Remote Network Point to Point Link to VPN Over DSL Failover
-
I have two offices (25 miles apart) which are connected to each other over an "Ethernet Over Coax" (EoC) point to point connection from the local cable provider (who is also providing fiber to Site 2). As the EoC service comes with no service level agreement I am concerned that it may be unreliable, so I have established DSL Internet connections from the same provider at both ends and desire to establish an IPSEC VPN between the two sites for failover purposes. The connection is used to support Windows networking and a Health Information Management system that depends on SQL.
I have already implemented Internet connection failover (favoring the fiber connection) for Site 2 and will be also implementing it for Site 1 where it will fail over to the EoC connection and use the Internet through Site 1's fiber or DSL.
Site 1 is 192.168.0.0/24 and Site 2 is 192.168.2.0/24
What would be the best approach to failing over to the VPN - I'm thinking properly ordered rules, policy-based routing, and tiered gateways?
Does anyone have any suggestions for a better way to do it?
Internet–-------------
| | |
DSL Fiber |
| | |
| | |
--Site 2-------| VPN
| |
EoC |
| |
| |
Site 1-------| |
| |
DSL |
| |
Internet--------------- -
Doing further reading I have found info in this thread:
http://forum.pfsense.org/index.php/topic,53811.0.html
And think it will likely apply to my situation. If I make this work I will write a guide for it and post it here and to my blog (http://darnitol.blogspot.com)
If grasshoppers carried .45's birds would leave them alone.
-
pfSense: Remote Network Point to Point Link to VPN Over DSL Failover
The scenario:
You have two locations with Internet connections and a dedicated point-to-point connection between the two and two pfSense systems performing all routing at both sites. You desire the two sites remain connected should the dedicated connection fail.
The solution:
Create a pfSense configuration with failover from the point-to-point connection to a site-to-site VPN utilizing the existing Internet connections at each site.
Steps:
1. Create an OpenVPN Server on the main pfSense and Client setup on the remote pfSense (I used pre-shared keys). DO NOT set a route option in the Advanced box as most instructions for configuring OpenVPN will suggest nor should you have a static route to your remote network defined under System -> Routes. Also note that IPSec can not be used in this scenario as it doesn't create a new adapter that we can work with in the firewall rules and gateways.
2. Check and see that the VPN turns on and connects via Status -> OpenVPN before proceeding. If it does not then troubleshoot your Internet connectivity and OpenVPN settings.
2. Go to Interfaces -> Assign and add Interface OPT3 with Network port ovpns1 on both the server and the client pfSense systems.
3. On both your local and remote pfSense add a new Firewall Rule allowing all protocols from any source to to any destination under both OPT3 and OpenVPN.
4. On both your local and remote pfSense add OPT3 as a Gateway under System -> Routing -> Gateways leaving the Gateway and other options blank.
5. On both your local and remote pfSense create a new Group under System -> Routing -> Groups. The group will define your dedicated connection as Tier 1 and OPT3 as Tier 2. My trigger level is set to Member Down.
6. On both your local and remote pfSense create a new Firewall Rule under LAN which has all traffic from all sources bound for the remote network use the new Gateway Group (under Advanced) you created in Step 5.
7. Test - unplug the point-to-point connection, monitor things under Status -> Gateways, wait a minute or so, and hopefully you will still be passing traffic albeit through the VPN.