Local Subet with Alias
I have a pfSense firewall for my main office. On the lan side of the firewall are 15 subnets separated via various routers and connection methods. All of these networks are a simple class C network in the 192.168.0.0/24 network, and I have created an alias holding them all for use in the firewall rules and it is working very well.
I would like to create an IPSec connection between my home network and my main firewall, but the only choices I see for the local subnet are LAN Subnet, Network or Single Computer.
Using LAN Subnet won't work as the only things on that lan are my firewall and an interface for my main router.
The Network option would allow me to use 192.168.0.0/16 will not work because my home network is in that space so the routing would be wrong. I suppose I could create a Network connection for each network my home network would connect to, but that just seems very .. clumsy?
This VPN connection is actually a proof of concept setup, as I have other offices that currently are connected to a different VPN service using another firewall technology that I would like to replace with pfSense if possible.
We just recently started pfSense recently and overall it is a wonderful product. Thank you very much for your hard work.
Any help would be greatly appreciated.
I think that's one of the limitations with the current IPsec implementation that OpenVPN does not have.
Will your other offices have conflicting subnets as well?
No, there are no conflicts.. to me a little more concrete with my example..
Main Office LAN - 192.168.42.0/24
Office 1 - 192.168.4.0/24
Office 2 - 192.168.6.0/24
Office 3 - 192.168.10.0/24
etc.. there are a total of 15 of these networks that all are protected by the pfSense Firewall.
My Home Lan - 192.168.48.0/24
Ideally, I'd like to create one IPSec connection between the two, but as it stands I believe I have to create one per network protected by the pfSense firewall at my Main Office.
If that is indeed correct, I will do that. I just wanted to verify it before I went through the trouble. Where is the appropriate place to file a "wish list" item? I'd have a hard time filing this as a defect, more a feature request I guess.
Thank you for your time and help.
Here's my take on it:
If you can, change your home network scheme to 192.168.64.x/24 or something higher than a value of 63 in the third octet. That way, you could create one ipsec vpn tunnel and run a parallel vpn design. Say you chose 192.168.75.0/24, you could use the following scheme:
From your home to the office:
Of course, from the other end, you will reverse the groups and it should work just fine when you create the respective rules on the office side to allow entry into the different work subnets.
In case you have your 15 subnets ranging all over the place, change your home ip scheme to something either in the 172.16.x.x range or the 10.x.x.x range. With that done, make the respective changes to your IPSEC vpn and you should be fine with the one IPSEC vpn tunnel.
Enjoy and good luck!