pfSense OpenVPN neighborhood network idea / request for help


OBasel

Active Member
Dec 28, 2010
Here's a question for the STH'ers.

Has anyone done a larger number of endpoints (e.g. 16 sites) and put everything onto one subnet?

We have been discussing making a LAN in the neighborhood/ school for Minecraft and a Squid proxy for filtering content for the kids. It would be a way to ensure that the kids aren't just going next door to view questionable material since that household is less tech savvy.

If each house has a pfSense machine or something that can run site-to-site VPN, is there any way that the "hub" pfSense instance can bridge a network for all the spokes? Let's say we have 10.199.199.1/24 as the network. Then give the devices for each of the kids an IP address in the 10.199.199.1/24 range so we know their devices are going to be on that network.

Is the OpenVPN config for site-to-site basically local/ remote networks are both 10.199.199.1/24, and then the tunnel network is something else like 10.0.1.1/24?

We were thinking that even colo'ing the hub nearby, where one of the guys has some space and power, might work for us. It also lets us turn off WAN access by stopping the VPN.

I wonder if pfSense can even do DHCP in this mode? Then we can get APs where we can put certain MAC addresses on their own VLANs/ only the VPN network. That way the kids, who are all still young, will not have any idea how we are turning off their access, because they think they are connecting to the normal network.

eroji

Active Member
Dec 1, 2015
I don't think the current version of pfSense is capable of what you are planning to do. I recall reading that the OpenVPN implementation creates an x.x.x.x/32 tunnel, through which local and remote routes are pushed. However, I believe they are changing this in the next version of pfSense that is currently in alpha. I also don't think you can do DHCP in a site-to-site configuration. You can, however, configure different subnets for each site, then connect them all to a single "hub" pfSense and push each subnet's route to all the client pfSense instances, and that way they can all get to IPs on each other's networks.
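The routed hub-and-spoke layout described in the reply above (a distinct LAN per site, the hub telling every spoke about the others), as an added planning helper that is not from this thread or from the pfSense project. It emits the raw OpenVPN `route`/`iroute`/`push "route"` lines that pfSense builds for you from its Remote Networks and Client Specific Overrides settings, and flags the one plan that cannot work: the same LAN subnet at every site. The site names and subnets are constructed sample values.

```python
import ipaddress

# Constructed plan: one tunnel network plus a distinct LAN per spoke site
# (keyed by client cert CN, since OpenVPN's ccd file is named after the CN).
TUNNEL_NET = "10.0.1.0/24"
SPOKES = {
    "house-01": "10.199.1.0/24",
    "house-02": "10.199.2.0/24",
    "school": "10.199.3.0/24",
}

def _net(cidr):
    # strict=False accepts "10.199.199.1/24" as written in the thread
    return ipaddress.ip_network(cidr, strict=False)

def check_plan(tunnel_net, spokes):
    """Return overlap problems. Routed site-to-site needs the tunnel
    network and every site LAN to be distinct, so the same LAN at two
    sites (the original poster's idea) is reported here."""
    nets = {"tunnel": _net(tunnel_net)}
    nets.update({cn: _net(cidr) for cn, cidr in spokes.items()})
    names = list(nets)
    return [f"{a} ({nets[a]}) overlaps {b} ({nets[b]})"
            for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]

def hub_server_lines(spokes):
    """Hub server config: a kernel 'route' per spoke LAN so the hub
    sends that traffic into the tunnel interface at all."""
    return [f"route {_net(c).network_address} {_net(c).netmask}"
            for c in spokes.values()]

def ccd_files(spokes):
    """One client-config-dir entry per spoke (filename = client CN):
    'iroute' tells OpenVPN this client owns its LAN; 'push route' hands
    it the other spokes' LANs, never its own, so the spoke's directly
    connected route is not shadowed by a tunnel route."""
    files = {}
    for cn, cidr in spokes.items():
        own = _net(cidr)
        lines = [f"iroute {own.network_address} {own.netmask}"]
        for other_cn, other in spokes.items():
            if other_cn != cn:
                n = _net(other)
                lines.append(f'push "route {n.network_address} {n.netmask}"')
        files[cn] = "\n".join(lines) + "\n"
    return files

if __name__ == "__main__":
    print("\n".join(check_plan(TUNNEL_NET, SPOKES) or ["plan OK"]))
```

Running it with the same 10.199.199.1/24 at two sites prints the overlap instead of "plan OK", which is the reason the per-site subnets in the reply are needed.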

bds1904

Active Member
Aug 30, 2013
Note: the way you are describing this, it sounds like you would still be using an ISP for interconnection, hence the OpenVPN requirement.

Can you? Kind of. With enough horsepower and bandwidth you can have 16 routable endpoints, but not really 1 LAN. Bandwidth is the big issue; you would have to have enough for everyone at the main site, upstream.

Bigger question: why would you want to? If you are putting a pfSense box locally at each endpoint, why not run Squid locally and remotely manage it? It doesn't take much horsepower.

If you are building the network yourself and the only ISP connection is at the main pfSense box, then you don't need OpenVPN. You are overcomplicating things with OpenVPN if you own the physical network.