Hello everyone. I want to apologize in advance, as I hate bringing up something that I'm sure has been discussed many times already, and this e-mail is rather long.
I've found a few examples, but they were dealing with older versions of pfSense, and in the pfSense docs I found something like what I wanted to do, but it had a notice that it doesn't work with the 2.0 branch. I would play around with it and see if I could figure it out, but this is a really busy time at work right now (I'm actually at home typing this, as I don't have much spare time at work until a few weeks after the new school year starts), and I would like to find out if this is possible before trying to convince my boss to go this route. I brought this idea up about a year or so ago, but was shut down. I'm hoping this time, if I have more information available and possibly set up a pair or so of working boxes, we'll go through with the idea. Especially since our phone system is now all tied together with VOIP between buildings.

Anyway, here's the background info on our setup. We're a K-12 school district and we have 5 buildings. 2 of our buildings are next to each other and connected via fiber. Then, between our main DMARC and the other 3 buildings, we have 100 Mbps wireless bridges. Last year, Comcast provided us with free broadband that we use as a backup. Currently, it's set up as a manual backup in that we can manually plug a computer into the Comcast network if needed. What I want to do is configure a couple of pfSense boxes at each of the 3 remote locations to connect via VPN to a pfSense box in the building that is connected via fiber. (Not the main DMARC; I'll most likely look into plugging that Comcast connection into the main Cisco router for main network failover.) The Comcast is not static addressing, if that makes a difference. I do have dynamic DNS addresses set up for these Comcast boxes though, which I think is all that I need for OpenVPN. Preferably, what I want to do is keep the setup working the same as it is now, with the addition of a VPN failover.
I believe that our core L3 switches are performing basic routing, which I think will make this easier. I can provide relevant info from the switches if needed (and am going to verify later that this is indeed what is going on), but I think they are basically routing anything outside of the 10.x range that the individual buildings are using to the main DMARC, which then has routes to the other buildings and sends everything else over the main internet connection. If this is what is going on, it should be fairly easy to insert a pfSense box between the core switch and the wireless bridge and Comcast CSU/DSU.

Now comes the question on the VPN failover setup. I basically will need to pass all traffic over the VPN when the main link is down, including VLAN information. Is this possible? I will also need to prioritize the VOIP VLAN over all other traffic. I'm also curious if it is possible to detect if one of the other links went down and switch to failover if it has. One of our buildings bounces through another building on the wireless bridge, so when the in-between building goes down, it knocks out both buildings, even if the link between those two buildings is still up. So, if possible, I'd like to detect when that connection goes down and switch from using the wireless link between buildings (except possibly any traffic that needs to go between those two buildings) to using the failover VPN, to get better performance instead of everything going through one Comcast connection. I think I explained everything in a semi-understandable manner; if anything needs to be explained further in order to explain what I'm trying to do, I can clarify or possibly include a diagram (I should still have the original Visio diagram I made to present to my boss last year saved somewhere) to show things better. (I'm not sure if this list scrubs attachments or not.)
I don't need anyone to come and set this up for me (though that may be an option in the future if we decide to upgrade to some appliances instead of using old spare PCs and want a support contract to go with them), but just some clarification on whether what I want to do is possible and some pointers on where to look to figure out how to configure it. Though I'll gladly also accept any specific configuration examples as well. As I said, I don't have much spare time at work, though I might work on setting up the boxes in my spare time at home. Thanks in advance for any help you can provide.

--
John McDonnell
[email protected]

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
Commercial support available - https://portal.pfsense.org
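The failover behaviour asked about above (detect a failed wireless hop, move traffic to the VPN, but keep traffic between two directly linked buildings on their own link) comes down to two pieces of logic: a per-link health monitor with hysteresis, and a path choice that looks at every hop between two sites. The following is an added illustration written for this thread; it is not pfSense's own gateway-monitor code. The building names, link names, probe results and thresholds are all constructed for the example.

```python
"""Model of link-failure detection and VPN failover decisions.

Added example, not pfSense code.  A FailoverMonitor tracks probe results for
one wireless link and declares it down once packet loss over a sliding window
crosses a threshold; it only fails back after a run of clean probes, so a
flapping bridge does not bounce traffic between paths.  path_between() then
picks 'wireless' or 'vpn_backup' for a pair of sites by checking every hop
on their wireless path.  Topology below is constructed: site C reaches the
main site by bouncing through site B.
"""
from collections import deque


class FailoverMonitor:
    """Health state for a single wireless link, driven by probe results."""

    def __init__(self, window=10, down_loss_pct=50, up_clean_probes=5):
        self.window = deque(maxlen=window)      # recent probes, True = reply seen
        self.down_loss_pct = down_loss_pct      # loss % that marks the link down
        self.up_clean_probes = up_clean_probes  # clean probes needed to fail back
        self.active = "primary"                 # "primary" (wireless) or "vpn_backup"
        self.clean_streak = 0

    def loss_pct(self):
        """Packet loss over the current window, in percent."""
        if not self.window:
            return 0.0
        lost = sum(1 for ok in self.window if not ok)
        return 100.0 * lost / len(self.window)

    def observe(self, primary_ok):
        """Record one probe result and return the path now in use."""
        self.window.append(primary_ok)
        self.clean_streak = self.clean_streak + 1 if primary_ok else 0
        if self.active == "primary":
            # Only judge loss once the window is full, so a single early
            # miss cannot trip the failover.
            if len(self.window) == self.window.maxlen and \
                    self.loss_pct() >= self.down_loss_pct:
                self.active = "vpn_backup"
        elif self.clean_streak >= self.up_clean_probes:
            # Hysteresis: fail back only after a sustained clean run, and
            # start a fresh window so old losses cannot re-trip the monitor.
            self.active = "primary"
            self.window.clear()
        return self.active


def run_simulation(probes, **monitor_kwargs):
    """Feed a constructed probe sequence through one monitor; return the path per probe."""
    monitor = FailoverMonitor(**monitor_kwargs)
    return [monitor.observe(ok) for ok in probes]


# Constructed topology: which wireless links each pair of sites traverses.
# C bounces through B, so main<->C depends on both links; B<->C only on B-C.
LINKS_BETWEEN = {
    frozenset({"main", "B"}): ["main-B"],
    frozenset({"main", "C"}): ["main-B", "B-C"],
    frozenset({"B", "C"}): ["B-C"],
}


def path_between(site_a, site_b, link_state):
    """'wireless' if every hop between the sites is healthy, else 'vpn_backup'.

    link_state maps link name -> monitor.active ("primary" or "vpn_backup").
    """
    for link in LINKS_BETWEEN[frozenset({site_a, site_b})]:
        if link_state.get(link, "primary") != "primary":
            return "vpn_backup"
    return "wireless"


if __name__ == "__main__":
    # Constructed probe stream: 4 good, 2 lost, then the link recovers.
    probes = [True] * 4 + [False] * 2 + [True] * 3
    print(run_simulation(probes, window=4, down_loss_pct=50, up_clean_probes=3))
    # Main-to-B link has failed over; the B-C bridge itself is still fine.
    state = {"main-B": "vpn_backup", "B-C": "primary"}
    print(path_between("main", "C", state), path_between("B", "C", state))
```

pfSense implements the monitoring half of this with its gateway monitoring and gateway groups (a monitor IP per gateway, with loss and latency thresholds that move traffic to the next tier); the example only models the decision logic so the window, threshold and fail-back behaviour can be reasoned about before building the boxes.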
