SitetoSite VPN Behind Existing Router



  • I have two sites that I am trying to connect with two pfSense routers running OpenVPN site-to-site.

    What I am not sure of is the following:

    Connect the pfsense router to the network via WAN or LAN?

    Firewall rules would be pointed to the address of the interface that the LAN is giving out? So the border router would pass all port 1194 traffic to these devices?

    Would this firewall rule need to be at both locations?

    ..

    I've tried to port forward to the devices (pfSense) and they're not working together. I have followed a few guides I found on this site, but nothing I noticed or understood did what I am trying to do.

    Thank you for your time,

    Ryan Nichols



  • @rnichols

    SitetoSite VPN Behind Existing Router

    What network structure do you have there?

    Internet ----- router ----- pfSense ----- LAN devices
    or
    Internet ----- router ----- LAN devices including pfSense
    ?



  • @viragomann

    The second one, pfSense as a LAN device.

    Thank you



  • That's the worst sort of setup. With that there is no correct routing possible without adding static routes to each LAN device you want to access over the VPN.
    You may do a workaround with outbound NAT to get it to work.

    The better solution is to set up a separate network segment between pfSense and the router (maybe a VLAN). Then you only have to set a static route on the router.



  • @viragomann

    Would it be better to give it a port off the router and then run that into the WAN side, then connect the LAN to a switch? Or is that what you're suggesting with the network segment?

    Thanks



  • Letting pfSense filter all of the traffic is always the better way. However, you will need an additional switch to connect your LAN devices.
    If your router has only internal NICs which belong to one switch and does not support VLANs (does it?), there will be no other option.

    Otherwise you can set up something like that:

    Internet ----- router ----- LAN devices
                      |_____ pfSense
    


  • @viragomann

    Yes, it does VLANs; I currently have 4 VLANs that I use.

    Thank you


  • Rebel Alliance Global Moderator

    Making pfSense a downstream router and then trying to use it as your VPN connection between sites is the HARD way to do it, and you're going to have issues with asymmetrical routing, or you're going to have to source NAT or route on your hosts.. And it almost always leads to hairpinned connections, etc.

    You can for sure put your pfSense boxes behind another NAT router and do it without any issues with a simple port forward, where the network between your edge router and pfSense is a transit network... If you can not put your ISP router into bridge mode, do something like this:

    siteAhost
    |
    192.168.2/24
    |
    pfsense
    |
    192.168.1/24 - transit
    |
    A ISP Router
    |
    internet
    |
    B ISP router
    |
    192.168.1/24 - transit
    |
    Pfsense
    |
    192.168.0/24
    |
    SiteBhost



  • So leave pfSense in the physical LAN, configure a VLAN on the router and on the pfSense LAN interface. pfSense must not have an address in the LAN subnet.
    Configure the OpenVPN server to listen on LAN, if it is the server.

    If pfSense is not used for other purposes, then set the router's VLAN address as the default gateway. Otherwise add a static route for the LAN network pointing to its IP.
    On the router add a static route for the remote network pointing to the pfSense VLAN address.


  • Rebel Alliance Global Moderator

    No.. That is not how you would do it at all.. There is no need for any static routing.. Nor any routing on the edge router (ISP device)..

    OpenVPN would listen on the pfSense WAN.. just like it was public.. it would just be an RFC1918 address since your edge router is NATing. You would have a double NAT if you can not have your edge router in bridge mode.

    The different networks at each site would be listed in your OpenVPN config.

    All your clients/networks would be behind pfSense at each site.



  • @johnpoz

    So you would just plug the thing into the WAN port and let it be? Forward the port 1194 to it and then it would work?

    Thank you


  • Rebel Alliance Global Moderator

    In a nutshell, yes.. You just need to make sure that the networks behind pfSense at each site do not overlap.



  • @johnpoz

    Will it cause issues to have the LAN plugged in as well as the WAN? I have the networks with different IP ranges, and the 'tunnel' has a different IP as well.

    Thank you


  • Rebel Alliance Global Moderator

    Huh?? What? Your WAN will be connected to the ISP router... Your LAN will be connected to your LAN-side switches.. pfSense is now the new gateway for all your LAN devices.

    Yeah, your tunnel network cannot overlap with your LAN networks at either site.
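The two requirements the moderator keeps coming back to (the LANs behind each pfSense must not overlap each other or the tunnel network, and the transit network between the ISP router and the pfSense WAN must stay out of the way) are easy to get wrong on paper. The checker below is an added example written for this thread, not code from the thread or from pfSense; it validates an address plan with Python's `ipaddress` module and emits the plain OpenVPN `route` directives that carry the remote site's networks into the tunnel (the pfSense GUI's "Remote network(s)" field produces equivalent routes). The sample plan follows the moderator's diagram above; the tunnel network 10.0.8.0/30 and the function names are my own choices. The one thing it cannot check is the port forward itself: the ISP router at each site still has to forward UDP/1194 to the pfSense WAN address.

```python
"""Address-plan checker for a two-site pfSense OpenVPN site-to-site setup behind NAT routers.

Added example, not part of the original thread. Function names and the sample plan are constructed.
"""
from ipaddress import ip_network
from itertools import combinations


def find_overlaps(named_networks):
    """Return every pair of names whose prefixes overlap."""
    nets = [(name, ip_network(cidr, strict=False)) for name, cidr in named_networks.items()]
    return [(a, b) for (a, na), (b, nb) in combinations(nets, 2) if na.overlaps(nb)]


def check_site_to_site_plan(site_a_lans, site_b_lans, tunnel, transit_a=None, transit_b=None):
    """Validate the addressing of a two-site OpenVPN setup.

    site_a_lans / site_b_lans: networks behind each pfSense that the other site must reach.
    tunnel: the OpenVPN tunnel network.
    transit_a / transit_b: the RFC1918 network between each ISP router and its pfSense WAN.
        It may be the same prefix at both sites because it is never routed over the tunnel.
    Returns a list of problems; an empty list means the plan is consistent.
    """
    problems = []
    routed = {f"siteA_lan{i}": n for i, n in enumerate(site_a_lans)}
    routed.update({f"siteB_lan{i}": n for i, n in enumerate(site_b_lans)})

    # Every network carried over the VPN, plus the tunnel network, must be pairwise disjoint.
    with_tunnel = {**routed, "tunnel": tunnel}
    for a, b in find_overlaps(with_tunnel):
        problems.append(f"{a} ({with_tunnel[a]}) overlaps {b} ({with_tunnel[b]})")

    # A site's transit network must not collide with anything it learns from the remote
    # site: pfSense would then send that traffic out its WAN segment instead of into the tunnel.
    for site, transit, remote in (("A", transit_a, site_b_lans), ("B", transit_b, site_a_lans)):
        if transit is None:
            continue
        t = ip_network(transit, strict=False)
        for cidr in list(remote) + [tunnel]:
            if t.overlaps(ip_network(cidr, strict=False)):
                problems.append(f"site {site} transit {transit} overlaps remote/tunnel network {cidr}")
    return problems


def openvpn_route_directives(remote_lans):
    """OpenVPN `route <network> <netmask>` lines for the remote site's networks."""
    lines = []
    for cidr in remote_lans:
        n = ip_network(cidr, strict=False)
        lines.append(f"route {n.network_address} {n.netmask}")
    return lines


# Constructed plan following the moderator's diagram: both transit networks deliberately
# share 192.168.1.0/24, which is fine because neither is routed across the VPN.
GOOD_PLAN = dict(site_a_lans=["192.168.2.0/24"], site_b_lans=["192.168.0.0/24"],
                 tunnel="10.0.8.0/30", transit_a="192.168.1.0/24", transit_b="192.168.1.0/24")
# Same plan with site B renumbered onto site A's LAN: the overlap the thread warns about.
BAD_PLAN = dict(GOOD_PLAN, site_b_lans=["192.168.2.0/24"])
# Site A's transit network colliding with site B's LAN: routing would never reach the tunnel.
TRANSIT_CLASH = dict(GOOD_PLAN, transit_a="192.168.0.0/24")

if __name__ == "__main__":
    for name, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN), ("transit clash", TRANSIT_CLASH)):
        print(f"{name}: {check_site_to_site_plan(**plan) or 'OK'}")
    print("site A OpenVPN routes:", *openvpn_route_directives(GOOD_PLAN["site_b_lans"]), sep="\n  ")
```

Run it once with the plan you intend to deploy; any line it prints other than `OK` has to be fixed by renumbering before the tunnel is brought up, because OpenVPN will happily install routes for overlapping prefixes and the symptoms then look like a broken port forward.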