Interesting situation – need to route all local traffic through remote pfSense

breakaway

Hello Everyone

I am in an interesting situation. I have a office site and a datacenter site. At the data centre, I have a large /26 IP block. I have a few addresses on this block that I am not yet using.

I am wanting to share my internet connection at the office with others in the office building. Now this would be very easy to do, unfortunately due to ISP limitations, we are not able to do this. At the datacenter we have 'unmetered' carrier grade bandwidth.

The ISP limitation is that we are allowed 'unlimited' national traffic over the link, but we are limited to only 200GB of 'international' traffic. As it stands, we are hitting this 200GB limit almost every month. If I start sharing our internet with other entities, we will quickly exceed this cap and it will start to become very expensive (ridiculous overage charges). Switching ISPs to get one with a better plan or getting a second connection in for sharing purposes is NOT an option due to the political atmosphere and the timeframes involved. It's totally out of the question.

So I have come up with a creative way to solve this problem – give the companies requiring an internet connection in the office building a non-routable subnet (e.g. 192.168.240.0/24), connect them to our pfSense and then route all their traffic through the office internet connection to the datacenter; then and NAT it using one of the IPs on my /26 block on the internet.

This way, our ISP at the office would see all traffic as "National" traffic and not surpass our tiny 200GB cap.

I need some insights and instructions on

(a) whether this is possible
(b) if (a) is true, what tech is best to use? I am very experienced with using IPSEC for site to site tunnels (but that's done using non-overlapping subnets -- is it possible to NAT everything out of the 192.168.240/24 subnet into my datacenter IP?
(c) is there a better way to do this?

Any insights appreciated.

kejianshi

Me personally, I'd need a picture of how you want this set up.

phil.davis

It should be possible. I use OpenVPN, but I expect IPsec would work also. For example:
a) Put them on their own interface and subnet like you suggest 192.168.240.0/24 - using different private IP range than is used anywhere else in office or data centre. Let's call it OTHERLAN.
b) Make a VPN from office to datacentre (maybe you have one already?).
c) Add a gateway that is the data centre end of the VPN - DATACENTREGW
d) Put a policy-routing rule on OTHERLAN to pass all traffic but send it to DATACENTREGW. (no NAT on this hop)
e) In the data centre router, pass all traffic arriving on the VPN with source 192.168.240.0/24 and destination not a private subnet (i.e. you do not want OTHERLAN users accessing private IPs of devices in the data centre.

The data centre router should then NAT the OTHERLAN traffic out its public internet and the replies should flow happily back the reverse path.

breakaway

kejianshi – here's what I want

I think phil.davis has hit the nail on the head here. I will try it and report back

breakaway

Ok I am giving this a shot now. The Office pfSense has been assigned with 192.168.254.10/24, and the datacenter pfSense is configured with 192.168.253.10/24. The IPSEC phase 2 has been added as well and the tunnel is up. Now, I need to figure out how to force traffic from 192.168.254.0/24 at the office into the 192.168.253.10/24 gateway at the datacenter.

phil.davis, can you clarify the second part of your post? i.e.

c) Add a gateway that is the data centre end of the VPN - DATACENTREGW
d) Put a policy-routing rule on OTHERLAN to pass all traffic but send it to DATACENTREGW. (no NAT on this hop)

How do I add the gateway that's on the datacenter end of the VPN? If I go to System > Routing > Gateways and try to add the  datacenter end of the tunnel (i.e. 192.168.253.10), I can't do that because the only possible drop downs in the "Interface" list are the physical interfaces on this end of the tunnel.. how do I tell it that I want the gateway to be on the other end of the tunnel? I hope that makes sense.

Edit: I also thought I'd add that I found this guide https://doc.pfsense.org/index.php/Routing_internet_traffic_through_a_site-to-site_IPsec_tunnel that allows me to accomplish what I want, however the guide assumes you want to send everything from Site A to Site B – that's not what I want, I only want to send traffic from a specific interface from the Site A pfsense to Site B.

NOYB

Do these internet sharing clients need or want to host any services?  Such as DNS, SMTP email, Web Site, VPN access to office, etc.?  It may be easier or even necessary to assign them their own dedicated IP address at the data center rather than NATing.

kejianshi

You can tell pfsense to use openvpn as the outbound interface for a particular LAN interface by configuring that in firewall > NAT Manual outbound NAT.  Just be sure to add a virtual interface for openvpn (I'd use openvpn).

So, as an example, if everything on OPT5 was on 192.168.201.0/24 and you wanted anyone on opt5 to get internet through your pfsense/openvpn server in the datacenter, you would put that into your manual outbound NAT on the client pfsense and select your openvpn interface instead of WAN in manual outbound NAT.

cmb

Firewall rules can direct traffic in this case, or can set a default route across the VPN.

@kejianshi:

You can tell pfsense to use openvpn as the outbound interface for a particular LAN interface by configuring that in firewall > NAT Manual outbound NAT.

No, NAT strictly defines translation, not where traffic goes.

kejianshi

Yeah - Its does work.

If a openvpn client interface is selected on manual outbound NAT, that interface is where all the outbound traffic that meets the criteria stipulated will exit.

I'm sure you know lots more than me, but you can't tell me that something that has been working for me for a long time doesn't work.  I know it does because its working for me now.  Not theory.

However, I agree, that doing it in firewall rules also works.

Derelict

But why NAT VPN traffic between distinct private lans?

kejianshi

What this guy is asking for isn't actually uncommon at all if I'm understanding correctly.

There is a site A and a site B

He wants all internet bound traffic from a particular interface on site B to go out over vpn to a server at site A.

Seems simple enough.  Anyway - Will be interesting to see what he works out.

breakaway

Hi,

Sorry my diagram is somewhat incorrect and my original phrasing of the question is quite poor.

Here's what I want – I want to route all traffic coming into OPT3 at the office sent to the datacentre, then out the datacentre's internet connection.

I would have thought this is a fairly typical configuration. I've found guides on how to send ALL traffic from the pfSense through the IPSEC tunnel, but no guide on how to funnel traffic out a single interface through an IPSEC tunnel.

I'd rather not use OpenVPN because all our Site to Site VPNs are established using IPSEC. But if it so happens that IPSEC cannot accomplish what I want, I will use OpenVPN

Can someone answer the million dollar question: 192.168.254.0/24 at Site A; 192.168.253.0/24 at Site B; IPSEC tunnel established between the two. Now, I need to send traffic from 192.168.254.0/24 at Site A through the IPSEC tunnel to Site B, then NAT it out the WAN connection of Site B.

I hope that explains it!

kejianshi

Why don't you just have both "sharing clients" connect directly to the office pfsense directly via openvpn for internet sharing?

breakaway

Because I am trying to provide internet access to an entire business (so devices like their printers etc can get internet access), not a VPN system.

cmb

@kejianshi:

Yeah - Its does work.

If a openvpn client interface is selected on manual outbound NAT, that interface is where all the outbound traffic that meets the criteria stipulated will exit.

No, it doesn't. NAT only defines translation, the system routing table and/or policy routing rules tell traffic where to go. You have a route or rule that's directing the traffic out of the VPN.

kejianshi

If the vpn server is configured correctly and the client, routes exist.

If the interface associated with the vpn client is configured in outbound NAT to be used with a certain subnet, thats where the traffic will go.

Seems simple to me.