How to Setting network for open VPN



  • I’m considering implementing pfsense in my home network , currently I have RT-AC87U with the basic setup.
    I have built pfsense on a box with Atom, CPU E3815 1.46GHz , 4G of RAM and 8G of CF card
    In my current network I have a couple of computers, phones and printer which are connected via wireless, and IPTV and PS4 (Let us call it IoT) via cable, and all run together on the same network
    My Goal
    1- Isolate IoT devices and the private Lan on two different network
    2- Implement OpenVPN with Redirect IPv4 Gateway option, so when I travel or in unsecure network I can connect to my home FW and redirect my traffic to my home ISP, I don’t want to reach any of my home network , I just need redirect my traffic only.
    My Plan
    1- Buy managed switch and create 3 VLANs one for the private network (wireless) , and one for IoT device and one as managment VLAN. And each one will have separate subnet.
    2- Convert Asus router as AP
    3- Deploy open VPN with PKI and allow redirect traffic only, No access to my internal network.
    4- Implement AV , snort and web-filter on Pfsense as I use AV and web-filter now on my Asus router.
    I’m not sure if that the optimal design for my network, and probably the redirect traffic on the VPN side will be tricky , so any suggestion or ideas will be highly appreciated.

    Thank in advance.





  • This is a common request and fairly straight forward to implement.

    1- Buy managed switch and create 3 VLANs one for the private network (wireless) , and one for IoT device and one as managment VLAN. And each one will have separate subnet.

    There are two questions here:

    1. Will it be a Layer 2 or Layer 3 switch?
    2. If it's a L3 switch, do you want to lean towards performance or security? Because each option will change the design.

    Personally, I always lean towards performance, but my concerns and priorities may be different than yours.

    3- Deploy open VPN with PKI and allow redirect traffic only, No access to my internal network.

    This is easy to do. It's as simple as a checkbox on the OpenVPN config and a firewall rule.

    4- Implement AV , snort and web-filter on Pfsense as I use AV and web-filter now on my Asus router.

    You can install Snort or Suricata for IDS/IPS, but the only AV and web-filtering options on PFsense require you to install the Squid package. Personally, instead of trying to leverage PFsense packages that may give you semi-effective, UTM-like features, I'd recommend actually implementing a UTM product. For example, I have Untangle running in bridge mode inside of a VM which sits between PFsense and my core switch providing AV, web filtering, application control, reporting, etc.


Log in to reply