I have this setup using MikroTik devices and have about 10 sites that I remotely connect to that are accessible via a /24 overlay network using WireGuard. I also have another /24 that I use for my daily road warrior connections.
I’m not much help for OPN/PFsense, but I can give you a few pointers.
For your management network, choose something unique (as in, avoid 192.168.1.0/24). I have the MikroTiks set up to do NAT from my mgmt subnet to the local subnet that they get a DHCP address from (sometimes these devices aren’t the actual router of the remote side I’m trying to access).
This way, when a request from my mgmt subnet is sent, it gets NATed to the MikroTik’s local IP and then the remote resource can respond without having to go through its gateway directly. This does require a little work, as I need to know exactly which device I’m trying to reach and which ports. This isn’t a big deal though and works seamlessly for my use case.
As far as securing access, I simply have a firewall rule in place that drops any traffic originating from the management network that isn’t established or related to existing traffic that originated from my other subnets.
As far as road warriors go, I have another subnet that is treated like my local subnet, and I just configure the peer to use the other subnet. Since my road warrior subnet is a “LAN” network/interface list, it’s not subject to the firewall rules above, which allows my phone to seamlessly reach my file server, etc.
It gets even more fun if you have an iPhone and configure VPN on demand profiles. If I’m out and about and try to reach any of my subnets, it triggers the connection automatically and then disconnects as soon as I’m back on my home Wi-Fi.
Good luck!
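As an added example (not from the post above, and not a verified copy of the poster's config), here is one way to express the pieces described in that reply in RouterOS 7 CLI syntax: the WireGuard management overlay and the masquerade rule on a remote MikroTik that is not the site router, and the established/related-only filter plus the road warrior "LAN" interface list membership on the hub. The subnets (10.99.0.0/24 for management, 10.98.0.0/24 for road warriors), interface names, endpoint hostname and key placeholders are all assumptions.

```routeros
# ---- Remote site device (assumed address 10.99.0.5 on the mgmt overlay) ----
# WireGuard overlay used only for management; keys are placeholders, not real values.
/interface wireguard add name=wg-mgmt listen-port=13231 private-key="<PLACEHOLDER-SITE-PRIVATE-KEY>"
/ip address add address=10.99.0.5/24 interface=wg-mgmt
/interface wireguard peers add interface=wg-mgmt public-key="<PLACEHOLDER-HUB-PUBLIC-KEY>" allowed-address=10.99.0.0/24 endpoint-address=hub.example.invalid endpoint-port=13231 persistent-keepalive=25s

# This device is not the site's router: it simply takes a DHCP lease on ether1.
/ip dhcp-client add interface=ether1 disabled=no

# Masquerade management-sourced traffic behind the DHCP-assigned local address, so the
# target host on the local subnet replies straight back to this device rather than via
# its own gateway (which knows nothing about 10.99.0.0/24).
/ip firewall nat add chain=srcnat src-address=10.99.0.0/24 out-interface=ether1 action=masquerade comment="mgmt overlay -> local LAN"

# ---- Hub router ----
# Management overlay and road warrior tunnel (placeholders again).
/interface wireguard add name=wg-mgmt listen-port=13231 private-key="<PLACEHOLDER-HUB-PRIVATE-KEY>"
/interface wireguard add name=wg-roadwarrior listen-port=13232 private-key="<PLACEHOLDER-RW-PRIVATE-KEY>"
/ip address add address=10.99.0.1/24 interface=wg-mgmt
/ip address add address=10.98.0.1/24 interface=wg-roadwarrior

# Road warrior peers get the other subnet and the tunnel is treated like the LAN, so the
# default LAN rules apply to it instead of the management drop rule below.
/interface wireguard peers add interface=wg-roadwarrior public-key="<PLACEHOLDER-PHONE-PUBLIC-KEY>" allowed-address=10.98.0.10/32
/interface list member add list=LAN interface=wg-roadwarrior

# Management overlay: return traffic for connections the hub's own subnets started is
# accepted; anything new that originates from the mgmt network is dropped.
/ip firewall filter add chain=forward connection-state=established,related action=accept comment="return/related traffic"
/ip firewall filter add chain=forward in-interface=wg-mgmt src-address=10.99.0.0/24 connection-state=new action=drop comment="drop new traffic sourced from mgmt overlay"
```

Rule order matters in RouterOS: the established/related accept must sit above the drop, and `/ip firewall filter print` confirms the final ordering after import.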