Site-to-site tunnel in transparent mode?

  • We’re currently looking to update a SonicWall on our network with a pfSense appliance. One of the features that we use at the moment is the ability to run the SonicWall in transparent mode and still handle our site-to-site VPN tunnel.

    If we run pfSense (currently trialling 1.2.3) as a transparent bridge is it possible to have an IPSec tunnel terminated on pfSense?

    When I tried to set a tunnel up I could send traffic into our network, but the return traffic isn’t being put onto the tunnel presumably because the server is using our router as a gateway rather than pfSense.

    I’ve attached a diagram showing the layout we’re trying to achieve. Is this something that’s possible in bridge mode or do we have to use Route/NAT mode?

  • It will certainly be a thousand times easier to configure if you have pfSense doing the NATing and then set up the IPsec endpoint.  pfSense will definitely terminate a VPN endpoint with a SonicWall, it's just a matter of matching up the fields.

  • Thanks, I've already managed to get a tunnel up and running successfully when routing between the LAN/WAN in a test setup. I'm just wondering if there's a way to do it transparently to avoid having to re-number some of the addresses?

  • Not the way you have your network laid out.  Honestly, re-working it really wouldn't be that painful.  You would either configure your router to pass traffic transparently, and then have your LAN interface on pfSense be (I hope you're not actually using this network space on your LAN), or you could keep the network configuration basically the same and double-NAT on pfSense and your router.  Alternatively, you could advertise routes to the remote network using as the gateway.

    Each of these options has merits and drawbacks depending on the size of your network and how things are set up inside it.
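The return-traffic problem described in the question, and the "advertise routes to the remote network" option from the last reply, come down to ordinary longest-prefix routing decisions on the LAN hosts and the existing router. The following is an added illustration, not code from the thread or from pfSense: it models three devices (a LAN server, the existing router, and a transparent pfSense bridge terminating the IPsec tunnel) with constructed routing tables and traces where a packet for the remote site ends up. All addresses, device names and the `ipsec-tunnel` / `isp` terminals are made-up placeholders.

```python
import ipaddress

# Constructed topology (placeholder addresses, not taken from the thread):
#   local LAN   10.10.0.0/24, existing router at 10.10.0.1, pfSense bridge at 10.10.0.2
#   remote LAN  10.20.0.0/24, reachable only through the IPsec tunnel on pfSense
# Next hops are device names; a name with no table of its own (e.g. "isp",
# "ipsec-tunnel") is a terminal: the packet has left the modelled network there.
REMOTE_HOST = "10.20.0.50"

def lookup(routes, dst):
    """Longest-prefix match over (prefix, next_hop) pairs; None if no route."""
    dst = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, next_hop
    return best_hop

def trace(tables, start, dst, max_hops=8):
    """Follow next hops from `start` until a terminal is reached.
    Returns (path, terminal); terminal is None on a routing loop or black hole."""
    hop, path = start, [start]
    for _ in range(max_hops):
        if hop not in tables:          # no table: this is a terminal
            return path, hop
        nxt = lookup(tables[hop], dst)
        if nxt is None or nxt in path:  # no route, or a loop
            return path, None
        hop = nxt
        path.append(hop)
    return path, None

def reaches_tunnel(tables, start="server", dst=REMOTE_HOST):
    """True if the return traffic from `start` is handed to the IPsec tunnel."""
    return trace(tables, start, dst)[1] == "ipsec-tunnel"

# As laid out in the question: the server's only gateway is the existing router,
# which knows nothing about the remote site, so replies go out towards the ISP.
BEFORE = {
    "server":  [("0.0.0.0/0", "router")],
    "router":  [("0.0.0.0/0", "isp")],
    "pfsense": [("10.20.0.0/24", "ipsec-tunnel"), ("0.0.0.0/0", "isp")],
}

# Option A: a static route on the server itself pointing the remote subnet at pfSense.
STATIC_ON_HOST = {
    "server":  [("0.0.0.0/0", "router"), ("10.20.0.0/24", "pfsense")],
    "router":  BEFORE["router"],
    "pfsense": BEFORE["pfsense"],
}

# Option B (the reply's "advertise routes" suggestion): the router learns the
# remote subnet with pfSense as next hop; hosts keep their existing gateway.
ROUTE_ON_ROUTER = {
    "server":  BEFORE["server"],
    "router":  [("0.0.0.0/0", "isp"), ("10.20.0.0/24", "pfsense")],
    "pfsense": BEFORE["pfsense"],
}

if __name__ == "__main__":
    for label, tables in (("before", BEFORE), ("static on host", STATIC_ON_HOST),
                          ("route on router", ROUTE_ON_ROUTER)):
        path, terminal = trace(tables, "server", REMOTE_HOST)
        print(f"{label:16} {' -> '.join(path)} => {terminal}")
```

Option B trades per-host configuration for an extra hop through the router on every return packet (and relies on the router forwarding between two hosts on the same segment), whereas Option A keeps the path direct but has to be maintained on each server that talks to the remote site; the trace output makes the difference in path visible before anything is changed on real equipment.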

