Site to Site VPN Help



  • Hello guys
    First of all, let me say that pfSense is a great piece of work, thank you all for your hard work.
    Now the difficult part… the dumb question :D

    Let me describe the scenario:
    I have a Dell server with two NICs, one with my internal IP 192.168.1.22 and another that I can define in the future.
    What I need is to connect two sites using a site-to-site VPN, but I don't want them to have access to my docs and things on my network. I'm not a network guru or anything, so I don't have a clue how to do it.
    But I want the users connected to my server to be able to access the client server to do some maintenance at the client side.

    My idea is more or less this:

    [PFSENSE]--->PublicIP----------------vpn-site-to-site--------------[clientserver]
                  |
                  |
              [nic1] (what IP?)
                  |
                  |
              [myserver - windows 2003]
                  |
                  |
              [nic2]
                  |
                  |
            [192.168.1.22/24]------------>MY NETWORK SERVERS

    Thanks in advance



  • What are docs?
    Where is your problem? (you don't ask any questions)

    I wouldn't let your Win2k3 machine do any routing.

    More something like this:

    [PFSENSE] [WAN] (PublicIP)----------------vpn-site-to-site--------------[clientserver]
              /            \
             /              \
    [DMZ] (192.168.2.1)  [LAN] (192.168.1.1)
            |                    |
            |                    |
            |                    |
         Servers              Clients

    Right now you CANNOT firewall the OpenVPN Interface.
    Also traffic is only filtered on the interface on which the traffic comes in.
    You would have to make rules on the other side of the tunnel (Clientserver) which block/allow access to your servers/clients.



  • Thanks for your quick answer

    But the thing is, I need to connect two networks site to site, but I don't want them to see any of my shared folders (docs) or browse my network.
    I don't want the remote server to even see my internal network PCs.

    My idea was to use my Windows 2003 server, which already has 2 NICs, one with my network IP (192.168.1.22/24) and the other with some IP that will be used for the site-to-site VPN.

    I understand your ASCII diagram, but I can't change the actual layout of my network.

    Do you have any further ideas?



  • @g0x:

    But the thing is, I need to connect two networks site to site, but I don't want them to see any of my shared folders (docs) or browse my network.
    I don't want the remote server to even see my internal network PCs.

    My idea was to use my Windows 2003 server, which already has 2 NICs, one with my network IP (192.168.1.22/24) and the other with some IP that will be used for the site-to-site VPN.

    If you don't want the other side to see your shares, just create a firewall rule on your client pfSense that blocks destination ports 139 and 445.
    Or if you don't want them to access your clients at all, don't allow destination "forbidden destination".

    How is the layout of your network right now?
    (just because you wrote that you cannot change the layout)

    Or do you want to run pfSense on top of Win2k? O_o



  • OK, here is my network layout
    Maybe you guys have some other opinions… all of them will be appreciated :D

    ISP [Pool of 5 Public IPs]
                  |
                  |
            [16 Port HUB]
                  |
                  |
                  |---------------------------[router DrayTek Site to Site other Office]
                  |
                  |
                  |---------------------------[PFSENSE - VPN SITE to SITE][Lan-192.168.1.254][Wan-Public IP]
                  |
                  |
    [IP NOKIA 330-Firewall-Def. Gateway]------------------[DMZ - Linux - Trustix - SMTP - PostFix + Squid]
                  |
                  |
            [192.168.1.1]
                  |
                  |
        ------------------------------------------------------------
        |                           |                              |
    [D.C->192.168.1.17]   [Exchange->192.168.1.30]   [App Server->192.168.1.20]

    IP330 NOKIA -> default gateway for servers and PCs with fixed IPs

    PFSENSE -> default gateway and proxy for LAN PCs

    --------------------------------------------------------------------------------------------------

    It's pfSense that I want to connect to some other pfSense or Cisco etc.; it needs to be IPsec.
    But I don't want the other end of the site-to-site VPN to see / browse my office PCs / shares etc.

    Thanks
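An added example, not code from pfSense or from any poster in this thread: the two rules suggested in the earlier reply (block destination ports 139 and 445, then refuse every other destination on the office LAN) written as pf rules of the kind pfSense generates, for the 192.168.1.0/24 LAN in the layout above. The remote network 10.10.10.0/24, the IPsec interface name enc0, the maintenance host and port 3389 are assumptions.

```pf
# Added example for the thread above; not pfSense's own configuration.
# Assumptions: the remote office uses 10.10.10.0/24 (placeholder), traffic from
# the IPsec tunnel arrives on enc0, and 192.168.1.20 (the App Server in the
# layout) is the only host the remote side may reach, over RDP (3389).
lan_net    = "192.168.1.0/24"
remote_net = "10.10.10.0/24"
maint_host = "192.168.1.20"
smb_tcp    = "{ 139, 445 }"   # NetBIOS session and SMB over TCP
nb_udp     = "{ 137, 138 }"   # NetBIOS name and datagram services

# Filtering happens on the interface where traffic enters the firewall, so the
# rules for packets coming from the remote site sit on the IPsec interface,
# not on LAN. "quick" makes the first matching rule final.

# 1. Keep the remote side off the shares: refuse SMB/NetBIOS toward the LAN.
block return in log quick on enc0 proto tcp from $remote_net to $lan_net port $smb_tcp
block in log quick on enc0 proto udp from $remote_net to $lan_net port $nb_udp

# 2. Allow only the one maintenance destination and refuse everything else on
#    the office LAN. "log" records each refused attempt in the firewall log,
#    which is how you notice the remote side probing your PCs.
pass  in quick on enc0 proto tcp from $remote_net to $maint_host port 3389 keep state
block in log quick on enc0 from $remote_net to $lan_net

# Connections started from your own LAN toward the client server are evaluated
# on the LAN interface, where the default pfSense LAN rule already allows them;
# the state table lets their replies back in through enc0.
```

In the pfSense GUI the same rules are entered on the IPsec tab under Firewall > Rules, in this order.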

