Netgate Discussion Forum
    VPN Relay on same subnet?

    selbs (last edited by selbs):

      Hi all, I have searched myself into a state of confusion. I think the information is here but I am burnt out and words have lost meaning :) In reality, I just don't think I am using the correct search strings.

      I have one static IP from the ISP that is handled by an ASA 5505 (at some point pfSense will replace this, but I need to see it running for a while and get familiar).

      I have a machine that must have all traffic move via VPN and no bleeds of data to the public network. What I have envisioned is, I set up pfSense (with OpenVPN) as that machine's gateway and then pfSense passes the encrypted traffic through the ASA like any other traffic... that should be it, right? I set up two NICs (pfSense is in an ESXi VM) but I can't seem to have them IP'd on the same subnet.

      Well, I have built the server up and I just can't connect the dots. The VPN interface should be its own interface... right? Do I have to have two NICs to do this? Do I have to have a WAN NIC to do this? I'm going to flatten this build and start again... but I need to have more info. I guess, ideally, I'd like to use one NIC as the "LAN" NIC and the virtual "VPN" interface just repackages stuff and sends it back out that LAN interface. Clear as mud? :)

      I don't want or expect anyone to hold my hand, but I think I am looking at this the wrong way and could use a shove in the right direction. Thanks!

      viragomann @selbs:

        @selbs said in VPN Relay on same subnet?:

        What I have envisioned is, I set up pfsense (with openvpn) as that machines gateway and then pfsense passes the encrypted traffic through the ASA like any other traffic... that should be it, right?

        That's exactly the point. pfSense has to be the only default gateway on that machine.
        However, consider that this means that the machine is only reachable from within your LAN, or by adding manual static routes to your computers and to that machine as well.

        On pfSense the ASA has to be set as default gateway.

        @selbs said in VPN Relay on same subnet?:

        I set up two nics (pfsense is in a esxi VM) but, I can't seem to have them IP'd on the same subnet.

        Why two NICs? Since you're going to connect it to only one network, one interface will be sufficient.

        @selbs said in VPN Relay on same subnet?:

        The VPN interface should be its own interface... right?

        It's a virtual interface. However, if you want to use it as a gateway you should assign an interface to the OpenVPN instance in Interfaces > Assignments and enable it.

        Which interface you use on pfSense doesn't matter, as long as you configure the rules to allow the needed access.
        Consider that on the WAN interface private networks are blocked by default (a check box in the interface settings), so you will have to uncheck this, while on LAN any incoming traffic is allowed by a predefined rule.

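As an added worked example (not code from the thread, from pfSense, or from either poster), the following Python script models the setup described in the reply above: the protected host's only default gateway is pfSense, pfSense's own default gateway is the ASA, and a LAN firewall rule with the "Gateway" option set to the assigned OpenVPN interface's gateway policy-routes the host's traffic into the tunnel. It also models the failure mode the original poster cares about ("no bleeds of data"): when the tunnel gateway is down, pfSense by default loads a policy-routing rule without its gateway, so traffic falls back to the system default route (the ASA) unless "Skip rules when gateway is down" (System > Advanced > Miscellaneous) is enabled, in which case the rule is omitted and a following block rule acts as a kill switch. The interface names, addresses, gateway names and rule set are constructed for the demonstration.

```python
"""Model of pfSense first-match rule evaluation with policy routing, used to
show when a 'VPN only' host leaks to the default route.  Added example written
for this page; it is a simulation, not pfSense code.  Interface names,
addresses and gateway names below are constructed assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    action: str                     # "pass" or "block"
    iface: str                      # interface the packet arrives on
    src: str                        # source network (CIDR)
    dst: str                        # destination network (CIDR)
    gateway: Optional[str] = None   # policy-routing gateway; None = system default route


def decide(src: str, dst: str, in_iface: str, rules: List[Rule],
           gateway_up: Dict[str, bool], default_gw: str,
           skip_rules_when_gw_down: bool) -> Tuple[str, Optional[str]]:
    """First matching rule on the ingress interface wins (pfSense quick rules).
    Returns ("block", None) or ("pass", <gateway the traffic leaves through>)."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if r.iface != in_iface or s not in ip_network(r.src) or d not in ip_network(r.dst):
            continue
        if r.action == "block":
            return ("block", None)
        if r.gateway is None:
            return ("pass", default_gw)
        if gateway_up[r.gateway]:
            return ("pass", r.gateway)
        # Gateway is down.  With "Skip rules when gateway is down" unchecked
        # (the default) the rule is loaded without its gateway, so the traffic
        # takes the default route.  Checked: the rule is omitted entirely and
        # evaluation continues with the next rule.
        if skip_rules_when_gw_down:
            continue
        return ("pass", default_gw)
    return ("block", None)          # implicit default deny


# Constructed scenario: protected host 192.168.1.50 on LAN, pfSense's default
# gateway is the ASA (WAN_GW), the assigned OpenVPN interface's gateway is
# OPENVPN_GW.  Rule order matters: pass-via-tunnel, then block (kill switch),
# then a normal pass rule for the rest of the LAN.
PROTECTED = "192.168.1.50/32"
LAN_RULES = [
    Rule("pass",  "lan", PROTECTED,        "0.0.0.0/0", gateway="OPENVPN_GW"),
    Rule("block", "lan", PROTECTED,        "0.0.0.0/0"),             # kill switch
    Rule("pass",  "lan", "192.168.1.0/24", "0.0.0.0/0"),             # other hosts: default route
]
INTERNET_DST = "203.0.113.10"       # constructed (TEST-NET-3) destination


def protected_host_path(vpn_up: bool, skip_rules_when_gw_down: bool) -> Tuple[str, Optional[str]]:
    """Where does the protected host's Internet-bound traffic go?"""
    return decide("192.168.1.50", INTERNET_DST, "lan", LAN_RULES,
                  {"OPENVPN_GW": vpn_up, "WAN_GW": True}, "WAN_GW",
                  skip_rules_when_gw_down)


def other_host_path(vpn_up: bool) -> Tuple[str, Optional[str]]:
    """An ordinary LAN host is unaffected by the tunnel state."""
    return decide("192.168.1.20", INTERNET_DST, "lan", LAN_RULES,
                  {"OPENVPN_GW": vpn_up, "WAN_GW": True}, "WAN_GW", True)


if __name__ == "__main__":
    for vpn_up in (True, False):
        for skip in (False, True):
            print(f"vpn_up={vpn_up!s:5} skip_rules_when_gw_down={skip!s:5} ->",
                  protected_host_path(vpn_up, skip))
```

Running it shows the one combination that leaks: tunnel down with the skip option unchecked sends the protected host out through WAN_GW (the ASA) in the clear. Two further things to check on a real box that the model does not cover: an outbound NAT rule for the assigned OpenVPN interface must exist (Firewall > NAT > Outbound), otherwise tunneled packets leave with the LAN source address; and, as the reply notes, if the single NIC is assigned as WAN rather than LAN, "Block private networks" must be unchecked on it or the LAN hosts' traffic is dropped before any of these rules are reached.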
        selbs:

          Thank you! That definitely pushes me in the right direction. I'm going to rebuild today!

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.