Using PFSense on MPLS circuit to protect site to site



  • We are scrapping our VPN-IPSEC connections in favor of dedicated point to point MPLS.
    I'm not thrilled about it but not much I can do.
    The provider will give me a perimeter router, with say whatever internal IP address I want for the local net.
    Let's just say it's 10.0.0.1/16 at this site, and there are 3 remote sites 10.1.0.1/16 and 10.2.0.1/16

    If I want to put a PFSense in, in order to run Snort IPS, maybe NTOP to monitor.
    Evidently I have to change the IP scheme internally to not conflict with the existing network defined at the MPLS provider (or do I? - subnet it?)

    The issue is internal users will want internet access. Can I use OPT1 port as gateway to internet?
    Or is that a stupid idea and use a separate gateway & router for that function to the ISP?
    It would be nice to have IPSEC failover if the MPLS were to fail, so I could use VPN as a backup if necessary.

    Thoughts?



  • I'm not sure I understand your first question.  Which IP scheme defined by the MPLS provider?  Don't worry about their core, all you need to do is worry about the private networks, and you shouldn't need to change any of your own IP scheme at all.

    The MPLS provider is insulated from your IP routing as its whole purpose to begin with is to isolate several customers that may want to use the same IP address space.

    If you are going to provide your own ISP and connect say a DSL router to your network on OPT1, it's easy, just configure that interface with its appropriate IP address/mask and tell it that there is a gateway on that interface.  You can then set up static routing on the PFsense or use policy based routing on a per/rule basis to use the gateway however/whenever you want... or don't want.

    That help?
    –James



  • Regarding your suggestion to use IPSEC for failover, and whose responsibility it is to provide internet access.

    The MPLS provider would/should be able to provide internet access for you if you'd like, you can also reject their internet service or ask them to use a separate VC/VLAN/DLCI on the CE<>PE connection that will be direct to internet.  You can most definitely use IPsec across their MPLS network, and it may even still be suggested if you don't want unencrypted raw traffic on their "trusted" network. (remember, from their core perspective, there is nothing confidential about MPLS, just a few protocol shim headers "popped" and your IP datagram and company secrets are exposed.)

    It will not be difficult to firewall your internet access (if provided by the MPLS provider) with the PFsense in this scenario. The best option is to put your own PFsense on the LAN side of each CE (customer edge) router they give you and treat them as an un-trusted network if you go this route.

    If you want a separate DSL or other ISP services at each site for failover VPN  and internet purposes, you can still do that with the PFsense using an OPTx interface and another set of IPSEC tunnels to be back-up.

    Your IPSEC tunnels can be run PF<>PF from site to site over the MPLS and if that goes down, the DSL would/should automatically take over.  Just run the cost/benefit analysis; an MPLS architecture, if they're doing it right, is redundant by itself.  As long as they have redundancy in the core it should re-route itself easily.  You're only protecting yourself from a "last mile" outage and hoping that your MPLS provider isn't on the same transport run/LEC as your DSL/ISP provider.

    Hope this helps!
    –James

