Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Using PFS to secure a Metro-E line…

    General pfSense Questions
    3
    5
    917
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • K
      kevin972
      last edited by

      hey all,

      I am sure this is in the wrong place…feel free to move.  I am a noob to a lot of this so my terminology is probably problem.

      I propose this question:  How do I configure two PFS boxes, one on each end, to communicate traffic but yet secure a line?  We previously used internet connections between our two offices and had MonoWall's on each end.  That worked GREAT!!  Now, we have a 10M dedicated "private" line between us...it is not routed, switched, or anything...it's basically a long fiber line between the two offices, and I DON'T want to leave it up to AT&T to secure it for us.  The "Slave" office has a switch and several devices (prn, PC, scanners, etc)...the "Main" office has the servers and the internet connection (for access to the WWW).  The Slave office, and the Main office, use RDP sessions to do all their work and then the servers send appropriate data back through the line to the printers and such at the Slave office or the Main office.  Basically, it is like the slave office is here at the main office...it only has a really long line between switch A and Switch B.  What I want is security on the fiber line, so noone can "jump in" on it as they would then have total access to our Network!  I hope this is enough info for somebody to help me/us.

      Thanks!!

      1 Reply Last reply Reply Quote 0
      • S
        SeventhSon
        last edited by

        Securing this would still be a VPN (like before), and if you don't want to route between the sites, a bridged VPN like OpenVPN TAP (TAP is the important bit, TUN is routed, TAP is bridged).

        Easiest physical setup would be:
        Site1 - LAN switch - pfSense - Metro-E - pfSense - LAN switch - Site2

        1 Reply Last reply Reply Quote 0
        • C
          cmb
          last edited by

          Really should route between the sites (isolating any layer 2 issues to a single physical location always best), which also makes the VPN cleaner. It's effectively no different from an Internet VPN, just across the metro E instead.

          1 Reply Last reply Reply Quote 0
          • K
            kevin972
            last edited by

            @cmb:

            Really should route between the sites (isolating any layer 2 issues to a single physical location always best), which also makes the VPN cleaner. It's effectively no different from an Internet VPN, just across the metro E instead.

            OK…so...basically, I will need to have a different subnet at the Slave site and will have to route between them?  Can you give me an example of how I would set this up?  10.0.x.x at main and 10.10.x.x at the slave?  Would I have to set up the Metro-E section as something like 10.20.x.x and route all traffic as well or what?  Sorry...this is totally new to me. :)

            1 Reply Last reply Reply Quote 0
            • S
              SeventhSon
              last edited by

              You're on the right track, seperate subnets for both LANs and the Metro-E section

              So you would have
              site1:
              pfSense LAN: 10.0.0.1/24
              pfSense WAN (Metro-E): 10.20.0.1/24

              site1:
              pfSense LAN: 10.10.0.1/24
              pfSense WAN (Metro-E): 10.20.0.2/24

              and then follow:
              http://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_%28Shared_Key,_2.0%29

              1 Reply Last reply Reply Quote 0
              • First post
                Last post