Netgate Discussion Forum
    Load-balancing and an untouchable existing VPN site to site

    Routing and Multi WAN
    2 Posts 2 Posters 287 Views
    rafff (last edited by rafff)

      My question is about NAT and multi-WAN.

      A customer has a software product that is only accessible through a site-to-site VPN managed by a SonicWall firewall installed by someone. The software is at the remote site, and they filter the traffic by client IP and also client MAC address. I can't get support from the vendor of the software, and the connection to the remote site must continue working.
      This customer has also two internet connections.

      My task is to put a pfSense in the middle of this. The clients in the LAN must be able to use the internet connections in load-balanced mode, and also continue to connect to the remote site subnet through the tunnel managed by the SonicWall.

      These are the possible solutions I thought of:
      1: pfSense will manage a subnet equal to the clients' current subnet, and the two WANs in load-balancing mode. Clients will use pfSense as their default gateway and will be able to connect to the remote VPN site through a static route created on each client. This is a dirty solution, I know, but probably easy to do and very probably working.
      Is there any other way to force the clients to connect to the SonicWall only for the remote site subnet, without a static route on them? I think not; what about you?

      2: pfSense will manage the two WANs in load balancing, and a third WAN. This third WAN will have the same IP and the same MAC address as one of the clients that can currently connect to the remote site. I will also configure NAT on this WAN. pfSense will also manage a new LAN subnet, different from the one the clients are currently using. Then I will configure pfSense to use the third WAN only for the traffic directed to the remote VPN site, and the load balancing for internet traffic.
      I really don't know if the clients will be able to connect to the remote site this way. The VPN firewalls theoretically will see the traffic coming from an allowed client, I think, but I don't know.

      If the second solution is good, it is the cleanest, because I can configure all clients with DHCP on a new subnet, instead of leaving them their current IP addresses as in the first solution.

      What do you think about it?
      Thanks a lot

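Solution 2 expressed as pf(4) policy-routing rules, an added example that is not from the thread (pfSense generates its pf rules from the GUI, but the logic is the same); all interface names, addresses and subnets are assumed:

```pf
# Added example: hand-written pf ruleset sketch of solution 2 (not pfSense's
# generated config). Interface names, gateways and subnets are constructed.
lan  = "em0"                 # new LAN subnet handed out by pfSense DHCP
wan1 = "em1"
wan2 = "em2"
wan3 = "em3"                 # third WAN facing the SonicWall's LAN segment
wan1_gw      = "203.0.113.1"
wan2_gw      = "198.51.100.1"
sonicwall_gw = "192.168.1.1"    # SonicWall LAN-side address (assumed)
lan_net      = "10.10.0.0/24"
remote_net   = "172.16.50.0/24" # subnet reachable only via the VPN tunnel

# Source NAT on every WAN. Traffic leaving wan3 carries wan3's single IP, which
# is the address the SonicWall's IP filter must already allow. Its MAC filter,
# being link-local, sees the wan3 interface MAC, never the original client's.
nat on $wan1 from $lan_net to any         -> ($wan1)
nat on $wan2 from $lan_net to any         -> ($wan2)
nat on $wan3 from $lan_net to $remote_net -> ($wan3)

# Order matters: the specific remote-subnet rule is first and "quick", so it
# is never swallowed by the load-balanced catch-all below it.
pass in quick on $lan route-to ($wan3 $sonicwall_gw) \
    from $lan_net to $remote_net keep state

# Everything else from the LAN is spread across the two internet WANs.
pass in quick on $lan \
    route-to { ($wan1 $wan1_gw), ($wan2 $wan2_gw) } round-robin \
    from $lan_net to any keep state
```

In the pfSense GUI the same split is two LAN firewall rules: the remote-subnet rule pinned to the third WAN's gateway placed above a catch-all rule that uses a load-balancing gateway group.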
      Derelict (Netgate), last edited by

        Probably going to need a diagram of the pertinent pieces.

        Also sounds like that customer needs to beat that vendor with a wrench.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.