Can Pfsense do this???



  • I have a server in a DataCenter which has been assigned a small network subnet.
    I also have a home-based office (SOHO) with a good internet connection (fibre) and I’d like to transfer the traffic of some of the subnet IPs to my SOHO so I can host some services there. At the SOHO I have only one static IP.

    Assuming that I have one PfSense on each end can I do this? I’m guessing that it can be done with a static VPN tunnel between the two locations however I’d like to avoid overheads and hence I’m looking for an alternative. From my reading I think BGP could possibly do that however I have no clue if this possible.

    Can someone put some light on this please? Also, does the BGP require my 2 providers to do something or I can handle it only via the 2 PfSense instances?

    Any help is MUCH appreciated!
    Thank you.


  • LAYER 8 Moderator

    @netizen-uk said in Can Pfsense do this???:

    Assuming that I have one PfSense on each end can I do this?

    Assuming that the setup on your DC allows that, you can e.g. set up an OVPN tunnel between the DC host and your SOHO pfSense and 1:1 NAT the IP you want to your SOHO network. Yeah, that's possible. As you are routing "public" traffic, you could even disable encryption etc. on that tunnel, as the traffic is most certainly public (otherwise it wouldn't hit your DH host in the first place) and avoid most overhead of that tunnel. We had to run a similar setup for some time, as we had provider bound addresses that were stupidly hardcoded into customer apps and the customer couldn't change it, so we had to run it via VPN - but the performance was pretty good. For most web usage etc. that would be more than adequate.

    From my reading I think BGP could possibly do that however I have no clue if this possible.

    Nope. Most providers won't allow you to just route their IPs somewhere else as well as your home/SOHO setup won't allow you to propagate networks/IPs via BGP to their routers. You can't simply setup BGP on pfSense and start announcing networks (or better said: if that actually worked, I'd run from that provider like never before as he lacks serious security in the network department :D).

    Greets



  • It all makes sense however what I had in mind was only those two end being capable to handling the routes. Not just "anywhere".
    What solution would be appropriate (it at all possible) in order to for this to work?
    VPN?


  • LAYER 8 Moderator

    @netizen-uk said in Can Pfsense do this???:

    only those two end being capable to handling the routes

    Could you elaborate what you mean by this?



  • @JeGr said in Can Pfsense do this???:

    @netizen-uk said in Can Pfsense do this???:

    only those two end being capable to handling the routes

    Could you elaborate what you mean by this?

    First of all I missed an "s" (two endS).
    I am not a networking person so i am unaware if this is even possible.
    If a declaration can be made on those two endoints (two public IPs, one at each site) then the routing between those two could possibly be done (so I am told) using private BGP between those two ends.
    Is this totally wrong?


  • LAYER 8 Moderator

    @netizen-uk said in Can Pfsense do this???:

    Is this totally wrong?

    As I'm not that deep into (private) BGP, it could be possible. But at the end AFAIK at least the upstream provider on your DC side has to allow you to speak BGP to him and almost no mainstream provider (or low-cost) do that, as you only have access to their IP space. If it would be your own IP space you get from RIPE etc. I'd guess it possible.

    But nevertheless your initial idea is to have one of the IPs on the DC node routed to your SOHO node / network and that's an easy setup using OpenVPN for example, so I'd go down that route to try it out.


Log in to reply