Multi Site Network design - 1 link, 2 VPNs



  • Hello All,

    We are currently expanding our offices to include another site several miles away. We intend to connect the sites via a 10Mbit fibre link however our current network setup is as follows.

    192.168.1.0 - voip data
    192.168.2.0 - normal network data

    These 2 networks currently terminate into our main switches which are basic Netgear unmanaged 24 port devices. Our phone system will allow us to still make calls from our new site provided it is on the same physical subnet.

    The powers that be and the local telco are talking about ripping out our switches and installing Cisco ones capable of VLANs. This is actually quite an expensive option for us, especially when you consider that each new site we add will require the same kit. I also don't like the idea of having one massive network spreading over 3 sites combining voice and data traffic.

    What I've been considering is splitting the new sites up (since we do eventually intend to add more) into their own private subnets so that we do not have a lot of extra unnecessary traffic going over each link. Site 2 is the proposed hub. Now what I am wondering is whether or not we can have 2 VPNs running over our 1 fibre link to create 1 massive (layer 2 bridged) network spreading over all sites but only for 192.168.1.0 voice traffic, then have a separate VPN between each site to pass all the data traffic - this would obviously be routed at layer 3.
    This way we can keep our existing switch infrastructure and each site can have its own DHCP server as well as its own gateway out on to the internet. By using this type of design (as I understand it) it also means we could have the possibility of using a VPN failover via the internet should one of our 10Mbit fibre links go down (not drawn on my network diagram, nor are the gateways at each site, just the potential pfsense routers).

    What I have drawn is quite possibly the most ugly network diagram ever created but hopefully it should demonstrate my thinking in pictorial form. I've been investigating building a Linux based solution as the router for deployment at each location however I would obviously much rather use something 'off the shelf' like pfsense. Can pfsense perform 'out of the box' what I am proposing? If so are there any caveats which I may stumble upon?
    The red lines signify the bridged 192.168.1.0 voip network, the blue lines signify the IP based VPN traffic which would be routed, the 2 black intersite lines are obviously my 10Mbit fibre links. I think at present there is no real need to run a routing protocol on top of this setup as with only 3 or 4 sites it is still quite manageable to maintain the routing tables manually (although the DHCP servers would obviously dish them out).

    I'd also be interested to hear any comments/critique as to whether or not there is a better way of doing what I am proposing - if so using what equipment/software/configuration; as much detail/feedback as possible.
    Currently I was planning to use fairly low end PCs (albeit new ones) with 3 network cards each, however if there is any other device on the market more suited to running pfsense in this manner I'd also love to hear about it, i.e. some kind of embedded system.

    Kind Regards,
    Jamie.



  • I've been giving this a lot more thought over the last 24 hours..

    By having both the phones and data sharing the same switches it makes it quite hard for me to implement the layer 2 bridging. I think that perhaps physically segregating the voice and data networks is a cleaner solution.

    Here is my revised proposal.

    1 - VOICE) Use a separate unmanaged switch for the phone system (192.168.1.0) at each site. These switches can then be connected directly into an Ethernet card on the pfsense box via an uplink port on the switch. This network card will be configured as a layer 2 bridge using OpenVPN to the main site. This would be repeated at each additional site using SITE 2 as the hub. The PBX and DHCP server for the 192.168.1.0 network would reside at site 1 but it makes no difference as all sites would effectively be connected to 1 physical infrastructure.

    2 - DATA) Use a separate unmanaged switch for the data network at each site with each site having its own subnet. The pfsense box would then be connected to one of these switches and the various routes for each network distributed to clients so pfsense was configured as the gateway at each site using SITE 2 as the hub. This network card would be configured in an IP based VPN.

    These VPNs would then obviously be connected via my point-to-point fibre links - I could just use a fibre to Ethernet media converter to connect each end of the links to the pfsense box via Ethernet card.

    At a later date it would then be possible to implement the failover via each site's own internet gateway should a fibre link die.

    This way we can monitor exactly how much voice and data throughput we are using since each service would be running on a separate network card on the pfsense box. I would also be able to implement QoS to give priority to certain types of traffic over the network. The total cost of the solution and that of adding further sites would be MUCH lower than that of a Cisco based solution and avoid the complexity of VLANs.

    Is this correct?

    Please see the revised network diagram showing the physical separation of the 2 networks.
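    Sketching the two-tunnel design from the revised proposal, as an added OpenVPN configuration example that is not part of the original thread or of pfSense's own files: on the hub (site 2), one layer 2 (tap) static-key tunnel per spoke that is bridged with the voice NIC, and one layer 3 (tun) static-key tunnel per spoke that carries the routed data subnets, plus the spoke's mirror of the routed one. Every address except the two subnets named in the thread, and all file names, are assumptions.

```conf
## Hub (site 2), tunnel pair to site 1. Addresses below are assumptions:
##   fibre link site 1 <-> site 2: 10.255.12.1 (site 1) / 10.255.12.2 (hub)
##   data LANs: site 1 = 192.168.2.0/24 (from the post), hub = 192.168.3.0/24 (assumed)

# --- voice-site1.conf: layer 2 (tap) tunnel, member of the hub's voice bridge ---
dev tap0                      # tap carries Ethernet frames, so phone broadcasts and DHCP cross sites
proto udp
port 1194
local 10.255.12.2             # hub's fibre-facing NIC
remote 10.255.12.1            # site 1's fibre-facing NIC
secret voice-site1.key        # pre-shared static key, one per link, never reused across sites
cipher AES-256-CBC
keepalive 10 60
persist-key
persist-tun
# No ifconfig: tap0 carries no IP of its own, it is bridged with the voice NIC (pfSense: Interfaces > Bridges)

# --- data-site1.conf: layer 3 (tun) tunnel, routed ---
dev tun0
proto udp
port 1195
local 10.255.12.2
remote 10.255.12.1
ifconfig 10.8.12.2 10.8.12.1  # tunnel endpoints, hub / site 1
secret data-site1.key
route 192.168.2.0 255.255.255.0   # site 1's data LAN is reached through this tunnel
cipher AES-256-CBC
keepalive 10 60
persist-key
persist-tun

## Site 1 mirror of data-site1.conf: swap local/remote and ifconfig, and point every
## other site's data subnet at the hub, which forwards between its spoke tunnels
dev tun0
proto udp
port 1195
local 10.255.12.1
remote 10.255.12.2
ifconfig 10.8.12.1 10.8.12.2
secret data-site1.key
route 192.168.3.0 255.255.255.0   # hub's data LAN
route 192.168.4.0 255.255.255.0   # site 3's data LAN (assumed), reached via the hub
cipher AES-256-CBC
keepalive 10 60
persist-key
persist-tun
```

    Each further spoke gets its own tap/tun pair on the hub (tap1/tun1 on different ports, the tap again added to the voice bridge), and the firewall rules on the tun interfaces are where the per-site data traffic can be restricted, while the bridged voice segment is one broadcast domain with no filtering between sites.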



  • bump - 75 views and no comments?



  • @iclebyte:

    bump - 75 views and no comments?

    A lot there to digest. :) Network design over forum doesn't tend to get a lot of responses as it's a lot to go through, especially in a network that complex.

    Everything you've listed looks to be feasible. Shaping in a network that complex will be difficult or impossible pre-2.0, though this may be reasonable to deploy on 2.0 in the near future.

    Lots of things involved there, more than you'll probably find detailed help with gratis. Some time with one of us could go a long way to help with the deployment (see link for support in my signature).

