3 LANs, 2 VPNs for Three Different Offices sharing one connection



  • OK, here's the deal. A couple of companies I'm working for (company A and B) are moving into a shared office space with a 3rd company (company C). The building they're moving into already has a T1 line dropped into the office with a Netgear VPN router plugged into it that calls back to company C's main office. Ideally, we'd rather not have to run a new connection for everybody, and would rather just have everybody go out that T1 line, but the VPN complicates things, especially since company B will be needing a VPN setup as well (company A just needs a reliable 'net connection). The companies are all working together in the same building to control costs (they're housekeeping companies, sharing costs of laundry, labor, etc…) but they all represent competitors, for the most part, so their stuff needs to stay separate.

    I've run Multi-LAN/WAN setups with pfsense before (typing this on a 3-LAN, 2-WAN connection right now), but here's what I'm thinking I'd do (and input gladly appreciated, as this is a more complicated setup than I've ever done).

    ```
    T1 Line         Cable Modem (backup)
             \                  /
              -----pfsense box------
            /         |            \
      Rtr A        VPN Rtr B     VPN Rtr C
       |              |              |
      LAN A        LAN B          LAN C
    ```

    Each company's router would provide its own DHCP and do whatever VPN, firewalling, NAT and such would be necessary; each company would be on its own private IP space, etc… (routers would probably have to be hard-coded with gateway information and such). I'm just trying to see if this is the best approach or if this is all wishful thinking. How would I set up pfsense to handle this properly? Anybody else have any tips/gotchas?
    
    EDIT: Forgot to point out that company B's VPN is done via OpenVPN on a dd-wrt-hacked Linksys router.
    
    Thanks!
    -Jake


  • Bump, just for giggles.



  • Anybody? I'm also toying with the possibility of running all the VPNs on the pfsense box instead of having the separate VPN appliances (which is what I'd ideally do); I didn't know if that would even be possible to run (VPNs aren't something I play with a ton, obviously).



  • Your diagram will work, but you will likely need to put pfsense in a routing-only mode: no NAT, no firewall other than restricting traffic between segments, etc. You will need public IPs assigned to each router downstream of the pfsense box (company A could get away without, though, since they aren't using VPN). For that matter, if you didn't have the backup ISP to work with you could use a basic switch in place of the pfsense box, but you wouldn't get isolation (just as an example to show how little the pfsense box will be used to its potential).

    I've only set up IPSEC tunnels, but you can terminate the VPN(s) on the pfsense box. You will need 5 NICs in the box anyway: one for each LAN (3 total) and one for each WAN (2 total). Don't set up any allow rules between LAN segments, to keep them isolated like they should be (no rules at all should default to a "deny all", but test to confirm). The VPN segments would be equally isolated (again, only tested with IPSEC, never set up any others). You would have all 3 companies share the same public IP on the primary/backup WAN interface(s), but that's usually not an issue, and if it becomes an issue for a specific need you could do 1-1 NAT for that server. I could give you further config details if you are still interested in this; just need to let me know if it's 1.2.3 or 2.0 (I have boxes running both to test on).

    Joel
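
What the routing-only pfsense box from Jake's diagram and Joel's answer looks like as a ruleset, as an added example that is not from this thread and not pfSense's own generated configuration. pfSense builds its rules from the GUI, but it runs FreeBSD pf underneath, so the policy described above (five interfaces, no NAT, default deny, no pass rules between tenant segments, optional OpenVPN termination for company B) can be written out as a pf.conf and compared against what `pfctl -sr` shows on the box. The interface names, the RFC 5737 documentation blocks standing in for the small public subnets the T1 provider would route to each tenant router, and company B's head-office range are all assumptions.

```pf
# Interface assignment is an assumption; pfSense shows the real names under
# Interfaces > Assign.
wan1  = "em0"     # T1 router
wan2  = "em1"     # cable modem, backup
lan_a = "em2"     # company A, Internet only
lan_b = "em3"     # company B, OpenVPN to its head office
lan_c = "em4"     # company C, IPsec to its head office via its Netgear
vpn_b = "ovpns1"  # tunnel interface, only if company B's OpenVPN moves onto this box

# Constructed address plan: documentation prefixes in place of the public
# /29s each tenant router would be given, plus company B's remote LAN.
net_a = "192.0.2.0/29"
net_b = "192.0.2.8/29"
net_c = "192.0.2.16/29"
hq_b  = "198.51.100.0/24"   # company B head office, reachable only through the tunnel

set block-policy drop        # drop silently rather than answer with RST/unreachable
set state-policy floating    # a state created on the inbound interface also matches on the outbound one
set skip on lo0

# No "nat" or "rdr" lines at all: this box only routes, and each tenant's own
# router does its NAT behind its public address.

# Default deny in every direction. This is the "no rules = deny all" Joel
# describes, made explicit and logged so a failed cross-segment probe is visible
# in pflog instead of just timing out. Every rule below carries "quick", so this
# is the only rule that is ever reached by fall-through.
block log all

# A packet arriving on a tenant interface with a source address from another
# segment is one tenant impersonating another; antispoof drops it before
# anything else is considered.
antispoof log quick for { $lan_a $lan_b $lan_c }

# Tenant isolation, evaluated before any pass rule. Company B's remote LAN is
# treated as part of segment B, so A and C may not reach it either.
block log quick from $net_a to { $net_b, $net_c, $hq_b }
block log quick from $net_b to { $net_a, $net_c }
block log quick from $net_c to { $net_a, $net_b, $hq_b }
block log quick from $hq_b  to { $net_a, $net_c }

# Each segment may originate anything the isolation rules did not already stop,
# which in practice means Internet traffic out either WAN. Replies come back on
# the state entry, so no separate inbound rule is needed for them.
pass in quick on $lan_a inet from $net_a keep state
pass in quick on $lan_b inet from $net_b keep state
pass in quick on $lan_c inet from $net_c keep state

# Unsolicited traffic from either ISP to a tenant's public block is passed
# straight through; the tenant router behind it does the real firewalling and
# has to be reachable by its own IPsec or OpenVPN peer.
pass in quick on { $wan1 $wan2 } inet to { $net_a, $net_b, $net_c } keep state

# Only if company B's OpenVPN is terminated on this box instead of on the
# dd-wrt Linksys: accept the tunnel itself on the WANs, and let decrypted
# tunnel traffic reach segment B and nothing else.
pass in quick on { $wan1 $wan2 } inet proto udp to self port 1194 keep state
pass in quick on $vpn_b inet from $hq_b to $net_b keep state
```

`pfctl -nf` against a copy of this file parses it without loading, which is the cheapest way to check the syntax; `pfctl -sr` on a running box prints the loaded rules so the generated pfSense ruleset can be read against this policy rule by rule. The confirmation test Joel suggests is then a ping or `nc` from a host in segment A to an address in segment B: with `log` on the isolation rules it should appear in `tcpdump -n -e -ttt -i pflog0` as a block, not vanish. On pfSense itself the rules belong in the GUI, since the box regenerates `/tmp/rules.debug` and reloads pf on every change; this file is for reasoning about and verifying the policy, not for loading by hand.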



  • Thanks for your input on this. I think that the pfsense box wouldn't be getting used to its full potential, either, which is why I'm thinking of just scrapping the idea. I actually have line-of-sight for one of the companies (company B) and am going to try a wireless bridge link back to their main office (approx. 100 meters) and ditch the VPN idea. The other company, since all their stuff is SSL and web based, can just use the existing T1 connection in the building and we can call it good.



  • Yeah, VPN to go 100 meters is kinda silly. You could almost string an Ethernet cable that distance, for that matter. Point-to-point wireless would be great; you could even do it with unlicensed gear with directional antennas (2.4/5 GHz most likely). If wireless doesn't work out, you could always run fiber with media converters on each end, assuming nothing gets in the way, such as crossing a roadway. In this case only one company would need VPN support. It won't help with the backup ISP, but just hang a switch off the T1 router, connect their routers to the switch and give them all public IPs. Their routers will prohibit talking between each other by default because the traffic would cross the WAN port on each router, so you've got isolation there.



  • I have a load of asphalt, and a local permitting system that's a pain in the butt to deal with, in the way of using something wired. I have basically 10 days to get this working (they're moving on the 30th), and one of the IT guys at one of the companies has a pile of old WRT54G v3 routers running dd-wrt, so I'm thinking I'm going to build a directional antenna bridge with those and call it a day.

