3 Location Site to Site VPNs, Setup Help



  • Hello pfSense community!

    I am a newly crowned IT Manager at a small 25-employee, 6-location non-profit. I am new here, trying to shine, and one thing I have noticed is we are paying a lot of money for dedicated 1.54 Mb T1 tunnels for site-to-site technology. The speeds are abysmal, and tests I did using the PPTP client on DD-WRT crushed the speeds we have now.

    We have very little site-to-site traffic and I'd love to set up pfSense (I love the interface and it's logical/simple enough for me to use) as a site-to-site network.

    Our layout is 6 locations, 3 of them actual offices:

    Office 1 (Main Office, ASA router, Exchange server, file server, DHCP, 2 printers) 8 users
    Office 2 (file server, DHCP, 2 printers) 4 users
    Office 3 (file server, DHCP, 1 printer) 3 users

    The rest are small 1-user retail stores, which connect into the ASA via the Cisco client. I know OpenVPN has a desktop client.

    I have about 10 years in the field, but I've worked exclusively with SMARTnet-managed routers and devices, so I've been hands-off. Concepts, terms, everything, it's all clear; I just really need help getting it set up and I have no problem taking it from there. If someone could help me, I could even pay if that's what it takes. I'd greatly appreciate it and it would certainly help out greatly. It's a puzzle and I'm missing a few pieces.

    Kind Regards,
    T



  • I do a lot of work for a local non-profit and have a very similar setup. I went with OpenVPN of course. I set up my main office as a server and connected that to the satellite offices. I used jimp's advice from https://forum.pfsense.org/index.php?topic=36388.0 and this guide https://doc.pfsense.org/index.php/OpenVPN_Site_To_Site to help. I had limited experience with OpenVPN (still do) but it really was not very difficult. I did the entire setup from the main office over RDP, and every remote site is running a pfSense VM, as each of our servers is running ESXi.

    Also, we previously had ASA devices that I replaced because of the software-based licensing and a lack of funds to pay (we don't qualify for Cisco's TechSoup offerings).

    BTW, if you have your servers on ESXi:
    For a non-profit I found a pfSense VM to be an easy, cheap, reliable firewall/router solution for the entire office. It does mean you rely on the host to be up to do anything, but so far this has not been an issue at all; for us, if the host went down not much would be getting done anyway. The only downside is it's very difficult to fix a down host remotely, as nothing will have internet. To get around this I set up an old WRT54G at each site, taped over all unused ports and used a red wire from our internet modem, so if something goes wrong I can just get someone locally to "move the red wire to the only open port on the blue box with antennas" and then fix the issue remotely.

    I would say if you have ESXi just go for it and try to set it up (if you don't have ESXi you could try vSphere or even VMware Workstation as a proof of concept). If you have issues, post back and I'm sure someone will be able to help.

    I know that's a long post for really not saying much, but there's not a lot that can go wrong.

    If there are any specific pieces you're missing now, by all means post them and someone will help you out, or there's always the pfSense paid support.



  • Just put peer-to-peer from Office 2 and 3 to Office 1. If there is not much traffic between Office 2 and 3, then let it just route via Office 1; otherwise make a 3rd peer-to-peer.
    If the other locations really are 1-user things, then you could have a "road warrior" style server in Office 1 for them to connect to from the OpenVPN client on their PC. But those other locations will need some internet-connecting device, so sometimes it is just as easy to put a basic pfSense there and let it be the internet gateway and have a peer-to-peer link back to Office 1.
    Post questions when you get stuck - plenty of people here that are happy to help.
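    A worked example of the hub-and-spoke layout this reply describes, added here and not taken from the post, from pfSense's own documentation or from its generated configs: plain OpenVPN directives for Office 1 as the server with Office 2 and Office 3 as peers, so that Office 2 and 3 reach each other by routing through Office 1. All subnets (10.1/10.2/10.3.0.0/24 for the three LANs, 10.255.0.0/24 for the tunnel), the hub hostname and the certificate and file names are constructed, and the LANs are assumed not to overlap.

```openvpn
# ---- Office 1 (hub) server: /etc/openvpn/site2site.conf
port 1194
proto udp
dev tun
topology subnet
server 10.255.0.0 255.255.255.0        # tunnel network (constructed)
ca ca.crt
cert office1.crt
key office1.key
dh dh.pem
tls-crypt ta.key                       # shared key: unauthenticated packets are dropped before TLS
cipher AES-256-GCM
auth SHA256
remote-cert-tls client                 # accept only certificates issued as client certs
keepalive 10 60
persist-key
persist-tun
push "route 10.1.0.0 255.255.255.0"    # every spoke learns the hub LAN
route 10.2.0.0 255.255.255.0           # hub kernel routes to each spoke LAN via the tunnel
route 10.3.0.0 255.255.255.0
client-config-dir ccd                  # per-spoke settings, one file per certificate CN
# no client-to-client: spoke-to-spoke traffic passes through the hub's kernel,
# so the hub's firewall rules on the OpenVPN interface still apply to it

# ---- Office 1: ccd/office2   (file name must equal the CN in office2.crt)
iroute 10.2.0.0 255.255.255.0          # this client is the path to Office 2's LAN
push "route 10.3.0.0 255.255.255.0"    # Office 2 reaches Office 3 through the hub

# ---- Office 1: ccd/office3
iroute 10.3.0.0 255.255.255.0
push "route 10.2.0.0 255.255.255.0"

# ---- Office 2 (spoke): /etc/openvpn/tohub.conf   (Office 3 identical except cert/key)
client
proto udp
dev tun
remote vpn.office1.example 1194        # placeholder hub hostname
ca ca.crt
cert office2.crt
key office2.key
tls-crypt ta.key
cipher AES-256-GCM
auth SHA256
remote-cert-tls server                 # refuse anything but the hub's server certificate
keepalive 10 60
persist-key
persist-tun
```

    Each pfSense still needs firewall rules on its OpenVPN interface permitting the other sites' subnets, and a spoke's certificate CN must match its ccd file name or its iroute is never applied. The 1-user stores described above would get a separate server instance on another port that pushes the same three routes to the desktop client.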

