Mobile VPN from Guest Net to LAN
-
Hi,
I'm not sure if that's the right place for my question.
I have a pfSense firewall with one LAN and one Guest Network. Both networks have outbound NAT to reach the internet.
Also, I have set up an IPsec VPN to reach the LAN from the internet.
This all works perfectly. Now I want to VPN from the GuestNet to the LAN.
How can I do this? Do I have to exclude the IPsec ports from NAT?
Thanks
-
@quasimoto said in Mobile VPN from Guest Net to LAN:
Now I want to to VPN from the GuestNet to the LAN.
There is no need to NAT anything.
Just add proper firewall rules to allow the desired access.
-
As I have full outbound NAT from the GuestNet, how is that "no need to NAT anything"?
The existing Mobile VPN is from anywhere to the WAN IP.
My GuestNet is 192.168.2.0/24, my LAN is 192.168.1.0/24.
Do I need to set up a VPN from the GuestNet directly to the LAN IP?
Or should I exclude outbound NAT from the GuestNet to the IPsec ports?
Only VPN users should be able to connect to the LAN; guests should have no access to the LAN at all.
-
@quasimoto
So you want to establish an IPsec connection from a GuestNet member to pfSense to provide access to the LAN? What's the use of this?
Do I need to set up a VPN from the GuestNet directly to the LAN IP?
You can do this, though, but I'm not sure if the routing works properly.
-
@viragomann said in Mobile VPN from Guest Net to LAN:
So you want to establish an IPSec from a GuestNet member to pfSense to provide access to LAN? What's the use of this?
In our meeting room, we provide only the GuestNet, so all guests can have internet access. Our employees in the same room (let's say within a common meeting) should be able to access the internal resources on the LAN.
-
@quasimoto It doesn't sound to me like you're doing this the right way...
If this is over a Wi-Fi connection, it is totally possible to set your wireless access point to broadcast 2 different networks: 1 for employees and 1 for guests. The employees obviously use the employee Wi-Fi. Doing it this way, the guests can have their own network connection, and the employees can have their own network connection. Then you don't need to use IPsec or make firewall rules or NAT things to allow the guest network to talk to the LAN network.
To make this all happen, both your wireless access points and your switching gear need to support VLANs. Do you have that type of equipment?
-
@akuma1x It is for a customer's setup. They have a policy in place of not providing any internal network in the "unsecure" meeting room.
I will get back to the customer and check again if it would be OK to have a separate SSID for the employees. The VLAN-aware hardware shouldn't be an issue. Is using a VPN not an option?
Thx
-
@quasimoto said in Mobile VPN from Guest Net to LAN:
@akuma1x It is for a customer's setup. They have a policy in place of not providing any internal network in the "unsecure" meeting room.
I will get back to the customer and check again if it would be OK to have a separate SSID for the employees. The VLAN-aware hardware shouldn't be an issue. Is using a VPN not an option?
Thx
Using a VPN is certainly an option. At a customer of mine I have deployed Mobile IPsec VPN to pfSense (normally used from the Internet to WAN -> to reach the LAN).
But I have opened IPsec access to the WAN address from the internal DMZ and BYOD VLANs. So they can start their VPN clients on those VLANs whenever they need LAN access. Works like a charm (Windows, Mac, iOS, Android).
-
@keyser said in Mobile VPN from Guest Net to LAN:
Using VPN is certainly an option. At a customers of mine I have deployed Mobile IPSEC VPN to pfSense (Normally used from Internet to WAN -> to reach LAN).
But I have opened IPsec access to the WAN address from the internal DMZ and BYOD VLANs. So they can start their VPN clients on those VLANs whenever they need LAN access. Works like a charm (Windows, Mac, iOS, Android).
Great! This is exactly what I want.
Do these clients have private IPs and do NAT before reaching the WAN address?
-
@quasimoto said in Mobile VPN from Guest Net to LAN:
Great! This is exactly what I want.
Do these clients have private IPs and do NAT before reaching the WAN address?
Well, if you perform NAT (with the WAN address, like the default automatic rules do) on clients originating from internal networks, your client will run IPsec in NAT-T originating from WAN and going to WAN.
It works that way, but depending on your remote ID setting in IPsec, you might have issues connecting more than one client at a time. So you might consider skipping the NAT part for that connection (saves CPU cycles), and it should help prevent issues with duplicate client IDs depending on your IPsec config.
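The setup keyser describes (guests may only start an IPsec session to the WAN address, that traffic is left untranslated, and only authenticated mobile clients reach the LAN), written out as raw pf rules. This is an added example, not pfSense's generated ruleset and not anything the posters shared; the interface names em0/em2, the WAN address 203.0.113.10 and the mobile client pool 10.0.8.0/24 are assumptions, only the GuestNet and LAN subnets come from the thread.

```pf
# Added example (not from the thread or from pfSense's generated rules).
# Interface names, the WAN address and the mobile client pool are assumptions.
wan_if       = "em0"               # WAN
guest_if     = "em2"               # GuestNet
wan_addr     = "203.0.113.10"      # public WAN address the mobile clients dial
guest_net    = "192.168.2.0/24"    # GuestNet (from the thread)
lan_net      = "192.168.1.0/24"    # LAN (from the thread)
mobile_pool  = "10.0.8.0/24"       # virtual addresses handed to mobile IPsec clients
private_nets = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"
ike_ports    = "{ 500, 4500 }"     # IKE and NAT-T

# --- Outbound NAT (pfSense: Firewall > NAT > Outbound, Hybrid mode, "Do not NAT" rule) ---
# Leave IKE/NAT-T and ESP from the guest net to our own WAN address untranslated, so every
# client keeps its own source address and identity; masquerade everything else as usual.
no nat on $wan_if inet proto udp from $guest_net to $wan_addr port $ike_ports
no nat on $wan_if inet proto esp from $guest_net to $wan_addr
nat on $wan_if inet from $guest_net to any -> ($wan_if)

# --- GuestNet interface rules (pfSense: Firewall > Rules > GuestNet) ---
# Guests may resolve names at the guest gateway and bring up IPsec to the WAN address.
# Every other destination in private address space, the LAN included, is blocked, so the
# guest net itself never reaches the LAN; only the tunnel does.
pass in quick on $guest_if inet proto { tcp, udp } from $guest_net to ($guest_if) port 53
pass in quick on $guest_if inet proto udp from $guest_net to $wan_addr port $ike_ports
pass in quick on $guest_if inet proto esp from $guest_net to $wan_addr
block in quick on $guest_if inet from $guest_net to $private_nets
pass in quick on $guest_if inet from $guest_net to any

# --- IPsec (enc0) rules (pfSense: Firewall > Rules > IPsec) ---
# Only traffic that has been decrypted from an authenticated mobile client may enter the LAN.
pass in quick on enc0 inet from $mobile_pool to $lan_net
```

Order matters: the IKE/ESP passes sit above the private-net block, so the rule set still works if the WAN address itself happens to be in private space behind an upstream NAT. After a test connection, `pfctl -ss` should show the UDP 4500 (or 500) state with the client's real 192.168.2.x source rather than the WAN address, which is the easiest way to confirm the NAT exclusion took effect.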
-
@keyser
Thanks for that!
I think I know now which way to go.
Will do the testing next week in my Lab before changing the customers configuration.