    Connecting multiple branch offices back to HQ using cable and DSL

    Routing and Multi WAN
    7 Posts 3 Posters 737 Views
    coreybrett

      I am researching a project that would involve connecting our branch offices to our HQ and DR using cable and DSL connections. Each branch would have a cable connection as the primary and a DSL as backup.

      I am interested in using pfSense as my router of choice.

      What would be my options on the VPN side?

      Would OpenVPN + OSPF be a good option, or would IPSec be better?

      I know TINC is technically an option, but it doesn't seem to have much adoption in the pfS community.

      This setup would be replacing an existing MPLS network. We currently have 5 branches, but may be expanding to 10 in the next 2 years.

    Derelict (LAYER 8, Netgate)

        Why would you need OSPF?

        Do the branches need to communicate directly with each other or just HQ?

        What kind of traffic levels are you looking at?

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

    coreybrett

          They really only need to communicate with HQ and DR.

          I was considering creating multiple tunnels from each WAN interface at a branch back to the HQ and DR. I figured OSPF could be used to manage routes and give priority to the tunnels on the cable connections.

    Derelict (LAYER 8, Netgate)

            You could use OpenVPN.

            If this is not going to be implemented immediately you could also look at the routed VTI IPsec coming in 2.4.4. You should be able to leverage OSPF there too.


    NogBadTheBad (replying to Derelict)

              @derelict said in

              If this is not going to be implemented immediately you could also look at the routed VTI IPsec coming in 2.4.4. You should be able to leverage OSPF there too.

              Was going to post this. I had a play with the development release; routed VTI IPsec makes it really easy to do.

              Andy

              1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

    coreybrett

                Our current traffic levels are fairly light; our 10 Mbit links are not a bottleneck.

                I just watched the Hangout on Routed VTI IPsec, it looks pretty interesting.

                https://www.youtube.com/embed/NgRy14rYhV8

                But I'm not sure what advantage that would have over OpenVPN.

                I'm just trying to figure out the best design for reliability and automatic failover to the DSL links when the cable links fail.

                I figured having tunnels already up between the DSL links and HQ/DR would be better than relying on gateway groups to reconnect the tunnels.

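The design discussed in this thread (four VTI tunnels per branch, all permanently up, OSPF steering traffic onto the cable tunnels and falling back to the DSL tunnels when the cable adjacencies drop) maps onto an FRR OSPF configuration like the one below. This is an added example, not configuration from the thread or from Netgate; the interface names (pfSense VTI interfaces are named ipsecNNNN, the numbers here are made up), addresses, costs and timers are all assumptions for illustration.

```frr
! Branch router, FRR OSPF (constructed example; names/addresses are assumptions)
! ipsec1000: cable WAN -> HQ     ipsec2000: cable WAN -> DR
! ipsec3000: DSL WAN   -> HQ     ipsec4000: DSL WAN   -> DR
! Cable tunnels get the low costs, DSL tunnels the high costs, so every
! route prefers a cable path while it has an adjacency and moves to a
! DSL path (already up, no re-keying or gateway-group reconnect) when
! the cable neighbour times out after the dead interval.
!
interface ipsec1000
 description VTI cable to HQ
 ip ospf network point-to-point
 ip ospf cost 10
 ip ospf hello-interval 3
 ip ospf dead-interval 10
!
interface ipsec2000
 description VTI cable to DR
 ip ospf network point-to-point
 ip ospf cost 20
 ip ospf hello-interval 3
 ip ospf dead-interval 10
!
interface ipsec3000
 description VTI DSL to HQ
 ip ospf network point-to-point
 ip ospf cost 100
 ip ospf hello-interval 3
 ip ospf dead-interval 10
!
interface ipsec4000
 description VTI DSL to DR
 ip ospf network point-to-point
 ip ospf cost 200
 ip ospf hello-interval 3
 ip ospf dead-interval 10
!
router ospf
 ospf router-id 10.255.0.1
 ! Branch LAN is advertised but never forms adjacencies (no hellos to the LAN).
 passive-interface lan
 network 10.10.1.0/24 area 0.0.0.0
 ! One /30 per tunnel; the HQ and DR ends use the same costs and timers.
 network 10.255.1.0/30 area 0.0.0.0
 network 10.255.2.0/30 area 0.0.0.0
 network 10.255.3.0/30 area 0.0.0.0
 network 10.255.4.0/30 area 0.0.0.0
```

OSPF (IP protocol 89) has to be permitted by the firewall rules on each tunnel interface or no adjacency forms; after a cable outage, `show ip ospf neighbor` and `show ip route ospf` in vtysh confirm that the HQ/DR prefixes have moved to the ipsec3000/ipsec4000 next hops.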
    Derelict (LAYER 8, Netgate)

                  IPsec is ... faster.


                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.