Netgate Discussion Forum

Using PFS to secure a Metro-E line…

General pfSense Questions
5 Posts 3 Posters 1.2k Views

kevin972 (May 16, 2013, 6:20 PM):

    hey all,

    I am sure this is in the wrong place…feel free to move.  I am a noob to a lot of this, so my terminology is probably a problem.

    I propose this question:  How do I configure two PFS boxes, one on each end, to communicate traffic but yet secure a line?  We previously used internet connections between our two offices and had MonoWalls on each end.  That worked GREAT!!  Now, we have a 10M dedicated "private" line between us...it is not routed, switched, or anything...it's basically a long fiber line between the two offices, and I DON'T want to leave it up to AT&T to secure it for us.  The "Slave" office has a switch and several devices (prn, PC, scanners, etc)...the "Main" office has the servers and the internet connection (for access to the WWW).  The Slave office, and the Main office, use RDP sessions to do all their work and then the servers send appropriate data back through the line to the printers and such at the Slave office or the Main office.  Basically, it is like the slave office is here at the main office...it only has a really long line between switch A and switch B.  What I want is security on the fiber line, so no one can "jump in" on it, as they would then have total access to our network!  I hope this is enough info for somebody to help me/us.

    Thanks!!

SeventhSon (May 16, 2013, 6:56 PM):

      Securing this would still be a VPN (like before), and if you don't want to route between the sites, a bridged VPN like OpenVPN TAP (TAP is the important bit, TUN is routed, TAP is bridged).

      Easiest physical setup would be:
      Site1 - LAN switch - pfSense - Metro-E - pfSense - LAN switch - Site2

cmb (May 17, 2013, 4:01 PM):

        Really should route between the sites (isolating any layer 2 issues to a single physical location always best), which also makes the VPN cleaner. It's effectively no different from an Internet VPN, just across the metro E instead.

kevin972 (May 17, 2013, 5:20 PM):

          @cmb:

          Really should route between the sites (isolating any layer 2 issues to a single physical location always best), which also makes the VPN cleaner. It's effectively no different from an Internet VPN, just across the metro E instead.

          OK…so...basically, I will need to have a different subnet at the Slave site and will have to route between them?  Can you give me an example of how I would set this up?  10.0.x.x at main and 10.10.x.x at the slave?  Would I have to set up the Metro-E section as something like 10.20.x.x and route all traffic as well or what?  Sorry...this is totally new to me. :)

SeventhSon (May 17, 2013, 5:36 PM):

            You're on the right track: separate subnets for both LANs and the Metro-E section.

            So you would have
            site1:
            pfSense LAN: 10.0.0.1/24
            pfSense WAN (Metro-E): 10.20.0.1/24

            site2:
            pfSense LAN: 10.10.0.1/24
            pfSense WAN (Metro-E): 10.20.0.2/24

            and then follow:
            http://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_%28Shared_Key,_2.0%29

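The routed, shared-key OpenVPN tunnel that the addressing plan above describes, written out as stand-alone OpenVPN configuration for both ends. This is an added example, not configuration from the original thread or from pfSense itself (pfSense generates its own OpenVPN config from the web GUI; these are the equivalent hand-written files, following the linked site-to-site shared-key guide). The LAN and Metro-E addresses are the ones from the post above; the tunnel endpoint addresses 10.30.0.1/10.30.0.2, UDP port 1194, the key path and the cipher choice are assumptions.

```openvpn
# ---- Main office (site1) pfSense: Metro-E interface 10.20.0.1, LAN 10.0.0.0/24 ----
# Acts as the listening end of a static-key (shared secret) site-to-site tunnel.
dev tun                            # routed tunnel (cmb's advice); a bridged TAP setup would use "dev tap" plus a bridge
proto udp
local 10.20.0.1                    # bind only to the Metro-E address, never to the LAN side
port 1194
ifconfig 10.30.0.1 10.30.0.2       # assumed tunnel endpoints: local, then remote
route 10.10.0.0 255.255.255.0      # slave-office LAN is reachable only through the tunnel
secret /etc/openvpn/metro-e.key    # same file on both ends; generate once with: openvpn --genkey --secret metro-e.key
cipher AES-256-CBC                 # static-key mode cannot use AEAD (GCM) ciphers, so use CBC + HMAC
auth SHA256                        # HMAC on every packet: an attacker on the fiber can't inject or alter traffic
keepalive 10 60                    # detect a dead peer and restart the tunnel
persist-key
persist-tun
verb 3

# ---- Slave office (site2) pfSense: Metro-E interface 10.20.0.2, LAN 10.10.0.0/24 ----
# Mirror image of the above; it initiates towards the main office.
dev tun
proto udp
local 10.20.0.2
remote 10.20.0.1 1194              # main-office Metro-E address and port
ifconfig 10.30.0.2 10.30.0.1
route 10.0.0.0 255.255.255.0       # main-office LAN (servers) via the tunnel
secret /etc/openvpn/metro-e.key
cipher AES-256-CBC
auth SHA256
keepalive 10 60
persist-key
persist-tun
verb 3
```

Two points matter for the threat the original poster describes (someone tapping the fiber). First, the key file has to reach the second box out of band, not in the clear across the very line you are trying to protect. Second, the Metro-E interface on each pfSense should pass nothing except UDP/1194 from the peer's 10.20.0.x address; with the LANs on separate subnets and the only route to the far LAN pointing into the tunnel, no LAN traffic can cross the fiber unencrypted, and a device plugged into the line sees only authenticated, encrypted OpenVPN packets.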
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.