Will my scenario work?

  • Hi,

    While I have been using pfSense at home in a fairly basic capacity (and loving it!), I have recommended it to my company for use in a new system that we are deploying and I was wondering if my scenario will work.  But some background first.

    1. We have a number of headless devices that can be at any number of sites (Remote Site) and the number of devices and sites grows over time as more sales are completed.

    2. These devices are connected over WiFi to the remote pfSense box (which is local to them).

    3. We want to use Squid on the remote pfSense box because they all need to get content that is the same across the devices and would prefer to not have each individual device talk over the internet to get this content.

    4. The remote pfSense box could be connected to the Internet directly, through someone else's firewall or over 3g (the last being the primary reason we don't want duplicate content to be sent over the internet).

    5. Each remote site will have a dynamic IP address and possibly be NATed and/or firewalled.

    6. We would also like to be able to address each one of those devices for maintenance purposes directly from Head Office (Central Site).

    My initial thought is to create a VPN connection to each of these remote pfSense boxes but from a logistical point of view, I would prefer to not have to create separate subnets for each site.  If possible I would like to have a DHCP server centrally located which will help us track the MAC address to the IP address relationship.  I would also prefer to not have to configure the central site each time we add a new remote site.

    The Central Site will be located at Rackspace and will have to be a Windows Server 2008 R2 machine.  It has a static IP address.

    I have never set up a VPN before and I am currently trying to go through the documentation to set up two pfsense boxes together as an experiment.

    From browsing the forums it looks like IPSec may not be my best option as it may not be capable of dealing with 3g networks.

    Any ideas how I can go about doing this?


  • Hi,

    I'm thinking you should look if squid will be able to cache the content you want it to cache …. it may be a showstopper if at the end of the line you find out it doesn't or is hard to manage.

    For all other things it should be plausible to do without too much tinkering (read: possible from webgui).
    For not having multiple setups search the forums for a "bridge setup". Personally I've never had the need for it, nor know the details.

    I understand you will have a multi-wan setup (3g & something else).

    • You can set up a VPN on each of the WANs or use dynamic routing to decide what traffic goes over what VPN

    • With OpenVPN you could also bind it to a LAN interface and use basic gateway balancing/failover

    kind regards
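    To illustrate the OpenVPN approach discussed in this thread (remote boxes dialling in to the static central address, one bridged subnet, DHCP served from the centre, no server change when a site is added), here is an added example of a stock OpenVPN server and client configuration. It is not from this thread or from the pfSense project, and the hostname, file paths and site name are assumptions.

    ```conf
    # --- central site: OpenVPN server (assumed paths; plain OpenVPN, not the pfSense GUI) ---
    port 1194
    proto udp
    dev tap0                 # layer-2 tunnel, so DHCP broadcasts can cross it
    ca   /etc/openvpn/ca.crt
    cert /etc/openvpn/central.crt
    key  /etc/openvpn/central.key
    dh   /etc/openvpn/dh2048.pem
    tls-auth /etc/openvpn/ta.key 0   # HMAC on the control channel: unsigned packets are dropped before TLS
    # tap0 is bridged to the central LAN. With no arguments, server-bridge runs in
    # DHCP-proxy mode, so leases for the remote devices come from the central DHCP
    # server and the MAC-to-IP record stays in one place.
    server-bridge
    keepalive 10 60          # notice a dead 3g/NAT path and rebuild the tunnel
    persist-key
    persist-tun
    verb 3

    # --- remote site: OpenVPN client on the remote pfSense box ---
    client
    dev tap
    proto udp
    remote vpn.example.com 1194   # assumed static central address
    nobind                   # only outbound UDP is needed, so NAT and 3g links work
    resolv-retry infinite    # keep retrying while the dynamic WAN link flaps
    remote-cert-tls server   # refuse any peer certificate not marked as a server cert
    ca   /etc/openvpn/ca.crt
    cert /etc/openvpn/site-A.crt   # one certificate per site, signed by the same CA,
    key  /etc/openvpn/site-A.key   # so adding a site needs no change on the server
    tls-auth /etc/openvpn/ta.key 1
    keepalive 10 60
    persist-key
    persist-tun
    verb 3
    ```

    On the remote box the tap interface still has to be bridged to the WiFi-facing interface for the headless devices to receive the central leases; that bridge is configured outside these files.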

  • We have already tested that the remote system with squid will do the right kind of caching.  So that shouldn't be a problem.

    The concern right now is how to manage all of the devices and VPN sounds like the right option because we need the pfsense box to do tunneling in scenarios where we are connected to 3g or behind someone else's firewall.

    I am not clear on what you mean by multi-WAN.  The pfsense will only be connected to one WAN connection at a time, i.e. it may only be 3g or only behind someone else's firewall or only directly connected to the internet.

    I think I saw mention in the documents that bridge setup doesn't work in the 2.0 version of pfSense when using OpenVPN?  Can someone confirm this?
