set up pfSense as additional gateway into VPNs
-
Greetings, I could use your help here:
For a customer I configure pfSense-appliances (small 1100s) which are rented to their customers.
They want hw appliances so that the paying customers "see what they get" ;-)
The boxes should be plugged between the existing LAN and the PCs, pull an IP and act as DHCP and OpenVPN client, calling "home":
a tunnel is established, and via CSO they now can reach one single VM in the server LAN at my customers site
So we have the following "features":
- pull WAN-IP per DHCP
- provide DHCP to the PCs behind its LAN-NIC
- act as VPN client, route traffic to one server VM
- optionally provide access from the server VM to stuff like payment terminals or printers at the client side (via NAT portforwardings)
So far this works, we run around 20 of them
For sure the concept has flaws: double NAT, sometimes issues accessing existing Wifi (which is in the original subnet) etc / AND the pfSense is a SPOF now
So we want to come up with better solutions:
- I'd like to place the 1100 as an additional gateway routing to the servers
- no more DHCP-server on it
- PCs keep their def gw, and get a route added ("to reach server X, send packets to pfSense-IP")
What I don't get yet:
- WAN and LAN of the pfSense would be in the same subnet: can't work
- can I set that up using one NIC only somehow?
The appliances should be as much "plug and play" as possible
I appreciate any help here, so far I am a bit lost ... thanks
ps: I see that this would be a use-case for something like tailscale etc ...
-
@sgw said in set up pfSense as additional gateway into VPNs:
can I set that up using one NIC only somehow?
A router on a stick design? For sure, you can set this up.
pfSense only needs a single IP in this case.
On the internet router you have to forward the OpenVPN traffic of course.
The appliances should be as much "plug and play" as possible
You need to set a static route on each client that needs to access the remote site, as you already mentioned. But this can be done via DHCP.
You can also consider forwarding traffic on pfSense to the server, in case there is no need to access a LAN device from the remote site. If you connect the WAN interface to the network, ensure you remove the "block private networks" in the interface settings. But you can as well attach the LAN to their network.
Aside from this and proper firewall rules, there is nothing special to be concerned with in this setup that comes to my mind.
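As an added illustration of the "static route via DHCP" suggestion above (example code written for this thread, not from either poster or from the pfSense project): the route "to reach server X, send packets to the pfSense IP" is pushed to clients with the DHCP Classless Static Route option (option 121, RFC 3442; Windows clients historically ask for option 249, which uses the same wire format). The encoder below builds that option payload, and the decoder lets you verify what clients will actually install. The addresses are constructed sample values. One caveat worth checking: RFC 3442 says a client that receives option 121 ignores option 3 (the plain default router), so the default route must be included in the option as well, or the PCs lose their default gateway.

```python
import ipaddress
from typing import Iterable, List, Tuple

# A route is (destination CIDR, next-hop IPv4 address).
Route = Tuple[str, str]


def encode_classless_routes(routes: Iterable[Route]) -> bytes:
    """Build the RFC 3442 option 121 / 249 payload.

    Per route: 1 byte prefix length, then only the significant octets of the
    destination (ceil(prefixlen / 8) of them), then the 4-octet router address.
    """
    out = bytearray()
    for dest, via in routes:
        net = ipaddress.IPv4Network(dest, strict=True)   # reject host bits set
        gw = ipaddress.IPv4Address(via)
        plen = net.prefixlen
        significant = (plen + 7) // 8
        out.append(plen)
        out += net.network_address.packed[:significant]
        out += gw.packed
    if len(out) > 255:
        # A single DHCP option instance carries at most 255 bytes of data.
        raise ValueError("option payload exceeds 255 bytes; split across options")
    return bytes(out)


def decode_classless_routes(data: bytes) -> List[Route]:
    """Parse an option 121 / 249 payload back into (CIDR, next-hop) pairs.

    Rejects malformed input (prefix > 32, truncated route) instead of guessing,
    which is what you want when inspecting a captured DHCP offer.
    """
    routes: List[Route] = []
    i = 0
    while i < len(data):
        plen = data[i]
        i += 1
        if plen > 32:
            raise ValueError(f"invalid prefix length {plen}")
        significant = (plen + 7) // 8
        if i + significant + 4 > len(data):
            raise ValueError("truncated route entry")
        dest = bytes(data[i:i + significant]) + b"\x00" * (4 - significant)
        i += significant
        gw = data[i:i + 4]
        i += 4
        routes.append((f"{ipaddress.IPv4Address(dest)}/{plen}",
                       str(ipaddress.IPv4Address(gw))))
    return routes


def to_colon_hex(data: bytes) -> str:
    """Colon-separated hex, the data-literal form ISC dhcpd accepts for custom options."""
    return ":".join(f"{b:02x}" for b in data)


# Constructed sample: the server VM reached through the pfSense box, plus the
# existing default gateway, which must be repeated here (see RFC 3442).
SAMPLE_ROUTES: List[Route] = [
    ("10.10.0.5/32", "192.168.1.250"),   # server X via pfSense (assumed addresses)
    ("0.0.0.0/0", "192.168.1.1"),        # keep the LAN's normal default gateway
]


def sample_option_value() -> str:
    return to_colon_hex(encode_classless_routes(SAMPLE_ROUTES))


if __name__ == "__main__":
    payload = encode_classless_routes(SAMPLE_ROUTES)
    print("option 121/249 value:", to_colon_hex(payload))
    print("clients will install:", decode_classless_routes(payload))
```

The colon-hex string is what an ISC-style dhcpd takes as the option data; how a given DHCP server's UI wants it entered (and whether it expects a quoted string instead) is something to confirm against that server's documentation, as that part is an assumption here. Running the decoder over a payload captured from a real DHCP offer is a cheap way to confirm the clients are being handed exactly the two routes you intended and nothing else.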