Dummy WAN?

  • Hi, would it be possible to set the WAN interface as dummy?, I would like to install PFSense in 3 different sites, they'll be interconnected with private point-to-point links and only one of them will have internet connectivity.

    The setup would be something like this:

    IF1 - LAN
    IF2 - Link S1 to S2

    IF1 - LAN
    IF2 - Link S1 to S2
    IF3 - Link S2 to S3

    IF1 - LAN
    IF2 - Link S2 to S3
    IF3 - WAN, internet access

    I don't have enough interfaces to leave an unused card for WAN, how can I make this work with that limitation?

  • as far as i can see, there is nothing stopping you from using the WAN interface for one of your site to site links.

  • "WAN" is just a name.

    However i would put the name "WAN" on the interface with the link facing towards the internet.
    So according to your list:

        LAN              LAN               LAN
          |               |                 |
         S1 WAN -----OPT1 S2 WAN ----- OPT1 S3 WAN ---- internet

  • @Gob:

    as far as i can see, there is nothing stopping you from using the WAN interface for one of your site to site links.

    There are some assumptions about the WAN interface and default rules that I would like to avoid. Also, would be nice to have that interface free in case the other sites get their own Internet access (a full reconfiguration would be needed in that case if I use now WAN)

  • So you want to keep a WAN but not allocate a physical interface to it?
    Are you comfortable with using VLANs?

  • I want to keep "WAN" unused. Currently i'm testing the configuration with Virtualbox and the real site interconnect will be provided by a service provider, so I don't think I can use VLANs in this case….

    The idea is to have VPNs between the sites, i'm not sure about using IPSec or OpenVPN yet as some say IPSec has better performance others that OpenVPN is way better...

    I was planning to use IPSec. Filtering the connection coming from the tunnel might be needed (that's only possible with OpenVPN), and routing is a must (site 1 can only reach site 3 through site 2), i'm not sure if that's an issue with any of both...

  • You can still filter IPSEC tunnel traffic.
    Should be able to achieve the routing with static routes.

    Do you need to use a VPN if you are not routing over a public network?
    You can still filter between two pseudo LAN networks. You would get better performance if you are not encrypting traffic.

  • Would be nice to avoid the tunneling, but is required by management. Apparently they don't trust the p2p provider. For the time being, I started testing the configuration with GruensFroeschli's suggestion.

  • What kind of site-to-site connections are you going to have?

    If you have to encrypt traffic between the pfSense i highly recommend to use OpenVPN.
    With OpenVPN you have to option to specify routes in the config file which are added dynamically to the routing table when the tunnel comes up.
    (And get removed when the tunnel goes down, aka the link drops for whatever reasons)

    With this you have the ability to create two routes ( and which point to the other side of the tunnel, effectively routing everything towards the internet.
    After disabling automatic VPN rule generation you can assign the VPN interface as if it were a normal interface and create firewall rules for it.

    So with your description i would:
    Have one physical interface: LAN –> connect to LAN
    Have one physical interface: WAN --> leave unconnected
    Have one physical interface: OPT1 --> connect to "both" site-to-site connection. Put all the site-to-site connections in the same subnet. (is this possible)
    Have as many as you need virtual VPN interfaces: OPT2, OPT3, --> connect over OPT1 to the other site-to-sites.

    This would look like this:

    WAN -------|
    LAN ----- S1---- OPT1-------|
               |                |
             OPT2(VPN)          |
                  |             |
                  |             |
                  |             |
                  |             |
             OPT2(VPN)          |
    WAN -------|                |
    LAN ----- S2---- OPT1-------|
               |                |
             OPT3(VPN)          |
                  |             |
                  |             |
                  |             |
                  |             |
             OPT2(VPN)          |
              |                 |
    LAN ----- S3---- OPT1-------|
              |----- WAN --- internet

  • Wouldn't OpenVPN give lower throughput than IPSec?, why is it "highly recommended"?. It's not clear to me the "virtual IFs" usage  ???. The intersite connections are point to point fiber optic links provided by an external company, they're terminated as ethernet connections with their hardware. I'll check again, but currently i'm limited with interfaces, so i'm not sure I can assign one unused card to WAN (although it would be ideal).

  • Why do you think IPSec performs better than OpenVPN?
    It all depends on what encryption you choose.
    You might consider adding a hardware crypto accelerator to your setup if you intend to push close to wirespeed encrypted traffic.

    I think for your application OpenVPN is better since you can actually route with it.
    I usually dont use IPSEC so most of my experience with pfSense and IPSEC is from reading about it here.
    What i've read is that you can't actually route into the IPSEC tunnel but more define ranges which get redirected (please someone correct me if i'm wrong with this).

    For each OpenVPN instance you can create a virtual interface on the pfSense.
    From the routing point of view there is no difference between such a virtual interface and a real interface.

    Are these fiber links bridges?
    Or does the terminating hardware do some kind of routing?

    How many interfaces do you have available on your hardware?

  • @GruensFroeschli:

    What i've read is that you can't actually route into the IPSEC tunnel but more define ranges which get redirected (please someone correct me if i'm wrong with this).

    That's what I've read too and why I'm planning on changing 20+ IPSEC VPNs to OpenVPN.

  • that's my plan with my 56 IPSEC tunnels, although waiting for the cert management that is built into pfSense v2

  • As it's running in userspace, openVPN requires more context switches to do the same work. I'm testing it with a VM since I only could stablish one IPSec tunnel, the assistant for the second one didn't like my IP addressing apparently.

    For what I know, the links are terminated by routers.

    Currently site1 has 2 IFs, site2 has 2 IFs and site3 has 3. I think we can add more, but currently that's all we have.

  • This might interest you:
    Also googling IPSEC vs OpenVPN.

    Yes OpenVPN is slower than IPSEC but IMO marginally.
    Using an encryption which has hardware support on your platform will give you way bigger performance-gains than looking for optimizations on this level.

    What hardware are you going to use?
    Do you really need to tweak the least bit of performance?
    I think the advantages you gain with OpenVPN (true routability!, NAT-able into the tunnel) weights more than having a few kbit/s more bandwith on the link ;)

  • I'm not sure about the hardware, I think the're full blown PCs. The'll be provided by the client. Would be nice to have a demo config of this kind of setup in the book  ;D

    I still didn't try to route connection from site1 to site3 as i'm still having some connectivity issues with one direction of one of the tunnels…
    Ref: http://forum.pfsense.org/index.php/topic,23854.0.html

Log in to reply