Accessing specific VLANs via VPN?



  • I am trying to figure out the best solution for my problem.

    I have a large number of VLANs, many with identical ip addresses. Just to make this easy let's say I have 200 VLANs. VLAN 1 contains servers that need to be accessed from all of the other VLANs, VLAN 2 contain users that need to be able to access any other vlan at any given time.

    My current thinking is to have VLANs 3-200 NAT back to the servers on VLAN 1 and have the users (on VLAN 2) access their desired VLAN via VPN.

    Is this a dumb way to go about this? Is there something that I am missing? I have spent a fair amount of time searching and reading and this is the best solution that I can come up with.

    Thanks,
    .dok


  • LAYER 8 Netgate

    I have a large number of VLANs, many with identical ip addresses.

    Oops.

    Maybe you could describe your situation in more detail.



  • @Derelict:

    I have a large number of VLANs, many with identical ip addresses.

    Oops.

    Maybe you could describe your situation in more detail.

    Absolutely.

    I have a list of "guest" networks that I do not control the IP scheming of. These networks do not need to talk to each other but they do need to access a few servers.

    I also need to access these networks individually for remote administration/etc.

    I am trying to come up with a configuration that prevents the guest network from talking with each other but allows them to reach the services on the servers. I also need to access all of the devices on these networks from a central desktop.

    I hope that clears it up.

    .dok


  • LAYER 8 Netgate

    You have a mess on your hands.  How about an example of two problematic, conflicting networks, all the IP schemes and interfaces involved, and what you have and do not have the power to control or change?  Please be as detailed as possible, but stick to two (or three) "guest networks" and perhaps one community server.



  • Here is an example.

    VLAN1

    • Server A
    • 172.16.1.1
    • 172.16.1.0/24 Network
    • FTP server
    • I have control over this ip scheme

    VLAN2

    • Workstation A
    • 172.16.2.1
    • 172.16.2.0/24 Network
    • Needs FTP access to Server A
    • I need to be able to access any machine on any port on VLANS 10-12
    • I have control over this ip scheme

    VLAN10

    • 172.16.10.0/24 Network full of devices
    • All devices need ftp access to Server A
    • I do not have control over this ip scheme

    VLAN11

    • 172.16.10.0/24 Network full of devices
    • All devices need ftp access to Server A
    • I do not have control over this ip scheme

    VLAN12

    • 172.16.1.0/24 Network full of devices
    • All devices need ftp access to Server A
    • I do not have control over this ip scheme

    Thanks,
    .dok


  • LAYER 8 Netgate

    And what are VLAN10 and VLAN11 using for routers?  What is their default gateway? How do they get internet? Do you control that piece?



  • On VLAN10 and VLAN11 all devices are statically ip'd. They do not have (nor do they need) internet access. They are all connected to the pfsense box via a vpn connection.

    I can set the gateway on all of the devices but that is all. Setting pfsense as the gateway would allow me to do routing on the pfsense box correct?


  • LAYER 8 Netgate

    You're going to need to better describe your topology.  What on VLAN10 and 11 is making the VPN connection?  What type of VPN?  If they're behind a VPN router why are you calling it a VLAN?  Is there a managed switch somewhere?  Do you control that?

    I'm thinking some sort of 1:1 NAT might work for you, but it depends.

    You really should tell them they have to renumber and do something sane with your subnets.  That is the best solution to your problem.  Let me guess:  They don't want to spend any money either.



  • You called it.

    I will simplify the setup some more.

    VLAN 1

    • Server A
    • 172.16.1.1
    • 172.16.1.0/24 Network
    • FTP server
    • I have control over this ip scheme

    VLAN 2

    • Workstation A
    • 172.16.2.1
    • 172.16.2.0/24 Network
    • Needs FTP access to Server A
    • I need to be able to access any machine on any port on Networks 2-4
    • I have control over this ip scheme

    Network 1

    • Contains VLAN1 and VLAN 2
    • Gateway is my pfsense box.

    Network 2

    • IPsec VPN to pfsense box
    • 172.16.10.0/24 Network full of devices
    • All devices need ftp access to Server A
    • I do not have control over this ip scheme
    • This network does not need to be able to talk to any other network directly

    Network 3

    • IPsec VPN to pfsense box
    • 172.16.10.0/24 Network full of devices
    • All devices need ftp access to Server A
    • I do not have control over this ip scheme
    • This network does not need to be able to talk to any other network directly

    Network 4

    • IPsec VPN to pfsense box
    • 172.16.1.0/24 Network full of devices
    • All devices need ftp access to Server A
    • I do not have control over this ip scheme
    • This network does not need to be able to talk to any other network directly

    I assumed that Networks 2-4 would each have their own vlan but that is not necessary.

    Is there anything else that I can do to make this easier to understand? Like drawing a picture?


  • LAYER 8 Netgate

    Diagrams are always good.  What type of IPsec VPN are they connecting with?  Site-to-Site via a router (what are the routers) or are all the workstations individually connecting using Remote Access?



  • Here is a rough drawing.

    site to site (I do not know the routers and they are guaranteed not to be the same since the number of these networks are growing.)


  • LAYER 8 Netgate

    I'm going to have to build that.  I honestly don't know if IPsec has enough flexibility for that.  I know I could figure something out with OpenVPN assigned interfaces for each endpoint, but that does you no good.

    Are you using pfSense 2.1.5 or 2.2?



  • I am using 2.2 but I can definitely change versions if that helps.

    What options could I have with OpenVPN? I doubt I could make that an option but it would still be nice to know.

    Thank you for your help.


  • LAYER 8 Netgate

    I'm not going to waste any time labbing this.  Jim pretty much sums it up here:

    https://forum.pfsense.org/index.php?topic=47349.msg249020#msg249020



  • Thank you


  • LAYER 8 Netgate

    And to answer your prior question…

    With OpenVPN you can assign interfaces to OpenVPN server instances then, on that interface, perform 1:1 NAT.

    So you would be connecting to distinct IP addresses and they would be NAT translated.  You'd still have your work cut out for you.  They would all have unique IP addresses as far as pfSense is concerned.  On the ones that are the same scheme as the local pfSense networks, you'd have to translate both source and destination IPs.


Log in to reply