Can complex VPN/Routing/Firewall Scenario be handled by pfSense?!?

  • Hi everyone!

    I've spent several days with research on a solution to handle the following scenario. At the moment it seems to me that there is no existing single product which can handle it. pfSense seems to be closest to what I try to achieve.
    Could anybody be so kind as to help me out by telling me whether I can manage to handle it with pfSense?

    I have two sites each with several subnets.
    The sites are connected via 2Mbit Leased Line. It acts like a cable connection between switch and switch.
    Each site has its own DSL 16Mbit connection to the internet.
    Each site has several VPN IPSEC connections for mobile users and Site2Site which are at the moment handled by the DSL Router (AVM Fritz!Box 7390) of the site. There is also a VPN IPSEC connection between the sites as backup for the Leased Line. All is based on DynDns Names, as there are no static IPs.
    Each internal Subnet has its own VLAN and routing is completely handled by Netgear L3 Switches, no firewalls and/or filtering.

    Goal 1 (Firewalling):
    Take the routing for some subnets off the switch to a pfSense box and enable firewalling.
    I'm aware that the throughput will decrease remarkably - that's no problem.

    Goal 2 (Multiple WAN):
    Establish backup internet AND VPN connections for each site via LTE.
    If the DSL line goes down, all Internet and VPN traffic should automatically switch to LTE.
    In addition to that it would be optimal if the LTE connections could also be used for load balancing of the internet traffic and the Site 2 Site VPN.

    Goal 3 (VPN):
    Centralize all VPN connections of all sites for all users to one gateway.
    There are 2 Problems:

    • each user has his own policy for accessing only specific subnets
    • Mobile users have to stay on IPSEC, as there are different VPN clients which cannot easily be changed.

    I hope this is not too confusing.

    My idea to solve this with pfSense is:

    • Install pfSense on a rented Root Server with fixed IP and proper Internet Connection
    • Install a pfSense Box on each Site
    • Per Site: Build a Group over DSL and LTE connection and use it as Internet Gateway
    • Per Site: Build 2 OpenVPN Tunnels (1x DSL, 1x LTE) to the rented server
    • Per Site: Build a Group over the Leased Line and the 2 OpenVPN Tunnels and use it as gateway to the other site
    • Rented Server: Build a group over the 2 incoming OpenVPN Tunnels per site and configure the routing, configure VPN IPSEC and routing for the mobile workers.

    This is complex - at least for me…
    Do you think that could work?
    Any other suggestions how to achieve the goals?
    What can I do to restrict mobile workers only to certain subnets?

    Any suggestions and hints are highly appreciated.
    Thank you in advance!


  • Yes you can do all that, you'd be far from the first. It does get a little complex, more than I have time to explain in any kind of detail, but it is doable.

  • @cmb:

    Yes you can do all that,

    Does pfSense have native support for LTE modems or would you use an external box for that?

  • @wallabybob:

    Does pfSense have native support for LTE modems or would you use an external box for that?

    Some, yes. I use a UML290 as do some of our customers. There are others supported as well.

  • Thanks Chris for working through my post and helping me to make a decision towards the right solution.

    The only thing where I'm stuck is the VPN IPsec restrictions for the mobile users.
    Could anybody give me any hints on how to restrict different users to different local subnets?
    For example:
    LAN has 3 subnets,,
    IPsec User 1 should only be able to access
    IPsec User 2 should only be able to access
    IPsec User 3 should only be able to access and
    Where can I set those restrictions in pfSense?

    Thanks again!
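One way to model the per-user restriction asked about above, as an added example that is not from the thread or from pfSense itself: pin each mobile IPsec user to a fixed virtual address (assumed here to be done via the mobile client pool or a RADIUS Framed-IP-Address), then express the rules on the IPsec interface as "pass this source to these subnets" followed by a default block, in the first-match order pfSense uses. The subnets, user names, and the `enc0` interface name are constructed sample values.

```python
"""Per-user IPsec access policy modelled as pfSense-style first-match rules.

Assumption: every mobile IPsec user always receives the same virtual tunnel
address, so the source address inside the tunnel identifies the user.
All networks and users below are constructed sample values.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample policy: user -> (virtual tunnel IP, allowed LAN subnets)
USER_POLICY: Dict[str, Tuple[str, List[str]]] = {
    "user1": ("10.99.0.11", ["192.168.10.0/24"]),
    "user2": ("10.99.0.12", ["192.168.20.0/24"]),
    "user3": ("10.99.0.13", ["192.168.10.0/24", "192.168.30.0/24"]),
}
# A rule is (action, source network, destination network)
Rule = Tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Network]


def build_rules(policy=USER_POLICY) -> List[Rule]:
    """Expand the policy into an ordered rule list for the IPsec interface:
    one pass rule per (user, subnet), then a catch-all block at the end."""
    rules: List[Rule] = []
    for _user, (vip, subnets) in policy.items():
        src = ipaddress.ip_network(f"{vip}/32")
        for dst in subnets:
            rules.append(("pass", src, ipaddress.ip_network(dst)))
    anywhere = ipaddress.ip_network("0.0.0.0/0")
    rules.append(("block", anywhere, anywhere))  # default deny
    return rules


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str) -> str:
    """Return the action of the first matching rule (block if none match)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, rsrc, rdst in rules:
        if src in rsrc and dst in rdst:
            return action
    return "block"


def render_pf(rules: List[Rule], iface: str = "enc0") -> str:
    """Render the rules in pf syntax for review (illustrative, not a
    drop-in pf.conf; on pfSense the equivalent rules go on the IPsec tab)."""
    return "\n".join(f"{a} in quick on {iface} from {s} to {d}"
                     for a, s, d in rules)


if __name__ == "__main__":
    rs = build_rules()
    print(render_pf(rs))
    print(evaluate(rs, "10.99.0.11", "192.168.10.5"))  # pass
    print(evaluate(rs, "10.99.0.11", "192.168.20.5"))  # block
```

Running the script prints the expanded rule list and shows user1 reaching its own subnet but being blocked from user2's; an address outside the pinned set falls through to the default block.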