Layer 2 Tunnel over Layer 3 (IPSec/GRE/GIF)

prx

Hi,

I would like to connect 2 sites via a Layer 2 tunnel. Consider the following scenario:
Site A (Headquarter) with 3 Vlans:

• Vlan 10 LAN (192.168.10.0/24)
• Vlan 20 Server (192.168.20.0/24)
• VLAN 30 WiFi (192.168.30.0/24)

Site B with 2 Vlans

• Vlan 10 LAN
• Vlan 30 WiFi

I would like, if it is possible, to create a layer 2 tunnel between Site A and B for Vlans 10 and 30. In other words my goal is that a PC at Site B on VLAN 10 receive an IP via DHCP from the Pfsense installed on site A. Is it possible to bridge the two VLANs 10 in site A and B and route all the traffic of PCs in Vlan 10 in site B via this layer 2 tunnel, and do the same for vlan 30?
In few words, is it possible to "extend" one or more VLANs over internet?

Thank you very much

JKnott

The usual way to do that is to just route the VLANs through the VPN. No need to use layer 2 over the VPN. With OpenVPN, you'd use the TAP mode, for layer 2, but I'm not sure how well it handles VLANs.

prx

@jknott

At site B I have only the ISP Router (Cisco 1921), so I can't use OpenVPN. My goal is to use PfSense as a firewall for both the sites (A and B), how can I reach my goal?

Thank you

JKnott

@prx

Do you absolutely need L2? If all you want to do is have the same subnets available at each site, just route them as I said. Start with how you would do just one network and go from there.

bingo600

@prx said in Layer 2 Tunnel over Layer 3 (IPSec/GRE/GIF):

how can I reach my goal?

Get a second pfSense for SiteB.

JKnott

@bingo600 said in Layer 2 Tunnel over Layer 3 (IPSec/GRE/GIF):

Get a second pfSense for SiteB.

????

The normal way to connect two sites is to route through the VPN. It makes no difference how many subnets you do that with.

stephenw10

If you can't get another pfSense instance at Site B then what can the Cisco router do? That will determine what you use.

What you really want there is a VXLAN but we're not there yet....

Steve

JKnott

@stephenw10

I'm not familiar with that particular model but, generally, with Cisco you can do a lot. You could certainly route a couple of subnets over a VPN. Consider how you'd do this in pfsense. You'd set up the tunnel, which then provides an IP route between the two sites. Then you set up routing for each subnet you want to have at the other end. Cisco is all about routing, as that's where they started.

bingo600

@jknott said in Layer 2 Tunnel over Layer 3 (IPSec/GRE/GIF):

@bingo600 said in Layer 2 Tunnel over Layer 3 (IPSec/GRE/GIF):

Get a second pfSense for SiteB.

????

The normal way to connect two sites is to route through the VPN. It makes no difference how many subnets you do that with.

What does the above have to do with recommending the OP to use a pfSense on site B ?

Didn't the OP say L2 bridging ?
How would you do that on the Cisco ?

I'we done ipsec through GRE on Cisco's , prob. the closest you can come to "semi bridging" on a Cisco , and it was a PITA.

If L3 can be used , ipsec would be supported in both ends.

But IMHO , and considering the C1921 is "EOL/EOS" i still think that getting a 2'nd pfSense is the way to go.

/Bingo

prx

Hi,

first of all thanks to all.
My goals, if it is possible, is bridge vlan 10 on site A with vlan 10 on site B and bridge and do the same thing for vlan 30. If it is not possible, the important thing is that, on site B, PCs connected on vlan 10 will receive via DHCP (DHCP Server configured on PfSense) an IP of the the subnet 192.168.10.0/24 and the same thing for clients connected on vlan 30. If this is not possible I can use for vlans 10 and 30 on site B different subnets, but in this case how can I achieve my goals? the navigation must be centralized on PfSense in Site A.

thank you

JKnott

@bingo600 said in Layer 2 Tunnel over Layer 3 (IPSec/GRE/GIF):

Didn't the OP say L2 bridging ?

One thing I've learned is it's often better to find out what the goal is, rather than what the person thinks has to be done. There's not a lot of reason to use L2 in a VPN. In this case, the OP has multiple VLANs/subnets he wants to pass through a VPN. What is the goal here? Putting VLANs through a VPN? Or connecting subnets at either end together. If the sole reason for L2 is to do that, then it's the wrong way to go.

JKnott

@prx

Do they have to be bridged, so that they have the same subnet addresses? If not, then just route.

prx

@jknott

Hi,
as I said, the subnet addresses can be different. All the traffic of all site B Vlans must be pass/fileter through the PfSense of Site A. Another important thing, as I said, PC on Vlan 10 (Site B) must receive via DHCP, the correct ip address (for example 192.168.50.0/24) and the same thing for clients on vlan 30 (for example 192.158.60.0/24).

Thank you

stephenw10

And to be clear you need to use the Cisco router at site B, you cannot replace it?

Because that would seem to rule out a L2 link anyway.

Can it do DHCP relay?

Steve

bingo600

@stephenw10 said in Layer 2 Tunnel over Layer 3 (IPSec/GRE/GIF):

Can it do DHCP relay?

Cisco IoS , can do local DHCP server , or DHCP relay (ip helper)

JKnott

@prx

Since the subnets don't have to be the same at each end, just route from each subnet/VLAN at one end to the corresponding subnet/VLAN at the other. There is no need to try to pass the VLAN tags between the sites. As for DHCP, you can either run DHCP servers at each site or use a relay agent to get DHCP from one site to the other.

bingo600

@stephenw10
Stephen
Just for my info ...

Not that i need it ... yet.

Can we create a "Non interface" assigned DHCP scope on a pfSense. Aka get it to serve a scope that has no interface relation ? ... Ie. in relation with a remote site that can "DHCP forward"

/Bingo

JKnott

@bingo600

Wouldn't it be easier to just run a DHCP server at the other end? I could understand the need for relays back in the dark ages, when sites were connected with low bandwidth connections and you wanted to keep management local, but those days are long gone.

Derelict

@jknott @bingo600 Or use a DHCP server other than the one in pfSense if it doesn't meet your needs.

bingo600

@derelict said in Layer 2 Tunnel over Layer 3 (IPSec/GRE/GIF):

@jknott @bingo600 Or use a DHCP server other than the one in pfSense if it doesn't meet your needs.

The question was just a "nice to know"

I do not use pfsense dhcp at home.
I use isc-dhcp & bind9 (Debian).

Has a few advantages, at the cost of complexity & "vi"
But i love the dynamic registration , and the occational mac matching.

I use pfSense dhcp at work, on all the sites.