Getting my feet wet – a few questions first



  • Hello everyone, I hope this is an appropriate forum for my questions.  I don’t think they are specific enough yet for any of the other forums.

    I have a small business with one remote location, possibly expanding to two in the future.  Right now, I only have 4 employees total between my office and our remote office.  I have a business 35/35 FiOS connection at my main office with a static IP.  Both office locations have their own file servers, but I would really like to link the two offices together and share a common file server.

    I’m not new to networking concepts, just their implementation.  I have a computer with an Intel Atom D510 processor, 2 GB of RAM, and a dual port Intel server NIC, and one on-board Realtek NIC.  I’m planning on turning the machine into a router with pfSense.  Using pfSense, I would also like to create a site-to-site VPN between the two office locations.  The main office with the 35/35 FiOS line would have the pfSense router configured as a VPN server, while the remote office on a crappy Comcast connection would be a Netgear WNDR3700 running DD-WRT configured as a VPN client.  Since I don’t have to worry about many employees and large amounts of traffic, I think the hardware I’ve chosen is decent.

    However, if I am going to be setting up the site-to-site VPN, I want to make sure it can behave the way I want, and that I set it up correctly.  The main location is going to be set up as 10.0.10.1/24 and the remote location would be 10.0.20.1/24.  I need to be able to see the server at the main office as a network share, and the server needs to be able to see the client PCs, despite being on different networks.  If I add another remote office (let’s say 10.0.30.1/24), it needs to perform the same way, but communication between remote networks (like 10.0.20.1/24 and 10.0.30.1/24) isn’t that important (if it works, cool…if not, oh well). Additionally, I only want traffic destined for my private network to go over the VPN.  I don’t want other traffic, such as web browsing, to go through the tunnel and out the remote gateway.  The only reason I could see doing that is for web filtering and protocol control, but that would be total overkill for my situation.  Is all of this possible without pulling my hair out?

    Another concern I have is the NICs in the pfSense router.  Ideally, what I would love to be able to do is to have one port configured for WAN, while the other two are configured as separate LANs on their own networks (let’s say 10.0.10.1/24 and 10.0.15.1/24).  10.0.10.1/24, as I mentioned above, would be the main office with servers and all, and would be configured for the VPN.  10.0.15.1/24, however, would be configured for the wireless access point.  pfSense would have to issue DHCP leases to these two networks as well.  Although all of my office is hardwired, I still want an access point for mobile devices and guest computers, such as clients’ laptops, cell phones, and iPads.  I want the wireless network to be totally isolated from the rest.  I’m sure pfSense can do this rather easily too, but there’s a catch.  Since one of my ports on the router is a Realtek NIC that’s not even GBE, and since I’ve read that pfSense has issues with Realtek chipsets, I’m thinking of avoiding that port at any cost (plus it provides me an opportunity to experiment with something new!)

    I’ve read on these forums about users who have only one NIC and wish to use pfSense as their router.  They are told to get either a supported USB to Ethernet adapter or a managed switch.  I’d like to explore the option of getting a managed switch.  Basically, I envision having one of the ports on the pfSense router’s Intel NIC being for WAN, while the other Intel port is configured as a trunk line to the managed switch.  From there, one port on the switch would be set up as LAN1 (10.0.10.1/24) going to the internal network, and the other port would be LAN2 (10.0.15.1/24) going to the wireless access point.

    One of the recommended managed switches I’ve seen is the RB250GS.  It supports VLANs, but I’ve never really explored those before.  From what I’m gathering, it seems that VLANs are basically the same thing as what I want to do with these virtual interfaces, just on a very small scale.  Is that accurate?  If I get this switch, what kind of configuration steps would I need to take to get it working with pfSense?  I’ve tried searching very hard for someone with an identical scenario to myself, but I’m only finding threads that either don’t have instructions, or don’t have solutions.

    So, I really need someone to help get me moving in the right direction.  I need to know exactly what resources could help me do what I want, and any issues I could expect along the way.  A lot of what I’m asking might be totally possible right out of the box, but I don’t know that yet.  That’s why I want to ask the community before I spend any money and time implementing it.  I’m not totally incompetent, and I don’t believe this is way over my head, I just haven’t put anything I’ve learned from books into practice.  I really want to learn from this experience.
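The split-tunnel site-to-site layout asked about above (10.0.10.0/24 at the main office, 10.0.20.0/24 at the remote office, a possible 10.0.30.0/24 later, and only private-subnet traffic crossing the tunnel), written out as a plain OpenVPN server/client configuration. This is an added example, not taken from the thread or from pfSense's own generated config; the tunnel network 10.0.100.0/24, UDP port 1194, the certificate CN "remote-office-20" and all file paths are assumptions.

```openvpn
# --- Main office (pfSense, 10.0.10.0/24): OpenVPN server ---
# Assumed values: tunnel network 10.0.100.0/24, UDP/1194, remote
# peer's certificate CN "remote-office-20". Cert/key paths are placeholders.
port 1194
proto udp
dev tun
topology subnet
server 10.0.100.0 255.255.255.0
ca   /path/to/ca.crt
cert /path/to/server.crt
key  /path/to/server.key
dh   /path/to/dh.pem
tls-auth /path/to/ta.key 0       # drop packets lacking the shared HMAC key
cipher AES-256-CBC
auth SHA256
keepalive 10 60

# Only the private subnets ride the tunnel: push the main-office LAN to
# peers and never push redirect-gateway, so web browsing stays on each
# site's own uplink (split tunnel).
push "route 10.0.10.0 255.255.255.0"

# Kernel routes on the server so the file server can reach remote PCs;
# 10.0.30.0/24 is the possible future office.
route 10.0.20.0 255.255.255.0
route 10.0.30.0 255.255.255.0

# Per-peer files bind each remote LAN to the certificate that may claim it.
client-config-dir /path/to/ccd

# --- /path/to/ccd/remote-office-20 ---
# iroute 10.0.20.0 255.255.255.0

# --- /path/to/ccd/remote-office-30 (only once the third site exists) ---
# iroute 10.0.30.0 255.255.255.0
# (add "client-to-client" plus a pushed route for 10.0.20.0/24 only if the
#  remote sites must reach each other)

# --- Remote office (DD-WRT WNDR3700, 10.0.20.0/24): OpenVPN client ---
client
dev tun
proto udp
remote <MAIN_OFFICE_STATIC_IP> 1194
remote-cert-tls server          # refuse a peer whose cert is not a server cert
ca   /path/to/ca.crt
cert /path/to/remote-office-20.crt
key  /path/to/remote-office-20.key
tls-auth /path/to/ta.key 1
cipher AES-256-CBC
auth SHA256
```

The iroute in each ccd file is what stops one remote site's certificate from claiming another site's subnet, and pfSense still applies its firewall rules on the OpenVPN interface, so what actually crosses the tunnel can be narrowed further to the file-sharing ports the remote PCs need.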


  • Netgate Administrator

    Hi,
    Looks like you're learning already!  ;)

    I have limited experience with VPNs so I can't really advise you on the details. One thing I will say is that you won't max out a 35/35Mbps connection using VPN traffic with an Atom. However as you say you have a much smaller pipe at the other end it shouldn't be a problem. Read this post for some detailed test results.

    Is all of this possible without pulling my hair out?

    You'll probably lose some hair.  ::) It is possible.

    There are plenty of people using Realtek NICs with no problems at all. Test it and see. Do you know which Realtek chipset it is?
    Does your Atom board have a mini-pci or mini-pci express slot? Many do. You could use it as an access point directly, assuming it's located somewhere centrally.

    From what I’m gathering, it seems that VLANs are basically the same thing as what I want to do with these virtual interfaces, just on a very small scale.  Is that accurate?

    You can use VLANs to get extra virtual interfaces no problem. Yes.
    I've never used the RB250GS but VLANs are surprisingly straightforward.

    It sounds to me like you are asking all the right questions and have a good idea of what you're getting into.
    I would try using the Realtek NIC first (you'll probably have no trouble) and get a managed switch if you need it. Remember to go one step at a time, testing as you go. A lot of people run into trouble when they swap their current router for pfSense and try to match the previous configuration, setting up every feature in one go. Have fun!  :)

    Steve

