    PFSense OpenVPN IP scheme possible?

    OpenVPN
    • getut

      I am evaluating PFsense plus OpenVPN for a large rollout, but I need to support a very, very explicit IP scheme. This proposed solution will need to support this exactly or we won't be able to use it. I plan to have a virtualized PFSense instance at each location if it will support this config.

      Explanation of environment that needs to be replicated exactly:

      The HQ Office is on the 10.1.1.x/24 range and will need VPNs to around 100 satellite sites where each site internally (LAN side from the remote site's perspective) will be identical on the 10.10.10.x/24 range.

      I need to have a bidirectional VPN between HQ and each site that has one to one IP mapping in place from HQ to the site. So the following examples are from the HQ perspective.

      HQ 10.1.1.x --> 172.16.<site number>.y will access the remote site's 10.10.10.y where y equals the IP of the machine needing to be accessed.

      So if 10.1.1.37 at HQ wants to access an FTP server on 10.10.10.138 at site number 57, it would be ftp 172.16.57.138 from the HQ perspective. Of course since there is only 1 HQ, there would need to be no one to one mapping for the route back.

      • johnpoz (LAYER 8 Global Moderator)

        That seems like a pretty stupid way to do it..  Why would each site be 10.10.10/24 ???  Why not just make them 172.16.sitenumber/??

        But sure, if you want to create NATs to all these different 10.10.10 networks down their tunnels you could do that - it just seems like a lot of extra config when just using the 172.16 range at each site would make for a much easier setup.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        2440 2.4.5p1 | 2x 3100 2.4.4p3 | 2x 3100 22.01 | 4860 22.05

        • getut

          That's actually why supporting this is such a big deal. It is the way it is set up now. We cannot change it without going to each already up and running site and re-addressing. We are simply replacing a VPN hosting provider with virtualized PFSense UTM + VPN under our control. Each network is already documented and set up for 3rd party support vendors who have to have the same IP scheme at each site.

          • johnpoz (LAYER 8 Global Moderator)

            Still sounds pretty stupid.. DHCP makes re-addressing pretty freaking simple..

            3rd party who want the same IP in all sites.. Yeah, tell them to F off and use an actual real company with real support.. I can understand having to NAT if you have to support a company that steps on addresses you're already using, and they don't want to change.. But to do such a thing on purpose just seems moronic to me..


            • Derelict (LAYER 8 Netgate)

              All true.

              But your use case will work.

              You would 1:1 NAT the LAN to your 172.16.X.0 network at each remote site.

              It will require an OpenVPN assigned interface at each satellite to do the NAT on.

              The HQ VPN server could be one instance with 172.16.0.0/16 as the remote network route and iroutes for each /24 to the appropriate site instance.

              Chattanooga, Tennessee, USA
              The pfSense Book is free of charge!
              DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

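As an added example (not code from the thread, from pfSense or from OpenVPN), a small Python model of the addressing Derelict's reply lays out: it translates between the HQ-side 172.16.<site>.y aliases and the real 10.10.10.y site addresses, and emits the iroute and 1:1 NAT mapping each satellite needs. The 1..254 range checks, the overlap check and the function names are assumptions; the prefixes are the ones stated in the thread.

```python
"""Added example, not code from the thread or from pfSense.

HQ LAN 10.1.1.0/24, every satellite LAN 10.10.10.0/24, and an HQ-side
alias 172.16.<site>.0/24 per site that is 1:1 NATed onto the satellite LAN.
Assumption: site and host numbers are 1..254 (network/broadcast excluded).
"""
import ipaddress

HQ_LAN = ipaddress.ip_network("10.1.1.0/24")
SITE_LAN = ipaddress.ip_network("10.10.10.0/24")
ALIAS_SUPERNET = ipaddress.ip_network("172.16.0.0/16")  # one remote-network route on the HQ server


def alias_network(site: int) -> ipaddress.IPv4Network:
    """172.16.<site>.0/24: the block HQ uses to reach one satellite."""
    if not 1 <= site <= 254:
        raise ValueError(f"site number out of range: {site}")
    return ipaddress.ip_network(f"172.16.{site}.0/24")


def hq_to_site(alias_ip: str) -> tuple[int, str]:
    """HQ-side 172.16.N.y -> (site N, real LAN address 10.10.10.y)."""
    ip = ipaddress.ip_address(alias_ip)
    if ip not in ALIAS_SUPERNET:
        raise ValueError(f"{alias_ip} is not inside {ALIAS_SUPERNET}")
    site, host = ip.packed[2], ip.packed[3]
    if not (1 <= site <= 254 and 1 <= host <= 254):
        raise ValueError(f"{alias_ip} has no 1:1 counterpart on a site LAN")
    return site, str(SITE_LAN.network_address + host)


def site_to_hq(site: int, lan_ip: str) -> str:
    """Site LAN 10.10.10.y -> the 172.16.<site>.y address HQ must use."""
    ip = ipaddress.ip_address(lan_ip)
    if ip not in SITE_LAN:
        raise ValueError(f"{lan_ip} is not on the satellite LAN {SITE_LAN}")
    return str(alias_network(site).network_address + ip.packed[3])


def site_config(site: int) -> dict[str, str]:
    """The two pieces each satellite needs, per Derelict's reply."""
    net = alias_network(site)
    if net.overlaps(HQ_LAN) or net.overlaps(SITE_LAN):
        raise ValueError(f"alias {net} collides with a real LAN")
    return {
        # HQ OpenVPN server, client-specific override: send this /24 down this site's tunnel
        "iroute": f"iroute {net.network_address} {net.netmask}",
        # Satellite pfSense, 1:1 NAT on the assigned OpenVPN interface: alias <-> real LAN
        "nat_1to1": f"1:1 NAT external {net} -> internal {SITE_LAN}",
    }
```

For the first post's example, `hq_to_site("172.16.57.138")` yields site 57 and 10.10.10.138, and `site_config(57)` gives the iroute for 172.16.57.0/24 plus the matching 1:1 NAT line.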