Pfsense VPN to multiple locations from central office

Hi there, I am enjoying the pfSense content on the YouTube channel and thought I would ask about a project I am looking to undertake at my workplace.

I work at an optometry practice with 4 locations separated by about 50 miles. Our head office is the main location with a network of about 20 Windows machines, while the other locations only have 1 or 2 machines. All practices have decent FTTC broadband with at least 40/10 bandwidth; the head office has 80/20.

The main application we run is an SQL 2008R2 based practice management database. We have one main server and another 2 backup servers, all running at the main office. The PCs all run an Access front end application which links to the server. In addition, several of the PCs in all practices also need to connect to the NHS infrastructure using Cisco AnyConnect software VPNs, which are split tunnel and allow normal network traffic as well. One machine uses a closed IPsec FortiClient software VPN to connect to an external NHS server, and it has no local or internet access while the VPN is enabled.

This all works fine in the head office; however, we need access to our SQL database at the remote offices as well. At the moment we are using LogMeIn Hamachi gateway to create VPN links between the main office and remote offices.

I originally tried accessing the SQL over the VPN, but performance was terrible. I then set up several Windows VMs at the main office using VirtualBox which we can access at the remote locations using a remote desktop app called Remote Utilities (we can't use Windows RDP, as the Cisco AnyConnect VPN which needs to run on the VMs will not function if it detects RDP is enabled).

Though this seems a bit messy, in practice it all functions pretty well, but I find Hamachi quite temperamental and not a week goes by when there isn't a drop in the VPN to one practice or another, which pretty much stops work until it is fixed and takes me away from what I am doing to sort it using TeamViewer. We also need to print from the local VMs to the remote locations, and the network printers frequently fail to work over the VPN.

I think a better solution would be to create a router to router VPN between the locations with the server at the head office and clients at the remote locations. pfSense seems to be a very flexible option, and we could replace our current Billion 7800N wireless routers with pfSense appliances with wireless to replicate our current set up, but with VPN now possible at the router level. We could then get rid of Hamachi on the PCs and move all the network set up to the router, which will hopefully be more stable.

This is as far as my current knowledge will take me. I have looked online at various guides about setting up different subnets in the different locations but am getting really confused. All I need is for all the locations to act as if they are on the same LAN. I can then reserve IP addresses based on MAC so all the machines have known IP addresses and then set up the hosts file in Windows to link the IP to host name. This should sort the SQL application and remote printing. I don't need normal internet traffic to go over the VPN, however, as that would just slow down the network at the main practice if everything was being redirected through there. The Cisco and FortiClient VPNs would probably also need direct internet access, as I don't know if they would function over a second VPN, and would probably be even slower.

Am I on the right lines here, or does anyone have any better ideas or suggestions?

Thanks for any help.

1 Like
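An added example, not from the thread, of sketching the hub-and-spoke plan the post describes before touching any router: one LAN per site with an overlap check (the usual reason a "different subnets" tunnel refuses to route), one IPsec Phase 2 selector per branch so only site-to-site traffic enters the tunnel and internet traffic stays on the branch WAN, and a hosts file generated from the MAC reservations. All addresses, hostnames and MACs are constructed sample values.

```python
import ipaddress

# Constructed sample plan (not the poster's real addressing). Each site gets
# its own LAN; the branches only need to reach the head office.
SITES = {
    "head_office": "10.10.0.0/24",
    "branch_a": "10.10.1.0/24",
    "branch_b": "10.10.2.0/24",
    "branch_c": "10.10.3.0/24",
}
HUB = "head_office"

# Constructed DHCP reservations: hostname -> (MAC, fixed IP).
RESERVATIONS = {
    "sqlserver": ("00:11:22:33:44:01", "10.10.0.10"),
    "branch-a-pc1": ("00:11:22:33:44:10", "10.10.1.20"),
}


def overlapping_sites(sites):
    """Return (site, site) pairs whose LANs overlap. A single overlap (for
    example every office left on a router default of 192.168.1.0/24) makes
    the tunnel unroutable, so a plan is only usable when this list is empty."""
    nets = {name: ipaddress.ip_network(cidr, strict=True) for name, cidr in sites.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def phase2_selectors(sites, hub):
    """Hub-and-spoke IPsec: one Phase 2 (traffic selector) per branch, with
    local = head office LAN and remote = that branch's LAN. Only traffic
    matching a selector enters the tunnel; internet traffic and the per-PC
    NHS VPN clients keep using the branch's own WAN."""
    return [{"branch": name, "local": sites[hub], "remote": cidr}
            for name, cidr in sorted(sites.items()) if name != hub]


def hosts_file(sites, reservations):
    """Render hosts-file lines for the reserved addresses, refusing any
    reservation that does not sit inside one of the planned site LANs
    (a stale entry from the old flat network would silently break lookups)."""
    nets = [ipaddress.ip_network(c) for c in sites.values()]
    lines = []
    for host, (_mac, ip) in sorted(reservations.items()):
        addr = ipaddress.ip_address(ip)
        if not any(addr in n for n in nets):
            raise ValueError(f"{host}: {ip} is outside every site LAN")
        lines.append(f"{ip}\t{host}")
    return lines
```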

When I worked in medical we did the site to site VPN stuff and it worked great; we just did it through SonicWall firewalls instead. Same concept.

I can't tell you off the top of my head how to configure it in pfSense, but I have zero doubt the capability is there. Basically you just point each box to each other and set up rules and NAT configurations. It's a pretty easy job to do and I don't think you'll have any issue. When I get done with my morning roundup at work I'll see if I can gather some documentation for you.

If that doesn't work you might look into some VDI technology like Windows RDS server or something.

1 Like

Thanks for the reply, I am going to fire up a VM of pfSense in VirtualBox this afternoon and give it a try. I am sure I can figure it out, but all the config settings in pfSense are a bit confusing when you are used to a basic router set up.

Well, I had a good look at pfSense in the VM and am pretty impressed with the options available. I will need to do a fair bit of learning to be able to set it up properly, but I have found a good series on YouTube and am getting there. In the meantime, any suggestions for hardware? I am looking at possibly using one of these

https://forum.pfsense.org/index.php?topic=114202.0

which seem to work well according to the pfSense forum. The only possible issue is the lack of hardware AES encryption support, though I will only have 3 open VPN users and only ever two at the one time, so hoping it will be ok. I can also use our current wireless router as an access point.

pfSense can handle this well. You are looking for an IPsec site to site VPN. Will post more later, have to finish the morning support tickets first.

Cheers, I have pretty much decided to go for it, but struggling a bit with hardware choice. Those J1900 boxes are good and cheap, but the lack of AES support might slow down the VPN traffic, and they are cheap for a reason. If I could pick up a mini-ITX Celeron MB with dual Intel LANs I would build one myself, but they seem difficult to find. I could pick up a SFF OptiPlex 755 off eBay for £50 which would do the job, but power hungry compared to a modern machine, and these are pretty old now so I couldn't guarantee reliability. Space is also at a premium in our offices so no room for a full tower, and we would need 4 anyway. I also considered virtualizing pfSense on our main server, but that means a single point of failure would bring everything down, so not a good idea.

I forgot to find that documentation for you. Sorry about that, but yes, IPsec is the option desired. What's your budget per office for a tunnel device?

Looking to keep under £300 per unit if possible; however, I am not sure whether we would benefit from a more powerful unit as the server in the main office, as the three branch offices will all be connecting to it but not to each other. It is also unlikely we will have more than 2 running simultaneously due to manpower. One of those J1900 units would probably be ok, but the fact they are no-name from China with no docs etc. is a worry. I would actually consider the official pfSense appliance (SG-2200 model) but they are hard to get in the UK and quite expensive to import with this Brexit nonsense going on just now.

I'll throw you a couple of ideas when I get back from lunch. It's read only Friday so I don't have anything getting in the way today.

Be careful with those J1900 boxes; they usually come with Realtek NICs, and from my personal experience and the pfSense forum they don't play nice with pfSense. Intel NICs are the usual recommendation.

pfSense runs extremely well virtualized. My current site-to-site is between two virtualized instances of pfSense with Proxmox as the hypervisor. Now, whether or not you should run it virtualized will get you lots of different opinions on security/reliability.

Pictures and links to guides on the way.

My pfSense at home has a Realtek and it works fine.

@AJBek -- We're using a Zotac Zbox for an IPS-esque system and it's pretty sweet. Not this one, but I think this particular one will suit your needs:

One of the questions for that product is "are both NICs Intel" and they aren't, but one guy said he's using pfSense fine with it.

That is the same box I was having problems with. Plain internet was fine, but when I would saturate the gigabit link, I kept getting watchdog timeout errors. Of course this was about 6 months ago and things have changed since then. This link https://forums.freebsd.org/threads/55306/ talks about some of the problems with Realtek NICs.

Thanks guys, that Zbox looks nice but I'm struggling to find the dual NIC model in the UK; the only one I could find was on amazon.co.uk and cost £600!! Will keep looking though. My home mini server is based on a J1900 Asus board with dual Realtek NICs and they work fine, but that is Windows Server rather than pfSense.

Well, according to @OriginalDotte he's had difficulty, so be careful with your decision. Personally I have had zero issues with my Realtek, but apparently mileage may vary. I would suggest doing Intel when possible though... that's a 'nix thing.

Personally I'm using a computer that we decommissioned at work that had a PCIe port, dropped the NIC in it and loaded up pfSense on an SSD. It's -slightly- overpowered but was free.

Yeah, I am seriously considering picking up 4 SFF Core 2 Duo OptiPlex 755s off eBay for $50, sticking an Intel NIC in the PCIe slot and using that. It will be overpowered and not the most efficient, but will be a known quantity and well proven. I think that was close to the system Wendell built in his original pfSense video, and if it is good enough for him.

Yeah absolutely, it'll be the most powerful firewall you've ever had, haha.

I'm about to virtualize mine at home to give it more "oomph" for the power usage. Virtualize pfSense/FreeNAS on the same box.