Inter-Vlan Routing Accross VPN
-
Hello,
I have one pfsense box setup in a test lab (to replace our cisco 2800s) we have 4 branches offices (1 of which is consider our main office as far as IT goes)
The test box I have configured right now which works great is for Branch 1 (site with the server farm)
It will have the following VLANs (I currently have the vlans setup with intervlans routing working fine)VLAN 10 - Branch 1 staff 10.10.100.0/24
VLAN 20 - Branch 1 VoIP (both Phones and contoller at this site) 10.20.100.0/24
VLAN 30 - Branch 1 Public Access Computers 10.30.100.0/24
VLAN 40 DMZ 10.40.100.0/24Currently I have this config working. VLAN 10 can get to VLAN 20, 30 & 40. VLAN 30 Can get to VLAN 40 (since 1 to 1 Nat's don't work internally)
I need 3 additional boxes over VPN with the corresponding VLANs only allowed to talk to there corspeonding vlan at the other site but the STAFF vlan needs to have access to all of them (from any site).
I know this needs to be done with ACLs/firewall rules somehow since it's Layer 3, but How, I know how to do it locally but doing it over a VPN tunnel is confusing me. and would this be better done with OpenVPN or IPSec (all Fiber connections are from the same ISP)
Here is a list of all the vlans
Branch 2
VLAN 11 - Branch 2 Staff 10.10.110.0/24
VLAN 21 - Branch 2 Voip (phones only) 10.20.110.0/24
VLAN 31 - Branch 2 Public Access Computers 10.30.110.0/24Branch 3
VLAN 12 - Branch 3 Staff 10.10.120.0/24
VLAN 22 - Branch 2 Voip (phones only) 10.20.120.0/24
VLAN 32 - Branch 2 Public Access Computers 10.30.120.0/24Branch 4
VLAN 13 - Branch 4 Staff 10.10.130.0/24
VLAN 23 - Branch 4 Voip (phones only) 10.20.130.0/24
VLAN 33 - Branch 4 Public Access Computers 10.30.130.0/24Any Help?? Please.
Thanks in Advance!
Jason
-
What sort of bandwidth will you be using via the VPN between the main office and the other offices?
Openvpn is better in almost every case, but it has to go back and forth between user-space and kernel space. This makes its upper limit of possible throughput lower than the theoretical upper limit of IPsec, which operates in kernel space.However, I say "theoretical" because depending on your hardware you might never reach that limit, in which case I like Openvpn much better.
-
It will be the same as our current VPN is on with the CISCO 2800's at each location (though there are no vlans in the current config) which is a 20MB Fiber connection (but I believe the 20MB may be a shared limit of all the links combined)
I guess I should have noted that normal internet bound traffic should go out the WAN connection at each site directly and not over the VPN (I guess that's assumed though)
-
OpenVPN really starts to measure up favourably performance wise against IPsec as the numbers of clients increases for each. At 20MB, especially shared between many client offices, OpenVPN is going to perform very well. If it were 100MB to a single client, it might be a different story.
Thats my feeling on that. Either will work, but one is definitely less fuss than the other.As far as what subnet can communicate with what subnet or not using VLANs, I'd think that would be an easy set of rules to establish using firewall floating rules to block or pass communication between subnets on each pfsense box. (Long maybe - but easy). I know a couple of the HERO guys are VLAN gurus. Maybe one will suggest something better.
If Staff, VoiP and Public each got separate VPN tunnels back to main office, this would all suddenly become easy to manage I think. (so says the amateur)
-
Do you think a P4 3.4ghz Box with 2GB RAM at the main office (old Checkpoint C6P-CP UTM-1 2050)
Main Site has
5 Servers (Domain/Webserver (internal mostly)/File Server/IT-MGMT (spiceworks/Antivirus console)/Terminal service for 3 users)
12 Staff Computers
18 Public Computers
Public Wifiand P4 1.5ghz Mobile Box with 1GB at each remote site could handle this (old Checkpoint UTM-1 450 C2P-CP)
Remote Sites Have
1 Domain Controller Each (no more Servers)
~10 Staff Machines
~14 Public Computers
Public Wifi -
I think the real question is can each of those handle 20MB/3 continuous over VPN, since thats the only CPU intensive thing you have mentioned thus far. So figure 20MB peak for any one and about 6MB throughput each on average. Yes. Piece of cake. Easy. If you can figure out the VLAN problem. (I'm assuming this is firewall/routing and not a bunch of snort intrusion detection)
Hint on the VLAN issue. I think "jimp" could answer to the VLAN question definitively.
-
Yes, I plan on doing just Firewall/Routing and maybe the Captive portal with no authentication on the Public Vlans, But I don't think that would really use much resources. Definitely no snort, I've always had issues with it.
I will see if Jimp can help
-
Yeah - The 1.5GHZ processors will do that no problems at all. I manage 5MB links even with a 300MHZ linksys E1000 as client to my servers and those have very weak processors. Hardware won't be an issue for you. Figuring out the VLAN layout should be your only worry. When you get this worked out, can you post the VLAN over Openvpn solution? It would be nice to know.
-
I guess I'm on my own on this one. He [Jimp] told me not to contact him. He want's you to buy commercial support. (which we being a public library could not do)
-
Sorry about that - Thats my mistake.
Referring this or that person by user-name here is probably a Faux pas.
In the event you can't get VLAN tagging to work accross the VPN:
I would probably handle this by having 3 Openvpn server threads running on that main pfsense in main office. One per function.
Then I'd probably have every computer in at every office be a client (24/7) to one of those VPN server threads and control their access to each other that way.
No VLANS required for that to work.
Are these computers windows? If they are, that makes my alternate solution ridiculously easy to implement. -
I think I found a solution, but it will require me to use IPSEC
http://doc.pfsense.org/index.php/IPsec_with_Multiple_Subnets
I can map the routes the additional subnets (vlans)
-
Hey - Thats neat. Not exactly what you were looking for but if that works as advertised, might be fine. Let me know how that turns out and how stable IPsec is for you. I've never needed to do this before, but for this scenario looks like, as far as I can tell, IPsec is better. Thats very cool if it works. I had read that using the TAP interface rather than the TUN in (maybe in bridged mode) might accomplish what you desire but if IPsec works for you, no need experiment.
-
For what its worth I don't think VLANs would work for what you were trying to do. Remember that Vlans are a layer 2 way of breaking up broadcast domains. Once you cross a layer 3 device your layer 2 Vlan tag will be lost. Remember that when the router moves the packet from one interface to another it will change the Ethernet header information which contains the source and destination MACs. Now if there were a way to keep your layer 2 information to persist over the routed connection then what you wanted to do could work.
-
https://forum.openwrt.org/viewtopic.php?id=33678
-
For what its worth I don't think VLANs would work for what you were trying to do. Remember that Vlans are a layer 2 way of breaking up broadcast domains. Once you cross a layer 3 device your layer 2 Vlan tag will be lost. Remember that when the router moves the packet from one interface to another it will change the Ethernet header information which contains the source and destination MACs. Now if there were a way to keep your layer 2 information to persist over the routed connection then what you wanted to do could work.
Yes, I know Lan is at layer 2. I don't plan on having the VLAN tags go across the VPN. The Layer 2 Vlans match up to Layer 3 Subnets (see my OP all of them are serperate subnets/vlan which would require routing, the vlans wouldn't match up for just tagging to work) anyway. All I need is to get all the subnets to be able to route across the VPN and use ACLs at each point to keep the correct subnets where they are suppose to be.
Also with my current config on my Cisco Routers I have A Multipoint VPN (I think it's technically called a Dynamic multi-point VPN) is there any feature like this in Pfsense, meaning that I don't have just one site being the server and the rest being clients (hub a spoke design) but all sites interconnect?
-
You mean full-mesh? TINC. Hmmm. Not in the packages for my 2.03 though.
-
yes
-
I think the open-source full mesh vpn solution is TINC. I know its been talked to go into pfsense but not sure if its in the 2.1
I know it can have NAT issues, but people like you don't have NAT issues. I'm sorta surprised if its not already a package in 2.1 -
Yes, I know Lan is at layer 2. I don't plan on having the VLAN tags go across the VPN. The Layer 2 Vlans match up to Layer 3 Subnets (see my OP all of them are serperate subnets/vlan which would require routing, the vlans wouldn't match up for just tagging to work) anyway. All I need is to get all the subnets to be able to route across the VPN and use ACLs at each point to keep the correct subnets where they are suppose to be.
Also with my current config on my Cisco Routers I have A Multipoint VPN (I think it's technically called a Dynamic multi-point VPN) is there any feature like this in Pfsense, meaning that I don't have just one site being the server and the rest being clients (hub a spoke design) but all sites interconnect?
I'm sorry I misunderstood your post, I thought you were trying to get your vlans to persist across the VPN connection. I did see that you are using different vlans. I was thinking you wanted routing across all sites but just wanted to be sure. I think you would probably need a point to point at each site, it sounds kind of ugly but it would accomplish your task. This has me interested now though, it should be possible with out all the extra configs so I will make a mock setup and report back. If you need it down quickly I would do it the ugly way and then work on the routing through the main site. Might be better to make the mesh setup because that way you don't lose connection to the other sites if the main site goes down and also there is less un-needed processing on the router at your main site.
https://forum.openwrt.org/viewtopic.php?id=33678
Neat trick but I don't think this would work if you wanted to have multiple vlans go across a VPN Connection.
-
I'm sure soon someone will figure a way to build VLAN support smoothly into VPN of some flavour or another, but I'm not seeing it being easy yet.