Multi-Site Security Concepts

In the past several years, my organization has grown from 1 to 3 sites (each site with its own pfSense firewall), is now adding a 4th, and I’m hearing rumors of a 5th.

I’m using IPSec routed VTI tunnels to connect these sites together. As per the norm, every time a site adds a network, not only do I define rules on the network/subnet of where the clients live, but also have to add rules to the IPSec rules tab on each affected firewall to allow the traffic from the new subnet at the other site to come in.

As the number of sites and subnets has grown, it’s gotten to be a lot of hassle and spaghetti rules, because I tried to be careful and limited the scope of rules in the IPSec tab in the same way that I would the rules on a new network/subnet.

I’m thinking of setting a single rule on the IPSec tab of each firewall that allows RFC1918 networks to talk to RFC1918 networks. Then hone in on each network/subnet and scope those rules appropriately, as to where those clients can go.

This would greatly simplify administration for me, and having good rules on each network/subnet would still provide the needed level of security. Am I missing something?

If the rules are the same for each site, then what I do is create an alias for all the remote networks, and when a new site needs to be added, I add the remote network to the alias.
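A small model of pfSense's per-interface rule evaluation, written here as an added example (not code from the thread); the site addresses and the SERVERS subnet are constructed placeholders. It shows which rule set actually governs a given flow: traffic arriving through the VTI is checked only against the IPsec tab, so the per-subnet rules scope what local clients may initiate, while the IPsec tab rule alone decides what remote sites may reach; it also contrasts the single RFC1918-to-RFC1918 rule with the alias-scoped rule from the reply.

```python
import ipaddress

# Constructed site layout: the thread names no addresses, so these are placeholders.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SITES = {
    "A": {"LAN": "10.1.0.0/24", "SERVERS": "10.1.10.0/24"},
    "B": {"LAN": "10.2.0.0/24"},
}

def net(s):
    return ipaddress.ip_network(s)

def local_nets(site):
    return [net(n) for n in SITES[site].values()]

def remote_alias(site):
    """Alias of every other site's networks (the reply's approach): one new entry per added site."""
    return [net(n) for s, ifs in SITES.items() if s != site for n in ifs.values()]

def in_any(ip, nets):
    return any(ipaddress.ip_address(ip) in n for n in nets)

def rulesets(site, broad):
    """Per-interface rule lists on one firewall: (action, src nets, dst nets, dst port or None).
    IPsec tab: either the single RFC1918 -> RFC1918 rule or the alias-scoped remote -> local rule."""
    ipsec_rule = (RFC1918, RFC1918) if broad else (remote_alias(site), local_nets(site))
    rules = {"IPsec": [("pass", *ipsec_rule, None)]}
    for iface, cidr in SITES[site].items():
        # LAN clients may reach any remote network; SERVERS may only initiate HTTPS to remote sites.
        rules[iface] = [("pass", [net(cidr)], remote_alias(site), 443 if iface == "SERVERS" else None)]
    return rules

def evaluate(site, src, dst, dport, broad=True):
    """Verdict and governing interface for a packet arriving at this site's firewall.
    pfSense filters on the interface the packet enters: a local interface for local sources,
    the IPsec tab for anything that arrives through the tunnel. First match wins."""
    iface = next((i for i, c in SITES[site].items() if in_any(src, [net(c)])), "IPsec")
    for action, srcs, dsts, port in rulesets(site, broad)[iface]:
        if in_any(src, srcs) and in_any(dst, dsts) and port in (None, dport):
            return (action, iface)
    return ("block", iface)  # default deny

if __name__ == "__main__":
    # Remote LAN host reaching a local server on SSH: decided by the IPsec tab, not the SERVERS rules.
    print(evaluate("A", "10.2.0.5", "10.1.10.20", 22))
```

Run with `broad=False` to see that a source outside the remote alias (for example a 192.168.x.x address the peer was never expected to send) is dropped at the IPsec tab instead of being passed by the blanket RFC1918 rule.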