Using PFS to secure a Metro-E line…

kevin972 · May 16, 2013, 6:20 PM

hey all,

I am sure this is in the wrong place…feel free to move. I am a noob to a lot of this so my terminology is probably problem.

I propose this question: How do I configure two PFS boxes, one on each end, to communicate traffic but yet secure a line? We previously used internet connections between our two offices and had MonoWall's on each end. That worked GREAT!! Now, we have a 10M dedicated "private" line between us...it is not routed, switched, or anything...it's basically a long fiber line between the two offices, and I DON'T want to leave it up to AT&T to secure it for us. The "Slave" office has a switch and several devices (prn, PC, scanners, etc)...the "Main" office has the servers and the internet connection (for access to the WWW). The Slave office, and the Main office, use RDP sessions to do all their work and then the servers send appropriate data back through the line to the printers and such at the Slave office or the Main office. Basically, it is like the slave office is here at the main office...it only has a really long line between switch A and Switch B. What I want is security on the fiber line, so noone can "jump in" on it as they would then have total access to our Network! I hope this is enough info for somebody to help me/us.

Thanks!!

SeventhSon · May 16, 2013, 6:56 PM

Securing this would still be a VPN (like before), and if you don't want to route between the sites, a bridged VPN like OpenVPN TAP (TAP is the important bit, TUN is routed, TAP is bridged).

Easiest physical setup would be:
Site1 - LAN switch - pfSense - Metro-E - pfSense - LAN switch - Site2

cmb · May 17, 2013, 4:01 PM

Really should route between the sites (isolating any layer 2 issues to a single physical location always best), which also makes the VPN cleaner. It's effectively no different from an Internet VPN, just across the metro E instead.

kevin972 · May 17, 2013, 5:20 PM

@cmb:

Really should route between the sites (isolating any layer 2 issues to a single physical location always best), which also makes the VPN cleaner. It's effectively no different from an Internet VPN, just across the metro E instead.

OK…so...basically, I will need to have a different subnet at the Slave site and will have to route between them? Can you give me an example of how I would set this up? 10.0.x.x at main and 10.10.x.x at the slave? Would I have to set up the Metro-E section as something like 10.20.x.x and route all traffic as well or what? Sorry...this is totally new to me. :)

SeventhSon · May 17, 2013, 5:36 PM

You're on the right track, seperate subnets for both LANs and the Metro-E section

So you would have
site1:
pfSense LAN: 10.0.0.1/24
pfSense WAN (Metro-E): 10.20.0.1/24

site1:
pfSense LAN: 10.10.0.1/24
pfSense WAN (Metro-E): 10.20.0.2/24

and then follow:
http://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_%28Shared_Key,_2.0%29