Specific VLAN over VPN only
-
I have been using pfSense for around a year now and have a decent understanding of the basics. I am trying to move my configuration to something more complex, and seem to be hitting a wall, most likely due to lack of knowledge. My goal is to have a vlan dedicated to VPN traffic. This traffic should be able to reach other devices on the other vlans, and gain internet access through the VPN group, but never the WAN, even in the event that the VPN group is completely down.
Current config, right or wrong:
Gateways
Wan
VPN1
VPN4
VPN5
Gateway Group: VPN 1,4,5
Interfaces
WAN (physical)
LAN (physical)
General (physical)
VPN (physical)
VPN1 (virtual? created with VPN client addition)
VPN4 (virtual? created with VPN client addition)
VPN5 (virtual? created with VPN client addition)
VLANs
10 General (parent interface General)
20 VPN (parent interface VPN)
DHCP Server
192.168.10.1 for vlan 10
DNS is set to public IPs via the WAN GW on the General settings
192.168.20.1 for Vlan 20
DNS 1 and 2 are set to the VPN required address on the DHCP server settings page for vlan 20.
**I have done this since I cannot assign DNS addresses to my VPN gateway group.
OpenVPN Clients
VPN1
VPN4
VPN5
Firewall
VLAN 10: Allow IPV4*/LAN Net/Any/Any/Any/Any
VPN Vlan (20): Allow IPV4*/Any/Any/Any/Any/VPN Group
VPN1: Allow IPV4*/VPN1/Any/Any/Any/VPN Group
VPN2: Allow IPV4*/VPN2/Any/Any/Any/VPN Group
VPN3: Allow IPV4*/VPN3/Any/Any/Any/VPN Group
Currently with any/all VPN clients on
VLAN 10 can ping internal vlans, WAN, external IPs, but cannot resolve external names
VLAN 20 can ping internal vlans, WAN, external IPs, and resolve external names. Devices also show public IP from VPN provider
Currently with no VPN clients on
VLAN 10 can ping internal vlans, WAN, external IPs, and resolve external names, as well as pull a public IP from my local ISP
VLAN 20 can ping internal vlans, WAN, external IPs, and resolve external names, as well as pull a public IP from my local ISP
I am speculating the issue/s exist in my configuration of the Firewall NAT/Rules, but after messing with different combos for weeks now, I have given up on getting this resolved without external help. I ripped out most of my rules and NAT configs to keep it basic to hopefully assist in making it easier to get working.
I will post up configs from any areas that are needed as requested.
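An added illustration, written for this page and not posted by anyone in the thread: a toy Python model of how a pfSense pass rule whose gateway group is completely down gets handled, using the VLAN 20 rule listed above. It contrasts pfSense's documented default (the rule stays but loses its gateway, so matching traffic follows the default route to WAN) with the System > Advanced > Miscellaneous option "Skip rules when gateway is down" (the whole rule is omitted), and assumes a pass rule for inter-VLAN traffic sits above the policy-routing rule; the host addresses and rule names are constructed.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional

ANY = ip_network("0.0.0.0/0")
VLAN10, VLAN20 = ip_network("192.168.10.0/24"), ip_network("192.168.20.0/24")
LOCAL_NETS = [VLAN10, VLAN20]                       # directly connected VLANs
GROUPS = {"VPN Group": ["VPN1", "VPN4", "VPN5"]}    # gateway group from the thread

@dataclass
class Rule:
    action: str                    # "pass" or "block"
    src: IPv4Network
    dst: IPv4Network               # ANY models the GUI's "Any" destination
    gateway: Optional[str] = None  # gateway/group name; None = default route

def policy_route(src: str, dst: str, rules: List[Rule], up: Dict[str, bool],
                 skip_when_down: bool = False) -> str:
    """Return the egress ('local', 'WAN' or a VPN gateway name) or 'drop'."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:                      # first match wins, top to bottom
        if s not in r.src or d not in r.dst:
            continue
        if r.action == "block":
            return "drop"
        gw = r.gateway
        if gw is not None:
            live = [m for m in GROUPS.get(gw, [gw]) if up.get(m)]
            if live:
                return live[0]           # policy-route via a member that is up
            if skip_when_down:
                continue                 # rule omitted entirely; keep matching
            gw = None                    # default: rule kept, gateway stripped
        return "local" if any(d in n for n in LOCAL_NETS) else "WAN"
    return "drop"                        # implicit default deny

# VLAN 20 rules from the thread, plus an assumed inter-VLAN pass rule above them.
LEAKY = [Rule("pass", VLAN20, VLAN10), Rule("pass", VLAN20, ANY, "VPN Group")]
# Hardened: same, plus an explicit block below the policy-routing rule.
HARDENED = LEAKY + [Rule("block", VLAN20, ANY)]
ALL_DOWN = {"VPN1": False, "VPN4": False, "VPN5": False}

def egress_when_vpn_down(rules: List[Rule], skip_when_down: bool) -> str:
    # Constructed sample: a VLAN 20 host reaching a public address.
    return policy_route("192.168.20.50", "8.8.8.8", rules, ALL_DOWN, skip_when_down)

if __name__ == "__main__":
    for name, rules in (("leaky", LEAKY), ("hardened", HARDENED)):
        for skip in (False, True):
            print(f"{name:8} skip_when_down={skip}: {egress_when_vpn_down(rules, skip)}")
```

The point it makes: an explicit block rule under the VPN rule only bites once the skip option is on, because by default the stripped-gateway pass rule still matches first and sends the traffic out WAN.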
-
You can't send VLANs over a VPN. However, you can route from each VLAN as appropriate.
-
Bear with me as I may ask some dumb questions, but I am just seeking to better understand the inner workings and concepts. If VLANs can't be routed over a VPN, how does traffic flow over the VPN vlan when I have the VPN connections established?
In case it matters, this is just routing over a VPN for general internet access, not a site to site where i need the vlan tag to properly direct traffic on the other side of the connection.
-
You have to go back to the basics of the protocol stack. Ethernet is layer 2, IP is 3. A VPN emulates an IP connection and as such carries only IP traffic. VLANs are Ethernet and can't be carried over an IP connection, without being encapsulated in an IP packet. Regardless, if you have multiple VLANs, they'd each have their own subnet. pfSense can route all of them over the same VPN and sort them out at the other end, just as if it was over an ordinary IP connection.
There may be a method to support VLANs over a VPN, but it requires a TAP VPN, rather than the usual TUN VPN. While pfSense supports TAP, I don't know if it supports VLAN over TAP.
-
@JKnott I definitely need to go study up on the OSI model again. Networking class was so long ago! Thanks for offering some schooling. I will focus my efforts on trying to get a particular subnet to route over the VPN group I have set up then.