D-link firewall and pfsense/openvpn in parallel?



  • I have a fully working network setup where I use a D-link DFL-210 firewall protecting the LAN (192.168.0.1/24) and DMZ (10.0.0.1/24) networks.
    I also have a pfsense 1.2.3 "box" that is currently not used for anything.

    Since the DFL-210 does not provide any openVPN functionality, I would like to use the pfsense box to enable openVPN tunnels (to services and computers on the LAN) to my fellow colleagues working from remote sites (from home, from customers' sites etc.) with very small or no changes at all to the current DFL-210 firewall setup. The question is: how should I make use of the pfsense box to achieve my goal (openVPN) without too many changes to the current network topology? I don't want to get rid of the DFL-210 as the primary firewall since its hardware is much faster. (The DFL-210 has 1 Gbit network interfaces while the pfsense box is only 100 Mbit.)

    I have several unused external IP addresses that can be used for the new pfsense box. My idea was to set up the pfsense box in parallel to the DFL-210, with its own external IP address, and to connect the LAN port of the pfsense box to the same LAN switch as the DFL-210 is connected to. Is this possible? Is there a better approach?

    Advice on how to proceed is much appreciated.

    /Hans



  • My idea was to set up the pfsense box in parallel to the DFL-210, with its own external IP address, and to connect the LAN port of the pfsense box to the same LAN switch as the DFL-210 is connected to. Is this possible? Is there a better approach?

    Only problem with that is the devices that your clients will access inside the LAN will have to have their default gateway set to the pfSense box for them to be able to access them.  How fast is your internet connection?  Most people don't have faster than 100mbit internet connection so 100mbit would be fine for a firewall.

    -Rich
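Rich's point about the default gateway is a return-path problem: a LAN host answering a VPN client looks the client's address up in its own routing table, and with the DFL-210 as default gateway the reply never reaches pfSense. The routing lookup below is an added example, not code from the thread or from pfSense; the pfSense LAN address (192.168.0.2), the tunnel subnet (10.8.0.0/24) and the client address are assumptions, and the third case (a per-host static route for the VPN subnet) goes beyond what the thread discusses.

```python
import ipaddress

# Constructed addresses, not from the thread: the DFL-210 is assumed to be
# 192.168.0.1 on the LAN, the pfSense LAN interface 192.168.0.2, and the
# OpenVPN tunnel network 10.8.0.0/24 (an assumption, OpenVPN's usual default).
DFL210_LAN = "192.168.0.1"
PFSENSE_LAN = "192.168.0.2"
VPN_NET = "10.8.0.0/24"


def next_hop(routes, dst):
    """Longest-prefix-match lookup over (prefix, gateway) pairs.
    A gateway of None means 'directly connected'; returns the chosen gateway."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


def lan_host_routes(default_gw, vpn_route=None):
    """Routing table of an ordinary LAN host: its connected subnet, one default
    route, and optionally a static route for the VPN subnet."""
    routes = [("192.168.0.0/24", None), ("0.0.0.0/0", default_gw)]
    if vpn_route:
        routes.append((VPN_NET, vpn_route))
    return routes


def reply_path(default_gw, vpn_route=None, client="10.8.0.6"):
    """Which box a LAN host hands its reply to a VPN client to.
    Returns 'dfl210' (reply goes to the wrong firewall, asymmetric path),
    'pfsense' (reply reaches the tunnel) or 'direct'."""
    gw = next_hop(lan_host_routes(default_gw, vpn_route), client)
    return {None: "direct", DFL210_LAN: "dfl210", PFSENSE_LAN: "pfsense"}[gw]


if __name__ == "__main__":
    # Case 1: unchanged LAN hosts keep the DFL-210 as default gateway.
    print("default gw = DFL-210      ->", reply_path(DFL210_LAN))
    # Case 2: Rich's suggestion, default gateway moved to pfSense.
    print("default gw = pfSense      ->", reply_path(PFSENSE_LAN))
    # Case 3: keep the DFL-210 as default, add a host route for the VPN subnet.
    print("DFL-210 + VPN static route ->", reply_path(DFL210_LAN, PFSENSE_LAN))
```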



  • Only problem with that is the devices that your clients will access inside the LAN will have to have their default gateway set to the pfSense box for them to be able to access them.

    Is this true even if the openVPN is setup in bridged mode?

    Yes, it is true that my Internet connection is only 100 Mbit. However, the network between LAN and DMZ is at Gbit speed today. I don't want LAN/DMZ communications to be affected negatively.

    /Hans



  • Is this true even if the openVPN is setup in bridged mode?

    I can't speak to Bridge mode as I've never tried it, but theoretically then your clients would be on the same IP network so I would say no it probably wouldn't be true for that scenario.  I don't think pfSense has bridge mode as an option out of the box but you might be able to configure that using the custom options field.

    Yes, it is true that my Internet connection is only 100 Mbit. However, the network between LAN and DMZ is at Gbit speed today. I don't want LAN/DMZ communications to be affected negatively.

    Well….. pfSense runs on a PC, can you use Gbit NICs?  Or are you running it on an embedded device?

    -Rich

