1100 Standalone VPN without router?
-
Can the Netgate 1100 be used as a standalone VPN if the 1100 isn't being used as the router on the network?
For example, if I have a complete network, router, etc in place and just want to add a VPN, can I simply assign an IP to the 1100, enable the VPN, and forward from my existing router or does the 1100 require that it be used as my router as well?
-
@abcdefg while you can set up a VPN server inside your network, this can quite often lead to asymmetrical traffic flow. So it's a bit more involved than just plugging it in and running the OpenVPN wizard.
A simpler solution with less complexity is to use pfSense or any device that is going to be your VPN endpoint at the edge.
If you're going to place a VPN server inside your network, either put it on a transit network connected to your router, or have it source NAT traffic so that your VPN clients look like they're coming from the VPN server's IP in your network.
The other option is to use a TAP VPN where the VPN clients are bridged to the local network, but this opens up its own can of worms.
-
@johnpoz thanks for your response!
Unfortunately our situation with our ISP is that we have to use their hardware so I'm afraid we'll have to do something within the current network.
As for the asymmetric flow issue, are sufficient options exposed in pfSense to configure around this? I've installed VPNs on VMs in existing networks before and have certainly had to do a bit of configuring to get everything visible but it's worked in the past. I was hoping the 1100 would act as a sort of replacement (though not necessarily a configurationless drop-in) for this VM strategy. In other words, is it that it's not possible to do with the 1100 or is it more that it's possible and would just take some configuration/testing to get going?
Thanks again!
-
@abcdefg said in 1100 Standalone VPN without router?:
is that we have to use their hardware
You could always just do a double NAT setup; this would be the easiest solution.
internet -- isp device -- 192.168.0/24 -- (wan) pfsense (lan) -- 192.168.1.0/24 -- your network.
If that ISP device is not providing wifi then it's easy peasy; if you have wireless devices that will need to talk to stuff behind pfSense then it gets a bit more complicated, with having to set up port forwards and maybe source NATting if VPN clients need to talk to stuff in the wifi network provided by the ISP device. If the ISP device is providing wireless, it would be less complicated to just turn that off and set up your own AP behind pfSense.
pfSense is pretty robust; it's more likely that the ISP device doesn't allow for setup of other networks/VLANs, so a transit connection option is not really possible.
Those 192.168 networks are just examples.
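To make the asymmetric-flow problem from the two replies above concrete (VPN server inside the network with no NAT, with source NAT, with a route on the ISP device, and the double-NAT layout), here is an added Python model of the routing tables involved. It is example code written for this thread, not code from pfSense, Netgate or any poster; every address is constructed, following the 192.168.x numbering used above, and the tunnel network 10.0.8.0/24 and the upstream hop 203.0.113.1 are placeholders.

```python
import ipaddress

# Constructed topology (placeholders, following the thread's 192.168.x examples).
UPSTREAM = "203.0.113.1"      # ISP's upstream hop; not modelled beyond this point
ISP_DEVICE = "192.168.0.1"    # ISP router, default gateway of 192.168.0.0/24
VPN_SERVER = "192.168.0.10"   # VPN server placed *inside* the ISP device's network
INSIDE_HOST = "192.168.0.50"  # LAN host the remote VPN client wants to reach
VPN_CLIENT = "10.0.8.2"       # remote client's tunnel address (tunnel is 10.0.8.0/24)
PFSENSE_LAN = "192.168.1.1"   # double-NAT layout: pfSense LAN side, gateway of 192.168.1.0/24
BEHIND_HOST = "192.168.1.50"  # host behind pfSense in the double-NAT layout


def next_hop(routes, dst):
    """Longest-prefix match over (prefix, gateway) pairs; gateway None means on-link."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return dst if best[1] is None else best[1]


def trace(tables, start, dst, max_hops=6):
    """Follow a packet hop by hop through the modelled nodes' routing tables.
    Stops when it is delivered on-link or hands off to a node we do not model."""
    path = [start]
    node = start
    for _ in range(max_hops):
        hop = next_hop(tables[node], dst)
        path.append(hop)
        if hop == dst or hop not in tables:
            break
        node = hop
    return path


def symmetric(forward, reverse, endpoint):
    """True if the reply retraces the forward path back to the VPN endpoint.
    A reply that never reaches the endpoint (e.g. leaves via the ISP) is not symmetric."""
    if endpoint not in reverse:
        return False
    back = reverse[:reverse.index(endpoint) + 1]
    return back[::-1] == forward


# Single NAT: VPN server is just another host on the ISP device's LAN.
SINGLE_NAT = {
    INSIDE_HOST: [("192.168.0.0/24", None), ("0.0.0.0/0", ISP_DEVICE)],
    ISP_DEVICE:  [("192.168.0.0/24", None), ("0.0.0.0/0", UPSTREAM)],
    VPN_SERVER:  [("192.168.0.0/24", None), ("10.0.8.0/24", None), ("0.0.0.0/0", ISP_DEVICE)],
}

# Double NAT: internet -- isp device -- 192.168.0/24 -- (wan) pfsense (lan) -- 192.168.1.0/24
DOUBLE_NAT = {
    BEHIND_HOST: [("192.168.1.0/24", None), ("0.0.0.0/0", PFSENSE_LAN)],
    PFSENSE_LAN: [("192.168.1.0/24", None), ("10.0.8.0/24", None),
                  ("192.168.0.0/24", None), ("0.0.0.0/0", ISP_DEVICE)],
}


def scenario_no_nat():
    """Client traffic enters the LAN with its 10.0.8.x source; host replies via its default gateway."""
    return trace(SINGLE_NAT, VPN_SERVER, INSIDE_HOST), trace(SINGLE_NAT, INSIDE_HOST, VPN_CLIENT)


def scenario_source_nat():
    """VPN server source-NATs client traffic to its own LAN address, so the reply is on-link."""
    return trace(SINGLE_NAT, VPN_SERVER, INSIDE_HOST), trace(SINGLE_NAT, INSIDE_HOST, VPN_SERVER)


def scenario_router_route():
    """ISP device has a static route for the tunnel: reply arrives, but hairpins through the router."""
    tables = dict(SINGLE_NAT)
    tables[ISP_DEVICE] = [("192.168.0.0/24", None), ("10.0.8.0/24", VPN_SERVER), ("0.0.0.0/0", UPSTREAM)]
    return trace(tables, VPN_SERVER, INSIDE_HOST), trace(tables, INSIDE_HOST, VPN_CLIENT)


def scenario_double_nat():
    """pfSense is the default gateway of the hosts behind it, so replies must pass through it."""
    return trace(DOUBLE_NAT, PFSENSE_LAN, BEHIND_HOST), trace(DOUBLE_NAT, BEHIND_HOST, VPN_CLIENT)


if __name__ == "__main__":
    for name, (fwd, rev), endpoint in [
        ("inside LAN, no NAT", scenario_no_nat(), VPN_SERVER),
        ("inside LAN, source NAT", scenario_source_nat(), VPN_SERVER),
        ("inside LAN, route on ISP device", scenario_router_route(), VPN_SERVER),
        ("double NAT, pfSense as gateway", scenario_double_nat(), PFSENSE_LAN),
    ]:
        print(f"{name:34} forward={fwd} reply={rev} symmetric={symmetric(fwd, rev, endpoint)}")
```

Running it shows the no-NAT reply leaving through the ISP device toward the upstream, never touching the VPN server; the ISP-route variant reaches the VPN server but by a different path than the forward traffic took, which is the asymmetry a stateful firewall on the VPN server will object to; source NAT and the double-NAT layout both give a reply that retraces the forward path.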
-
@johnpoz thanks and understood. The double nat suggestion sounds familiar and I assume it's safe to say that the pfSense features are a superset of whatever the freebie ISP router has (I don't have access to the mfr/model info at the moment) so we shouldn't be losing anything by moving the network to the pfSense unit.
Many thanks!