Before installing I have a few basic questions.



  • Hello,

    I will be installing on 2008r2 in a hyper-v role.
    I only want pfsense for its vpn as I already have a decent firewall etc.

    Q1. Do I need to set it up with more that one nic? or can i get away with just a WAN facing nic.

    Q2. Any advice about hyper-v settings.

    Cheers


  • Rebel Alliance Global Moderator

    Well if you only want to vpn to the pfsense box, then a wan interface would be enough.  But if you wan the vpn to allow you access to your lan, pfsense would need a lan interface to provide that access.


  • Netgate Administrator

    I'm not sure about that. Since 2.0 pfSense can run with a single NIC and in that situation will allow traffic to and from that NIC by default. I suspect it depends which VPN type you using, you may run into routing problems if your client, pfSense box and local LAN are all on the same subnet.

    Steve



  • OK so a bit confused about ip's.

    Setting this up to replace adito vpn in a very small primary school.

    To get to the router from the internet I can either type https://vpn.****.net or type an ip lets say 50.50.50.1.
    This then gets forwarded to a server at the school on an ip lets say 20.20.20.5 subnet is 255.255.255.0.

    In pfsense what would I put as the WAN ip? would it be 20.20.20.5?
    What whould I put as the LAN ip? would it be a free internal ip lets say 20.20.20.6

    thanks


  • Netgate Administrator

    I should preface this with: I've not tried this!  ;)

    Assuming 20.20.20.5 is your Windows 2008 server it depends how you have your virtual server setup. If you have the virtual NIC that is acting as the pfSense WAN interface bridged with the real NIC then it should pull another IP address (or have it statically assigned) say 20.20.20.6.

    If you are running pfSense with one NIC then this should be sufficient. If you running OpenVPN for example then remote clients will be on another subnet and pfSense should be able to route the traffic accordingly.

    Sorry if I only confused the issue.  ::) My post above was simply to point out that two interfaces may not be necessary, and in fact may introduce new problems. Though as I say, I haven't actually tried this!

    Steve



  • Setting this up to replace adito vpn in a very small primary school.

    not sure what you are trying to achieve here as both ipsec and adito are two different technologies.
    putting pfsense behind a router to become an ipsec endpoint would require either port forwarding/opening to allow ipsec through on the front facing router if you were going to use a private ip range.
    or you could use public ip's which would then need routing and optional dns records to access from the internet.



  • not sure what you are trying to achieve here as both ipsec and adito are two different technologies.

    Adito is not supported and not secure, so trying to set up some kind of replacement. As pfsense seems to come pre built with openvpn and has a nice gui I thought I would try this out.

    I am still confused how to set it up in hyper-v from a IP/NIC point of view.

    I have managed to enable a second NIC in my server so the 2008r2 server does have 2 physical NICs. But thought I could have one physical NIC as you can hang as many virtual NICS of that as you need.

    I do have port 443 forwarded to an internal ip lets say 20.20.20.5. So which NIC do I actually give this address to. Is it the physical NIC on the server or the WAN NIC in pfsense or neither.


  • Netgate Administrator

    Did you try it with one NIC in pfSense?
    As you say you should be able to have as many virtual NICs as you require. However they will be bridged to your physical NIC, as though both were attached to a switch. You would never normally setup both LAN and WAN attached to the same switch.

    Steve



  • So even if I do have 2 NICS the fact that the CAT5 cables from these NICS both plug in to the same switch is a big no no.

    If that is correct then I am stuck. This is a small school, The council supply a LAN cable for our internet that plugs in on our main switch.

    If that is the case how come Adito works and also my test version of OpenVPN AS server.

    Also when pfsense asks for a WAN IP is that the ip of the forwarded firewall port or the ip that a user on the outside would use to connect to the firewall before being forwarded.

    Bloody confused.


  • Netgate Administrator

    I'm not really the right person to answer this but I seem to have been sucked in!  ;)

    You are trying to create a VPN end point to replace Adito. This means you only need one NIC in your appliance (virtual or not).
    pfSense has supported single NIC configurations since 2.0 was released. In that situation the one NIC is named WAN by default. The virtual NIC you assign as this interface should be bridged to the real NIC in your server. It should have an IP address in the same subnet as your server. Either static or DHCP assigned. This would be 20.20.20.6 in your example. You can then forward your incoming OpenVPN traffic to that IP.
    In order for remote clients to connect to local resources the pfSense machine has to route between the VPN subnet and the local subnet. This is the part I've never tried. I can see that there might, potentially, be a problem routing in and out of the same NIC. Then again it may work fine. The only other thing I can think of is that you will probably have to add a route to your VPN subnet via the pfSense IP in your main router.

    Hope that helps (a bit).

    Steve



  • Some notes about Hyper-V settings, better late than never. I wrestled with it for a while before I got it to work; here are the things I thought I should remember for next time: http://vorkbaard.nl/pfSenseOnHyperV.asp

    This is about a two-nic setup but it may help.

    Good luck!



  • Thanks for the link to the hyper-v instructions.

    One very basic question, does the cat5 cable from the WAN adapter actually need to be plugged in to a switch physically connected to the internet or can I connect it to an internal switch that is connected to other internal switches and then connected to the internet. The reason I ask is in another post someone said it needs to be connected to the WAN switch only but our WAN switch is in another building.

    Not sure if I have made any sense, sorry.


  • Netgate Administrator

    The pfSense WAN adapter?
    No. The wan side of pfSense can be a private network.

    Steve


Locked