VPN for Dedicated Network Device

I hope this message finds everyone well! I’m new to the community and thought I would post a question. I’m eager to get input and suggestions from everyone!

I’m currently looking to replace the firewall (currently SOPHOS) in the office with pfSense and a Netgate device. Probably thinking something along the lines of a Netgate 6100/7100 or even the higher-end 1500 series. In doing some of my research, it’s kinda gotten me interested in replacing the firewall at home as well (I think I may VPN them together… just a thought). Anyways, here is my question and I’m not finding much info that speaks to what I’m trying to do. What I’m trying to do on the home end is to use a pretty standard configuration, except for one device - a video streaming device (VSD). I would like to do one of two things - either set up a dedicated “video” VLAN for my VSD or perhaps keep it a bit simpler and just route based on the VSD local IP address instead of separate VLANs. I want to route ALL traffic just like I normally would for all devices on the network and send everything out to my local ISP (simple so far). The only exception to that rule/policy is I would want to route the VSD traffic through a VPN service (perhaps something like NordVPN???) or, if it’s not too expensive, set up a virtual pfSense “box” in a U.S. data centre and establish a VPN between the two Netgate boxes (or I guess one Netgate box at home and a virtual pfSense “box” in the USA). Either which way I do it, I need all of the traffic to/from the VSD to be routed to and from the USA. I don’t want data from my VSD to be routed out over the default gateway (to/from my ISP here in Ontario) - it has to be segregated. If I don’t route it out of the USA, the VSD simply won’t work. I’ll be honest, the reason I’m doing this is because I’m in Canada and some streaming services (most…) based out of the USA don’t want Canadians streaming from their service (for obvious reasons). So I’m looking for a way to route all traffic to/from the VSD (and only the VSD) to the USA.

Am I asking for too much or does this seem like something pfSense would do well? I’m new to pfSense, but not data networking (I spend all day in VLAN world, IPv4/IPv6 routing, etc.).

I’m eager to hear what people say and/or suggest.

Thank you everyone!

Yeah, what you want to do is pretty straightforward.

What I’d suggest is to set up two VLANs, ISP and VPN. Then you need to set up your VPN provider’s details on an OpenVPN client in pfSense. On your VPN VLAN you set your gateway to your VPN WAN.

Other things I’d suggest: add a kill switch, so that if your VPN provider’s servers go down, no traffic exits your WAN. Normally these VPN providers allow five “connections”, so you could set up five OpenVPN clients, put them in a gateway group, then you can set some criteria so that you always use the fastest connection, for example, or switch to another connection if the current one goes down.

Then, if you really want to get carried away, you can set up a further OpenVPN server at home that exits via the VPN gateway. Meaning you can connect to your VPN service via your phone without using up one of your “connections”.

Yes, pfSense can do policy routing to send traffic over a VPN:


Tom’s video above (along with potentially a few others he has) provided me with the info needed to do exactly this.

I use a Raspberry Pi at a family member’s house running WireGuard, and have a tunnel set up between that and my pfSense firewall at my residence. In pfSense that WireGuard tunnel is set up as a gateway and I use policy routing to pump only specific local IPs over the VPN tunnel, as I want some local devices to only talk over the secure VPN tunnel. More or less exactly what you seem to want to do, and it only requires WireGuard at the other end - it doesn’t even have to be pfSense to pfSense explicitly.
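As an added illustration of the remote Raspberry Pi end described in the post above (a constructed example, not the poster's own configuration): a wg-quick configuration that accepts the tunnel from pfSense and forwards and NATs the policy-routed traffic out the Pi's own uplink. The tunnel addresses, keys, port and the uplink interface name eth0 are placeholders; it assumes pfSense outbound-NATs the policy-routed host to its tunnel address on the WireGuard interface.

```ini
# /etc/wireguard/wg0.conf on the remote Raspberry Pi (constructed example).
# Replace every <...> value and the uplink name eth0 with your own.
#
# pfSense side (assumed, configured in the GUI): peer = this Pi's public key,
# endpoint = <PI_PUBLIC_IP>:51820, AllowedIPs = 0.0.0.0/0 so the tunnel can be
# a default-route gateway, gateway monitor IP = 10.99.0.1, plus an outbound NAT
# rule on the WireGuard interface so the routed host leaves as 10.99.0.2.
[Interface]
Address = 10.99.0.1/24            # tunnel address on the Pi side
ListenPort = 51820
PrivateKey = <PI_PRIVATE_KEY>     # generated with: wg genkey

# Traffic arriving over the tunnel has to be forwarded and masqueraded out the
# uplink, otherwise replies from the internet have no path back into wg0.
PostUp   = sysctl -w net.ipv4.ip_forward=1
PostUp   = iptables -A FORWARD -i %i -j ACCEPT
PostUp   = iptables -A FORWARD -o %i -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
PostUp   = iptables -t nat -A POSTROUTING -s 10.99.0.0/24 -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT
PostDown = iptables -D FORWARD -o %i -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -s 10.99.0.0/24 -o eth0 -j MASQUERADE

[Peer]
# The pfSense firewall at home. WireGuard drops any packet whose source is not
# in AllowedIPs, so only the pfSense tunnel address can send through here; if
# pfSense does not NAT to 10.99.0.2, add the home LAN subnet both here and to
# the MASQUERADE rule above instead.
PublicKey = <PFSENSE_PUBLIC_KEY>
AllowedIPs = 10.99.0.2/32
PersistentKeepalive = 25          # keeps the mapping open through home NAT
```

On the pfSense side the tunnel gateway is then selected in a LAN rule that matches only the streaming device's address, and a block rule directly beneath it (with no gateway set) keeps that device off the default WAN whenever the tunnel gateway is down, which is the kill switch the earlier reply mentions.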