Netgate Discussion Forum

    Pfsense connected to Fortigate as SSL VPN server only

    Debian-Linux

      Hello,

      We have an SSL VPN server configured on a Fortigate 100E HA cluster. The Fortigate HA cluster is connected to the WAN switch and the LAN switch. We want to migrate the SSL VPN server slowly from the Fortigate to the pfSense server (migrate only the VPN server, not everything). The goal is to use the OpenVPN server in pfSense as the main SSL VPN server for the company, so at first we will have two SSL VPN servers with two different GWs (one on the Fortigate and one on pfSense) to test the configuration, and once everything is working fine we will stop the SSL VPN server on the Fortigate and use only the OpenVPN server in pfSense. Did anyone do that, and any ideas?

      Thanks,

      viragomann @Debian-Linux

        @Debian-Linux
        So your setup should look like this in the future:

        WAN ---- Forti ---- LAN
                        |
                        |--- pfSense-VPN-GW
        

        ?
        In fact pfSense is a LAN device in this case. Maybe there is a switch in between, but this doesn't matter.

        Yes, you can do this.

        • You have to separate pfSense from the LAN, however. Create an additional subnet (maybe VLAN) between the Fortigate and pfSense.
        • Assuming you connect the WAN interface of pfSense to the Forti, state the Forti IP (of the VLAN) as upstream gateway in the interface settings.
        • On the Fortigate forward the OpenVPN traffic to pfSense.
        • On the Forti create static routes for the OpenVPN tunnel networks (assuming you run an access server. For a site-2-site create static routes for the remote networks) and point them to pfSense.
        • On pfSense go to NAT > Outbound, enable the hybrid mode and add a rule for the destination of your local networks (can be an alias) to the WAN interface and set it to "no NAT". This enables the destination device to see the real client source IP instead of the pfSense WAN IP.
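As an added illustration of the Fortigate side of steps 3 and 4 above (the port forward and the static routes), here is the FortiOS CLI equivalent; this is not from the thread or either poster, and the interface names, the 10.10.10.0/24 transit VLAN, the 10.8.0.0/24 tunnel network, the public address and UDP 1194 are all assumed placeholders.

```fortios
# Added example (not from the thread). Assumed placeholder values:
#   wan1 = Forti WAN interface, vlan-pfsense = transit VLAN to pfSense (10.10.10.0/24)
#   10.10.10.2 = pfSense WAN address, 203.0.113.10 = Forti public address (doc range)
#   10.8.0.0/24 = OpenVPN tunnel network on pfSense, listening on UDP 1194

# Step 3: forward only the OpenVPN port from the Fortigate WAN to pfSense
config firewall service custom
    edit "OpenVPN-UDP-1194"
        set udp-portrange 1194
    next
end

config firewall vip
    edit "vip-openvpn-pfsense"
        set extip 203.0.113.10
        set extintf "wan1"
        set portforward enable
        set protocol udp
        set extport 1194
        set mappedip "10.10.10.2"
        set mappedport 1194
    next
end

# Policy limited to the forwarded service; logged so attempts against the
# new VPN entry point are visible in the Forti logs during the migration
config firewall policy
    edit 0
        set name "wan-to-pfsense-openvpn"
        set srcintf "wan1"
        set dstintf "vlan-pfsense"
        set srcaddr "all"
        set dstaddr "vip-openvpn-pfsense"
        set action accept
        set schedule "always"
        set service "OpenVPN-UDP-1194"
        set logtraffic all
    next
end

# Step 4: route the tunnel network back to pfSense so LAN replies to VPN
# clients are not sent out the Fortigate default route instead
config router static
    edit 0
        set dst 10.8.0.0 255.255.255.0
        set gateway 10.10.10.2
        set device "vlan-pfsense"
    next
end
```

pfSense still needs its own WAN firewall rule allowing UDP 1194 and the hybrid outbound NAT "no NAT" rule from the last bullet; both are set in the pfSense web GUI rather than on the Fortigate.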
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.