This setup possible with pfsense?



  • Hello folks,

at the moment we are evaluating pfsense as the primary firewall
    for our company and I would like to know from your experience if
    the following setup can be handled by pfsense without problems.

    LAN ---- PFSENSE (OpenVPN) ---- CISCO (IPSEC, split-tunneling) --- ISP
                |
               DMZ

    Second office LAN --- PFSENSE --- ISP

Our LAN is connected to pfsense interface0, WAN is interface1, DMZ interface2.
    The WAN interface is connected to the CISCO router, which creates an IPSEC tunnel
    to our customer on demand. The only official IP is on the WAN interface of the
    CISCO router, which forwards any traffic not directed to our customer to pfsense, which
    has an internal address on its WAN interface.

Our second office will have pfsense as firewall and pppoe gateway (official IP on WAN);
    we need a persistent VPN tunnel between the two offices.

Does this setup work if one of the pfsense boxes has an internal IP on WAN
    and the other has an official one? Will the tunnel between the offices work?
    Does OpenVPN accept this setup for roadwarriors? What rules are necessary?

thanks a lot in advance
    Stefan



  • I have a similar IPSEC setup like you describe (with one pfSense behind another natting router). The pfSense behind the natting router joins as mobile client to the pfSense with the static IP. As it has a keepalive IP set, the tunnel is up all the time, even on IP change (the end with the other natting router is dynamic).

    Can't say too much about openvpn though as I haven't used it yet.


  • Moderator

OpenVPN should work, as long as its standard UDP port (1194) is properly redirected to the pfSense box behind the Cisco. The other pfsense on the ADSL (I assume) line should work just fine. Anything further depends on the IP/netmasks used on either side and the mode used for OpenVPN. But at a first glance I can't see anything that should spoil the fun here - as long as the Cisco is forwarding the OpenVPN UDP packets addressed to the public IP to the pfSense on its transfer net (WAN).
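The moderator's "depends on the ip/netmasks used on either side" caveat is the one thing in this thread that is easy to check before building the tunnel. The script below is an added example, not posted by anyone in the thread; every address in it is a constructed placeholder for the networks drawn in the original diagram (LAN, DMZ and Cisco transfer net at the first office, LAN at the second, plus the OpenVPN tunnel and roadwarrior pools). It flags overlapping networks and lists which subnets each pfSense must route across the site-to-site tunnel.

```python
"""Overlap check for the two-office pfSense/OpenVPN topology in this thread.

Added example with constructed sample addresses (not the thread's real
networks). Any overlap between the networks on either side will break
routing once the tunnel is up, so we test for it before configuring anything.
"""
from __future__ import annotations

from ipaddress import ip_network
from itertools import combinations

# Constructed sample plan; replace each value with the real allocation.
PLAN = {
    "office1_lan":      "192.168.10.0/24",  # pfSense interface0
    "office1_dmz":      "192.168.20.0/24",  # pfSense interface2
    "cisco_transfer":   "10.0.0.0/30",      # Cisco <-> pfSense WAN (private)
    "office2_lan":      "192.168.30.0/24",  # second office LAN
    "openvpn_tunnel":   "10.8.0.0/24",      # site-to-site tunnel network
    "roadwarrior_pool": "10.9.0.0/24",      # remote-access client pool
}


def find_overlaps(plan: dict[str, str]) -> list[tuple[str, str]]:
    """Return every pair of named networks whose address ranges overlap."""
    nets = {name: ip_network(cidr, strict=True) for name, cidr in plan.items()}
    return sorted(
        (a, b) for a, b in combinations(nets, 2) if nets[a].overlaps(nets[b])
    )


def tunnel_routes(plan: dict[str, str]) -> dict[str, list[str]]:
    """Subnets each pfSense must route over the site-to-site tunnel.

    The Cisco transfer net and the VPN pools stay local; only the user
    networks behind each firewall are reachable from the other office.
    """
    return {
        "office1_pfsense_to_office2": [plan["office2_lan"]],
        "office2_pfsense_to_office1": [plan["office1_lan"], plan["office1_dmz"]],
    }


if __name__ == "__main__":
    clashes = find_overlaps(PLAN)
    if clashes:
        for a, b in clashes:
            print(f"OVERLAP: {a} ({PLAN[a]}) and {b} ({PLAN[b]})")
    else:
        print("No overlapping networks.")
        for side, routes in tunnel_routes(PLAN).items():
            print(f"{side}: {', '.join(routes)}")
```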

