Cloud-based pfSense instance for home servers via IPsec?
  • I've used Comcast business class Internet service with a /29 block of static IPs for several years.  It lets me run home servers free from the limitations of no static IPs and more restrictive residential ToS.  Gigabit fiber Internet is just around the corner (well, literally it's on the poles behind my house, although I'm not sure if it's technically turned up yet, it was strung in the last couple of months) but from what I've seen of the two providers who offer service, static IPs are either unavailable or require a monthly cost 3-4 times what I'm paying now for Comcast business.

    The idea I've had, if I decide to switch, is to find a cloud-based host, run a pfSense instance with a static IP on it, and then build an IPsec tunnel back to my home to provide static IP service to my home servers.

    I've tested this as a VM lab and it actually seems to work (i.e., an IPsec-connected subnet can be forced to forward all its traffic over the IPsec tunnel out the public interface of the remote pfSense server, and NAT forward traffic from the public interface to the remote network).

    I'd structure it in a way that my home general purpose network (PCs, etc) didn't forward all their traffic over the tunnel (speed, probably transit costs) but the servers did, and of course have local access that didn't need to traverse the network.

    I'm assuming I'd mostly dodge any residential ToS limitations of a fiber provider, as my traffic would be IPsec encapsulated and generally low enough in utilization on average.

    Is this a crazy idea, unworkable for other reasons?  I'm assuming there would be some hoops to jump through in terms of keeping the IPsec tunnel up when/if the home side's dynamic address changed, but it otherwise seems usable barring rubber-hits-the-road issues like unusually high latency.
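As an added illustration (not part of the post above, and not pfSense's own code), the split-tunnel design described here can be planned as a selector problem: the server subnet's remote Phase 2 selector is 0.0.0.0/0 minus the home subnets, so server-to-LAN traffic stays local while server-to-Internet traffic goes through the tunnel and the general-purpose LAN never enters it. All addresses are constructed; with policy-based IPsec each resulting prefix typically becomes its own Phase 2 entry on both ends (mirrored on the cloud side).

```python
from ipaddress import ip_network, ip_address, collapse_addresses

# Constructed example addressing (assumptions, not from the post).
HOME_SERVERS = ip_network("10.10.20.0/24")   # subnet forced through the tunnel
HOME_LAN = ip_network("10.10.10.0/24")       # PCs etc., stay on the home WAN directly
LOCAL_NETS = [HOME_SERVERS, HOME_LAN]


def tunnel_selectors(local_nets, everything=ip_network("0.0.0.0/0")):
    """Remote (Phase 2) selectors for the server subnet: 0.0.0.0/0 with the
    home subnets carved out, as a minimal set of non-overlapping prefixes.
    Carving the local subnets out means server<->LAN traffic never matches
    an IPsec policy and so never crosses the tunnel."""
    remaining = [everything]
    for net in local_nets:
        nxt = []
        for r in remaining:
            if net.subnet_of(r):
                nxt.extend(r.address_exclude(net))  # split r around net
            elif r.subnet_of(net):
                continue                            # r lies inside net: drop it
            else:
                nxt.append(r)
        remaining = nxt
    return sorted(collapse_addresses(remaining))


def classify(src, dst, selectors):
    """Where a flow from src to dst ends up under the planned policy:
    'tunnel' (over IPsec to the cloud static IP), 'local' (stays on the
    home LAN/server subnets) or 'direct' (out the home provider's WAN)."""
    s, d = ip_address(src), ip_address(dst)
    if s in HOME_SERVERS and any(d in sel for sel in selectors):
        return "tunnel"
    if any(d in n for n in LOCAL_NETS):
        return "local"
    return "direct"


if __name__ == "__main__":
    sels = tunnel_selectors(LOCAL_NETS)
    print(f"{len(sels)} Phase 2 remote selectors for {HOME_SERVERS}:")
    for sel in sels:
        print("  ", sel)
    for flow in [("10.10.20.10", "93.184.216.34"), ("10.10.20.10", "10.10.10.5"),
                 ("10.10.10.5", "93.184.216.34"), ("10.10.10.5", "10.10.20.10")]:
        print(*flow, "->", classify(*flow, sels))
```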
