MultiWAN has multiple public IPs needing their own OpenVPN Client connections



  • Hello,

    I have a small business connection that has around 10 WAN IPv4 IPs. My pfSense router is connected directly to the cable box. I have verified that I can associate to all of my ISP's provided IP addresses. I was able to use OpenVPN client to cover the whole router, but what I'm looking to do is designate (through possibly NAT) LAN IPs to WAN IPs where a WAN IP could be forced to connect to an OpenVPN Client connection.

    Example-

    WAN:

    200.1.2.1 = Public WAN IP 1
    200.1.2.2 = Public WAN IP 2
    200.1.2.3 = Public WAN IP 3
    200.1.2.4 = Public WAN IP 4
    200.1.2.5 = Public WAN IP 5
    200.1.2.6 = Public WAN IP 6
    200.1.2.7 = Public WAN IP 7
    200.1.2.8 = Public WAN IP 8
    200.1.2.9 = Public WAN IP 9
    200.1.2.10 = Public WAN IP 10

    LAN:

    192.168.1.1 = Direct connection to default gateway
    192.168.1.2 = Direct connection to 200.1.2.2
    192.168.1.3 = Direct connection to 200.1.2.3
    192.168.1.4 = Direct connection to 200.1.2.4
    192.168.1.5 = Direct connection to 200.1.2.5
    192.168.1.6 = OpenVPN Client connection to WAN IP 6 which always enforces an OpenVPN Client connection
    192.168.1.7 = OpenVPN Client connection to WAN IP 7 which always enforces an OpenVPN Client connection
    192.168.1.8 = Direct connection to default gateway
    192.168.1.9 = Direct connection to default gateway
    192.168.1.10 = Direct connection to default gateway

    To clarify,

    WAN IP 6 would have a persistent connection to Private Internet Access (for example)
    WAN IP 7 would have a persistent connection to StrongVPN (for example)

    So I would change my LAN adapter to 192.168.1.6 if I wanted to make sure I was using P.I.A.
    and 192.168.1.7 to force a StrongVPN connection.

    I am not yet familiar with all that pfSense can do. If this plan will do the trick, I would very much appreciate a how-to. I know that each OpenVPN provider has different setups, so I'm hoping the particulars can still be set according to the provider's requirements. If this setup is not a good solution, would anybody be able to provide a better means of achieving this goal of multiple OpenVPN client connections?

    Thank you


  • LAYER 8 Netgate

    There is really no reason to use different IP addresses for that.  One IP address can have multiple outbound OpenVPN client connections.  You would then use policy routing to send traffic from, say, 192.168.1.2 out the correct OpenVPN client connection.

    But if you really want to, I believe you would create VIPs on WAN for the IP addresses then select that VIP as the Interface in your OpenVPN client config.
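
The approach in the reply above (several OpenVPN clients on one address, with traffic steered by source IP) written out as a pf ruleset fragment of the kind pfSense generates from its GUI rules. This is an added illustration, not part of the thread: the interface names, tunnel gateway addresses and tag name are assumptions, and the two LAN hosts come from the original post's example.

```pf
# Added example. Interface names, gateway addresses and the tag are assumed.
wan_if    = "em0"          # WAN interface (assumed name)
lan_if    = "em1"          # LAN interface (assumed name)
pia_if    = "ovpnc1"       # first OpenVPN client tunnel (assumed name)
pia_gw    = "10.8.0.1"     # constructed tunnel gateway address
svpn_if   = "ovpnc2"       # second OpenVPN client tunnel (assumed name)
svpn_gw   = "10.9.0.1"     # constructed tunnel gateway address
pia_host  = "192.168.1.6"  # LAN host from the post that must use the first VPN
svpn_host = "192.168.1.7"  # LAN host from the post that must use the second VPN

# Outbound NAT: each host is translated to the address of its own tunnel.
nat on $pia_if  inet from $pia_host  to any -> ($pia_if)
nat on $svpn_if inet from $svpn_host to any -> ($svpn_if)
# All LAN traffic that leaves by WAN is translated to the WAN address.
nat on $wan_if  inet from $lan_if:network to any -> ($wan_if)

# Enforcement: anything tagged VPN_ONLY is never allowed to leave by WAN,
# so a host pinned to a tunnel cannot leak out the default gateway.
block out quick on $wan_if tagged VPN_ONLY

# Policy routing: match on source address and force the tunnel gateway,
# overriding the routing table. "quick" makes the first match final.
pass in quick on $lan_if route-to ($pia_if $pia_gw) \
    inet from $pia_host to any tag VPN_ONLY keep state
pass in quick on $lan_if route-to ($svpn_if $svpn_gw) \
    inet from $svpn_host to any tag VPN_ONLY keep state

# Every other LAN host follows the routing table (the default gateway).
pass in quick on $lan_if inet from $lan_if:network to any keep state
```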



  • @Derelict:

    There is really no reason to use different IP addresses for that.  One IP address can have multiple outbound OpenVPN client connections.  You would then use policy routing to send traffic from, say, 192.168.1.2 out the correct OpenVPN client connection.

    But if you really want to, I believe you would create VIPs on WAN for the IP addresses then select that VIP as the Interface in your OpenVPN client config.

    Thanks for the prompt response. I have tried that initially, but every time I have an OpenVPN client established, I lose WAN traffic even at the default gateway (non-OpenVPN directed) level. I saw a guide for Private Internet Access, where they used one of the available interfaces to dedicate OpenVPN traffic. I gathered the point of doing so was to reinforce the requirement to use the OpenVPN and maybe not to have an imperfect messy NAT chain of rules.

    I have tried both ways.

    I don't mind utilizing OpenVPN client connections on the same IP; however, right now I haven't filled all that's paid for, so I thought to dedicate two IPs for use of pftop viewing at a glance and maybe some analyzing down the road.

