Any hints or good ideas for numbering VPN tunnel networks so that they
can be easily and statically routed, just like the LANs they serve?
(e.g. for a big private internal corporate network).
One idea
Allocate, say, a /23 in place of a /24, and waste an entire /24 as a
tunnel network.
Pros - No additional routing directives required on any of the hubs
and spokes of the VPN-connected LANs.
Cons - Wasteful, and even more problematic if you have to
renumber because the proposed tunnel networks are in use.
Another idea
Allocate a parallel, yet similarly structured hierarchy in a different
netblock, say, 172.31.0.0/16
e.g. a static route to 10.240.0.0/12 would get a static entry for
the correlated tunnel network hierarchy, say, 172.31.240.0/20
(i.e. 10.240.0.0 thru 10.255.255.255 maps perfectly to 172.31.240.0
thru 172.31.255.255).
Pros - A single /16 (172.31.0.0) can exactly map and evolve
with the hierarchy of LANs (with granularity down to /23).
Cons - 2x the number of static routes
Any other ideas? From the real world, any thoughts about either schema?
Thanks!
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
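As an added illustration of the second idea (this is example code, not something from the post or from pfSense), the mapping the poster describes is a pure bit shift: the 24 host bits of 10.0.0.0/8 are compressed into the 16 host bits of 172.31.0.0/16 by dropping the low 8 bits, so a LAN prefix /n becomes a tunnel prefix /(n+8) and a /23 LAN lands on a /31 point-to-point tunnel, which is exactly the "granularity down to /23" limit. The script below computes the parallel tunnel prefix for a LAN prefix, inverts it, emits the paired static routes for a hub, and checks the proposed tunnel prefixes against an in-use list so a collision is found before anything has to be renumbered. The in-use prefixes and next-hop address are constructed sample values.

```python
from ipaddress import ip_network, IPv4Network

# Roots taken from the post: LAN hierarchy and the parallel tunnel block.
LAN_ROOT = ip_network("10.0.0.0/8")
TUNNEL_ROOT = ip_network("172.31.0.0/16")
# Each LAN prefix length grows by this much when mapped into the tunnel block.
SHIFT = TUNNEL_ROOT.prefixlen - LAN_ROOT.prefixlen  # 8
# A /23 LAN maps to a /31 (two addresses), the smallest usable tunnel.
MAX_LAN_PREFIX = 32 - SHIFT - 1  # 23


def lan_to_tunnel(lan) -> IPv4Network:
    """Map a LAN prefix under 10.0.0.0/8 to its parallel tunnel prefix under 172.31.0.0/16."""
    lan = ip_network(lan)
    if not lan.subnet_of(LAN_ROOT):
        raise ValueError(f"{lan} is not inside {LAN_ROOT}")
    if lan.prefixlen > MAX_LAN_PREFIX:
        raise ValueError(f"{lan} is longer than /{MAX_LAN_PREFIX}; no tunnel counterpart")
    # Offset of the LAN within the root, shifted down to fit the smaller tunnel block.
    offset = int(lan.network_address) - int(LAN_ROOT.network_address)
    tunnel_addr = int(TUNNEL_ROOT.network_address) + (offset >> SHIFT)
    # strict=True (the default) would raise if the result had host bits set,
    # which cannot happen here because the LAN was already a valid network.
    return ip_network((tunnel_addr, lan.prefixlen + SHIFT))


def tunnel_to_lan(tunnel) -> IPv4Network:
    """Inverse of lan_to_tunnel: recover the LAN prefix that a tunnel prefix was derived from."""
    tunnel = ip_network(tunnel)
    if not tunnel.subnet_of(TUNNEL_ROOT):
        raise ValueError(f"{tunnel} is not inside {TUNNEL_ROOT}")
    if tunnel.prefixlen < LAN_ROOT.prefixlen + SHIFT or tunnel.prefixlen > 31:
        raise ValueError(f"{tunnel} does not correspond to a /8..{MAX_LAN_PREFIX} LAN prefix")
    offset = int(tunnel.network_address) - int(TUNNEL_ROOT.network_address)
    lan_addr = int(LAN_ROOT.network_address) + (offset << SHIFT)
    return ip_network((lan_addr, tunnel.prefixlen - SHIFT))


def static_routes(lan, next_hop: str) -> list:
    """The two static entries a hub needs per LAN aggregate: the LAN prefix and its tunnel twin."""
    lan = ip_network(lan)
    return [(str(lan), next_hop), (str(lan_to_tunnel(lan)), next_hop)]


def tunnel_collisions(lans, in_use) -> list:
    """Return (tunnel_prefix, in_use_prefix) pairs that overlap, so a clash is found up front."""
    in_use = [ip_network(n) for n in in_use]
    clashes = []
    for lan in lans:
        tun = lan_to_tunnel(lan)
        for used in in_use:
            if tun.overlaps(used):
                clashes.append((str(tun), str(used)))
    return clashes


if __name__ == "__main__":
    # Constructed sample data: two LAN aggregates and an already-used prefix list.
    print(lan_to_tunnel("10.240.0.0/12"))        # 172.31.240.0/20, as in the post
    print(lan_to_tunnel("10.1.2.0/23"))          # 172.31.1.2/31, a point-to-point tunnel
    for entry in static_routes("10.240.0.0/12", "192.0.2.1"):
        print("route", *entry)
    print(tunnel_collisions(["10.240.0.0/12"], ["172.31.250.0/24", "192.168.0.0/16"]))
```

The collision check is the piece worth running before committing to the scheme: the post's "Cons" for the first idea is having to renumber when the proposed tunnel nets turn out to be in use, and the same risk applies to the 172.31.0.0/16 block, so feed it whatever prefixes are already routed anywhere in the hierarchy.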