VPN and Multi-Router Set Up

  • SpinRite v6.1 Release #3
    Guest:
    The 3rd release of SpinRite v6.1 is published and may be obtained by all SpinRite v6.0 owners at the SpinRite v6.1 Pre-Release page. (SpinRite will shortly be officially updated to v6.1 so this page will be renamed.) The primary new feature, and the reason for this release, was the discovery of memory problems in some systems that were affecting SpinRite's operation. So SpinRite now incorporates a built-in test of the system's memory. For the full story, please see this page in the "Pre-Release Announcements & Feedback" forum.
    /Steve.
  • Be sure to checkout “Tips & Tricks”
    Dear Guest Visitor → Once you register and log-in please checkout the “Tips & Tricks” page for some very handy tips!

    /Steve.
  • BootAble – FreeDOS boot testing freeware

    To obtain direct, low-level access to a system's mass storage drives, SpinRite runs under a GRC-customized version of FreeDOS which has been modified to add compatibility with all file systems. In order to run SpinRite it must first be possible to boot FreeDOS.

    GRC's “BootAble” freeware allows anyone to easily create BIOS-bootable media in order to workout and confirm the details of getting a machine to boot FreeDOS through a BIOS. Once the means of doing that has been determined, the media created by SpinRite can be booted and run in the same way.

    The participants here, who have taken the time to share their knowledge and experience, their successes and some frustrations with booting their computers into FreeDOS, have created a valuable knowledgebase which will benefit everyone who follows.

    You may click on the image to the right to obtain your own copy of BootAble. Then use the knowledge and experience documented here to boot your computer(s) into FreeDOS. And please do not hesitate to ask questions – nowhere else can better answers be found.

    (You may permanently close this reminder with the 'X' in the upper right.)

Texas Flyer

New member
Oct 5, 2020
2
0
Following recommendations from Steve and some on this forum, I am running a Protectli Vault with PFSense CE as a firewall connected directly to my Cable Modem (400/20). Behind that I currently have multiple routers on separate IP networks for internal wired and wireless devices, guest devices, and IOT devices (cameras, thermostat, Fire TV, etc). I also run windows based apps for a VPN. I'm considering using a Flashrouters Configured router to enable VPN across at least a portion of the network to overcome VPN provider limitations on numbers of devices. Probably not IOT stuff nor guest devices, just internal wired and wireless items. What are your thoughts about this idea? And if implemented, would those connections run: Cable Modem --> PF Sense on hardware firewall --> multiple routers, one of which would enable the VPN.

Grateful to many of you but especially MichaelRSorg for his awesome router security site.
 
Why do you need multiple routers? The pfSense box is a firewall, but also a router... for all that you need a router to do. It could also run a VPN for you, I suspect. I get that you might want segmented wireless, so I presume there are WiFi access points built into each of those routers? Having multiple WiFi setups is asking for extra bandwidth congestion though, so hopefully you've got a quiet WiFi neighbourhood and are not in a very busy location like an apartment complex. If you didn't need WiFi on every segment, you could skip the router and just replace it with a switch. (That would assume you were doing wired networking only on that segment.)

What you really want to do is decide what groups of devices you want to have in isolation from other groups. If you have anything you want shared everywhere (like say a printer) you might put that into a group by itself. Of course this is limited by the number of ports you have of your firewall. Then you can decide if there is any reason why a device in one group needs to have access to something in another group, and make special rules to allow that. If it turns out you want devices in more than one group to use the VPN, then you might need to run your VPN in the firewall and not inside one of the groups.

My current belief is to put the WiFi on it's own segment and wired on its own segment. I generally don't want any WiFi device (be that an IoT one or even my cell phone) connecting into my PCs or other wired devices like a NAS. Yes that means my NAS can't serve my cell phone, but for me this is a bonus, not a negative. If your WiFi ever gets compromised, this will keep the attacker out of your wired PC and other devices.

If you were to spend significant money on WiFi, you could buy a business class system, like the Ubiquity, and then it has enough intelligence you could assign some devices to different VLANs and then you could allow some WiFi devices onto one segment of your network and some on others. (This gets quite complicated quite fast--having to manage SSIDs, VLANs, Firewall Rules and then probably needed managed switches too.)
 
Your setup sounds like overkill. Fine for Ed Snowden but a bit much for someone who is not a spy that knows classified secrets. I agree with the previous comment, the hard part is deciding how to group your devices. Devices that need only Internet are one group, but devices that need to see or be seen by other LAN side devices is where it gets hard.

As for the VPN, I do not suggest running a VPN client on the pfSense router. Too many eggs in one basket. I would run it on one or more of your secondary/inner routers. Look for a VPN provider that supports Wireguard as it takes much less cpu horsepower. I suggest pcWRT as secondary routers, they are $130 and run three flavors of VPN client, including WireGuard. Like the previously mentioned Ubiquiti, pcWRT also does VLANs.
 
Thanks for the replies fellas. I guess I didn't clearly communicate my question. My network set up as described has been up and running for years and all devices on all nets run at full cable modem speeds. I don't allow any device on any one sub-network to communicate with any other sub-network so have no need for a VLAN or potentially risky rules set ups. Yes it could be done with a single router/firewall using concepts you mentioned above including guest networks. I don't even trust these routers to be from the same manufacturer since all of them get compromised at one time or another and requiring patching.

My intended question was whether a VPN router behind the PFSense firewall device would function to provide VPN for all devices on that router's network or does the VPN router have to be the firewall router?

A side question I have been looking into is whether VPN makes sense AT ALL? Certainly good for point to point for work or while out and about on wireless you don't control for example, but a VPN for home for all traffic to the internet? I understand you are paying in effect for slowing your home internet connection and moving the exit point from your service provide (Spectrum) to whomever provides the VPN service. Do I gain anything by doing that?
 
Last edited:
VPN makes sense AT ALL
In a word, probably not. It depends on your goals. A VPN *can* help you hide your traffic from your ISP. That's about it... unless you're someone like a whistle blower and you want to use TOR or other alternatives to hide.

As for how a VPN would work internally in a sub-LAN: It could be made to work for outbound traffic, in that you could allow your packets to escape to the public Internet to reach your VPN gateway on the outside of your network. You would set the devices you want to use it to have their default gateway point at the VPN.

Something else you said is a problem though:
while out and about on wireless you don't control for example

If it's internal to your network, you're not going to be able to reach into your network from outside to see the VPN connection. You would end up needing to allow some packets to be routed from outside to inside... doable, but given your apparently cautious security stance, probably ill advised. If you want to operate a personal VPN service, you will need that VPN server to be publicly facing the Internet (in the DMZ as it were.)
 
It really isn't that difficult to run your own VPN server on AWS Lightsail for less than $5 a month by following this guide (which I've referenced many times):


Then you will have no limits on the number of devices you can setup. There's a second use to VPNs beyond hiding traffic that enables seeing traffic. I setup zeek and tcpdump on my private VPN and that enables me to monitor DNS requests (and any other traffic) from all my client devices to conduct threat hunting from time to time. That way if my network ever gets compromised, I can just see the attack.

I run a Pi on the edge because I can't afford a Protectli and the Pi is connected to ProtonVPN to keep the potentially evil ISP (in Ukraine) from seeing the private VPN tunnels. So I'm running a tunnel within a tunnel. All of this runs over 4G on the USB interface of the Pi and everything is fast enough to watch 1080 Youtube, or torrenting, or sftp of large ISOs. My priority isn't speed anyways its not having to trust ISPs or the local supply chain.
 
  • Like
Reactions: Barry Wallis