    Adding multiple subnets to VPN tunnels

    IPsec
    11 Posts 3 Posters 14.3k Views
      hoba

      You either have to sum up subnets (like 192.168.1.0/24 + 192.168.199.0/24 = 192.168.0.0/16) or build parallel tunnels. If using parallel tunnels between the same public endpoints, each tunnel has to use unique identifiers.

      Adding different subnets to the same tunnel is not supported atm.

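The "sum up subnets" option above trades one phase 2 entry for a wider traffic selector: the summary prefix admits every address between the real subnets, and it can swallow address space the peer uses for its own LANs. The following is an added example, not code from this thread or from pfSense, that computes the smallest summary prefix for a list of subnets and reports how many unrelated addresses it pulls into the tunnel; the subnets come from the reply above and the remote LANs are constructed values.

```python
# Added example (not from the thread): measure what "summing up" IPsec phase 2
# subnets into one supernet costs in extra covered address space.
import ipaddress

def summary_subnet(subnets):
    """Smallest single prefix covering every subnet in `subnets`."""
    nets = [ipaddress.ip_network(s, strict=True) for s in subnets]
    if len({n.version for n in nets}) != 1:
        raise ValueError("all subnets must be the same IP version")
    summary = nets[0]
    # Widen the prefix one bit at a time until every subnet fits inside it;
    # the loop stops at /0 at the latest, which contains everything.
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()
    return summary

def summary_report(subnets, remote_subnets=()):
    """Describe the summary prefix for a phase 2 entry and what it drags in.

    extra_addresses: addresses the summary admits that belong to none of the
    listed subnets, i.e. how far the traffic selector was widened.
    conflicts: entries of remote_subnets (e.g. the peer's own LANs) that the
    widened selector now overlaps, which would break routing for that peer.
    """
    summary = summary_subnet(subnets)
    # collapse_addresses merges overlapping or adjacent inputs so that no
    # address is counted twice.
    nets = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(s) for s in subnets))
    covered = sum(n.num_addresses for n in nets)
    conflicts = [r for r in remote_subnets
                 if summary.overlaps(ipaddress.ip_network(r))]
    return {
        "summary": str(summary),
        "extra_addresses": summary.num_addresses - covered,
        "conflicts": conflicts,
    }

if __name__ == "__main__":
    # Constructed sample: the two subnets from the reply above, plus a
    # hypothetical remote LAN that the /16 summary would swallow.
    print(summary_report(["192.168.1.0/24", "192.168.199.0/24"],
                         remote_subnets=["192.168.50.0/24", "10.0.0.0/8"]))
```

A non-empty `conflicts` list means the summary cannot be used as the phase 2 selector without renumbering; a large `extra_addresses` count means the tunnel permits far more than the two subnets you meant to connect.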
        master_fungul

        Thanks for the reply.

        Do you know when and if this will become a feature of pfSense?

        Also, will using parallel tunnels mean that we have to create multiple tunnels at the other end if we have a Cisco/CheckPoint device there? Have you had any experience with this?

        Thanks again.

          hoba

          I think nobody is working on multiple subnets in one tunnel atm.

          I've only used the parallel tunnel approach between pfSense systems so far. Don't know how well, or if, this will work with other systems.

            rlai000

            I've had a successful parallel tunnel to a SonicWall 1260.

              master_fungul

              Since posting this I have tested parallel tunnels between pfSense machines, between pfSense and Cisco PIX, and between pfSense and CheckPoint.

              It seems to work fine, but my only concern is how the pfSense box will cope with heaps of parallel tunnels (terminating at different devices) for multiple VPN tunnels. Not sure if anyone has tested this, but it would be nice to get some feedback on it.

                hoba

                I have a pfSense acting as concentrator that runs tunnels to 13 sublocations and, in addition to that, 2x2 parallel tunnels to datacenters. The way it is set up, traffic between sublocations even gets routed through the concentrator. No problems with that setup. The sublocations run pfSense as well; the devices at the datacenters are unknown, as they are not managed by me, but I doubt that these are pfSense as well ;)

                  master_fungul

                  OK, that sounds good. We are looking at moving all our VPN tunnels from an existing CheckPoint firewall to pfSense infrastructure. We've currently got over 30 VPN tunnels to customer sites, and most of these will have parallel tunnels, but it sounds as though you have a similar setup.

                  We are looking at using an HP DL360 G4 (3.4GHz CPU, 2GB RAM) as the pfSense platform. I'm not too sure what the load is like with heaps of tunnels running at once (plus all the traffic running through them). Would this run quite nicely, or do we need more power?

                    hoba

                    Depends on the throughput you need. What's your max WAN bandwidth?

                      master_fungul

                      We have a pretty big WAN connection from our datacentre (100 Mbit), and the internal network runs on gigabit. I guess I'm just looking at load on the server itself, but think that it should run happily.

                      Thanks for your help. :)

                        hoba

                        There is nothing like real-life testing, but I have a feeling that this machine should do the job.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.