Is this dumb? Probably, but still........


  • I put this in general because it covers several topics........

    Let me set the stage - I'm getting gig fiber out in the boondocks. Bought a Protectli 4 port to support the speed and am ordering a small business access point for wireless. Installed pfSense, still waiting for final fiber install, but oh well. I plan to pay for the static IP as well.

    My wife has a business/office and I'm the IT guy of course. I am doing offsite backups for her using our home NAS without having to open things up on the internet, as well as have her able to VPN in from home. For now she VPN's in using a local client and my NAS has a VPN client I can connect to the office VPN as well to do backups.

    Here's where my imagination started running wild, having all this speed, nice hardware, and a product like pfSense. My thoughts are to set up and IPSEC VPN, always on between the sites, VLAN it, and have the access point do a 2nd SSID that's on the VPN. Then her work laptop is just on the VPN wifi at home. I'd also like to be able to include the NAS (wired) either on a schedule or all the time (as long as split tunneled). I don't want to run normal household traffic through the VPN, so not sure if I could use something like a VIP or some other solution to carve off a separate path for the VPN traffic. It even bounced around in my head to feed a line from my downstream switch back into one of the OPT ports to use for the VPN traffic (really stupid, fairly certain of that).

    Long and short of it, I have a bad habit of trying to learn something by using solutions like this. I'm more an OS guy, less network, so wanted to get some feedback about if any of this is possible, would make any sense, and some rough pointers in the direction of what I'm attempting to do. Could we just use the existing VPN clients? Yeah. But what fun is that :) Thanks in advanced for any (helpful) input.


  • Yes, you can definitely setup a site-to-site IPSEC VPN tunnel to get into her place of work. Is it pfsense on both sides - home and at work?

    Youtube Video

    You can also setup a separate SSID on the access point, using the IPSEC VPN as it's specific gateway. That way, all the traffic sonnected to that SSID goes out to the internet thru the VPN. I'm assuming that you will also want to run a normal LAN wifi, for all the other wireless stuff in your house, right?

    All of this you can do, but you'll also have to get and install a smart/managed switch that can run VLANs. The "business access point" should be able to support VLANs, that's usually how you run the different SSIDs on the same device. By using VLANs, you don't necessarily have to use an "extra" port on your firewall, you can run all your traffic over a single physical port, LAN as an example.

    https://www.amazon.com/NETGEAR-8-Port-Gigabit-Ethernet-Managed/dp/B07PLFCQVK/

    Unifi makes some great access points, and are highly recommended here.

    https://www.amazon.com/Ubiquiti-Unifi-Ap-AC-Lite-UAPACLITEUS/dp/B015PR20GY/

    Jeff


  • Watchguard firewall at work. I have an unmanaged switch that is supposed to pass VLAN tags, so hoping that will work, but if not I'll have to get a managed switch and figure that out.

    Correct, I don't want my normal household traffic going through the VPN, just the one SSID and the NAS (wired) when scheduled for backups (or if split tunneled would be fine). Might be the wired NAS that needs the managed switch? Otherwise I could maybe hang the AP or the NAS off of the leftover OPT port to avoid getting having to get the managed switch if it is needed. The NAS does have a static IP, so not sure if I could schedule a rule around that...... (dreaming again....)

    I'll start watching the video, hopefully that fleshes out how to not have the VPN consume all traffic going out the WAN port. That's probably the most confusing part for me to comprehend.

    Thanks Jeff for all the info, that was a great response!


  • @bigthrilla said in Is this dumb? Probably, but still........:

    I'll start watching the video, hopefully that fleshes out how to not have the VPN consume all traffic going out the WAN port. That's probably the most confusing part for me to comprehend.

    Here's a basic discussion about it, internet searches turn up way more. Not sure if there's a step-by-step anywhere out there, but maybe. I haven't watched the attached video, so it might all be set up right there.

    https://www.reddit.com/r/PFSENSE/comments/947gmt/pfsense_with_two_lans_home_lan_and_vpn_lan/

    Jeff


  • That thread hit the nail right on the head as far as I can tell! Awesome! I knew I wasn't searching the right terms, but I couldn't figure out what to use. Thanks for the help!