Netgate Discussion Forum
    Site to site VPN with one static IP possible in 2.1?

    General pfSense Questions
pwb wrote:

      Hi, is it possible to run site to site VPN where only one site has static wan IP?

phil.davis wrote:

Yes, put the VPN server at the static IP. Then the client can connect from any IP (as long as you make a rule on the server WAN to pass source any to destination WAN IP, port "VPN server port").
For a bit of extra security, register for DynamicDNS with a dynamic DNS provider. Make the client register a dynamic DNS name so it translates to the current client-end dynamic public IP.
On the server, make an alias for that dynamic DNS FQDN. Put that in the WAN pass rule source.
Then connections will only be allowed from the known client-end IP. pfSense at the server end will check the name every 5 minutes and update the table/rule in pf. So it will take 5 minutes after the client gets a new dynamic IP from the ISP for the server end to realise and start allowing it access.

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

phil.davis wrote:
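To make the mechanism in the reply above concrete, here is an added example (not pfSense's own code, and not from the thread) that models a hostname alias used as the source of the VPN server's WAN pass rule. The resolver is injected and backed by a constructed fake dynamic-DNS provider so the example runs offline; the hostnames, addresses, interface name and port are assumptions. The pf rule text is an approximation of what the GUI rule turns into, written by hand here. The timeline shows the caveat from the reply: after the client's ISP changes its address, the new address is rejected until the next refresh of the alias table.

```python
"""Model of the pfSense pattern described in the reply above: a firewall alias
holding a dynamic-DNS hostname, re-resolved on a fixed interval, used as the
allowed source of the VPN server's WAN pass rule. Added example, not pfSense code."""
from dataclasses import dataclass, field
from typing import Callable, List, Set
import ipaddress

# The reply states pfSense re-resolves hostname aliases every 5 minutes.
REFRESH_SECONDS = 300


@dataclass
class HostnameAlias:
    name: str
    fqdn: str
    resolver: Callable[[str], List[str]]   # fqdn -> list of IPs; injected so the example runs offline
    refresh_seconds: int = REFRESH_SECONDS
    table: Set[str] = field(default_factory=set)   # current contents of the pf table <name>
    last_refresh: float = -1.0

    def refresh(self, now: float) -> Set[str]:
        """Re-resolve the FQDN and replace the table contents (what 'pfctl -t NAME -T replace' does)."""
        ips = {str(ipaddress.ip_address(ip)) for ip in self.resolver(self.fqdn)}
        self.table = ips
        self.last_refresh = now
        return ips

    def tick(self, now: float) -> None:
        """Refresh only when the interval has elapsed, as the periodic updater would."""
        if self.last_refresh < 0 or now - self.last_refresh >= self.refresh_seconds:
            self.refresh(now)

    def allows(self, src_ip: str) -> bool:
        """Would a packet from src_ip match 'source = alias' right now?"""
        return str(ipaddress.ip_address(src_ip)) in self.table


def pf_rule(wan_if: str, alias: HostnameAlias, proto: str, port: int) -> str:
    """Hand-written pf equivalent of 'pass on WAN, source = alias, dest = WAN address, port = VPN port'."""
    return (f"table <{alias.name}> persist\n"
            f"pass in quick on {wan_if} proto {proto} from <{alias.name}> "
            f"to ({wan_if}) port {port} keep state")


class FakeDynDns:
    """Constructed stand-in for the dynamic-DNS provider the client end updates."""
    def __init__(self, fqdn: str, ip: str):
        self.records = {fqdn: ip}

    def update(self, fqdn: str, ip: str) -> None:
        self.records[fqdn] = ip

    def resolve(self, fqdn: str) -> List[str]:
        return [self.records[fqdn]]


def simulate() -> list:
    """Timeline: client IP changes at t=100; the server only admits it at the next refresh (t=300)."""
    fqdn = "homeoffice.example.dyndns.test"               # assumed hostname
    dns = FakeDynDns(fqdn, "198.51.100.10")                # constructed addresses
    alias = HostnameAlias("vpn_client", fqdn, dns.resolve)
    events = []
    alias.tick(0)
    events.append((0, alias.allows("198.51.100.10")))      # original client IP is allowed
    dns.update(fqdn, "203.0.113.77")                       # ISP hands the client a new address
    alias.tick(100)
    events.append((100, alias.allows("203.0.113.77")))     # not yet: table still holds the old IP
    alias.tick(300)
    events.append((300, alias.allows("203.0.113.77")))     # refreshed: new IP admitted
    events.append((300, alias.allows("198.51.100.10")))    # old IP dropped from the table
    return events


if __name__ == "__main__":
    print(pf_rule("em0", HostnameAlias("vpn_client", "homeoffice.example.dyndns.test", lambda f: []), "udp", 1194))
    for t, ok in simulate():
        print(f"t={t:>3}s allowed={ok}")
```

The gap between t=100 and t=300 is the window the reply warns about; shortening the alias refresh interval narrows it, but the tunnel will still drop for that long after every client address change unless the client re-registers and the server re-resolves promptly.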

For the benefit of other readers, the server end can also be a dynamic IP, with a dynamic DNS name kept up to date automatically from the server-end pfSense. The client connects to this name + VPN port.
As long as the server end has a public IP, you should be in business. The client end can even be on a crappy ISP somewhere that gives private IPs or carrier-grade NAT IPs to its customers.

pwb wrote:

@phil.davis:

OK, I have tested this with one SonicWall at the client site and pfSense at the office site; the problem was that I could set up site-to-site on pfSense at the office without pointing to a static IP on the client. But I will test this with two pfSense boxes, thanks.

pwb wrote:

Tested it; it's not possible to have a blank gateway in the IPsec settings on the home office site, so it is still not possible to make a site-to-site VPN (not client-to-office, but site-to-site) with two pfSense boxes where only one has a static IP, or?

phil.davis wrote:

All my comments above are specifically valid for OpenVPN. Not being an IPsec user, I can't comment on the flexibility or otherwise of IPsec configurations, so others can jump in now…

pwb wrote:

Is it possible to run site-to-site with OpenVPN? I need the pfSense box at the home office site to connect to the pfSense at the office, and the PCs behind the home office pfSense should get IPs from the DHCP server at the office site. I don't need to use IPsec; if it's possible with OpenVPN I could use that.

mauirixxx wrote:
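As an added illustration of the OpenVPN layout the earlier replies describe (this is not configuration from the thread or generated by pfSense; it is a generic OpenVPN peer-to-peer SSL/TLS pair written for this page), here is a routed site-to-site setup in which only the office end is reachable by a fixed name. The hostname, port, LAN subnets and certificate file names are assumptions. The office side never references the home office's address; the home office side only needs to resolve the office name, which can itself be a dynamic DNS record. Note that a routed tun tunnel like this does not hand out office DHCP leases to home-office PCs; that would need a bridged (tap) tunnel or a DHCP relay, which is a different layout from the one shown.

```conf
# --- office end (static IP or DynDNS name): OpenVPN server, accepts the peer from any source address ---
dev tun
proto udp
port 1194
server 10.8.0.0 255.255.255.0              # assumed tunnel subnet
ca ca.crt
cert office.crt
key office.key
dh dh2048.pem
tls-auth ta.key 0                          # HMAC on the control channel; drops unauthenticated probes
route 192.168.20.0 255.255.255.0           # kernel route for the home-office LAN via the tunnel
client-config-dir ccd                      # ccd/homeoffice contains: iroute 192.168.20.0 255.255.255.0
push "route 192.168.10.0 255.255.255.0"    # office LAN advertised to the home-office router
keepalive 10 60
persist-key
persist-tun

# --- home office end (dynamic IP, may be behind NAT/CGNAT): OpenVPN client, no fixed address needed ---
client
dev tun
proto udp
remote office.example.dyndns.test 1194     # assumed name; a DynDNS record works here too
nobind                                     # no fixed local port, so NAT on the ISP side is fine
resolv-retry infinite                      # keep retrying the name if the office IP changes
ca ca.crt
cert homeoffice.crt
key homeoffice.key
tls-auth ta.key 1
remote-cert-tls server                     # refuse to connect to anything but a server certificate
keepalive 10 60
persist-key
persist-tun
```

The `iroute` line in the per-client file is what makes this site-to-site rather than road-warrior: it tells the server which LAN sits behind that particular peer, so the office can reach home-office hosts and not just the tunnel endpoint.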

                    I'm running a Fortigate 80C @ work and have a site to site ipsec VPN connecting my home office to it. I've yet to try openvpn, as the ipsec config "just worked" for me. Office is a static, home is dynamic. So yeah, totally doable with ipsec.

                    –mauirixxx

pwb wrote:

@mauirixxx:

Yes, I know it's doable, but not with pfSense at the work/office end, since pfSense NEEDS a static IP on your home box. I have set up other solutions and many boxes don't need to have an IP for the home box. I think it is made this way so the office could connect to the home, but if home had a stay-alive checkbox there wouldn't be any reason to use a static IP in both places.
