VPN tunnel as WAN gateway?



  • Hi,

    I have a somewhat unique setup, and I hope pfSense can do this more reliably than the ZyWALL 5 UTM I have now, which more accidentally does the right thing (most of the time) than by design. Let me explain:

    I have an ancient class-C network address block assigned to our net, but the scale of our operations doesn't justify the expense that usually goes along with the type of network service required to have customer address blocks routed. In the past I was with some ADSL provider which did that as a courtesy anyway thanks to their great service, but I was at the edge of the ADSL reach, so bandwidth was limited and in bad weather the phone lines didn't play nice. So the decision was made to switch to Verizon's FiOS service (great product, horrible company where one hand doesn't know what the other does…). At first they told me they could route my network block, later it turns out they can't (or more likely don't want to).

    So now I have
    A) a colocation provider where I have a ZyWALL P1, which acts as gateway router and endpoint of a VPN which tunnels my class-C address block over
    B) a FiOS link with a ZyWALL 5 UTM attached to it, which is the endpoint of the tunnel.

    So in effect, all my network traffic right now is tunneled over a VPN to some other location, and hits the internet there. This is great in the sense that all my machines still have public IP addresses, etc., and if need be I can pack up my entire network and switch ISP or my location, and simply have to reprogram one or two IP addresses and everything keeps working.
    The bad part is that everything goes over that tunnel, even things where it just negatively affects the performance. For example, when browsing the web, I don't care if I do this with some ISP-assigned IP address going through NAT if I could save the latency and bottlenecks resulting from the VPN tunnel detour.

    What I'm trying to do thus is:
    a) have a pfSense box with a DHCP assigned WAN address hooked up to a FiOS link, this address should be possible to look up over DynDNS.
    b) route certain protocols' outgoing traffic through NAT originating from that WAN address directly to the internet
    c) establish an IPSec VPN link to the colocation provider where another pfSense (or ZyWall box) sits, and have that link act as default route for all network traffic not specifically rerouted as per point b) above
    d) have a few (6 or less) low traffic VPN links to some clients' sites which map my network's public IP addresses into a range of their private IP addresses
    e) have a guest network with private IP addresses, all of its traffic going through NAT and directly to the internet without going through the VPN tunnel described in c)
    f) ideally, I'd also run the freeSwitch module, such that I can run my various SIP accounts through a PBX (low traffic, hardly if ever more than 3 active phone conversations)

    Is this doable? Can it be done with pfSense 1.2.1 or do I need to wait until the 2.0 release is out? (I dimly remember reading something a little while ago that made me think that I'd have to wait for 2.0, but can't remember what feature was the issue...) Would an Intel Atom based netbook (Atom N270 1.6GHz, single-core, hyperthreading, 2GB RAM) or nettop (Atom 330 1.6GHz dual-core, hyperthreading, 64-bit, 2GB RAM) have sufficient compute power?

    Trying to figure out the feasibility before I buy the hardware ;)



  • My old hand-built Linux router did this; sadly, it was a piece of crap. That said, no, as far as I can tell this isn't doable with pfSense. I (again) want to do it.



  • The "route everything over a VPN as WAN" part is doable with OpenVPN or PPTP.

    I don't know if that is possible with IPsec.
    There have been some threads about whether it's possible to set a gateway on the other side of an IPsec tunnel.
    I suppose if that works your problem should be solved.
    However, I never read that it actually worked.



  • Another option might be GRE, unless
    a) I don't understand GRE properly
    b) my ISP filters that
    c) there's no way to bypass, for a gateway route, the generic restriction that a GRE routing entry can't be more generic than the link it uses to be transported over (which of course, in the case of a gateway route, it would be).

    Personally, I don't care WHAT I use. I can put a pfSense (or Vyatta, if it has to be) box on both sides of the link. Anything that's in my budget (i.e. free software and $150 nettop on each end) is an option as long as it can

    1. route the class-C network through some sort of logical tunnel of sorts such that the gateway is logically at the colocation provider, while it's physically here in my home
    2. there's a possibility to have a guest LAN bypass all of that, and via NAT access the internet directly through the ISP without detour of the tunnel
    3. I can have a few additional private-LAN to private-LAN IPSec VPNs to clients and friends' LANs

    Ideally, it would also allow
    4) policy based routing, such that end-user web traffic, downloads, etc. use NAT and don't do the colocation routing detour
    5) VoIP PBX (like FreeSwitch module in pfSense).

    My problem is, the current setup works, sort of, but not trouble-free, but it works (it hangs itself rather often, needs resetting on a regular basis, the box sometimes gets overloaded etc.).

    I'm not in a position though to spend $300-$500 all said and done on hardware and equipment installation charges at the colocation provider, just to figure out that it won't work; the whole operation is only meaningful if it moves me from "sort of works" to "works" ;)

    I wish there were someone who could answer a question like that…
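
    Added example (not posted by anyone in this thread, and not pfSense's generated configuration): the policy-routing half of the design above, expressed as a pf.conf fragment of the kind pfSense builds underneath its GUI. It assumes the tunnel to the colocation box is an OpenVPN tun interface (as the earlier reply suggests, since a routable interface is what lets the far end act as a default gateway), that the box's own default route points at the tunnel's far end, and that the interface names, gateway addresses and networks below are constructed placeholders (RFC 5737/1918 ranges standing in for the real class-C and the ISP gateway). It covers the original points a), b), c) and e) and the later list's items 1, 2 and 4; the per-client address mappings of point d) are left out.

```pf
# --- macros (all values are constructed placeholders, not from the thread) ---
wan        = "em0"              # FiOS link, DHCP-assigned address
lan        = "em1"              # the public class-C LAN
guest      = "em2"              # guest LAN with private addressing
vpn        = "tun0"             # OpenVPN tunnel to the colocation box
wan_gw     = "198.51.100.1"     # ISP's next hop on the FiOS side
lan_net    = "192.0.2.0/24"     # stands in for the real public /24
guest_net  = "172.16.50.0/24"   # private guest range
colo_ip    = "203.0.113.10"     # public address of the colocation endpoint
direct_ports = "{ 80, 443 }"    # protocols that should skip the tunnel detour

# --- translation ---
# Only traffic that leaves directly via the ISP is NATed to the dynamic WAN
# address. Anything that takes the tunnel keeps its public class-C source.
nat on $wan from $guest_net to any -> ($wan)
nat on $wan proto tcp from $lan_net to any port $direct_ports -> ($wan)

# --- filter ---
# The tunnel itself must reach the colocation endpoint over the ISP link, not
# over its own default route; match it explicitly so it never recurses.
pass out quick on $wan route-to ($wan $wan_gw) proto udp from ($wan) to $colo_ip port 1194 keep state

# Anything arriving on the WAN address (for example a DynDNS-located service)
# must be answered via the ISP gateway, not via the tunnel default route.
pass in quick on $wan reply-to ($wan $wan_gw) proto { tcp, udp } from any to ($wan) keep state

# Point b) / item 4: web traffic from the public LAN bypasses the tunnel.
pass in quick on $lan route-to ($wan $wan_gw) proto tcp from $lan_net to any port $direct_ports keep state

# Point c) / item 1: everything else from the public LAN follows the system
# default route, i.e. the tunnel, untranslated.
pass in quick on $lan from $lan_net to any keep state

# Point e) / item 2: the guest LAN may not reach the public LAN and is always
# forced out the ISP link, where the nat rule above translates it.
block in quick on $guest from $guest_net to $lan_net
pass in quick on $guest route-to ($wan $wan_gw) from $guest_net to any keep state

# Return and inbound traffic for the class-C arrives through the tunnel.
pass in quick on $vpn from any to $lan_net keep state
```

    Two things the fragment relies on and that are easy to miss when testing: pf applies translation rules before filter rules, so the order of the two sections matters, and the `route-to`/`reply-to` pairs are what keep the box usable once its default route has been moved to the tunnel (without `reply-to`, connections made to the FiOS address would have their replies sent down the tunnel and appear to time out).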

