OPNsense, IPSEC VPN and Cisco Umbrella

Started by bx2, October 23, 2025, 06:42:01 PM

Hello everyone,

Our organization uses Cisco Umbrella for web filtering. At our primary site (Home Office) I have two Cisco Umbrella Virtual Forwarders that are used for DNS resolution.

I am working on configuring and testing two DEC2752 units in an HA configuration for a remote office. The remote office will connect to Home Office via an IPsec site-to-site VPN connection.

This remote office is small enough that there is not and won't be any server onsite. Due to this, I want our web traffic from the remote site to traverse the VPN tunnel back to the home office.

Now, in the event that the VPN tunnel is down, I want to use the Cisco Umbrella public DNS IPs.

The remote office staff get their IP addressing/DNS information via AD/DHCP. This of course won't work when the tunnel is down.

I was thinking that I might be able to configure the public DNS IP addresses in the OPNsense System/General settings but I am not sure if that would help.

Within OPNsense, I have not configured Unbound/DNSMasq.

Any suggestions with my current configuration on what I can do to keep web traffic flowing if IPSEC is down?


Thank you,
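
As an added example, not part of bx2's post or of the reply below and not OPNsense's own shipped configuration: one way to get the ordered fallback bx2 asks for is to let the DEC2752 pair run Dnsmasq as the resolver the remote-office clients point at, forwarding to the home-office Umbrella Virtual Forwarders first and to Umbrella's public resolvers only when those stop answering. All addresses and the interface name are placeholders: the 192.0.2.0/24 and 198.51.100.0/24 documentation ranges stand in for the two Virtual Forwarders and for the Umbrella public resolvers respectively, and must be replaced with the real ones. The fragment is plain dnsmasq.conf syntax; the OPNsense Dnsmasq service exposes equivalent settings in its GUI, whose field names are not reproduced here.

```ini
# Constructed example dnsmasq.conf fragment; every address below is a placeholder.

# Ignore /etc/resolv.conf on the firewall itself and use only the
# server= lines in this file as upstreams.
no-resolv

# Try the upstreams strictly in the order they are listed, instead of
# dnsmasq's default of spreading queries over whichever upstream has
# answered fastest. A query goes to the home-office forwarders first
# and is only handed to the public resolvers after those fail to reply.
strict-order

# Home-office Cisco Umbrella Virtual Forwarders, reached across the
# IPsec tunnel (placeholder addresses).
server=192.0.2.10
server=192.0.2.11

# Fallback: Cisco Umbrella public resolvers, reached over the remote
# office's own internet line (placeholders; substitute the addresses
# Umbrella publishes for its public resolvers).
server=198.51.100.1
server=198.51.100.2

# Answer only on the remote-office LAN so the firewall is not an open
# resolver towards the WAN. "lan0" is a placeholder interface name.
interface=lan0
bind-interfaces

# Log each query and which upstream it was forwarded to, so the
# failover can be verified with the tunnel up and with it down.
log-queries
```

Two things have to be true for this to help. First, DHCP must hand the clients the firewall's LAN address as their DNS server rather than the home-office forwarders directly; otherwise the fallback is never in the resolution path, which is exactly the failure bx2 describes. Second, while the tunnel is down each query still waits for the home-office forwarders to time out before dnsmasq moves on, so expect slower lookups during an outage rather than failed ones. Note also that queries sent to the public resolvers arrive at Umbrella from the remote office's own egress IP instead of from the Virtual Forwarders, so the policy Umbrella applies is whatever matches that address; check the result in the Umbrella dashboard after a test failover. Validate the syntax with `dnsmasq --test` and confirm the actual forwarding order in the query log before trusting it.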

Hi there,

In fact, you'd want to avoid the tunnel from "Remote Office" going down, but what are the risks:
1 -- "Remote Office" ISP line/hardware down/bricked.
2 -- OPNsense cluster down.
3 -- local Layer2 devices (switches etc) down.
4 -- "Home Office" unreachable.

If 1, 2 or 3 occurs (or any combination of them), there won't be any connectivity to anything at all from "Remote Office" anyway.
Hence, how many times a year is the "Home Office" unreachable?

If I'd be in your shoes, I'd raise a few questions and would try to get their real answers:
-- do we really "need" all the "Remote Office" traffic to "break out" at "Home Office"? Wouldn't internal resources be enough, i.e. 10.0.0.0/8?
-- Connectivity behind a FW typically means Layer 3; does it make sense to cross a tunnel to get the needed Layer 3 remote endpoints set up (DHCP over IPsec)?
-- what is the "Remote Office" sustained bandwidth need on average?
-- what about adding a cheap LTE 4G/5G local breakout at "Remote Office"?

I would go for a backup "line" with LTE 4G/5G if sustainable.
Also, is IPsec a compliance-tied item? WireGuard tunnels would come up extremely fast from whichever source IP your "Remote Office" is coming from.

Hope this helps a bit.
Cheers