site-to-site question
-
Hello all!
This is my first post here, since I'm a little newbie to pfSense and the networking world in general, so I'll try to be as clear as possible. This is my current situation: I have a Win10 PC at my parents' home with 2 NICs on it; NIC 1 is connected to the ISP's router and NIC 2 to an unmanaged switch.
Using OpenVPN, all layer 2 traffic from this PC is routed to my home (as the server I'm using an RT-AC68U), and NIC 2 is bridged to the TAP interface used by OpenVPN; this way everything I connect to the switch will appear as if it's connected to my home LAN.
The important thing for me is that a client connected to the switch at my parents' home will see itself as if it is physically connected to my home LAN (except for performance). Well, I want to know if I can get this setup using two pfSense boxes: one will replace the ISP's router and the Win10 PC at my parents' home, the other will replace the AC68U at my home.
I only want to know if it's possible to do and with which protocol (OpenVPN, IPsec, etc.), and also I don't mind if it will be a performance killer (like it is now).
If it's possible I'll find the way... it'll be a nice exercise.
-
Yes.
If you need it to be layer 2 then you would use OpenVPN in TAP mode. But if you don't, you could use OpenVPN or IPsec.
The bandwidth available would be entirely dependent on the hardware you use, but latency would not change, so some things will always be impacted. If the ping time between those sites is high, it's generally not a good idea to span them as a single layer 2.
Steve
-
Thanks for the reply!!
On both ends I've got 200Mbit/s on fiber; the hardware won't be top-end but at least a 4th gen i5, always on both. The average ping (without VPN) is 6ms. Do you think the performance will take a big hit? BTW... I've read around that a site-to-site setup with OpenVPN is not possible if the sites have the same subnet, sooo what's the solution? Put the server in remote access mode instead of peer to peer?
-
Not possible in TUN mode, or let's say only with some workarounds, but no problem in TAP.
-Rico
-
Mmm, with 6ms you probably wouldn't have much of an issue in TAP mode. Still less desirable than routed, but you can't do that with the same subnet at both ends, as you say. Not without NATing somewhere at least.
A Haswell i5 will do 200Mbps OpenVPN, but remember it will be limited by the slowest speed in the link, so that might be the upload speed if the links are asymmetric, as most are.
Steve
-
Download is around 1Gb/s, 200 is upload... it's veeeery asymmetric.
I can change the subnet on one end, that's not a problem... Suppose I'll use 192.168.10.0/24 at my parents' home and 192.168.20.0/24 at mine, and suppose also that the site-to-site bridge is up and working: how will the client 192.168.10.5 be "presented" to my LAN? Will I ping 192.168.10.5 or 192.168.20.something?
-
The two subnets would be directly routed unless you added NAT rules. So you would be able to ping 192.168.10.5 from a client in the 192.168.20.X subnet, assuming of course you have firewall rules to allow that.
What you may not be able to do, for example, is have a NAS device at one end that is 'discoverable' by a smart TV at the other end. Those often rely on broadcast traffic to find each other, and that does not cross between subnets.
If the TV allows you to enter the IP of the NAS directly then it will work fine, but developers seem to like to hide that stuff from users, so often it's auto-discover or nothing!
Steve
-
So if I've understood everything, what I need to make a NAS connected at site 1 appear to a Smart TV in site 2 as if everything is in site 2 (everything on the same subnet, which is what I've achieved with that horrible setup using Windows and a switch) is a site-to-site VPN made with OpenVPN, TAP and 1:1 NAT rules from site 1 to site 2, right?
-
The first thing to do here is make sure you actually need one single layer 2. If a smart TV and media server is indeed what you're using, make sure that you can't just enter the IP address directly in the TV. Some can, and that would allow you to have two subnets and route between them, which would be better for everything else.
Using 1:1 NAT would allow you to keep the same subnet at each end but still route. But the subnets would 'appear' to be different to clients at each end, so the auto-discover scenario would still fail.
Otherwise you would need to run a single subnet and TAP connection between the sites.
Steve
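As an added example (not from any post in this thread and not pfSense's own generated configuration), this is what the raw OpenVPN configuration for the single-subnet TAP option discussed above looks like, using a pre-shared static key between the two sites; the hostname, key path, tunnel addresses and the assumption that each box's tap interface is bridged to its LAN are mine, not the thread's.

```conf
# ---- Home side (pfSense replacing the AC68U): listens for the tunnel ----
# Assumption: the tap interface is added to a bridge with the LAN on this box,
# so frames from the remote site land on the 192.168.20.0/24 segment unchanged.
dev tap
proto udp
port 1194
# Pre-shared static key, generated once with:  openvpn --genkey secret static.key
# (OpenVPN 2.5+ syntax) and copied to both sites out of band. Path is a placeholder.
secret /etc/openvpn/static.key
# Static-key mode uses a non-AEAD cipher, so pair it with an explicit HMAC.
cipher AES-256-CBC
auth SHA256
# Detect a dead peer (ping every 10 s, restart after 60 s of silence).
keepalive 10 60
persist-key
persist-tun
verb 3

# ---- Parents' side (pfSense replacing the ISP router + Win10 PC) ----
# Assumption: its tap interface is likewise bridged to the local LAN/switch.
dev tap
proto udp
# Placeholder for the home site's public address or DDNS name.
remote home.example.invalid 1194
secret /etc/openvpn/static.key
cipher AES-256-CBC
auth SHA256
keepalive 10 60
persist-key
persist-tun
verb 3

# ---- Routed alternative (two subnets, the option recommended above when
# ---- discovery is not needed): swap "dev tap" for these on the home side and
# ---- mirror the addresses/route on the parents' side. 10.99.0.0/30 is an
# ---- assumed spare range not used at either site.
# dev tun
# ifconfig 10.99.0.1 10.99.0.2
# route 192.168.10.0 255.255.255.0
```

With the TAP pair, broadcast-based discovery between a NAS and a TV works because both sites share one broadcast domain; with the routed alternative, only unicast traffic crosses, which matches the behaviour described in the replies above.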