Using PFS to secure a Metro-E line…



  • hey all,

    I am sure this is in the wrong place…feel free to move.  I am a noob to a lot of this so my terminology is probably a problem.

    I propose this question:  How do I configure two PFS boxes, one on each end, to communicate traffic but yet secure a line?  We previously used internet connections between our two offices and had MonoWalls on each end.  That worked GREAT!!  Now, we have a 10M dedicated "private" line between us...it is not routed, switched, or anything...it's basically a long fiber line between the two offices, and I DON'T want to leave it up to AT&T to secure it for us.  The "Slave" office has a switch and several devices (prn, PC, scanners, etc)...the "Main" office has the servers and the internet connection (for access to the WWW).  The Slave office, and the Main office, use RDP sessions to do all their work and then the servers send appropriate data back through the line to the printers and such at the Slave office or the Main office.  Basically, it is like the slave office is here at the main office...it only has a really long line between switch A and switch B.  What I want is security on the fiber line, so no one can "jump in" on it as they would then have total access to our network!  I hope this is enough info for somebody to help me/us.

    Thanks!!



  • Securing this would still be a VPN (like before), and if you don't want to route between the sites, a bridged VPN like OpenVPN TAP (TAP is the important bit, TUN is routed, TAP is bridged).

    Easiest physical setup would be:
    Site1 - LAN switch - pfSense - Metro-E - pfSense - LAN switch - Site2



  • Really should route between the sites (isolating any layer 2 issues to a single physical location always best), which also makes the VPN cleaner. It's effectively no different from an Internet VPN, just across the metro E instead.



  • @cmb:

    Really should route between the sites (isolating any layer 2 issues to a single physical location always best), which also makes the VPN cleaner. It's effectively no different from an Internet VPN, just across the metro E instead.

    OK…so...basically, I will need to have a different subnet at the Slave site and will have to route between them?  Can you give me an example of how I would set this up?  10.0.x.x at main and 10.10.x.x at the slave?  Would I have to set up the Metro-E section as something like 10.20.x.x and route all traffic as well or what?  Sorry...this is totally new to me. :)



  • You're on the right track, separate subnets for both LANs and the Metro-E section.

    So you would have
    site1:
    pfSense LAN: 10.0.0.1/24
    pfSense WAN (Metro-E): 10.20.0.1/24

    site2:
    pfSense LAN: 10.10.0.1/24
    pfSense WAN (Metro-E): 10.20.0.2/24

    and then follow:
    http://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_(Shared_Key,_2.0)

