Extended network connecting via hosted pfSense?

Hello everyone,
We are a very small company made of several individuals working out of home offices for the most part.
We exchange documents via mail and other things such as apps, etc.
I’m trying to improve our security and ease the communication processes by creating a global network where all home offices would be a part of a “local network” and internet access would be provided and secured by a “small” firewall machine such as pfSense or OPNSense hosted with a provider. This firewall would serve as a proxy to manage internet and oblige all members to go through it and its rules. So in fact, instead of managing 6 FW, we would have to manage only the one hosted…
Of course, each home office would be able to manage what they share with others and restrict access to information they don’t want to share…
Some of the members travel as well and would use openvpn to access the network and apps, backups or files.
Advantage would be that there would be only one machine managing all users, accesses, etc. instead of several machines managing each access.
I understand that we could have pfsense on each home office and synchronize everything but it doesn’t seem cost effective or easy to manage.
If anyone has some thoughts on this, I would very much appreciate sharing.
Please understand that we are far from being experts in network management!!! :slight_smile:
Have a great day!

Personally, with this few users… I would keep things simple…

  1. each user connects to a remotely hosted windows desktop with zerotier installed on each desktop.

  2. Each is configured with email/apps and shared network drive(s) etc… so no data ever leaves the network

  3. Each remote user then has zerotier also installed on their home desktop/laptop with an rdp shortcut setup to connect to the zerotier ip address of their “assigned remote desktop” (with printer redirection enabled)

a low maintenenace, easy to manage/understand system, securely accessible from anywhere over any network

just have to decide where to host the remote desktops… go diy route (home hosted on a nice beefy proxmox (say) server), or purchase them of a cloud provider for ease of setup/support/maintenenace

Hi and thank you for this answer.
I agree that this solution is simple to put together but as we are simpletons in the matter, wouldn’t it be more efficient to have a hosted pfsense or opensense manage the security of all points of presence?
Objectives are two-fold, make sharing easy and mostly importantly manage the security of each network by sharing resources in network and security hardware. That’s why I thought a kind of “star shaped” network would be more efficient as there is only one entry and exit point for everybody.
Then, adding a new member to the group would be only implicating another entry in the freeradius part of pfsense and sending the openvpn file to the new member.
Last but not least, I spent a lot of time getting to learn pfsense and making it work for us. We use pretty much everything we need in pfsense (double wan, FW rules, pfblockerNG, snort, openvpn, captive portal, etc.).
Introducing another element would mean spending more time getting knowledge about a new product and learning curve is very flat :slight_smile:

For what it’s worth these are my thoughts on your scenario…

You’ve got pfSense in your office location by the sounds of it, running OpenVPN.

If your users are using “work” laptops and phones, then, simply provide OpenVPN client certs to these devices. Route all traffic through the VPN tunnel, then you will have a star topology, somewhere in the OpenVPN setting you can set the option for devices to communicate with each other. That would be the least painful option.

Some routers, I know Asus’s have it, support OpenVPN clients, so it can also be setup on a router without pfSense, but then the user will need to know a bit more.

Some users seem to have problems using Windows over OpenVPN, using IP addresses or OpenVPN in TAP mode might overcome the issue.

Your problem shouldn’t be difficult to address.

Personally was shocked at how simple and easy zerotier setup/config was… and how elegant and simple once setup (reminded me of when small business server 2000 came out years ago)

Can still leverage you’re skill set if conceptually just few the zerotier sdwan as your “internal LAN” wrt to pfsense and the wider internet .Easier with OPNsense since it already has a zerotier addon which conceptually just sets up the sdwan network as just another interface

Probably just been too long in IT (and lazy)… now just view IT as something that is just secondary to “getting staff to get the job done with minimal excuses” :slight_smile:

This firewall would serve as a proxy to manage internet and oblige all members to go through it and its rules.

I am going to not recommend pfsense for this. Pfsense is powerful, but not when it comes to web traffic security (squid proxy sucks). It sounds like you are describing a next-gen utm firewall (fortigate, palo-alto, zscaler, etc). You might be better off outsourcing this type of task to a cloud hosted fortigate (azure), zscaler (as a service), a palo-alto instance, or any reliable on-prem solution that actually has proper proxying security solution.

Hi and thank you for your answer.
Yes this is how we work now. pfSense here and exterior components connecting via openvpn to our local network.
I was thinking about beefing up the security for every home office by centralizing a pfsense where all home offices would connect via openvpn and use the connection therefore provided.
Point is that most home offices are just using their ISP provided FW and far from secured. Trying to find a way to make it a bit more safe with this.
Maybe not the best solution… Don’t know.

Hi and thank you for your answer.
Agreed on squid. It does suck! Your solutions are something to think about. I’ll investigate this.
Firewall as a service would be a good idea… Someone doing it?

I’ve used fortigate and zscaler before with great success. When it comes with any kind of rules, security companies spend lots of money being on top of things. Any time you delve into this territory, you have to be ready to spend some money yearly subscription fees. Fortigets are solid value for what they provide, but you can also use something like zscaler as an aggregation point / final route out to the internet to have any kind of filtering policies. If I am not mistaken, you might be able to get some trials set up to test things out with some different providers.