Use pfsense as a vpn only appliance



  • Guys, I would like to use pfSense as a VPN-only appliance. Our network consists of a front-end/back-end firewall setup. I would like to know: are any of you out there using pfSense only for VPN, and if you are, how did you deploy it in your network? I will be integrating this into an Active Directory environment; my main goal for pfSense is to use OpenVPN and configure some IPsec tunnels. I was thinking of deploying pfSense side by side with our back-end firewall, basically plugging one NIC into the LAN and the other NIC into a DMZ. Anyway, let me know what you think; any help will be much appreciated.



  • pfSense is a great firewall and I can't wait for the day I can replace my last bit of Cisco gear with pfSense.
    There are a few things that hold me back, and one of those was fixed in the recent maintenance release (restarting all tunnels when making changes to anything IPsec)!
    I personally like to forward PPTP (TCP 1723 + GRE) to a Windows Server and have winders manage PPTP. I wasn't very fond of the PPTP in pfSense, but in the end I just wanted users to use their AD credentials, so they didn't have to remember yet another user and pass. I didn't go down the OpenVPN road very far either, so I can't help much there.

    I use IPsec very heavily and pfSense would be an awesome fit, but there are a few things I have to have to make the move completely. One of which is Policy NAT. Some corporations have strict policies that require them to assign me an address space to use as my protected traffic, not to mention half the world is on the 192.168.0.0/24 network (half is an exaggeration, but you know what I mean). From what I have read and been told, pfSense cannot do this just yet and I don't know if it is in the works or not.
    The other problem I have is that I often need to input a handful of hosts or even multiple subnets for the same tunnel. Right now you can only do one. To do more than one you have to create multiple tunnels, which at the point I am at is just too much work and time. This however is being worked on as far as I know. I used a few snapshots in the past where it allowed me to do this and I can't wait to see it in a final release.

    As in all builds, you want to make sure your hardware is adequate to fit your needs as well.
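    The two IPsec limitations described in the post above (no Policy NAT, and one subnet per tunnel) are planning problems before they are configuration problems: you have to work out which tunnels collide on 192.168.0.0/24, what address space to present to each peer, and how many Phase 2 entries a multi-subnet tunnel explodes into. The script below is an added example, not code from the poster or from the pfSense project, and it is vendor-neutral: it models the 1:1 (BINAT) translation and the Phase 2 expansion rather than writing any pfSense configuration (later pfSense releases did add multiple Phase 2 entries per tunnel and a NAT/BINAT option on Phase 2). The hub LAN, the peer names and the address spaces the peers "assigned" are constructed sample data.

```python
import ipaddress
from itertools import product

# Constructed sample data (not from the thread): our LAN sits on the same
# 192.168.0.0/24 that two of our three partners also use internally.
HUB_LAN = "192.168.0.0/24"
PARTNERS = {
    # peer name: (address space the peer assigned us, peer's protected subnets)
    "acme":    ("10.200.1.0/24", ["192.168.0.0/24", "172.16.5.0/24"]),
    "globex":  ("10.200.2.0/24", ["192.168.0.0/24"]),
    "initech": (None,            ["10.9.0.0/16"]),   # no collision, no NAT
}


def phase2_entries(local_subnets, remote_subnets):
    """Expand a tunnel carrying several local and remote subnets into the
    one-pair-per-entry Phase 2 list: n local x m remote entries."""
    return [(ipaddress.ip_network(l), ipaddress.ip_network(r))
            for l, r in product(local_subnets, remote_subnets)]


def needs_policy_nat(local_subnets, remote_subnets):
    """True when a local subnet overlaps a peer subnet: the local side must
    be translated before encryption or the SPD/routing is ambiguous."""
    locals_ = [ipaddress.ip_network(n) for n in local_subnets]
    remotes = [ipaddress.ip_network(n) for n in remote_subnets]
    return any(l.overlaps(r) for l in locals_ for r in remotes)


def binat_translator(real_net, nat_net):
    """1:1 (BINAT) mapping that keeps the host part: real .10 -> nat .10."""
    real = ipaddress.ip_network(real_net)
    nat = ipaddress.ip_network(nat_net)
    if real.prefixlen != nat.prefixlen:
        raise ValueError("1:1 NAT needs equal-sized networks")

    def translate(host):
        host = ipaddress.ip_address(host)
        if host not in real:
            raise ValueError(f"{host} is not in {real}")
        offset = int(host) - int(real.network_address)
        return ipaddress.ip_address(int(nat.network_address) + offset)

    return translate


def plan_tunnel(peer, nat_space, remote_subnets, local_subnet=HUB_LAN):
    """Decide what one peer sees: our real LAN, or the NAT space the peer
    assigned us when our LAN collides with theirs."""
    if needs_policy_nat([local_subnet], remote_subnets):
        if nat_space is None:
            raise ValueError(f"{peer}: subnets overlap and no NAT space assigned")
        presented, translate = nat_space, binat_translator(local_subnet, nat_space)
    else:
        presented, translate = local_subnet, None
    return {
        "peer": peer,
        "presented": ipaddress.ip_network(presented),
        "translate": translate,               # None when no NAT is needed
        "phase2": phase2_entries([presented], remote_subnets),
    }


def plan_all(partners=PARTNERS):
    return {name: plan_tunnel(name, nat, remotes)
            for name, (nat, remotes) in partners.items()}


def conflicting_remotes(plans):
    """Pairs of peers whose remote subnets overlap. NAT on our side does not
    fix this: a packet to 192.168.0.x still matches two tunnels, so the
    peers also have to present distinct (translated) address space."""
    names = sorted(plans)
    found = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            ra = [r for _, r in plans[a]["phase2"]]
            rb = [r for _, r in plans[b]["phase2"]]
            if any(x.overlaps(y) for x in ra for y in rb):
                found.append((a, b))
    return found


if __name__ == "__main__":
    plans = plan_all()
    for name, p in plans.items():
        print(f"{name}: present {p['presented']} in {len(p['phase2'])} Phase 2 entr(y/ies)")
        if p["translate"]:
            print(f"  192.168.0.10 leaves the tunnel as {p['translate']('192.168.0.10')}")
    print("peers whose remotes collide:", conflicting_remotes(plans))
```

    Running it shows acme and globex both needing our traffic translated into the /24 each assigned us, initech receiving the real LAN, and an unresolvable collision between acme's and globex's remote side that only they can fix by translating too. The Phase 2 expansion is the cost the post is complaining about: a tunnel with two local and three remote subnets is six entries (or six tunnels) when the platform takes one pair at a time.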



  • I've set that up for people a few times; it works well. You can either dual-home or single-home. I prefer the latter generally; avoiding dual-homing where possible is good. Keeping a single ingress/egress point for your internal networks to any outside networks is always preferable for routing and control purposes.



  • This thread came up while searching for help on how to use pfSense as a VPN appliance. Our current firewall is an iptables ruleset with traffic shaping. I would like to replace my current firewall with a pfSense one, but the traffic shaping bit is holding me back. On the other hand, we do have an urgent need for VPN.

    So I thought I'd leave the current firewall alone for now and use pfSense as a drop-in VPN appliance. Being a complete nitwit when it comes to VPN, I started googling for help on how to set up pfSense as such. This thread came up closest on the forum… but it does not actually provide an answer.

    Could someone point me to some documentation I could read on this subject? pfSense-specific would be appreciated...



  • One place would be the documentation http://doc.pfsense.org/index.php/Main_Page . Another is the recently released book. If you really want to find out all that pfSense can do with VPN the book goes into quite a lot of detail.



  • Good tip… had the book on my desk and did not look at it  :-[

    thanks for the rtfm... ;)

