Netgate Discussion Forum

    Using VIP subnet for routed VPN

      Posted by jamesp81

      I have managed to create this configuration on a different firewall product, and I'm wanting to recreate it using pfSense.

      In the other product, I am creating a network of virtual IP addresses, one address each assigned to routers in physically separated locations. The VIP subnet is 10.255.255.0/24. Location 1 gets 10.255.255.1, location 2 gets 10.255.255.2, location 3 gets 10.255.255.3, etc.

      When setting up IPsec between these locations, I specify public IP addresses as my Phase 1 endpoints for a specific tunnel. However, for Phase 2, instead of specifying the actual internal LANs on each location, I specify the listed virtual IP addresses (indirectly: in the competing firewall we are using, I am actually specifying the name of the virtual interface those virtual IPs live on, and the firewall works it out from there). In other words, there is an intermediary network between each LAN composed entirely of VIPs, that the actual VPN tunnel is being established on.

      For traffic to be routed into the internal LANs from the virtual IP addresses, each location is implementing BGP, and each router announces its internal LAN routes to the other firewalls. This takes care of the routing and traffic flows normally. It's a nice configuration because you can change internal network topology at any particular location, without changing the intermediary 10.255.255.0/24 network, and BGP will take care of updating routing tables for you.

      I would like to replicate something like this in pfSense. One important difference I see in pfSense is that while there is a facility for VIPs, I don't know of any option to have a virtual interface. I got as far as establishing a VPN using a VIP network between location 1 and location 2, and I got pings from a host in location 1's LAN to be answered by the VIP assigned to location 2. I don't know if pings back from a host in location 2's LAN to location 1's VIP would've been answered. I never did get traffic to cross from LAN to LAN in different locations.

      I hope this post has made sense. Is anyone familiar with this configuration, and if it's doable on pfsense?
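As an added illustration of the BGP half of the design described above (not from the post or from pfSense; the AS numbers, LAN prefixes and the use of FRR's bgpd syntax are assumptions, as is that the 10.255.255.0/24 transit subnet is reachable through a routed tunnel interface rather than a policy-based Phase 2):

```text
! Location 1: VIP 10.255.255.1, LAN 192.168.1.0/24 (constructed values)
! Each location uses its own private AS so the eBGP peers exchange LAN routes
router bgp 65001
 bgp router-id 10.255.255.1
 ! Peers are the other locations' VIPs on the 10.255.255.0/24 transit network
 neighbor 10.255.255.2 remote-as 65002
 neighbor 10.255.255.2 description location-2
 neighbor 10.255.255.3 remote-as 65003
 neighbor 10.255.255.3 description location-3
 !
 address-family ipv4 unicast
  ! Announce only the local LAN; the transit subnet itself is not advertised
  network 192.168.1.0/24
  neighbor 10.255.255.2 activate
  neighbor 10.255.255.3 activate
 exit-address-family
```

Each other location mirrors this with its own AS, VIP and LAN prefix. The LAN routes learned this way only work if the next hop 10.255.255.x is reachable via the tunnel interface; with a policy-based Phase 2 whose selectors cover only the VIPs, LAN-to-LAN packets match no security policy, which is consistent with the failure described in the post.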

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.