Adding multiple subnets to VPN tunnels

  • I'm trying to add multiple subnets to the subnet rules of a VPN tunnel, but it seems as though you can only add one local or one remote subnet to each VPN tunnel. Is there a way this can be done?

    For example I have 2 local networks and which need to connect to a remote subnet How could this be done of pfsense, similar to how you can add multiple access lists with Cisco or Checkpoint rules?


  • You either have to sum up subnets (like + = or build parallel tunnels. If using parallel tunnels between the same public endpoints.  Each tunnel has to use unique identifiers if you do it this way.

    Adding different subnets to the same tunnel is not supported atm.

  • Thanks for the reply.

    Do you know when and if this will become a feature of pfSense? ???

    Also will using parallel tunnels mean that we have to create multiple tunnels at the other end if we have a Cisco/CheckPoint device there. Have you had any experiences in this?

    Thanks again.

  • I think nobody is working on multiple subnets in one tunnel atm.

    Only used the parallel tunnel attempt between pfSense systems yet. Don't know how well or if this will work with other systems.

  • I've successful parallel tunnel to SonicWall 1260.

  • Since posting this I have test parallel tunnels between pfsense machines, between pfsense and cisco pix, and between pfsense and checkpoint.

    It seems to work fine, but my only concern is how the pfsense box will work with heaps of parallel tunnels (terminating to different devices) for multiple VPN tunnels. Not sure if anyone has tested this, but would be nice to get some feedback on it.

  • I have a pfsense acting as concentartor that runs tunnels to 13 sublocations and additional to that 2x2 parallel tunnels to datacenters. The way it is setup traffic between sublocations even gets routed through the concentrator. No problems with that setup. The sublocations run pfSense as well, the devices at the datacenters are unknown as they are not managed by me but I doubt that these are pfSense as well  ;)

  • OK that sounds good. We are looking at moving all our VPN tunnels from an existing checkpoint firewall to pfsense infrastructure. We've currently got over 30 VPN tunnels to customer sites, and most of these will have parallel tunnels, but sounds as though you have a similar setup.

    We are looking at using a HP DL360 G4 (3.4GHz CPU, 2GB RAM) as the pfsense platform. I'm not too sure what the loading is like with heaps of tunnels running at once (plus all the traffic running through them). Would this run quite nicely, or do we need more power?

  • Depends on the throughput you need. What's your max wan bandwidth?

  • We have a pretty big WAN connection from our datacentre (100 Mbit), and the internal network runs on gigabit. I guess I'm just looking at load on the server itself, but think that it should run happily.

    Thanks for your help. :)

  • There is nothing like real life testing but I have a feeling that this machine should do the job.

Log in to reply