Netgate Discussion Forum
    3 LANs, 2 VPNs for Three Different Offices sharing one connection

Category: Problems Installing or Upgrading pfSense Software
7 posts, 2 posters, 3.1k views

orty

OK, here's the deal. A couple of companies I'm working for (company A and B) are moving into a shared office space with a 3rd company (company C). The building they're moving into already has a T1 line dropped into the office, with a Netgear VPN router plugged into it that calls back to company C's main office. Ideally, we'd rather not have to run a new connection for everybody, and would rather just have everybody go out that T1 line, but the VPN complicates things, especially since company B will be needing a VPN setup as well (company A just needs a reliable 'net connection). The companies are all working together in the same building to control costs (they're housekeeping companies, sharing costs of laundry, labor, etc…) but they all represent competitors, for the most part, so their stuff needs to stay separate.

I've run multi-LAN/WAN setups with pfsense before (typing this on a 3-LAN, 2-WAN connection right now), but here's what I'm thinking I'd do (and input is gladly appreciated, as this is a more complicated setup than I've ever done).

```
T1 Line         Cable Modem (backup)
         \                  /
          -----pfsense box------
        /         |            \
  Rtr A        VPN Rtr B     VPN Rtr C
   |              |              |
  Lan A        Lan B          LAN C
```

Each company's router would provide their own DHCP and do whatever VPN, firewalling, NAT and such would be necessary, each company would be on their own private IP space, etc… (routers would probably have to be hard-coded with gateway information and such). I'm just trying to see if this is the best approach or if this is all just wishful thinking. How would I set up pfsense to handle this properly? Anybody else have any tips/gotchas?
      
      EDIT: Forgot to point out that company B's VPN is done via OpenVPN on a dd-wrt hacked Linksys router.
      
      Thanks!
      -Jake
orty

        Bump, just for giggles.

orty

Anybody? I'm also toying with the possibility of running all the VPNs on the pfsense box instead of having the separate VPN appliances (which is what I'd ideally do), but I didn't know if that would even be possible (VPNs aren't something I play with a ton, obviously).

JoelC707

Your diagram will work, but you will likely need to put pfsense in a routing-only mode: no NAT, no firewall other than restricting traffic between segments, etc. You will need public IPs assigned to each router downstream of the pfsense box (company A could get away without, though, since they aren't using VPN). For that matter, if you didn't have the backup ISP to work with you could use a basic switch in place of the pfsense box, but you wouldn't get isolation (just as an example to show how little the pfsense box will be used to its potential).

I've only set up IPSEC tunnels, but you can terminate the VPN(s) on the pfsense box. You will need 5 NICs in the box anyway, one for each LAN (3 total) and one for each WAN (2 total). Don't set up any allow rules between LAN segments, to keep them isolated like they should be (no rules at all should default to a "deny all", but test to confirm). The VPN segments would be equally isolated (again, only tested with IPSEC, never set up any others). You would have all 3 companies share the same public IP on the primary/backup WAN interface(s), but that's usually not an issue, and if it becomes an issue for a specific need you could do 1-1 NAT for that server. I could give you further config details if you are still interested in this; just need to let me know if it's 1.2.3 or 2.0 (I have boxes running both to test on).

            Joel

orty
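The "routing only, deny everything between segments" policy Joel describes, written out as a plain pf ruleset so it can be compared against what pfSense actually generates. This is an added example, not from the thread and not Netgate's code; pfSense builds its own ruleset from the GUI, and the interface names, the routed public block, the upstream gateways and the VPN endpoint addresses below are all assumptions.

```pf
# Added example: hand-written pf ruleset for the five-NIC pfSense box in
# the diagram (T1 + cable WAN, three tenant LANs). Names and addresses
# are assumptions; the public ranges are from the documentation blocks.

wan_t1    = "em0"          # T1, primary
wan_cable = "em1"          # cable modem, backup
lan_a     = "em2"          # company A (no VPN)
lan_b     = "em3"          # company B (OpenVPN on the dd-wrt Linksys)
lan_c     = "em4"          # company C (Netgear VPN router)
lans      = "{" $lan_a $lan_b $lan_c "}"

# Each downstream router gets a public address from an assumed routed
# block, so the VPN endpoints are reachable without 1:1 NAT.
table <lan_nets> const { 203.0.113.64/29, 203.0.113.72/29, 203.0.113.80/29 }
c_vpn_rtr = "203.0.113.81"   # assumed: company C's Netgear WAN address
b_vpn_rtr = "203.0.113.73"   # assumed: company B's OpenVPN router address

set skip on lo0
set block-policy drop

# Routing only: there is deliberately no "nat" or "rdr" line in this file.

# pf passes everything when no rule matches, so the deny-all must be
# written down explicitly; an empty ruleset is NOT "deny all".
block log all

# Drop packets arriving on a tenant LAN with a source that belongs to
# another interface's network (tenant spoofing a neighbour's addresses).
antispoof quick for $lans

# Tenants may not reach this box itself (web GUI, SSH) or each other.
# This also blocks pinging the gateway address; manage the box from the
# console or a dedicated management interface instead.
block quick on $lans from any to self
block quick on $lans from <lan_nets> to <lan_nets>

# Each LAN may reach the Internet, and nothing else behind this box.
pass in quick on $lans from <lan_nets> to ! <lan_nets> keep state

# Only the two VPN endpoints accept unsolicited inbound traffic from the
# WANs: IKE (udp/500), NAT-T (udp/4500) and ESP for company C's IPsec
# router, OpenVPN's default udp/1194 for company B's router.
pass in quick on { $wan_t1 $wan_cable } proto udp from any to $c_vpn_rtr port { 500 4500 } keep state
pass in quick on { $wan_t1 $wan_cable } proto esp from any to $c_vpn_rtr
pass in quick on { $wan_t1 $wan_cable } proto udp from any to $b_vpn_rtr port 1194 keep state

# Outbound: the default route points at the T1. Failing over to the
# cable modem is pfSense's gateway-group feature rewriting the route-to
# target on the LAN pass rules; this static file does not do that.
pass out quick on $wan_t1 keep state
pass out quick on $wan_cable keep state
```

To confirm the isolation Joel says to test for: `pfctl -nf rules.conf` parses the file without loading it, `pfctl -sr` on the pfSense box shows the rules it actually generated, and from a host on LAN A a ping or TCP connect to company B's router address must get no answer while a connection to an Internet host succeeds. One gotcha to look for in the generated rules: a fresh pfSense install puts a "Default allow LAN to any" rule on the LAN interface, and "any" includes the other tenant LANs, so that rule has to be removed or narrowed to "not <lan_nets>" before the box is trusted with three competitors on it.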

Thanks for your input on this. I think that the pfsense box wouldn't be getting used to its full potential either, which is why I'm thinking of just scrapping the idea. I actually have line-of-sight for one of the companies (company B) and am going to try a wireless bridge link back to their main office (approx. 100 meters) and ditch the VPN idea. The other company, since all their stuff is SSL and web based, can just use the existing T1 connection in the building and we can call it good.

JoelC707

Yeah, VPN to go 100 meters is kinda silly. You could almost string an Ethernet cable that distance, for that matter. Point-to-point wireless would be great; you could even do it with unlicensed gear with directional antennas (2.4/5 GHz most likely). If wireless doesn't work out, you could always run fiber with media converters on each end, assuming nothing gets in the way, such as crossing a roadway. In this case only one company would need VPN support. It won't help with the backup ISP, but just hang a switch off the T1 router, connect their routers to the switch and give them all public IPs. Their routers will prohibit talking between each other by default, because they would cross the WAN port on each router, so you've got isolation there.

orty

I have a load of asphalt and a local permitting system that's a pain in the butt to deal with standing in the way of using something wired. I have basically 10 days to get this working (they're moving on the 30th), and one of the IT guys at one of the companies has a pile of old WRT54G v3 routers running dd-wrt, so I'm thinking I'm going to build a directional antenna bridge with those and call it a day.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.