    I have two pfsense boxes, one master and one failover, kept in sync, and I have an external VIP CARP address set up as my endpoint of an IPsec VPN, the other end is at a third party supplier.

    The IPsec VPN between my supplier and my pfsense box isn't an issue - use the CARP address as my tunnel endpoint and it should be fine.  I have this working on my test network in my office, so I'm pretty confident about this, using just a single web server on my network.

    What I am unsure of is how to have my two web servers on my network load balanced to traffic coming in over the VPN.  I have supplied my network addresses to the supplier in order to get working configs, but I don't want to have to make them use one or other of the specific IP addresses of my servers.  I want to give them a single IP address and then load balance that across my two servers.

    I keep seeing things like Binat and extra virtual network addresses for my LAN, but it's a bit above my current understanding.

    I think I have visualised the layout as follows :-

    web server A } ==> IPsec VPN ==> supplier network
    web server B  ==> ==>

    10.10.2.[1-2] are the IP addresses of my web servers on my LAN
    is my CARP address - my IPsec endpoint
    is the remote IP address of the supplier - supplier IPsec endpoint
    is the IP address of the host I need to talk to/will be talking to me on the supplier network

    I don't know how to address the load balancer bit from my web servers to the VPN.  I'm OK with setting up pools/VIPs to do the load balancing, I just don't know how to work out the addressing to make it work.

    Any suggestions, pointers to a documented working solution etc would be gratefully received.


  • Sorry, should have added that my pfsense boxes are version 2.1-BETA0 (amd64) built on Thu Nov 8 06:41:07 EST 2012
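For the addressing question in the post, the following is the shape of the pf translation rules that a pfSense load-balancer pool plus virtual server boils down to, written out by hand here as an added illustration; it is not text from the post, the poster's configuration, or output generated by pfSense. The extra LAN virtual IP 10.10.2.100, the Phase 2 local network 10.10.2.0/24 and port 80 are assumptions chosen for the example.

```pf
# Assumed for this example: 10.10.2.100 is an IP Alias VIP on the LAN that the
# supplier is told to talk to, and the Phase 2 local network given to the
# supplier is 10.10.2.0/24, so the VIP sits inside the tunnel selector and the
# supplier's packets for it arrive on the IPsec interface (enc0).
table <websrv> { 10.10.2.1, 10.10.2.2 }

# Translate traffic arriving over IPsec for the VIP to one of the two real
# servers, alternating between them; sticky-address keeps a given remote
# client on the same server for the life of its sessions.
rdr on enc0 proto tcp from any to 10.10.2.100 port 80 -> <websrv> round-robin sticky-address

# Let the translated traffic through. The reverse translation happens on the
# state entry, so the web servers' replies must come back through this
# firewall (their default gateway should be the LAN CARP address, not the
# address of either physical box) to be un-NATed and sent back down the tunnel.
pass in quick on enc0 proto tcp from any to <websrv> port 80 keep state
```

The point of the example is the addressing rather than the syntax: the supplier only ever sees 10.10.2.100 as the destination, so the Phase 2 entry they configure must cover that address, and the real server addresses never need to appear in their configuration. The sticky-address and return-path notes are the two things to verify on a test setup before handing the VIP to the supplier.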

