4. Connecting multiple branch offices back to HQ using cable and DSL

Connecting multiple branch offices back to HQ using cable and DSL

  • C

    I am researching a project that would involve connecting our branch offices to our HQ and DR using cable and dsl connections. Each branch would have a cable connection as the primary and a dsl as backup.

    I am interested in using pfSense as my router of choice.

    What would be my options on the VPN side?

    Would OpenVPN + OSPF be a good option, or would IPSec be better?

    I know TINC is technically an option, but it doesn't seem to have much adoption in the pfS community.

    This setup would be replacing an existing MPLS network. We currently have 5 branches, but may be expanding to 10 in the next 2 years.

    0
  • Netgate

    Why would you need OSPF?

    Do the branches need to communicate directly with each other or just HQ?

    What kind of traffic levels are you looking at?

    0
  • C

    They really only need to communicate with HQ and DR.

    I was considering creating multiple tunnels from each WAN interface at a branch, back to the HQ and DR. I figured OSPF could be used to manage routes and give priority to the tunnels on the cable connections.

    0
  • Netgate

    You could use OpenVPN.

    If this is not going to be implemented immediately you could also look at the routed VTI IPsec coming in 2.4.4. You should be able to leverage OSPF there too.

    1 1 Reply
  • Galactic Empire

    @derelict said in

    If this is not going to be implemented immediately you could also look at the routed VTI IPsec coming in 2.4.4. You should be able to leverage OSPF there too.

    Was going to post this, I had a play with the development release, routed VTI IPsec makes it really easy to do.

    0
  • C

    Our current traffic levels are fairly light, our 10mbit links are not a bottleneck.

    I just watched the Hangout on Routed VTI IPsec, it looks pretty interesting.

    https://www.youtube.com/embed/NgRy14rYhV8

    But I'm not sure what advantage that would have over OpenVPN.

    I'm just trying to figure out the best design for reliability and automatic failover to the DSL links when the cable links fail.

    I figured having tunnels already up between the DSL links and HQ/DR would be better than relying on gateway groups to reconnect the tunnels.

    0
  • Netgate

    IPsec is ... faster.

    0
 

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy