#1 eblaster101 (DF Jedi, London)

    [Advice] Advice on a complicated VPN setup

    Hey guys hoping someone can advise on a VPN setup I want to implement.

    I have attached an image which helps illustrate what I am trying to accomplish. The IT company I used to work for had a similar setup, but they set up each customer with an RODC which connected to a master domain controller.

    So the permissions for remote access would be set on the master domain controller and propagate to the RODCs.
    I don't have my clients' DCs set up in this way. I believe pfSense can be configured to connect to multiple ADs, but I don't want to complicate things.

    pfSense can be set up with groups and users, so the idea is that if someone asks for remote access you just create a new login on pfSense and assign it to the correct group.

    I may be wrong and the setup may not be possible, any advice is appreciated.

    Technical information:
    Each customer has a static IP address and the endpoint is a Juniper SSG5.
    The pfSense firewall has a static public IP address on its WAN port.
    Some users are using OS X to remote onto work machines.

#2 Over Carl (DF Super Moderator, London)

    Re: Advice on a complicated VPN setup

    Sorry it's been a couple of years since I played with this stuff and I haven't seen the latest pfSense versions, but there is only one thing I am not sure about in your proposed setup:

    Will pfSense allow you to configure different VPN users to dial in and see different remote VPN networks?

    I have no idea why you would want to do it this way, instead I would let the clients connect direct to their own VPN routers, and only have support staff connecting to your pfSense.

    Also if possible I would do some throughput testing out of hours before finalising on a solution. If you are looking at high VPN traffic, you may find it better to run pfSense native rather than on ESXi.

    Whatever solution you go for, I would advise first getting a client router and pfSense speaking to each other on the bench, run bandwidth tests on the bench, then install a router at client site for final testing.

    IPsec is the preferred protocol. If your client routers have shitty VPN throughput or haven't got static IPs, then you may wish to think about PPTP, but I believe this is not considered secure.

    3 Thanks given to Over Carl: eblaster101 (2nd October 2014), evilsatan (2nd October 2014), JonEp (2nd October 2014)

#3 eblaster101 (DF Jedi, London)

    Re: Advice on a complicated VPN setup

    Thanks for your advice, Over Carl. I managed to get site-to-site to work to the pfSense box with all the clients. I then configured OpenVPN on the pfSense box and set it up to route traffic to the specific IPsec tunnel depending on the customer. It's working well; OpenVPN does compression as well, which is handy.

    I did not set up direct links for clients because it would mean buying an expensive router. OpenVPN is free and considered very secure. I needed a solution which could allow people to remote on from their iPads and other devices. I managed to get it to work with DDNS, although I force every client to have a static; the server itself is static.

    Thanks to eblaster101: Over Carl (10th October 2014)

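The per-customer routing described in the post above, shown here as an added example in plain OpenVPN configuration syntax; it is not eblaster101's actual configuration, and pfSense generates its own server config from the GUI rather than using hand-written files like these. All subnets, common names and interface names below are assumptions chosen for illustration. The point is that each remote-access user gets a fixed tunnel address and is pushed only the route to their own customer's site, and the firewall enforces that boundary independently of what the client accepts.

```conf
# --- /etc/openvpn/server.conf (assumed path) ---
port 1194
proto udp
dev tun
topology subnet
# Remote-access pool; every user lands in here with a fixed address from ccd/
server 10.8.0.0 255.255.255.0

ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh.pem
tls-auth /etc/openvpn/ta.key 0
# Per-client overrides live in ccd/<certificate common name>.
client-config-dir /etc/openvpn/ccd
# Refuse any client that does not have a ccd entry, so an unassigned cert
# cannot connect and end up with the default (unrestricted) routing.
ccd-exclusive
# Do NOT push the whole site-to-site range to everyone; routes are per client.
keepalive 10 60
persist-key
persist-tun
verb 3

# --- /etc/openvpn/ccd/alice-customerA (common name is an assumption) ---
# Fixed tunnel address so firewall rules can match on it reliably.
ifconfig-push 10.8.0.10 255.255.255.0
# Only customer A's LAN (reached over pfSense's IPsec tunnel to customer A).
push "route 192.168.10.0 255.255.255.0"

# --- /etc/openvpn/ccd/bob-customerB ---
ifconfig-push 10.8.0.11 255.255.255.0
push "route 192.168.20.0 255.255.255.0"

# --- Firewall on the OpenVPN interface (pf syntax; pfSense rules are
#     created in the GUI, this is the equivalent rule set as an assumption) ---
# block in on ovpns1 all
# pass  in on ovpns1 from 10.8.0.10 to 192.168.10.0/24
# pass  in on ovpns1 from 10.8.0.11 to 192.168.20.0/24
```

Pushed routes only tell the client where to send packets; a client that ignores them and sends traffic for another customer's subnet would still be forwarded into the wrong IPsec tunnel unless the firewall rules on the OpenVPN interface block it, so the pass rules above are the control that actually separates customers. Note also that OpenVPN's compression (mentioned in the post) has since been shown to leak plaintext to a network attacker through the VORACLE class of attacks, so current OpenVPN releases recommend leaving it disabled.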
#4 Over Carl (DF Super Moderator, London)

    Re: Advice on a complicated VPN setup

    Sorry, I'm not familiar with the SSG5; I just assumed Juniper would allow dial-up VPN users.

    IPsec can be a pita without static IPs. I looked into OpenVPN but I stuck to IPsec or PPTP as I found support to be more widespread (well, at least with the kit I was using or considering using ages ago).
