What you are describing sounds similar to what we are doing. PF works great with routed networks and, depending on the details of your VPN connection, I think it should work in your situation.
I have never set up a PF deployment like the one you are talking about; however, if your VPN is set up in a point-to-point configuration then it will very likely work. Logically speaking, the packets from the satellite locations are encapsulated and sent to your central site. Once there the encapsulation is stripped, they are routed, and the replies are encapsulated and sent back. If this is the case the presence of the VPN tunnel is invisible to PF and the deployment should be the same as any other routed deployment. If my guess about the way your VPN is set up is correct then I see no reason why it would not work. I would love to hear how your deployment goes, good luck!

Jake Sallee
Godfather of Bandwidth
System Engineer and Security Specialist
University of Mary Hardin-Baylor
WWW.UMHB.EDU
900 College St.
Belton, Texas 76513
Fone: 254-295-4658
Phax: 254-295-4221

________________________________________
From: Erik via PacketFence-users <packetfence-users@lists.sourceforge.net>
Sent: Wednesday, April 22, 2020 9:43 AM
To: packetfence-users@lists.sourceforge.net
Cc: Erik
Subject: [PacketFence-users] VLAN isolation and routed networks

Hi,

I have recently begun to investigate PacketFence to see if it can be used under the circumstances I am faced with. What I have found in the documentation so far is rather little and tells me that routed networks are possible, but the example does not match my circumstances. I am guessing it is just an example and other options are available. I will be building a test site as soon as the necessary equipment arrives. Hope I can pick your brains in the meantime.

So the circumstances are these. There are several separate locations that are connected to one central location via VPN (OpenVPN). Every location has its own local network and none of the address ranges overlap. Locations can talk to each other because the central location, where the VPN server is, routes traffic between locations.
Every location is going to be split up into a trusted and an untrusted LAN. There is a local firewall at each location that can manage this, but I am looking for a solution that can be managed at the central location. So I thought of PacketFence and wondered if it might fit. The general idea is that the switches at each location access the PacketFence at the central location for authentication and that PacketFence tells them whether the client can be authenticated and, if so, into which VLAN they must be put. The switches can communicate with PacketFence at the central location via the VPN. The clients cannot, because by default they are blocked by the firewall. I do not need or want PacketFence to provide DNS or DHCP. Once the local switch has put the client on the correct VLAN and has allowed the port the client is on to forward traffic, the clients will get DHCP and DNS from the local servers. So basically, PacketFence will not need to know about the local networks. It will only have to authenticate credentials and let the switch know what VLAN to use. The switches will use 802.1X for those clients that support it and MAC authentication for those devices that don't.

I have used FreeRADIUS in the past with 802.1X and MAC authentication to simply enable and disable switch ports. Back then the VLANs had been fixed and defined on the switch. You either got access or you did not. The current situation is similar, with the notable exception that now the switch does not know the VLAN ID beforehand and has to be told not just whether to enable the port, but also in which VLAN to put it.

What do you think, am I barking up the wrong tree here?
Thanks for your time,
Erik van Linstee

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
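The mechanism Erik is describing, a RADIUS server telling the switch which VLAN to assign after 802.1X or MAC authentication, is standardised in RFC 3580: the Access-Accept carries the RFC 2868 attributes Tunnel-Type (VLAN), Tunnel-Medium-Type (IEEE-802) and Tunnel-Private-Group-Id (the VLAN ID). The following is an added example written for this page, not PacketFence or FreeRADIUS code. It builds such an Access-Accept and shows the check the switch side must perform before acting on it: the Response Authenticator is verified against the shared secret, so a reply that crosses the VPN from a spoofed or tampered source does not move a port into the trusted VLAN. The secret, identifier and request authenticator are constructed sample values.

```python
"""RFC 3580 dynamic VLAN assignment over RADIUS: build and verify an Access-Accept.

Added example, not PacketFence/FreeRADIUS code. Sample secret and authenticator
below are constructed for the demonstration.
"""
import hashlib
import hmac
import struct
from typing import List, Optional, Tuple

# RADIUS codes and attribute types (RFC 2865, RFC 2868, RFC 3580 section 3.31)
ACCESS_ACCEPT = 2
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


def _avp(attr_type: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute (length covers the 2-byte header)."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _tagged_int(value: int, tag: int) -> bytes:
    """RFC 2868 tagged integer: one tag octet followed by the low 3 octets of the value."""
    return bytes([tag]) + struct.pack("!I", value)[1:]


def vlan_attributes(vlan_id: int, tag: int = 1) -> bytes:
    """The three attributes a NAS needs to place the port in a VLAN (RFC 3580)."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00-0x1F")
    return (
        _avp(ATTR_TUNNEL_TYPE, _tagged_int(TUNNEL_TYPE_VLAN, tag))
        + _avp(ATTR_TUNNEL_MEDIUM_TYPE, _tagged_int(TUNNEL_MEDIUM_IEEE_802, tag))
        # Tunnel-Private-Group-Id is a string; the tag octet is optional but we send it.
        + _avp(ATTR_TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode())
    )


def build_access_accept(identifier: int, request_authenticator: bytes,
                        secret: bytes, attributes: bytes) -> bytes:
    """Server side. Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attrs|Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attributes))
    resp_auth = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return header + resp_auth + attributes


def parse_attributes(data: bytes) -> List[Tuple[int, bytes]]:
    """Walk the TLV list, rejecting malformed lengths instead of reading past the end."""
    attrs, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs


def switch_vlan_decision(packet: bytes, request_authenticator: bytes,
                         secret: bytes) -> Optional[int]:
    """NAS side: verify the reply, then extract the VLAN. None means 'do not open the port'."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return None
    attributes = packet[20:]
    expected = hashlib.md5(packet[:4] + request_authenticator + attributes + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None  # forged reply or wrong shared secret
    try:
        attrs = parse_attributes(attributes)
    except ValueError:
        return None
    tunnel_type = medium = group_id = None
    for attr_type, value in attrs:
        if attr_type == ATTR_TUNNEL_TYPE and len(value) == 4:
            tunnel_type = int.from_bytes(value[1:], "big")
        elif attr_type == ATTR_TUNNEL_MEDIUM_TYPE and len(value) == 4:
            medium = int.from_bytes(value[1:], "big")
        elif attr_type == ATTR_TUNNEL_PRIVATE_GROUP_ID and value:
            group_id = value[1:] if value[0] <= 0x1F else value  # strip optional tag
    # Accept only a complete, consistent VLAN assignment with a numeric ID.
    if tunnel_type != TUNNEL_TYPE_VLAN or medium != TUNNEL_MEDIUM_IEEE_802:
        return None
    if group_id is None or not group_id.isdigit():
        return None
    vlan = int(group_id)
    return vlan if 1 <= vlan <= 4094 else None


if __name__ == "__main__":
    secret = b"s3cret"            # constructed sample shared secret
    req_auth = bytes(range(16))   # constructed sample Request Authenticator
    reply = build_access_accept(7, req_auth, secret, vlan_attributes(42))
    print("switch assigns VLAN", switch_vlan_decision(reply, req_auth, secret))
```

The point for a deployment like Erik's is that the only thing protecting the VLAN decision on the wire is the RADIUS shared secret and this MD5-based authenticator; the VPN between site and central PacketFence adds confidentiality and a second layer of integrity, but each switch still needs its own strong secret, and a reply that fails the check must leave the port closed rather than fall back to a default VLAN.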