WAN and LAN addresses



  • Hey guys.  This is probably a newbie question and I apologize that I need to ask it.

    I purchased 2 NetGate SG-1000 devices.  I want to use these devices to set up a point to point VPN for my users in the remote office to be able to add themselves to the domain at my local office and connect to the SQL server on the same server.

    I was told by NetGate to put the device between my WAN router (10.36.1.1) and my switch (10.36.1.*).

    I set my WAN IP to static and set it to 10.36.1.3.  But I don't know what to set my LAN to?

    I want to then follow the directions on setting up the point to point VPN that is shown on this video: https://youtu.be/-ylEGnQli_E

    Are there any other configuration settings I should do before I set up the VPN?

    Thanks again for any help.



  • What's the final network supposed to look like?

    Something like this?
    Client(1) > sg1000(2) > wanrouter(3) > internet  > wanrouter(4) > sg1000(5) > SQLserver(6)

    Then IP addresses could be something like this:
    1- client has an IP, let's say 192.168.2.1/24, assigned by the DHCP server running on (2)
    2- sg1000 has a LAN:192.168.2.1/24 with DHCP server on lan  and 10.0.2.3/24 on WAN with gateway 10.0.2.1
    3- router has a local-ip of 10.0.2.1 and a public ip
    4- router has a local-ip of 10.36.1.1 and a public ip
    5- sg1000 has a wan of 10.36.1.3/24 with gateway 10.36.1.1 and a LAN network of: 172.16.5.1/24
    6- SQLserver has a static ip of 172.16.5.44

    Then after the networks are working for basic 'internet access', add the VPN into the mix to connect the two 192.168.2.x and 172.16.5.x networks over a tunnel network that could be called 10.0.10.0/24 ..

    This 'could' work.. but it probably requires renumbering parts of your network..

    And all those numbers could be done differently..

    So one of the questions is: is it all open for new configuration? Or are there parts that you would prefer to keep on the same subnet as currently running?

    Are client and SQLserver using different subnets currently? And should the original routers keep their configuration, or can you change those to something 'in between'? Or perhaps they support bridge mode so pfSense can get the actual public IPs; that would be better.. but requires some digging into the current router config pages.. and if it's also used for phone/TV/wifi/stuff.. those functions might no longer be available..



  • @PiBa:

    Thank you so much for taking the time to reply.

    I am still a bit confused, so I will give you more details the way you posted:

    Client(1) > sg1000(2) > wanrouter(3) > internet  > wanrouter(4) > sg1000(5) > Domain/SQLserver(6)

    Client (1): 192.168.1.250 (DHCP)
    SG1000 (2): (WAN?/LAN?)  (Static)
    WAN Router (3): 192.168.1.1 with DHCP on

    WAN Router (4): 10.36.1.1 with DHCP on
    SG1000 (5): (WAN?/LAN?) (Static)
    Windows Server (Domain/SQL) (6): 10.36.1.2 (Static)

    I have a Linksys EA9200 for wanrouter (4), and could technically set it to bridge mode, but this may cause other issues.  I would rather leave it alone if I could.  Also, currently, the users with wanrouter (3) do not know their admin password to the router (sigh).

    Currently, I have set the following to SG1000 (5)… and this may be wrong:
    WAN IP: 10.36.1.3
    LAN IP: 10.36.2.3

    VPN:
    Peer to peer shared key
    port  1100
    AES-256-CBC
    Auth digest algorithm: SHA256
    IPv4 Tunnel Network: 10.2.15.0/24
    IPv4 Remote Network: 192.168.15.0/24



  • As you might have noticed, in my original example I used different subnets on each network segment.

    In your data:

    Client (1): 192.168.1.250
    SG1000 (2): (WAN?/LAN?)
    WAN Router (3): 192.168.1.1

    The client and wanrouter are on 2 separate networks and should not share the same network subnet.. If you 'must' then you could possibly put the SG1000 into bridge mode itself. But personally I prefer regular routing where possible.

    Same goes for the second part of the network.. wanrouter and sqlserver have IPs from the same subnet.

    Currently, I have set the following to SG1000 (5).
    WAN IP: 10.36.1.3
    LAN IP: 10.36.2.3

    This can be OK, but does mean that the SQLserver IP should change to 10.36.2.x to be able to use the LAN IP of pfSense as its gateway. It might be easier to leave that server and others in the 10.36.1.x range and change the wanrouter and pfSense WAN to a different subnet..

    VPN:
    Peer to peer shared key
    port  1100
    AES-256-CBC
    Auth digest algorithm: SHA256
    IPv4 Tunnel Network: 10.2.15.0/24
    IPv4 Remote Network: 192.168.15.0/24

    Here the 'local' and 'remote' network should match the subnets used by the server and client machines, so the 192.168.15.x is likely wrong.



  • I just had a "hit my head with my desk" moment.

    I think I understand now.

    For example:
    Client (1): 192.168.1.250
    SG1000 (2): WAN: 10.0.0.2/LAN: 192.168.1.1
    WAN Router (3): 10.0.0.1

    WAN Router (4): 192.168.2.1
    SG1000 (5): WAN: 192.168.2.2/LAN: 10.36.1.1
    Server (6): 10.36.1.2

    So I have to turn on DHCP on the SG1000s (2) and (5).  And change the addressing on the WAN routers (3) and (4).

    And then what would be the correct addressing for the VPN?
    IPv4 Tunnel Network:
    IPv4 Remote Network:

    One other thing.  What this does is route all my traffic through pfSense.  Is there any way to have only the traffic of the 1-2 PCs on the remote network that need to connect to the SQL Server and domain route through the SG1000?



  • For example:
    Client (1): 192.168.1.250
    SG1000 (2): WAN: 10.0.0.2/LAN: 192.168.1.1
    WAN Router (3): 10.0.0.1

    WAN Router (4): 192.168.2.1
    SG1000 (5): WAN: 192.168.2.2/LAN: 10.36.1.1
    Server (6): 10.36.1.2

    So I have to turn on DHCP on the SG1000s (2) and (5).  And change the addressing on the WAN routers (3) and (4).

    This looks good.

    As for the VPN there are 2 sides :)

    On the VPN client running at (2)
    tunnelnet: 10.2.15.0/24
    Remote subnet: 10.36.1.0/24

    On the VPN server at (5)
    IPv4 Tunnel Network: 10.2.15.0/24
    IPv4 Local network(s): 10.36.1.0/24
    IPv4 Remote network(s): 192.168.1.0/24

    I think that should work.. (If all other requirements like the port forward on (4) for the vpn traffic, and firewall rules on (5) and possibly (6), allow the traffic..)
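As an added example (not from the thread, and not pfSense or Netgate code), this Python script checks an addressing plan the way the two answers above do: at each site the router, pfSense WAN, pfSense LAN and host must form a chain of distinct subnets, and the OpenVPN local/remote networks must be the real LAN subnets with a tunnel network that overlaps neither. The first-try and corrected addresses are the ones posted in the thread; the Site fields and function names are my own.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Site:
    name: str
    router: str   # WAN router's inside address, e.g. "10.0.0.1"
    pf_wan: str   # pfSense WAN interface in CIDR form, e.g. "10.0.0.2/24"
    pf_lan: str   # pfSense LAN interface in CIDR form, e.g. "192.168.1.1/24"
    host: str     # the PC or SQL server sitting behind the pfSense LAN

def check_site(s: Site) -> List[str]:
    """Router, pfSense WAN, pfSense LAN and host must form a chain of distinct subnets."""
    wan, lan = ipaddress.ip_interface(s.pf_wan), ipaddress.ip_interface(s.pf_lan)
    out = []
    if wan.network.overlaps(lan.network):
        out.append(f"{s.name}: WAN {wan.network} overlaps LAN {lan.network}; pfSense cannot route between them")
    if ipaddress.ip_address(s.router) not in wan.network:
        out.append(f"{s.name}: router {s.router} is outside WAN subnet {wan.network}; it cannot be the WAN gateway")
    if ipaddress.ip_address(s.host) not in lan.network:
        out.append(f"{s.name}: host {s.host} is outside LAN subnet {lan.network}; it cannot use pfSense as its gateway")
    return out

def check_vpn(server: Site, client_lan: str, tunnel: str, local: Optional[str], remote: str) -> List[str]:
    """OpenVPN local/remote networks must be the real LAN subnets; the tunnel must not collide with them."""
    server_lan = ipaddress.ip_interface(server.pf_lan).network
    client_net = ipaddress.ip_network(client_lan)
    tun = ipaddress.ip_network(tunnel)
    out = []
    if local is None:
        out.append(f"VPN: local network not set; it must be the server-side LAN {server_lan}")
    elif ipaddress.ip_network(local) != server_lan:
        out.append(f"VPN: local network {local} does not match the server-side LAN {server_lan}")
    if ipaddress.ip_network(remote) != client_net:
        out.append(f"VPN: remote network {remote} does not match the client-side LAN {client_net}")
    for net in (server_lan, client_net, ipaddress.ip_interface(server.pf_wan).network):
        if tun.overlaps(net):
            out.append(f"VPN: tunnel {tun} overlaps {net}")
    return out

# Site (5) as first posted: SQL server left in the WAN subnet; VPN remote network not the client's 192.168.1.0/24.
FIRST_TRY = Site("main office", "10.36.1.1", "10.36.1.3/24", "10.36.2.3/24", "10.36.1.2")
# The corrected plan from later in the thread (sites 2 and 5).
OFFICE = Site("main office", "192.168.2.1", "192.168.2.2/24", "10.36.1.1/24", "10.36.1.2")
REMOTE = Site("remote office", "10.0.0.1", "10.0.0.2/24", "192.168.1.1/24", "192.168.1.250")
if __name__ == "__main__":
    for p in check_site(FIRST_TRY) + check_vpn(FIRST_TRY, "192.168.1.0/24", "10.2.15.0/24", None, "192.168.15.0/24"):
        print("PROBLEM:", p)
```

Running it prints three problems for the first attempt (server outside the LAN subnet, no local network, wrong remote network); the corrected plan returns no problems from either function.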



  • Thank you sooooooo much.  Couldn't have done this without you!

    One last thing.  This will route all my traffic through the Netgate.  Is there a method that I can either set on the Netgate to only process traffic of the 1-2 PCs that need to go through the VPN and allow all other traffic straight through?  Or maybe set it up on the Windows computers that need to connect to the remote office to push their traffic through the Netgate?

    I just don't want to cause any kind of traffic bottleneck by forcing the entire network through the Netgates.



  • On the server side you could use one of the SG1000's as only an OpenVPN server..

    Client(1) > -- switch -- > wanrouter(3) > internet  > wanrouter(4) > -- switch -- > SQLserver(6)
                     ^                                                         ^
                     |                                                         |
                   sg1000(2)                                                 sg1000(5)

    So the client could still use its wanrouter as the default gateway.
    And the client(1) or the wanrouter(3) could then configure an extra route to the sg1000(2) when it wants to connect to the sql-server..

    Then the sg1000(5) could be using outbound NAT to translate traffic from its vpn-clients to its own ip and the company network would need no changes at all.. But sql-server and other logfiles would show all clients connecting with the source ip of the sg1000(5).
    Or instead of using outbound NAT the wanrouter(4) or SQLserver(6) would need a route for the lan-network of client(1) to point to sg1000(5)..

    Or you could install regular openvpn clients on the client PCs (use the openvpn export package from pfSense to create its config and possibly a Windows installer) and not use the sg1000(2) at all..

    It all depends on what you want/need ;). Usually pfSense becomes the edge router of the network, but if you want to push decent bandwidth, and also run VPNs over them, the sg1000's might not have the processing power (I've never seen one in action.)..  Also maybe a 128 bit cipher might offer better performance over the vpn.. but provides a little less security I guess..

    Also is the VPN going to push 2Mbps over a 10MBps internet line, in which case I 'think' the sg1000 should be able, or do you want to use 100Mbit internet while also using 50Mbit of VPN traffic or bigger numbers, in which case it might not..? But again I've got no numbers to back these thoughts up.. It's just the feeling from what I read/remember of comments made around the forum about these devices.

