Two subnets necessary?



  • Hello guys,
    I am about to set up pfSense on my thin client (3 NICs) using a VPN tunnel. Currently my network consists of only one single subnet. With the new pfSense box I would like to separate network devices into two groups: one group using a normal "clearnet" connection to the internet and the other group using the VPN tunnel to access the internet.
    Is there a need for setting up two different subnets, or can I configure two NICs for one local subnet so there is only one subnet but two gateways for the clients to choose from? I do not need the strict separation of two subnets, as devices need to communicate with each other, which would require setting up routing as well. Furthermore, unfortunately not all my switches are managed / can handle VLANs.
    What would you recommend to do? Best practice?  :-\



  • I would use policy routing, take a look at this guide.

    http://www.retropixels.org/blog/use-pfsense-to-selectively-route-through-a-vpn



  • I would use 2 subnets and set appropriate firewall rules to allow communication between them.
    A dedicated subnet for VPN, connected to an unmanaged switch, could be useful: any device you add to that switch will use the VPN. You need to set it up accordingly.
    This is exactly how my home network is designed.



  • @Borage Thx for the link, that is kinda what I am looking for, just the opposite way: tunneling all clients and having some exceptions that use clearnet. For sure these excluded hosts need to have a static IP.

    @Wolf666 The idea sounds good, but as you said the setup needs to be adjusted accordingly. I have two network cables to most rooms of the house already. So I would have to attach a switch to each line and build two completely separate networks, as every room contains devices of both groups. So I can decide between buying a bunch of unmanaged switches or fewer but more expensive managed switches.  :-\


  • LAYER 8 Netgate

    All you have to do is have a way to identify the traffic you want to go over the VPN versus the traffic you want to go out the normal WAN.

    This could be a separate subnet, static IPs (or DHCP static mappings) in a certain range, dot1x authentication with dynamic VLANs. There just has to be some mechanism to identify the traffic and you can route it accordingly.



  • Sorry for this (maybe uneducated) question but is it also possible to do the PBR by specifying MAC address? Or do I have to go by static IP / DHCP reservation?


  • LAYER 8 Netgate

    You probably want to use DHCP Static Mappings.  You can use IP addresses in any subnet, say .225 through .254.  You can then put a rule sending traffic to the VPN above your normal rules by using source network x.x.x.224/29.  No need to change the interface subnet.
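    As an added illustration of the rule described above (not code from the thread or from pfSense), the following Python snippet models a pfSense rule list evaluated top to bottom with first match winning, and includes a check that the source network chosen for the VPN rule actually covers every address reserved for the static mappings. The LAN prefix 192.168.1.0/24 and the gateway names VPN_GW and WAN_GW are assumptions; pfSense itself evaluates the rules, this only reproduces the matching logic so the coverage can be verified before the rule goes live.

```python
import ipaddress

# Constructed rule list in pfSense evaluation order (first match wins).
# The VPN rule sits above the normal LAN pass rule, exactly as the post suggests.
# 192.168.1.0/24 and the gateway names are assumptions for this illustration.
RULES = [
    {"source": "192.168.1.224/29", "gateway": "VPN_GW"},  # policy-routing rule for the reserved range
    {"source": "192.168.1.0/24",   "gateway": "WAN_GW"},  # default LAN rule, default gateway
]


def select_gateway(client_ip, rules=RULES):
    """Return the gateway assigned by the first rule whose source network contains client_ip."""
    ip = ipaddress.ip_address(client_ip)
    for rule in rules:
        if ip in ipaddress.ip_network(rule["source"]):
            return rule["gateway"]
    return None  # no rule matched: pfSense would fall through to the default deny


def uncovered_hosts(first, last, network):
    """Addresses in the inclusive range first..last that fall OUTSIDE network.

    Use this to confirm that every static-mapping address really hits the VPN rule.
    """
    net = ipaddress.ip_network(network)
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return [
        str(ipaddress.ip_address(n))
        for n in range(int(lo), int(hi) + 1)
        if ipaddress.ip_address(n) not in net
    ]


def smallest_covering_network(first, last):
    """Smallest single CIDR block that contains the whole inclusive range first..last."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    for prefix in range(32, -1, -1):
        candidate = ipaddress.ip_network(f"{lo}/{prefix}", strict=False)
        if hi in candidate:
            return str(candidate)
    raise ValueError("range cannot be covered")  # unreachable for valid IPv4 input


if __name__ == "__main__":
    for host in ("192.168.1.10", "192.168.1.230", "192.168.1.240"):
        print(host, "->", select_gateway(host))
    print("not covered by 224/29:", uncovered_hosts("192.168.1.225", "192.168.1.254", "192.168.1.224/29"))
    print("one block covering .225-.254:", smallest_covering_network("192.168.1.225", "192.168.1.254"))
```

Running it shows that a /29 starting at .224 spans .224 through .231 only, so a mapping at .240 would match the LAN rule and leave via WAN, while a single block covering .225 through .254 is 192.168.1.224/27; the same check applies to any range you pick for the mappings.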



  • That's how I will do it! Now I am looking for a way to deal with DNS forwarding. Currently all clients use the Windows server (AD) as primary DNS. The DNS service also handles the DNS forwarding. Unfortunately, and like in pfSense, the DNS forwarders are global and cannot be set only for a specific range of hosts, subnet or interface.
    While all clients are supposed to have the Windows server as primary DNS to work properly, external requests are supposed to be resolved by different DNS servers for the clearnet and VPN individually. How can I achieve that?


  • LAYER 8 Netgate

    In the static DHCP mappings you can configure different DNS servers for those clients, say servers run by the VPN provider.  Getting them to work with your domain controller DNS and the other DNS servers at the same time will be tricky if not impossible.

    It depends on how serious you are about traffic from these machines never going out the WAN if, say, the VPN is down.  There are mechanisms to deal with that.

    I personally think most people take DNS leakage a little too seriously for the typical PIA VPN use cases.



  • I totally agree with you and I'm not that paranoid, but the DNS of my VPN has proven to be fast and reliable - so why not use it, especially since I paid for it :) As expected it is only accessible from clients using the VPN tunnel. I have set up pfSense for two NICs according to this guide: https://airvpn.org/topic/11245-how-to-set-up-pfsense-21-for-airvpn/
    Well, I cannot omit using the Windows Server's DNS: for the sake of AD and also to block (redirect to localhost) certain URLs. The only thing I could do is to forward DNS requests to the pfSense box. But then I am stuck with the problem there…


  • LAYER 8 Netgate

    Yeah there is no good solution.  Your clients get configured with DNS servers.  They query the servers.  The servers need to know which zones to send over the VPN and which zones to send to some other DNS servers.  If that's easily definable, you could do it with the zone overrides in the forwarder.  But it's not easily definable because you not only need to forward your main domains to the right place, but all the resources on all the pages loaded.



  • Hey, I guess I just found a way to do this while browsing through the various settings. In the "general setup" tab where you enter the DNS servers you have the option to choose a gateway for each server individually! I am not sure if this option was available during initial setup since there was only one gateway (WAN). But now both are available: WAN for clearnet and VPN. So I set the DNS forwarder on my Windows server to the IP of my pfSense box only and removed the others. That seems to work :)


  • LAYER 8 Netgate

    Interesting.  I didn't think it worked that way.  I thought that just locked the DNS server to a particular gateway but a DNS forwarder query could still be resolved using any of the DNS servers, regardless of gateway.



  • Indeed it does not seem to work as I expected. What happens now is that both client groups only use the OpenDNS service that I provided along with my VPN provider's DNS. The DNS server of my VPN provider doesn't seem to be used for either connection - what could cause this? I have specified the OpenVPN tunnel as gateway and it is accessible.
    As I understand it, all DNS servers in the list are queried simultaneously (and using the gateway assigned to them) and the first (fastest) response is accepted. The strict order option changes the behavior to do the queries sequentially.
    How about this: setting the strict order option, the first DNS is my VPN provider's server (VPN tunnel as gateway) and the second DNS is OpenDNS using the WAN interface. The secondary DNS is necessary to establish the tunnel, as I do not know how reliably static IPs in the VPN config will work with this provider.
    What do you think about this setup?

