PF-Sense Multi-WAN VPN Setup
Posted: Tue Sep 13, 2022 3:53 pm
Hello all. I'm sorry to say, but I am a complete novice at this, so please bear with me. I am an MSP who has taken over a client that utilizes pfSense for their router and OpenVPN for their site-to-site VPN. So far everything has worked without issue; however, I now have to make a change, and it is not going as smoothly as I had hoped it would.
My client purchased a TMOBILE 5G hotspot with unlimited data which they would like to utilize as their primary ISP, and continue to use their old ISP as a failover. The client utilizes site-to-site VPNs for data transfer, and I need to maintain this communication. I seem to be able to bring the network up under the new 5G connection, but I cannot make the VPN work. What I would like to do is create a failover for the VPN with the TMOBILE connection being the primary. When I attempt to do this, however, I lose the VPN. I've tried just adding the interface group and changing what the primary was, but that did not work.
I realize this is a fairly vague post, but I'm unsure what information would be most helpful here. I am running pfSense version 2.4.4-RELEASE-p3, based on FreeBSD 11.2-RELEASE-p10, on both sides. I've created an interface for the 5G TMOBILE hotspot and set it to DHCP. I have a server (disabled) and a client (disabled) already configured, both using a shared key, both with the same encryption.
Server Side:
Mode : Peer to Peer (Shared Key)
Protocol : UDP on IPv4 only
Device Mode : tun - Layer 3 tunnel mode
Interface : (Live ISP Connection, set correctly)
Local Port : (Unique, but matches on both sides)
Description : (Location) Site to (Location) Site
Shared Key : Generated from server (then copied to client)
Algorithm : AES-256-CBC (256 bit key, 128 bit block)
Enable NCP - AES-128-GCM, AES-256-CBC (Matches on both sides)
Auth Digest : SHA512 (512-bit)
No hardware crypto
Tunnel network : 192.168.61.0/24 (unique, does not overlap other tunnels)
IPV6 : Not configured
Remote Network: 192.168.5.0/24
LZO Compression [Legacy style, comp-lzo yes]
Gateway Creation : Both
Client Side:
Mode : Peer to Peer (Shared Key)
Protocol : UDP on IPv4 only
Device Mode : tun - Layer 3 tunnel mode
Interface : TMOBILEGATEWAY
Server Host: Omitted
Local Port : (Unique, but matches on both sides)
Description : (Location) Site to (Location) Site
Shared Key : Copied from the server
Algorithm : AES-256-CBC (256 bit key, 128 bit block)
Enable NCP - AES-128-GCM, AES-256-CBC (Matches on both sides)
Auth Digest : SHA512 (512-bit)
Tunnel : 192.168.61.0/24
Remote Network : 192.168.0.0/24, 192.168.2.0/24, 192.168.3.0/24, 192.168.4.0/24, 192.168.6.0/24, 192.168.16.0/20, 192.168.17.0/24, 192.168.32.0/20
LZO Compression [Legacy style, comp-lzo yes]
Gateway Creation : Both
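Added example, not code from the post or from pfSense: the two field lists above written out as the OpenVPN directives they correspond to, plus a small consistency check of the kind worth running before touching the multi-WAN side. The server WAN address 203.0.113.10, the port 1195 and the secret-file paths are assumptions (the post omits them), and the tunnel endpoints assume pfSense's usual .1/.2 pair for a /24 shared-key tun tunnel. The checker flags directives that must match exactly in static-key mode, points out that NCP (ncp-ciphers) only applies in TLS mode and so does nothing with a shared key, warns about comp-lzo, and checks the route lists on both sides for collisions with the tunnel and with each other.

```python
"""Consistency check for an OpenVPN shared-key (p2p) site-to-site pair.

Both configs are constructed from the GUI field lists in the post; addresses,
port and secret paths are hypothetical placeholders, not values from the post.
"""
import ipaddress

# Constructed: server side (the site on the live ISP).
SERVER_CFG = """
mode p2p
dev tun
proto udp4
local 203.0.113.10                  # assumed WAN address of the server site
port 1195                           # assumed; the post does not give the port
secret /var/etc/openvpn/server1.secret   # assumed path to the shared key
cipher AES-256-CBC
auth SHA512
ncp-ciphers AES-128-GCM:AES-256-CBC
ifconfig 192.168.61.1 192.168.61.2  # assumed .1/.2 pair for the /24 tunnel
route 192.168.5.0 255.255.255.0
comp-lzo yes
"""

# Constructed: client side (the site that now has the 5G hotspot).
CLIENT_CFG = """
mode p2p
dev tun
proto udp4
remote 203.0.113.10 1195            # assumed server WAN address and port
secret /var/etc/openvpn/client1.secret   # assumed path to the copied key
cipher AES-256-CBC
auth SHA512
ncp-ciphers AES-128-GCM:AES-256-CBC
ifconfig 192.168.61.2 192.168.61.1  # mirror of the server's ifconfig
route 192.168.0.0 255.255.255.0
route 192.168.2.0 255.255.255.0
route 192.168.3.0 255.255.255.0
route 192.168.4.0 255.255.255.0
route 192.168.6.0 255.255.255.0
route 192.168.16.0 255.255.240.0
route 192.168.17.0 255.255.255.0
route 192.168.32.0 255.255.240.0
comp-lzo yes
"""


def parse_ovpn(text):
    """Parse OpenVPN directive lines into {directive: [[args...], ...]}."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if line:
            parts = line.split()
            cfg.setdefault(parts[0], []).append(parts[1:])
    return cfg


def first(cfg, key):
    """Arguments of the first occurrence of a directive, or None."""
    vals = cfg.get(key)
    return vals[0] if vals else None


def routes(cfg):
    """All 'route <net> <mask>' directives as ip_network objects."""
    nets = []
    for args in cfg.get("route", []):
        mask = args[1] if len(args) > 1 else "255.255.255.255"
        nets.append(ipaddress.ip_network(f"{args[0]}/{mask}", strict=False))
    return nets


def check_pair(server_text, client_text, tunnel="192.168.61.0/24"):
    """Return a list of MISMATCH / OVERLAP / WARN / INFO findings."""
    s, c = parse_ovpn(server_text), parse_ovpn(client_text)
    out = []
    # In static-key mode nothing is negotiated: these must match verbatim.
    for key in ("proto", "dev", "cipher", "auth", "comp-lzo"):
        sv, cv = first(s, key), first(c, key)
        if sv != cv:
            out.append(f"MISMATCH {key}: server={sv} client={cv}")
    sport = (first(s, "port") or [None])[0]
    remote = first(c, "remote") or []
    cport = remote[1] if len(remote) > 1 else None
    if sport != cport:
        out.append(f"MISMATCH port: server listens on {sport}, client targets {cport}")
    si, ci = first(s, "ifconfig"), first(c, "ifconfig")
    if not (si and ci and si == list(reversed(ci))):
        out.append(f"MISMATCH ifconfig: server={si} client={ci} (client must mirror server)")
    static_key = "secret" in s and "secret" in c
    if not static_key:
        out.append("MISMATCH secret: both peers need the same static key file")
    if static_key and ("ncp-ciphers" in s or "ncp-ciphers" in c):
        out.append("WARN ncp-ciphers: cipher negotiation is TLS-mode only; with a static key "
                   "only 'cipher' matters and it must match on both peers")
    if "comp-lzo" in s or "comp-lzo" in c:
        out.append("WARN comp-lzo: compression is deprecated and exposes tunnelled traffic to "
                   "compression-oracle attacks (VORACLE); remove it on both sides together")
    tun = ipaddress.ip_network(tunnel)
    for side, cfg in (("server", s), ("client", c)):
        for ip in first(cfg, "ifconfig") or []:
            if ipaddress.ip_address(ip) not in tun:
                out.append(f"MISMATCH ifconfig: {side} address {ip} is outside tunnel {tun}")
    sr, cr = routes(s), routes(c)
    for side, nets in (("server", sr), ("client", cr)):
        for n in nets:
            if n.overlaps(tun):
                out.append(f"OVERLAP {side} route {n} overlaps tunnel {tun}")
            for other in nets:
                if n != other and n.subnet_of(other):
                    out.append(f"INFO {side} route {n} is already covered by {other}")
    for a in sr:
        for b in cr:
            if a.overlaps(b):
                out.append(f"OVERLAP server route {a} collides with client route {b}: "
                           "a subnet cannot sit behind both peers")
    return out


if __name__ == "__main__":
    for finding in check_pair(SERVER_CFG, CLIENT_CFG):
        print(finding)
```

Run as-is it reports no MISMATCH for the pair above, but it does flag that ncp-ciphers is inert with a shared key, that comp-lzo should go, and that the client's 192.168.17.0/24 route is redundant because 192.168.16.0/20 already covers it. Editing one side (for instance dropping comp-lzo or changing the port on the client only) produces the MISMATCH lines, which is the class of error that silently breaks a static-key tunnel when a config is rebuilt on a new interface.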