pfSense to pfSense router with no vpn?



  • Hi, we have a pf router that serves 10 IPSEC site to site vpns. But one of the sites is in the same building.
    Could we stick a 3rd card in each box and set up some sort of network to bypass the IPSEC vpn and the WAN, and connect directly to it?

    Here's a better example I guess.
    Site 1 is the local site where we have SHAW MODEM > PFSENSE > LOCAL NETWORK.
    (There are about 10 of these sites)
    Site 2 is also at site 1, but it has SHAW MODEM (its own) > PFSENSE > SERVER.
    IPSEC site to site connects site 1 to site 2.

    Because they are both in the same building, we would like to bypass the IPSEC that is running through the internet and somehow hook these right together.

    The server at Site 2 is accessed by RDP from all the other sites. So we need to connect site 1 and site 2 and then make them talk to each other somehow, even though they are on separate subnets... so maybe an IPSEC but on the local lans instead of through the internet? Or can we somehow bypass the IPSEC need?

    They are both computers so we can install anything we need into them.

    If anyone has done this please share the love!

    Thank you


  • Netgate Administrator

    Sure you can connect them together using a small transport subnet and just add static routes on each side to pass the traffic.

    Steve



  • @stephenw10 So would I need another NIC in each PC to achieve this? Or can I somehow plug directly LAN to LAN without the DHCPs messing it up (layered switch maybe?)


  • Netgate Administrator

    Using a separate NIC at each end would be easiest. You might be able to do it with a VLAN instead if you don't have spare NICs.
    You definitely don't want to just join the two LANs together in one huge layer 2 segment. You would see numerous issues including two DHCP servers on it.

    Steve



  • We do this using a /29 and NAT turned off on the interconnect interfaces on two boxes we have. Each box has a spare ethernet port we used. We use the routed package and set up RIP on the units. Works great as we can reach all the other VPN circuits without complicated setup. All you need to do is build firewall rules on the interconnect interfaces on each side to allow what you want to allow.
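    The two answers above describe the same design: a small transport subnet (a /29) on a dedicated NIC or VLAN at each end, NAT disabled on those interfaces, a static route on each pfSense pointing at the other box's transport address, and firewall rules on the interconnect interfaces that admit only the traffic you intend (here, RDP to the server). The script below is an added planning example, not code from this thread or from Netgate. All addresses in it are constructed placeholders: Site 1 LAN 192.168.1.0/24, Site 2 LAN 192.168.2.0/24 with the server at 192.168.2.10, ten remote IPsec subnets 192.168.3.0/24 through 192.168.12.0/24, and 10.255.255.0/29 as the transport. It checks the one thing that silently breaks this design, a transport prefix overlapping an existing LAN or VPN subnet, assigns the two transport addresses, and emits the static routes and interconnect rules as plain values you would then enter into each pfSense.

```python
import ipaddress
import json
from typing import Dict, List

# Constructed sample addressing for illustration only; the thread names no real subnets.
SITE1_LAN = ipaddress.ip_network("192.168.1.0/24")
SITE2_LAN = ipaddress.ip_network("192.168.2.0/24")
SITE2_SERVER = ipaddress.ip_address("192.168.2.10")
# The remote IPsec sites terminated on the Site 1 box (constructed values).
REMOTE_VPN_SUBNETS = [ipaddress.ip_network(f"192.168.{n}.0/24") for n in range(3, 13)]
# The /29 interconnect between the two pfSense boxes (constructed value).
TRANSPORT = ipaddress.ip_network("10.255.255.0/29")
RDP_PORT = 3389


def transport_clashes(transport: ipaddress.IPv4Network,
                      existing: List[ipaddress.IPv4Network]) -> List[str]:
    """Return every existing subnet the transport prefix overlaps.

    A transport prefix that overlaps a LAN or a VPN remote subnet makes the
    static routes ambiguous, so planning must stop if this list is non-empty.
    """
    return [str(net) for net in existing if transport.overlaps(net)]


def transport_addresses(transport: ipaddress.IPv4Network) -> Dict[str, str]:
    """Assign the first two usable hosts of the transport subnet to the two boxes."""
    hosts = list(transport.hosts())
    if len(hosts) < 2:
        raise ValueError(f"{transport} has too few usable addresses for two routers")
    return {"site1": str(hosts[0]), "site2": str(hosts[1])}


def plan_static_routes(site1_lan: ipaddress.IPv4Network,
                       site2_lan: ipaddress.IPv4Network,
                       transport: ipaddress.IPv4Network) -> Dict[str, List[Dict[str, str]]]:
    """Static routes each pfSense needs so the interconnect carries both directions.

    Site 1 routes Site 2's LAN to Site 2's transport address and vice versa.
    Without the return route (or with NAT still enabled on the interconnect)
    replies would keep leaving via the WAN/IPsec path.
    """
    addrs = transport_addresses(transport)
    return {
        "site1": [{"network": str(site2_lan), "gateway": addrs["site2"]}],
        "site2": [{"network": str(site1_lan), "gateway": addrs["site1"]}],
    }


def plan_interconnect_rules(site1_lan: ipaddress.IPv4Network,
                            server: ipaddress.IPv4Address,
                            port: int) -> List[Dict[str, str]]:
    """Rules for Site 2's interconnect interface: pass only RDP to the server, block the rest.

    pfSense evaluates rules top-down and denies by default; the explicit block
    is kept so the intent is visible in the rule set.
    """
    return [
        {"action": "pass", "proto": "tcp", "src": str(site1_lan),
         "dst": f"{server}/32", "dport": str(port)},
        {"action": "block", "proto": "any", "src": "any", "dst": "any", "dport": "any"},
    ]


def build_plan() -> Dict[str, object]:
    """Validate the transport prefix, then assemble addresses, routes and rules."""
    clashes = transport_clashes(TRANSPORT, [SITE1_LAN, SITE2_LAN] + REMOTE_VPN_SUBNETS)
    if clashes:
        raise ValueError(f"transport {TRANSPORT} overlaps existing subnets: {clashes}")
    return {
        "transport_addresses": transport_addresses(TRANSPORT),
        "static_routes": plan_static_routes(SITE1_LAN, SITE2_LAN, TRANSPORT),
        "site2_interconnect_rules": plan_interconnect_rules(SITE1_LAN, SITE2_SERVER, RDP_PORT),
    }


if __name__ == "__main__":
    print(json.dumps(build_plan(), indent=2))
```

    The overlap check matters because the thread's alternative, RIP via the routed package, would happily advertise an overlapping prefix and leave you with flows that take different paths in each direction. Whichever you choose, keep outbound NAT off the interconnect interfaces, as chpalmer notes, or the return route on the far box never sees the real source address.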



  • @chpalmer Thank you guys, we will be looking into this!!

