VLANs?

    You're planning on multiple pfSense boxes, at all 3 sites?



  • I want to firewall internet activity at the HQ site first. The HQ site is the only one with multiple VLANs; the branches have single-subnet networks and a minimal number of hosts (only cameras at one of the sites). I will deploy a pfSense to each of the other sites at a later point.


  • Rebel Alliance Global Moderator

    Then you could put it between your router and your L3 switch in 2 different fashions: as a full router, with a transit network going to your edge router and a transit network going to your L3 switch, or you could put it in bridge mode and use it as a transparent firewall.

    I would go with routed mode, just because it's more straightforward and less complex.

    You would just turn off its NAT, since I assume your edge Cisco is currently doing the NAT.

    Or you could just replace your current Cisco edge with pfSense. This would probably be the best option.
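    The routed-mode placement described above, written out as an added example (not from this thread or from Netgate): two /30 transit networks, NAT left on the Cisco edge, and the return routes both neighbours need so traffic from the internet and from the branch IPsec tunnels comes back through pfSense. All addresses and subnet sizes are assumed placeholders.

    ```cisco
    ! Added example, not from this thread. Assumed addressing (placeholders):
    !   edge <-> pfSense WAN transit : 192.0.2.0/30    (edge .1, pfSense .2)
    !   pfSense LAN <-> L3 switch    : 198.51.100.0/30 (pfSense .1, switch .2)
    !   user VLANs behind the L3 switch : 10.10.0.0/16
    !   branch subnets reached via IPsec on the edge : 10.20.0.0/24, 10.30.0.0/24

    ! --- Cisco edge router (still does NAT and terminates the IPsec tunnels) ---
    interface GigabitEthernet0/1
     description Transit to pfSense WAN
     ip address 192.0.2.1 255.255.255.252
     ip nat inside
    !
    ! Return path: the internal VLANs must be routed back through pfSense,
    ! otherwise replies from the internet and from the branch tunnels stop here.
    ip route 10.10.0.0 255.255.0.0 192.0.2.2
    !
    ! The NAT ACL keeps matching the internal VLANs; the transit itself is not NATed.
    ip access-list standard NAT-INSIDE
     permit 10.10.0.0 0.0.255.255

    ! --- Catalyst L3 switch (keeps the VLAN SVIs and inter-VLAN routing) ---
    interface GigabitEthernet1/0/48
     description Transit to pfSense LAN
     no switchport
     ip address 198.51.100.2 255.255.255.252
    !
    ! Remove the old default route that pointed at the edge router, then
    ! send everything non-local to pfSense instead.
    ip route 0.0.0.0 0.0.0.0 198.51.100.1

    ! --- pfSense (set in the web GUI; listed here as the matching settings) ---
    ! Interfaces > WAN : 192.0.2.2/30, upstream gateway 192.0.2.1; untick
    !   "Block private networks and loopback addresses", because the transit
    !   and the branch subnets are RFC 1918 and would otherwise be dropped.
    ! Interfaces > LAN : 198.51.100.1/30
    ! System > Routing > Gateways : add 198.51.100.2 on LAN
    ! System > Routing > Static Routes : 10.10.0.0/16 via that LAN gateway
    ! Firewall > NAT > Outbound : "Disable Outbound NAT rule generation"
    !   (the edge router keeps doing the NAT, as assumed above)
    ! Firewall > Rules > WAN : pass 10.20.0.0/24 and 10.30.0.0/24 -> 10.10.0.0/16
    !   (tunnel traffic from the branches arrives on WAN untranslated)
    ```

    With this layout, pfSense sees every internet and branch flow for the HQ VLANs while inter-VLAN traffic stays on the L3 switch, so rules between VLANs would still have to live on the switch.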



  • "I'd like to insert the pfSense as transparently as possible, so that it doesn't take over routing or disrupt our existing network,"

    This could be done if you bridge ports from the main router or WAN router to the pfSense and from the pfSense to the LAN switches. It is also called using the NICs and LAN ports in "promiscuous mode"; then your firewall will be absolutely transparent!

    It might perhaps be better to think about installing a proxy server such as Nginx or Squid.

    "but is still able to filter and block as a firewall."

    If you are not using or installing strong enough hardware for the pfSense machines, you will often end up with:

    • massive packet loss
    • hard port flapping
    • packet dropping

    "Can anyone assist with where to put the pfSense in the topology and if there are any guides out there for preserving existing VLAN setup and site-to-site tunnels with pfSense?"

    Please read below.

    HQ site: WAN (internet) -> Cisco edge router -> Catalyst Layer 3 switch (does routing and VLANs) -> Catalyst Layer 2 switches -> hosts

    WAN (internet) -> Cisco edge router -> put the pfSense here -> Catalyst Layer 3 switch (does routing and VLANs) -> Catalyst Layer 2 switches -> hosts

    Site 2: WAN (internet) -> Netgear router -> hosts

    WAN (internet) -> Netgear router -> put the pfSense here -> LAN switch -> hosts

    Site 3: WAN (internet) x 2 -> Peplink Balance router (dual WAN failover) -> hosts

    WAN (internet) x 2 -> Peplink Balance router (dual WAN failover) -> put the pfSense here -> LAN switch -> hosts

    Please note that the switches and routers in that game plan must then support running in promiscuous mode too; this action is like bridging ports together, and it might also often produce more trouble than good.

    Golden network rule: route where you can and bridge only if you must.


  • Netgate

    Take your Cisco config line-by-line and recreate it on pfSense.

    There is no guide that you will find that will cover this situation. The problem description is not very well communicated. What is currently doing the tunnels? Why do you need to keep the Cisco in-place?

    Something like this: