Placing old Firewall/VPN behind new pfSense box
I'm getting started on replacing gateway devices at several locations, 1 main site and 6 external sites. Each external site currently has a site-to-site OpenVPN using Smoothwall Express. The main site also runs OpenVPN for single remotes, with OpenVPN on users' laptops.
At the main site, I'm looking at the best way to keep the status quo functioning while I work with each branch site and remote worker to update them to new VPN tunnels. The OpenVPN server/client on the current device is limited enough that any change to try and make it connect via OpenVPN to a Netgate device risks breaking everything, which can't happen. A few sites have frustratingly locked down modem/gateway devices which would force an IPsec tunnel through a double NAT, making it really slow and unstable in my experience.
At the main site, the Netgate device will be at the edge of the network, with the old firewall/VPN behind it. From there, there are a few options:
Port forward the existing VPN ports back to the old device. Routing could be a bit tricky to make sure incoming VPN connections have a route to the main site LAN. The new VPNs would then have to use alternate ports, at least until the old tunnels are all decommissioned.
The other possibility is a 1:1 NAT setup, using a completely different IP for the new tunnels on the new devices. Luckily I have multiple public IPs to work with.
Does anyone have some experience with such a scenario, who can suggest the best approach?