    Can Pfsense do this???

    • N
      netizen-uk last edited by

      I have a server in a DataCenter which has been assigned a small network subnet.
      I also have a home-based office (SOHO) with a good internet connection (fibre) and I’d like to transfer the traffic of some of the subnet IPs to my SOHO so I can host some services there. At the SOHO I have only one static IP.

      Assuming that I have one PfSense on each end, can I do this? I’m guessing that it can be done with a static VPN tunnel between the two locations; however, I’d like to avoid overheads and hence I’m looking for an alternative. From my reading I think BGP could possibly do that; however, I have no clue if this is possible.

      Can someone shed some light on this please? Also, does BGP require my 2 providers to do something, or can I handle it only via the 2 PfSense instances?

      Any help is MUCH appreciated!
      Thank you.

      • JeGr
        JeGr LAYER 8 Moderator last edited by

        @netizen-uk said in Can Pfsense do this???:

        Assuming that I have one PfSense on each end can I do this?

        Assuming that the setup on your DC allows that, you can e.g. set up an OVPN tunnel between the DC host and your SOHO pfSense and 1:1 NAT the IP you want to your SOHO network. Yeah, that's possible. As you are routing "public" traffic, you could even disable encryption etc. on that tunnel, as the traffic is most certainly public (otherwise it wouldn't hit your DC host in the first place) and avoid most overhead of that tunnel. We had to run a similar setup for some time, as we had provider-bound addresses that were stupidly hardcoded into customer apps and the customer couldn't change it, so we had to run it via VPN - but the performance was pretty good. For most web usage etc. that would be more than adequate.

        From my reading I think BGP could possibly do that however I have no clue if this possible.

        Nope. Most providers won't allow you to just route their IPs somewhere else, and your home/SOHO setup won't allow you to propagate networks/IPs via BGP to their routers. You can't simply set up BGP on pfSense and start announcing networks (or better said: if that actually worked, I'd run from that provider like never before as he lacks serious security in the network department :D).

        Greets

        • N
          netizen-uk last edited by

          It all makes sense however what I had in mind was only those two end being capable to handling the routes. Not just "anywhere".
          What solution would be appropriate (if at all possible) in order for this to work?
          VPN?

          • JeGr
            JeGr LAYER 8 Moderator last edited by

            @netizen-uk said in Can Pfsense do this???:

            only those two end being capable to handling the routes

            Could you elaborate what you mean by this?

            • N
              netizen-uk @JeGr last edited by

              @JeGr said in Can Pfsense do this???:

              @netizen-uk said in Can Pfsense do this???:

              only those two end being capable to handling the routes

              Could you elaborate what you mean by this?

              First of all I missed an "s" (two endS).
              I am not a networking person so I am unaware if this is even possible.
              If a declaration can be made on those two endpoints (two public IPs, one at each site) then the routing between those two could possibly be done (so I am told) using private BGP between those two ends.
              Is this totally wrong?

              • JeGr
                JeGr LAYER 8 Moderator last edited by

                @netizen-uk said in Can Pfsense do this???:

                Is this totally wrong?

                As I'm not that deep into (private) BGP, it could be possible. But at the end AFAIK at least the upstream provider on your DC side has to allow you to speak BGP to him and almost no mainstream provider (or low-cost) does that, as you only have access to their IP space. If it would be your own IP space you get from RIPE etc. I'd guess it's possible.

                But nevertheless your initial idea is to have one of the IPs on the DC node routed to your SOHO node / network and that's an easy setup using OpenVPN for example, so I'd go down that route to try it out.
