Dual WAN, dual LAN

  • The more I think about this the more I think it would be better to use two pfsense boxes, but for various reasons I'd prefer to avoid that. Let's see if I can describe the plan without drawing a diagram…

    Site with WAPs with multi-SSID delivered via VLANs, one for staff wifi, one for guest wifi.

    Staff VLAN (security via 802.1x/RADIUS) is bridged to the local network.

    Guest VLAN (security via CP/RADIUS) is routed through an OpenVPN tunnel to a remote site where there's another pfsense box acting as an internet gateway.

    The pfsense box at the internet gateway actually serves a number of tunnels to sites with the pfsense boxes providing staff/guest VLANs.

    The guest network must never see the staff network, and vise versa! So, dual-WAN, but for dual networks rather than for failover or load-balancing.

    What's working so far, in isolation; WAPs, VLANs, 802.1x/CP/RADIUS, OpenVPN tunnelling.

    What's not working: routing. It seems that I need two default routes, one for the staff to the local network, and one for the guest network through the VPN tunnel to the remote internet gateway.

    Is this scenario reasonable, or am I barking up the wrong tree entirely? Is policy-based routing via firewall rules the way to go?

    I've learned a fair amount over the last few weeks but I'm a bit stuck at the moment (and taking a step back to pause and think).

  • That's reasonable. You'll have to policy route the clients out the VPN.

  • @cmb:

    That's reasonable. You'll have to policy route the clients out the VPN.

    Thanks for the response cmb. I've got policy-based routing working now (forcing guest traffic down a VPN tunnel, though I had to disable gateway monitoring for that to work).

    However, I've had to abandon rolling staff and guest networks through pfsense - it turns out that running pfsense in bridging mode, while using VLANs, and in an ESX high-availability virtual environment, is a bit of a nightmare of layer 2 loops, and it seems that there's no way to resolve it. Ah well.

  • Yeah, running anything with bridging and HA in ESX will be a mess. Not something I'd recommend, either don't do HA, or don't do bridging, generally the latter the only good option.

Log in to reply