anon1701 0 Posted ...

All, currently I use two firewalls - they are in parallel. One is for encrypted traffic only and the other is for normal traffic. I control this at the default gateway level for individual network hosts and some proxying. This is starting to cause me an issue so I am wondering if there is a firewall I can use that will do everything I want, as follows:

1. Gb speeds. I should be getting 900/900 internet access soon as opposed to the 350/50 that I have currently
2. VPN Server for RoadWarrior style access. Preferably OpenVPN (or similar) and not PPTP
3. VPN Client for AirVPN
4. The ability to select which LAN hosts use encrypted and which use unencrypted, and if the VPN Client fails then any encrypted hosts get shut off (aka kill switch, but for individual encrypted hosts only). Currently I do this in pfsense by blocking all traffic not going down the tunnel. Note that if I am road warrior'd in I still want to access encrypted hosts
5. Force access to certain internet hosts to use encrypted channels only (by destination address)
6. Force all DNS enquiries to use encrypted channels
7. Multiple VPN channels to AirVPN - or indeed multiple providers
8. Run as virtual appliances with the option of running on suitable hardware (if I have any)
9. Normal port forwarding - although I use very little of this, preferring to use a VPN when I can

At the moment GW1 (Encrypted) is pfsense whilst GW2 is Sophos UTM - I much prefer the Sophos interface (I find pfsense non-intuitive) but I understand that getting it (Sophos) to work as a client to AirVPN is non-trivial.

Any ideas about where to start?
flat4 79 Posted ...

I'm pretty sure that either pfsense or sophos could do this unless your systems are under powered. Have you thought about using vlans? I use pfsense and have a vlan dedicated for vpn and all devices going thru the vpn do not leak. My RW also uses the vpn to get to the internet but also accesses devices on all vlans.

pFsense it works
anon1701 0 Posted ... (edited)

I have thought of using VLANs. Unfortunately not gonna work. A number of the hosts that I want to use the encrypted channels are sitting in containers on a TrueNAS Scale NAS. They use the default gateway of the Scale box, meaning they all have to be on the same VLAN. It is truly a nuisance and (in my opinion) not a sensible design. It might change in the future - but not for a while, there are other more important issues with Scale. I could of course run up my own docker host - and may do that - but I ought to at least consider a single GW.

CPU is not an issue - both firewalls are virtualised - I have lots of CPU. Having said that, if I stick with pfsense I MIGHT put it on hardware eventually.

RW?

Also I thought getting Sophos to talk VPN Client had been determined to be non-trivial.
flat4 79 Posted ...

Add a nic to truenas and make vlans using pfsense. (I assume that you have a managed switch that can do vlans; if not, adding another nic is required for pfsense.) I also have a dhcp server running for the vpn vlan. In truenas tell it to use the second nic and assign an ip in the vpn vlan subnet, or let it get one via dhcp.

Use portainer to manage your docker containers; it makes it easy. Assuming you add the nic, docker will see it as br0 or br1 or whatever. Using portainer, go to the docker that needs the vpn vlan and in the network section add the interface that is on the vpn vlan.

I use unraid with a quad port nic and one of those ports is in the vpn vlan, and I've assigned containers to use only that network interface and they work just fine. All internet goes out the vpn.

pFsense it works
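The setup flat4 describes, written out as an added Docker Compose example on a plain docker host (this is not code from the thread, TrueNAS Scale or Portainer): the container is attached only to a macvlan network on the NIC that sits in the VPN VLAN, so its default route and DNS are pfSense's VPN-VLAN address and it never sees the unencrypted gateway. The interface name `enp2s0`, the subnet `10.20.0.0/24`, the gateway `10.20.0.1` and the container address are constructed assumptions.

```yaml
# Added example, not from the thread. Assumed layout (constructed values):
#   enp2s0      - host NIC plugged into the VPN VLAN (or use "enp2s0.20" and
#                 docker creates the VLAN 20 sub-interface itself)
#   10.20.0.0/24 - the VPN VLAN subnet, pfSense VPN-VLAN interface at 10.20.0.1
# pfSense owns the policy: it routes this VLAN down the AirVPN tunnel and
# blocks anything from it that is not leaving via the tunnel (the kill switch).
networks:
  vpnvlan:
    driver: macvlan
    driver_opts:
      parent: enp2s0
    ipam:
      config:
        - subnet: 10.20.0.0/24
          gateway: 10.20.0.1
          # keep static container addresses clear of pfSense's DHCP pool
          ip_range: 10.20.0.128/25

services:
  encrypted-host:
    image: alpine:3.19
    # print the routing table once so the single default route via
    # 10.20.0.1 is visible in `docker compose logs`, then idle
    command: sh -c "ip route && sleep infinity"
    networks:
      vpnvlan:
        ipv4_address: 10.20.0.200
    # resolve only through pfSense on the VPN VLAN; no host DNS, no
    # fallback to a public resolver on the clear path
    dns:
      - 10.20.0.1
    restart: unless-stopped
```

Because the service lists no other network, docker does not attach the default bridge, so the container has exactly one path out; note that macvlan containers cannot talk to the host's own address on the parent NIC, which is why flat4 puts a dedicated NIC or port on that VLAN.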
anon1701 0 Posted ...

I do have managed switches - so VLANs are not an issue.

I haven't been using portainer. Been testing with the Truecharts tools. (This is all testing - to see what's possible and what isn't.) I have found that adding a second NIC to TrueNAS Scale does not make the containers available on that NIC, which is irritating.
flat4 79 Posted ...

That sounds more of a docker setup than truenas. I have not used truenas since it was freenas but I bet there's a way to get docker to recognize the second nic.

pFsense it works