Perm VPN for 2 Homes - Same ISP - Connection Speeds [100/40-50/30] - Share 720P



  • Please note that this will be a new build-out, so both ends will be running the most up-to-date pfSense on hardware that I have lying around.

    Purpose:
    To create a permanent VPN tunnel from my home to my in-laws' home.

    Info:
    Both homes are on the same ISP. I can run some tracerts and report back to get a better idea of hops, but normally the ISP does a good job of keeping hops to a minimum internally, from past experience.

    Site A is my home with a 101/40 MB connection
    Site B is my in-laws' with a 50/30 MB connection

    The primary goal for this project would be to share the files on my Synology with an XBMC instance I will have running at their home for 720p video.

    The secondary goal would be remote access to all of their systems to make administration easier on my part. I want to set up some more security on their end, limit wireless connectivity for the kids and do some DNS-based blocking of questionable material, but I would like to be able to work on that stuff over time from my home, as there is no office there to work out of.

    Another goal would be to set up VPN access to Site A for me to protect my mobile devices and laptop while out and about. I would work on that part of the project later on, but I wanted to mention it just in case it affects the configuration for the permanent site-to-site VPN.

    So my question is, can this be done, or should I quit while I'm ahead? If it can be done, what would be the best configuration for this type of setup? I tried my best to figure it out, and it looks like an IPsec tunnel would be best for this and I would need to use non-overlapping IP ranges.

    This would be a work in progress, so I'm not expecting a full answer for total configurations, but I'm hoping for some good starter information to help point me in the right direction.

    Thanks for all your help in advance.



  • Sounds doable.

    You'll need either a static IP (or static enough DHCP IP…mine hasn't changed since I installed pfSense), or dynamic DNS on your end.
    Make sure both private networks are on different private IP subnets.
    Set up an OpenVPN server and client.

    I'd put the Synology on its own VLAN or firewall interface so you have more control over who and what has access to its contents.



  • @almabes:

    Sounds doable.

    You'll need either a static IP (or static enough DHCP IP…mine hasn't changed since I installed pfSense), or dynamic DNS on your end.
    I'm using DDNS, so that should work for that.
    Make sure both private networks are on different private IP subnets.
    I'm a little unclear on this, so do you mean something like Site A on 192.168.1 and Site B on one of those other ranges (10.10.1), or can I use 192.168.1.2 for Site B?
    Set up an OpenVPN server and client.
    I was under the impression that IPsec would be the best protocol for this type of configuration, based on the KBs I was reading:
    https://doc.pfsense.org/index.php/VPN_Capability_IPsec

    I'd put the Synology on its own VLAN or firewall interface so you have more control over who and what has access to its contents.
    Can you explain a little further or provide a link to read for more info?



  • I use OpenVPN. It's free. It's SSL. It's fast. It's easier to configure. It works. It's part of pfSense.
    IPsec works fine as well. Its configuration is just a little more involved.

    I've set up both.

    You'll need to be able to route packets between the two networks. They'll both need to have separate private addressing schemes.

    For Example:
    Your house
    LAN:  192.168.42.0/24
    NAS:  192.168.10.0/24

    Inlaws
    192.168.43.0/24

    On my network, for security purposes, I have my NAS connected to a different interface on the firewall than the kids, their PCs and the Wi-Fi. I use firewall rules to control which IP addresses have access to the stuff on the NAS.

    Peruse this thread:
    https://forum.pfsense.org/index.php?topic=92838.0



  • This is awesome info, thanks for the heads-up. I will read the link tonight when I'm home and reply back with anything out of that.

    I have another question on your example, if you don't mind me asking. So could I do something like this?

    For Example:
    Your house
    LAN:  192.168.1.0/24
    NAS:  192.168.10.0/24

    Inlaws
    192.168.2.0/24

    Also, I think the /24 means the size of the IP block or something like that. Could you potentially give me a quick breakdown of what that means?



  • @BigO:

    This is awesome info, thanks for the heads-up. I will read the link tonight when I'm home and reply back with anything out of that.

    I have another question on your example, if you don't mind me asking. So could I do something like this?

    For Example:
    Your house
    LAN:  192.168.1.0/24
    NAS:  192.168.10.0/24

    Inlaws
    192.168.2.0/24

    You could; use whatever private address space you want.

    Also, I think the /24 means the size of the IP block or something like that. Could you potentially give me a quick breakdown of what that means?

    That's CIDR notation. It's basically shorthand for a subnet mask, written after the start of the network block. The number specifies how many bits of the mask are '1'. For example:
    /16 means 255.255.0.0
    /24 means 255.255.255.0
    /29 means 255.255.255.248
    /30 means 255.255.255.252

    http://www.subnet-calculator.com/cidr.php
    http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#CIDR_blocks
    http://en.wikipedia.org/wiki/IPv4_subnetting_reference



  • Just to add a small suggestion, if you're creating this from scratch.

    Don't use subnets like 192.168.1.x/24 or 192.168.0.x/24.
    They're perfectly valid, of course, but they're also used as the default network by many routers, APs and other devices.
    The net effect with VPN setups is ugly little routing problems that become less than fun to remedy.

    You may have noticed that almabes suggested addresses:

    For Example:
    Your house
    LAN:  192.168.42.0/24
    NAS:  192.168.10.0/24

    Inlaws
    192.168.43.0/24

    All of those addresses avoid 192.168.1.x and 192.168.0.x.

    One of my favorite ways to pick a subnet range in your type of scenario is to look at the house's street address and use that or a variant.
    E.g. "2375 Freen St" -> use 192.168.237.x. It doesn't always work well; sometimes you're stuck with only two digits to work with ("9873 Freen" -> 192.168.98.x or some such).
    But I find it helps me remember which subnet maps to which physical address, and it avoids the default subnet trap.

    Other than that, I can heartily recommend almabes' suggestion to use OpenVPN.
    It works, and works well; I've got a number of setups that run smoothly with little or no intervention.

    Just my $.02 and good luck!
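
    The CIDR notation almabes explained earlier in the thread, the requirement that the two houses use non-overlapping private subnets, and the "default subnet trap" from the post above, worked through in an added Python example. This is not code from the thread or from pfSense; it is a planning check you can run before touching either firewall. The site subnets are the ones almabes suggested (192.168.42.0/24 and 192.168.10.0/24 at home, 192.168.43.0/24 at the in-laws'); the hotspot subnet used to show the trap is constructed. The `route` lines it emits are plain OpenVPN directives, the equivalent of what pfSense builds from the remote networks you enter in the OpenVPN settings.

```python
"""Subnet plan checker for a pfSense site-to-site VPN (added example, not from the thread)."""
import ipaddress

# Subnets that many consumer routers and APs hand out by default. A VPN that
# routes one of these will collide with the LAN at a hotel, coffee shop, or
# the in-laws' old router sooner or later.
DEFAULT_TRAP = (
    ipaddress.ip_network("192.168.0.0/24"),
    ipaddress.ip_network("192.168.1.0/24"),
)

# Plan from the thread: home LAN, home NAS segment, in-laws' LAN.
PLAN = {
    "home": ["192.168.42.0/24", "192.168.10.0/24"],
    "inlaws": ["192.168.43.0/24"],
}


def prefix_to_mask(prefix):
    """Dotted-quad subnet mask for a prefix length: /24 = 24 leading one-bits."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    bits = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return ".".join(str((bits >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def host_count(prefix):
    """Usable host addresses in a block (network and broadcast excluded)."""
    size = 2 ** (32 - prefix)
    if prefix == 32:
        return 1
    if prefix == 31:
        return 2  # RFC 3021 point-to-point links
    return size - 2


def check_plan(sites):
    """Return a list of problems with a {site: [cidr, ...]} plan.

    strict=True rejects "192.168.1.2/24": that is a host address, not a
    network, which is the confusion raised earlier in the thread.
    """
    problems = []
    nets = [(site, ipaddress.ip_network(cidr, strict=True))
            for site, cidrs in sites.items() for cidr in cidrs]
    for site, net in nets:
        if not net.is_private:
            problems.append(f"{site}: {net} is not private (RFC 1918) space")
        if any(net.overlaps(trap) for trap in DEFAULT_TRAP):
            problems.append(f"{site}: {net} is a common router default; "
                            "expect collisions with other LANs")
    # Every subnet on every site must be disjoint from every other one,
    # otherwise the firewall cannot tell local from remote traffic.
    for i, (site_a, net_a) in enumerate(nets):
        for site_b, net_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                problems.append(f"{site_a} {net_a} overlaps {site_b} {net_b}")
    return problems


def openvpn_routes(sites, local):
    """OpenVPN 'route' directives a site needs for every subnet at the other sites."""
    lines = []
    for site, cidrs in sites.items():
        if site == local:
            continue
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr)
            lines.append(f"route {net.network_address} {net.netmask}")
    return lines


if __name__ == "__main__":
    for p in (16, 24, 29, 30):
        print(f"/{p} = {prefix_to_mask(p)} ({host_count(p)} usable hosts)")
    print("plan problems:", check_plan(PLAN) or "none")
    print("in-laws' side needs:", *openvpn_routes(PLAN, "inlaws"), sep="\n  ")
    # The trap: laptop on a hotspot that also uses 192.168.1.0/24 (constructed).
    print("trap:", check_plan({"home": ["192.168.1.0/24"],
                               "hotspot": ["192.168.1.0/24"]}))
```

    Running it with the thread's plan reports no problems and prints the two `route` lines the in-laws' pfSense needs to reach both home subnets; swapping the home LAN to 192.168.1.0/24 and adding a hotspot on the same range shows both the overlap and the default-subnet warning, which is the situation the mobile-VPN goal would run into.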



  • Thanks for all the suggestions, guys. I will need to change up my internal addresses, as I'm currently using the 192.168.1.X range at home and have a bunch of static addresses that would need to be changed to avoid conflicts.

    I'm not too close to getting this project off the ground, as I have to stand up both instances and try to do some testing at home before I even move the second appliance to my brother-in-law's place, but I will keep you up to date as to what's going on as things progress.



  • I will need to change up my internal addresses, as I'm currently using the 192.168.1.X range at home and have a bunch of static addresses that would need to be changed to avoid conflicts.

    pfSense's DHCP server for LAN makes handling "static" internal addresses very easy, just set all your devices to use DHCP and assign the addresses you want them to have as entries in the DHCP server "DHCP Static Mappings" table.

    Leveraging the DNS features in pfSense can greatly simplify your life across two linked subnets.  With a little proper setup you can create different domains for each house, say "freenhm1" and "freenhm2".  Then a computer or device on each network (say "mywrkpc") could be addressed as "mywrkpc.freenhm1" or "hiswrkpc.freenhm2" without having to remember all the IP addresses.

    As in all things computer-related, pre-planning is your friend. But pfSense gives you plenty of flexibility to accommodate most things you can think of.

