LAN only VPN endpoint
Hello all,
I hope I'm in the right category with this question.
I want to set up two pfSense installations, one remote and one in our extensive LAN.
The remote configuration is easy: two NICs, one with an internet (WAN) IP, one with a LAN IP. Both connected to different switches, nothing special.

However, on our local side I want to put pfSense into our existing LAN and use it as a VPN endpoint/router only.
I already have a working LAN with a router handling all traffic to the internet. Its IP address is 172.18.0.1 and all LAN clients have this as their default gateway. This router is also handling some other VPN connections.
My question is, since pfSense always needs a WAN (and doesn't really seem to require a LAN – it can be deleted but WAN cannot), how should I configure pfSense?
I have several options:
1) Put in 2 NICs, configure them as WAN and LAN, set up a LAN IP of 172.18.0.2 and don't connect any cable to WAN.
--- This does not seem to work, because pfSense can't connect to the internet in this manner. Even though I did set up a LAN gateway (172.18.0.1) and DNS properly, it won't work. For example, the PING diagnosis will resolve the hostname but can't ping it. I also tried adding a firewall rule forcing all traffic to go out through LAN, but this doesn't seem to be the way to do it. One question though: what is the LAN default gateway ever used for?
2) Put in 2 NICs, configure them as WAN and LAN, set up a fixed LAN IP of 172.18.0.2 and a fixed WAN IP of 172.18.0.3. In this case, both NICs are connected to exactly the same switch/network. This would enable pfSense to PING hosts on the internet and also receive incoming VPN connections on its WAN interface (let's say for PPTP (unsafe protocol) I would forward the correct port 1723 from the internet-facing router to IP 172.18.0.3). If I were establishing an IPsec connection, with 192.168.1.x on the remote side, I would create additional routes on all other LAN computers telling them to route traffic destined for 192.168.1.x to 172.18.0.2.
3) Perhaps a better option?
I also tried option two, but got strange results after setting up both IPs. The network switch just kept flashing in the same pattern on all active ports and no traffic whatsoever was possible until I disconnected the pfSense box. Even LAN-LAN traffic was impossible. It is highly possible this happened because of some 'strange' rules I still had in place from trying setup #1, but still I don't understand why this would happen. I had disabled the DHCP server of pfSense and it should never interfere with LAN->LAN packets anyway, and it's also not the default gateway or anything. Perhaps it was sending out RIP packets that caused this? But anyway, I thought that I'd ask here first before trying this experiment again.
Any help or pointers would be greatly appreciated.
Thanks!
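Option 2 in the post depends on every LAN host carrying a static route, so that only the remote site's subnet is sent to the pfSense box while everything else keeps using the existing router. The block below is an added example, not code from the post or from pfSense: a small Python model of longest-prefix-match route selection using the addresses quoted above (172.18.0.1 as default gateway, 172.18.0.2 as the VPN endpoint, 192.168.1.0/24 as the remote side). The /24 mask for the local LAN and the route table itself are assumptions made for illustration; it also shows what happens to remote-site traffic when the static route is missing.

```python
"""Route selection on a LAN host with two gateways on the same subnet.

Added example (not from the forum post). Models the static-route idea from
option 2: the default gateway stays the existing router (172.18.0.1) and
only traffic for the remote site's 192.168.1.0/24 goes to the pfSense box
at 172.18.0.2. The route table is constructed for illustration; the /24
mask on the local LAN is an assumption.
"""
import ipaddress
from typing import List, Optional, Tuple

# (destination network, next hop). Order does not matter: the kernel picks
# the most specific (longest prefix) matching route, not the first listed.
LAN_HOST_ROUTES: List[Tuple[str, Optional[str]]] = [
    ("0.0.0.0/0", "172.18.0.1"),       # default route: existing internet router
    ("192.168.1.0/24", "172.18.0.2"),  # remote site, via the pfSense VPN endpoint
    ("172.18.0.0/24", None),           # directly connected LAN (assumed /24), on-link
]


def next_hop(dst: str, routes=LAN_HOST_ROUTES) -> Optional[str]:
    """Return the next-hop IP a host would use for dst.

    None means the destination is on-link (delivered directly).
    Raises ValueError when no route covers dst.
    """
    dst_ip = ipaddress.ip_address(dst)
    best: Optional[Tuple[ipaddress.IPv4Network, Optional[str]]] = None
    for net, gw in routes:
        network = ipaddress.ip_network(net)
        if dst_ip in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gw)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best[1]


def routes_without_vpn_entry() -> List[Tuple[str, Optional[str]]]:
    """Same table with the static route to the VPN endpoint left out,
    i.e. a LAN host that was never told about 192.168.1.0/24."""
    return [r for r in LAN_HOST_ROUTES if r[0] != "192.168.1.0/24"]


if __name__ == "__main__":
    for dst in ("8.8.8.8", "192.168.1.5", "172.18.0.50"):
        print(f"{dst:>14} -> {next_hop(dst)}")
    # Without the static route, remote-site traffic falls back to the default
    # gateway, which knows nothing about this VPN, so it never reaches pfSense.
    print("192.168.1.5 without static route ->",
          next_hop("192.168.1.5", routes_without_vpn_entry()))
```

Running the script shows internet traffic leaving via 172.18.0.1, the remote subnet via 172.18.0.2, and local hosts delivered on-link; the last line illustrates why the post's per-host routes (or a route pushed by DHCP, or a static route on the main router pointing to 172.18.0.2) are required for option 2 to work.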