Small office network planning in WFH land

BreakfastBrett93

New Member
Jan 25, 2021
UK
Not quite sure if this is the right section to post this in - I failed to locate posting guidelines in the forum. Please redirect if I am off course here.

We are a small media company adjusting to a primarily WFH reality and with the powers that be deciding to make this change permanent regardless of what the future might look like, I have been given quite free hands to set up a more permanent solution to our current very-temporary "solution".

I am looking to set up a Proxmox install with a couple of pfSense virtualized containers handling our network isolation and VPNs, but as I am quite new to these tools (previous solution involves a number of interconnected routers barely running NAT and OpenVPN), I would like some feedback on the viability of my plan. If you don't mind, I have outlined it in the attached illustration.

Notes:
  • Ethernet 1-4 represent physical ports on the server.
  • All VPNs are TAP.
  • Solid connections represent actual wires to physical devices.
  • Dashed lines represent virtual connections in Proxmox/pfSense configuration.
  • Dotted lines represent implicit/automatic connections from one network to a VPN'ed network.
    • Is that even a thing? I would like to avoid asking the team connecting to VPN 5 to also have to separately connect to VPN 6 and VPN 7. Not an absolute, but it would definitely make the setup easier to sell to them.
  • While this would run on a single Proxmox install, I would assume that each firewall/NAT node (and optional VPN module) needs to be a separate pfSense install.
Does this make any sense? And is it even possible in a Proxmox + pfSense setup?
 


zunder1990

Member
Nov 15, 2012
I am failing to understand what you are trying to get at. Why so many VPNs and NATs? Are those devices in different locations?

When you say that you are a small media company, I am assuming that a lot of staff are working on large files like pictures or videos and you want to allow them to work from home. If I was to design the network for something like that, I would be looking at some type of VDI setup so that the desktops could have high-speed access to the file server.
 

BreakfastBrett93

New Member
Jan 25, 2021
UK
Thank you for your response!

When you say that you are a small media company, I am assuming that a lot of staff are working on large files like pictures or videos and you want to allow them to work from home. If I was to design the network for something like that, I would be looking at some type of VDI setup so that the desktops could have high-speed access to the file server.
Some colleagues with the need are indeed running VDI with great results :)

I am failing to understand what you are trying to get at. Why so many VPNs and NATs?
The multiple NAT/VPNs are supposed to provide separate access to a limited subsection of the network for third party collaborators like freelancers and partner companies. The VMs on those networks provide services and asset access relevant to specific projects.

Are those devices in different locations?
Everything below the Ethernet 1-4 line is on the Proxmox server. Only things above that line are different physical devices.

Apologies for not being clear earlier - I hope this makes more sense now.
 

zunder1990

Member
Nov 15, 2012
If it was my network I would keep this simple: a single firewall (pfSense) and run the VPN on it. I would make pfSense the gateway for all of the VLANs and do all of the isolation on it. Looking at your diagram, with that much NAT and VPN it will be a nightmare to troubleshoot. Every time you add a NAT layer, troubleshooting becomes a factor of two harder.
 

BreakfastBrett93

New Member
Jan 25, 2021
UK
If it was my network I would keep this simple: a single firewall (pfSense) and run the VPN on it. I would make pfSense the gateway for all of the VLANs and do all of the isolation on it. Looking at your diagram, with that much NAT and VPN it will be a nightmare to troubleshoot. Every time you add a NAT layer, troubleshooting becomes a factor of two harder.
Very interesting. This is literally a naive replication and extrapolation of what we are running with individual routers, so I am not at all surprised that it does not pass basic review :)

But you're saying that while this setup is indeed possible, more importantly it can be done with a single pfSense install running all those self-contained networks each with their own isolated VPN access?
 

zunder1990

Member
Nov 15, 2012
Yes, with good firewall rules and use of VLANs you can build in the isolation and protection you are looking for with a single box/VM. For myself, I have found managing firewalls/routers to be easier if they are a physical box. I find it easier to do all of the networking outside of the hypervisor and just bridge VM traffic out.
 
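The single-firewall design suggested above (one pfSense gateway, one VLAN per project, third parties landing on their own VPN tunnel network) lives or dies on the inter-VLAN rules, and it is worth writing the intended segmentation down and checking it before touching the box. The following is an added example, not code from this thread, pfSense, or Netgate: it models a first-match ruleset the way pfSense evaluates one (top to bottom, implicit default deny at the end) over a set of hypothetical segments, and then probes every third-party segment against every other segment to confirm that freelancers on one project cannot reach the office LAN, the other project, or the staff tunnel. All VLAN names, subnets, ports and rule descriptions are assumptions chosen for illustration.

```python
"""Offline check of the one-firewall, VLAN-per-project segmentation from the thread.

Constructed example; not a pfSense configuration export. It encodes the intended
policy as a first-match ruleset with an implicit default deny and then probes
isolation between segments, so a rule that accidentally opens a project VLAN to
another tenant is caught before deployment.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Hypothetical segments behind the single pfSense instance (all values assumed).
SEGMENTS = {
    "office":    ip_network("10.10.0.0/24"),   # staff LAN
    "projA":     ip_network("10.20.0.0/24"),   # project A servers/shares
    "projB":     ip_network("10.30.0.0/24"),   # project B servers/shares
    "vpn_staff": ip_network("10.100.0.0/24"),  # staff VPN tunnel network
    "vpn_projA": ip_network("10.101.0.0/24"),  # freelancers working on project A
    "vpn_projB": ip_network("10.102.0.0/24"),  # partner company on project B
}

# Which third-party tunnel is allowed to reach which project segment.
THIRD_PARTY = {"vpn_projA": "projA", "vpn_projB": "projB"}


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    src: str                    # segment name or "any"
    dst: str                    # segment name or "any"
    dport: Optional[int] = None  # None = any destination port
    descr: str = ""


# First-match ruleset in the order pfSense would evaluate it (assumed policy).
RULES = [
    Rule("pass", "vpn_staff", "any", None, "staff VPN reaches everything"),
    Rule("pass", "office", "any", None, "office LAN reaches everything"),
    Rule("pass", "vpn_projA", "projA", 445, "freelancers: SMB to project A share"),
    Rule("pass", "vpn_projA", "projA", 443, "freelancers: project A web tools"),
    Rule("pass", "vpn_projB", "projB", 443, "partner: project B web tools"),
    Rule("block", "any", "any", None, "default deny"),
]


def segment_of(addr):
    """Map an address to the segment it belongs to, or None if it is unknown."""
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def evaluate(src_ip, dst_ip, dport, rules=RULES):
    """Return (action, description) of the first rule matching this flow."""
    src = segment_of(ip_address(src_ip))
    dst = segment_of(ip_address(dst_ip))
    for r in rules:
        if r.src not in ("any", src):
            continue
        if r.dst not in ("any", dst):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, r.descr
    return "block", "default deny"  # nothing matched: pfSense's implicit deny


def isolation_violations(rules=RULES, probe_ports=(22, 80, 443, 445, 3389)):
    """List (src_segment, dst_segment, port) flows a third party can reach but should not.

    Each third-party tunnel may only talk to its own project segment; any pass
    towards the office LAN, the other project, or another tunnel is a violation.
    """
    violations = []
    for tunnel, allowed in THIRD_PARTY.items():
        src_host = str(SEGMENTS[tunnel][10])  # one representative client address
        for target, net in SEGMENTS.items():
            if target in (tunnel, allowed):
                continue
            dst_host = str(net[10])
            for port in probe_ports:
                if evaluate(src_host, dst_host, port, rules)[0] == "pass":
                    violations.append((tunnel, target, port))
    return violations


if __name__ == "__main__":
    print("freelancer -> project A SMB:", evaluate("10.101.0.10", "10.20.0.5", 445))
    print("freelancer -> project B web:", evaluate("10.101.0.10", "10.30.0.5", 443))
    print("violations with intended rules:", isolation_violations())
    # A tempting shortcut ("let project A freelancers reach anything") breaks isolation.
    loosened = [Rule("pass", "vpn_projA", "any", None, "shortcut")] + RULES
    print("violations with shortcut rule:", len(isolation_violations(loosened)))
```

The point of keeping the policy in a form like this is that adding a project or a partner becomes a one-line rule change that the isolation check re-validates, which is exactly the maintainability the single-gateway design buys over a chain of routers each doing its own NAT.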

BreakfastBrett93

New Member
Jan 25, 2021
UK
Very interesting. You have clearly saved me a ton of time and maintenance effort with this direction vs. my original naive approach.

Thanks a bunch! I’ll be booting up a single pfSense VM with the network adapter directly forwarded and get going on that VLAN+VPN structure :)
 

Marsh

Moderator
May 12, 2013
After prototyping with a pair of pfSense VMs with the HA function,
consider buying a pair of physical pfSense hosts,
purchased direct from Netgate with hardware and software support.

You won't regret it in the future.
 