PFSense OpenVPN IP scheme possible?
I am evaluating PFsense plus OpenVPN for a large rollout, but I need to support a very, very explicit IP scheme. This proposed solution will need to support this exactly or we won't be able to use it. I plan to have a virtualized PFSense instance at each location if it will support this config.
Explanation of environment that needs to be replicated exactly:
The HQ Office is on the 10.1.1.x/24 range and will need VPNs to around 100 satellite sites where each site internally (LAN side from the remote site's perspective) will be identical on the 10.10.10.x/24 range.
I need to have a bidirectional VPN between HQ and each site that has one-to-one IP mapping in place from HQ to the site. So the following examples are from the HQ perspective.
HQ 10.1.1.x --> 172.16.<site number>.y will access the remote site's 10.10.10.y, where y equals the IP of the machine needing to be accessed.
So if 10.1.1.37 at HQ wants to access an FTP server on 10.10.10.138 at site number 57, it would be ftp 172.16.57.138 from the HQ perspective. Of course, since there is only 1 HQ, there would need to be no one-to-one mapping for the route back.
That seems like a pretty stupid way to do it.. Why would each site be 10.10.10/24 ??? Why not just make them 172.16.sitenumber/??
But sure, if you want to create NATs to all these different 10.10.10 networks down their tunnels you could do that - it just seems like a lot of extra config when just using the 172.16 range at each site would make it a much easier setup.
That's actually why supporting this is such a big deal. It is the way it is set up now. We cannot change it without going to each already up and running site and re-addressing. We are simply replacing a VPN hosting provider with virtualized PFSense UTM + VPN under our control. Each network is already documented and set up for 3rd party support vendors who have to have the same IP scheme at each site.
Still sounds pretty stupid.. DHCP makes re-addressing pretty freaking simple..
3rd parties that want the same IP in all sites.. Yeah, tell them to F off and use an actual real company with real support.. I can understand having to NAT if you have to support a company that steps on addresses you're already using, and they don't want to change.. But to do such a thing on purpose just seems moronic to me..
But your use case will work.
You would 1:1 NAT the LAN to your 172.16.X.0 network at each remote site.
It will require an OpenVPN assigned interface at each satellite to do the NAT on.
The HQ VPN server could be one instance with 172.16.0.0/16 as the remote network route and iroutes for each /24 to the appropriate site instance.
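As an added illustration (not from the thread or from pfSense itself) of the address plan in that answer, the script below does the 172.16.<site>.y <-> 10.10.10.y translation for the example in the question and emits, per site, the HQ server's client-specific `iroute` line and the site's 1:1 NAT mapping. The `ovpnc1` interface name and the pf `binat` syntax are assumptions used for illustration; on pfSense the mapping is entered in the 1:1 NAT GUI on the assigned OpenVPN interface.

```python
import ipaddress

SITE_LAN = ipaddress.ip_network("10.10.10.0/24")   # identical LAN at every site
OVERLAY = ipaddress.ip_network("172.16.0.0/16")    # HQ-side view of all sites


def site_overlay(site: int) -> ipaddress.IPv4Network:
    """172.16.<site>.0/24 for a site number; only 1..254 fit the /16 plan."""
    if not 1 <= site <= 254:
        raise ValueError(f"site number {site} out of range 1..254")
    return ipaddress.ip_network(f"172.16.{site}.0/24")


def hq_to_site(addr: str) -> tuple[int, str]:
    """HQ-perspective 172.16.<site>.y -> (site, 10.10.10.y)."""
    ip = ipaddress.ip_address(addr)
    if ip not in OVERLAY:
        raise ValueError(f"{addr} is not inside {OVERLAY}")
    site = (int(ip) >> 8) & 0xFF          # third octet
    host = int(ip) & 0xFF                 # fourth octet, kept as-is by 1:1 NAT
    site_overlay(site)                    # rejects 172.16.0.y / 172.16.255.y
    return site, str(SITE_LAN.network_address + host)


def site_to_hq(site: int, addr: str) -> str:
    """Site-local 10.10.10.y -> HQ-perspective 172.16.<site>.y."""
    ip = ipaddress.ip_address(addr)
    if ip not in SITE_LAN:
        raise ValueError(f"{addr} is not inside {SITE_LAN}")
    return str(site_overlay(site).network_address + (int(ip) & 0xFF))


def site_config(site: int, ovpn_if: str = "ovpnc1") -> dict:
    """Config fragments for one site (interface name is an assumed example)."""
    net = site_overlay(site)
    return {
        # HQ server: 'Remote Networks' covers the whole /16, one iroute per site
        "hq_remote_net": f"route {OVERLAY.network_address} {OVERLAY.netmask}",
        "hq_cso_iroute": f"iroute {net.network_address} {net.netmask}",
        # Site: 1:1 NAT of its LAN onto its /24, applied on the assigned OpenVPN interface
        "site_binat": f"binat on {ovpn_if} from {SITE_LAN} to any -> {net}",
    }


if __name__ == "__main__":
    print(hq_to_site("172.16.57.138"))    # the FTP example from the question
    for line in site_config(57).values():
        print(line)
```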