Netgate Discussion Forum

    Which tunnel to use?

    General pfSense Questions
    3 Posts 2 Posters 521 Views
    Eduardox (last edited by Eduardox)

      Hi,

      I have 2 locations with both pfSense running on it:

      location 1 (home) = 192.168.1.0/24 - pfSense1 on 192.168.1.254 - DHCP for clients .100 to .199
      location 2 (vacation home) = 192.168.2.0/24 - pfSense2 on 192.168.2.254 - DHCP for clients .100 to .199

      I have a working IPSec tunnel between both sites. So everything fine so far, I can reach all devices from both sites.

      Now, I would like to have one interface on pfSense at location 2 that behaves like it's on a switch on network 1. So it should get an IP from pfsense1 - but not just that, it should route "all" protocols, VLANs, etc.

      I think I need a GRE tunnel for that? Is that correct?

      The purpose is this: I have a TV decoder installed at location 1, connected to a separate DSL line and modem, and I want to be able to take my TV decoder to location 2 to watch TV there, occasionally. This does not simply work with routing IP, I think they use VLANs or maybe some other protocols.

      So would a GRE tunnel be good for this purpose? If yes, then I need a bit of help, because I already tried setting up the GRE tunnel (both pfSense boxes have a free NIC for this purpose) but so far I failed...

      Can I use both an IPsec tunnel AND a GRE tunnel between the same endpoints?
      Or better to tunnel the GRE over this IPsec tunnel probably... but how?

      Thanks a lot!

      jimp (Rebel Alliance Developer, Netgate)

        GRE would not help since GRE can only carry layer 3 information. GIF would be what you want for L2, but that would be a problem here. If you add a bridged interface that will break your existing tunnel since it can't have the same network both "locally" (even bridged) as well as connected over IPsec. There is no way for it to determine which path it should take.

        Also, neither GIF nor GRE are encrypted so you'd have to run that over something else (e.g. transport IPsec).

        You'd be better off using an OpenVPN tap bridge, to be honest. Though you'd still have the same routing issue.

        If the decoder is on its own separate DSL line and modem, you could use a separate pfSense firewall to handle that traffic in an isolated way to remove the potential conflict.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        Eduardox
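The routing ambiguity jimp describes above (the same network present both on a local bridged interface and as an IPsec phase 2 remote network) can be checked before the bridge is brought up. The script below is an added example written for this thread, not code from the forum or from pfSense; the interface names, subnets and phase 2 entries are constructed to mirror the two sites in the question, and `find_conflicts` is a hypothetical helper, not a pfSense API.

```python
"""Added example (not from the thread or pfSense): flag any network that is
reachable both over a local (possibly bridged) interface and through an
IPsec phase 2, which is the conflict jimp warns about.  All data below is
constructed for the demonstration."""
import ipaddress

# Constructed snapshot of pfSense2 (location 2) after adding a hypothetical
# L2 bridge (OpenVPN tap or similar) that extends 192.168.1.0/24 from site 1.
LOCAL_NETWORKS = {
    "lan":     "192.168.2.0/24",   # site 2 LAN, directly connected
    "bridge0": "192.168.1.0/24",   # site 1 LAN, now also "local" via the bridge
}

# Constructed IPsec phase 2 entries as (local subnet, remote subnet) pairs,
# matching the working site-to-site tunnel from the first post.
IPSEC_P2 = [
    ("192.168.2.0/24", "192.168.1.0/24"),
]


def find_conflicts(local_networks, ipsec_p2):
    """Return a list of (interface, local_network, p2_remote_network) tuples
    for every local interface whose network overlaps a phase 2 remote
    network.  A destination in such a network has two candidate paths
    (directly out the interface, or encapsulated into the tunnel), so the
    firewall's choice is not the one the operator intends."""
    conflicts = []
    for iface, net in local_networks.items():
        local = ipaddress.ip_network(net, strict=False)
        for _local_sel, remote_sel in ipsec_p2:
            remote = ipaddress.ip_network(remote_sel, strict=False)
            if local.overlaps(remote):
                conflicts.append((iface, str(local), str(remote)))
    return conflicts


def is_safe(local_networks, ipsec_p2):
    """True when no local interface network overlaps a phase 2 remote network."""
    return not find_conflicts(local_networks, ipsec_p2)


if __name__ == "__main__":
    for iface, local, remote in find_conflicts(LOCAL_NETWORKS, IPSEC_P2):
        print(f"conflict: {iface} carries {local}, also remote net {remote} in IPsec P2")
    # Same check without the bridge: the original tunnel-only setup is clean.
    print("tunnel-only layout safe:",
          is_safe({"lan": "192.168.2.0/24"}, IPSEC_P2))
```

The overlap test uses `ipaddress.ip_network(...).overlaps`, so it also catches partial overlaps (for example a /25 carved out of the bridged /24), not only identical prefixes.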

          Thanks for your reply, it's appreciated.

          I'm willing to remove the IPsec link then, if there is no other way.

          Basically I just want an RJ45 port on pfSense2 that connects to an RJ45 port of pfSense1, as if there were just a simple switch in between them.

          So I have to use GIF then. I don't mind that the traffic is not encrypted (it's just an IPTV stream), but would that also mean that my pfSense could be entered more easily by hackers?

          Can you point me a bit in the right direction? So on both sides I create a new GIF interface. What would I use as the "GIF tunnel local address" and "GIF tunnel remote address"? Can I use something random (like 10.0.0.1 and 10.0.0.2) or does it need to be in the IP range that the TV decoder uses?

          Thanks!

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.