Layer 2 Tunnel over Layer 3 (IPSec/GRE/GIF)
-
Hi,
I would like to connect 2 sites via a Layer 2 tunnel. Consider the following scenario:
Site A (Headquarters) with 3 Vlans:
- Vlan 10 LAN (192.168.10.0/24)
- Vlan 20 Server (192.168.20.0/24)
- VLAN 30 WiFi (192.168.30.0/24)
Site B with 2 Vlans
- Vlan 10 LAN
- Vlan 30 WiFi
I would like, if it is possible, to create a layer 2 tunnel between Site A and B for Vlans 10 and 30. In other words my goal is that a PC at Site B on VLAN 10 receives an IP via DHCP from the Pfsense installed on site A. Is it possible to bridge the two VLANs 10 in site A and B and route all the traffic of PCs in Vlan 10 in site B via this layer 2 tunnel, and do the same for vlan 30?
In a few words, is it possible to "extend" one or more VLANs over the internet?
Thank you very much
-
The usual way to do that is to just route the VLANs through the VPN. No need to use layer 2 over the VPN. With OpenVPN, you'd use the TAP mode, for layer 2, but I'm not sure how well it handles VLANs.
-
At site B I have only the ISP Router (Cisco 1921), so I can't use OpenVPN. My goal is to use PfSense as a firewall for both the sites (A and B), how can I reach my goal?
Thank you
-
Do you absolutely need L2? If all you want to do is have the same subnets available at each site, just route them as I said. Start with how you would do just one network and go from there.
-
@prx said in Layer 2 Tunnel over Layer 3 (IPSec/GRE/GIF):
how can I reach my goal?
Get a second pfSense for SiteB.
-
@bingo600 said in Layer 2 Tunnel over Layer 3 (IPSec/GRE/GIF):
Get a second pfSense for SiteB.
????
The normal way to connect two sites is to route through the VPN. It makes no difference how many subnets you do that with.
-
If you can't get another pfSense instance at Site B then what can the Cisco router do? That will determine what you use.
What you really want there is a VXLAN but we're not there yet....
Steve
-
I'm not familiar with that particular model but, generally, with Cisco you can do a lot. You could certainly route a couple of subnets over a VPN. Consider how you'd do this in pfsense. You'd set up the tunnel, which then provides an IP route between the two sites. Then you set up routing for each subnet you want to have at the other end. Cisco is all about routing, as that's where they started.
-
@jknott said in Layer 2 Tunnel over Layer 3 (IPSec/GRE/GIF):
@bingo600 said in Layer 2 Tunnel over Layer 3 (IPSec/GRE/GIF):
Get a second pfSense for SiteB.
????
The normal way to connect two sites is to route through the VPN. It makes no difference how many subnets you do that with.
What does the above have to do with recommending the OP to use a pfSense on site B ?
Didn't the OP say L2 bridging ?
How would you do that on the Cisco? I've done ipsec through GRE on Cisco's, prob. the closest you can come to "semi bridging" on a Cisco, and it was a PITA.
If L3 can be used, ipsec would be supported in both ends.
But IMHO, and considering the C1921 is "EOL/EOS", I still think that getting a 2nd pfSense is the way to go.
/Bingo
-
Hi,
first of all thanks to all.
My goal, if it is possible, is to bridge vlan 10 on site A with vlan 10 on site B and do the same thing for vlan 30. If it is not possible, the important thing is that, on site B, PCs connected on vlan 10 will receive via DHCP (DHCP Server configured on PfSense) an IP of the subnet 192.168.10.0/24 and the same thing for clients connected on vlan 30. If this is not possible I can use different subnets for vlans 10 and 30 on site B, but in this case how can I achieve my goals? The navigation must be centralized on PfSense in Site A.
Thank you
-
@bingo600 said in Layer 2 Tunnel over Layer 3 (IPSec/GRE/GIF):
Didn't the OP say L2 bridging ?
One thing I've learned is it's often better to find out what the goal is, rather than what the person thinks has to be done. There's not a lot of reason to use L2 in a VPN. In this case, the OP has multiple VLANs/subnets he wants to pass through a VPN. What is the goal here? Putting VLANs through a VPN? Or connecting subnets at either end together. If the sole reason for L2 is to do that, then it's the wrong way to go.
-
Do they have to be bridged, so that they have the same subnet addresses? If not, then just route.
-
Hi,
as I said, the subnet addresses can be different. All the traffic of all site B Vlans must pass through / be filtered by the PfSense of Site A. Another important thing, as I said, PCs on Vlan 10 (Site B) must receive via DHCP the correct IP address (for example 192.168.50.0/24) and the same thing for clients on vlan 30 (for example 192.158.60.0/24).
Thank you
-
And to be clear you need to use the Cisco router at site B, you cannot replace it?
Because that would seem to rule out a L2 link anyway.
Can it do DHCP relay?
Steve
-
@stephenw10 said in Layer 2 Tunnel over Layer 3 (IPSec/GRE/GIF):
Can it do DHCP relay?
Cisco IOS can do local DHCP server, or DHCP relay (ip helper)
-
Since the subnets don't have to be the same at each end, just route from each subnet/VLAN at one end to the corresponding subnet/VLAN at the other. There is no need to try to pass the VLAN tags between the sites. As for DHCP, you can either run DHCP servers at each site or use a relay agent to get DHCP from one site to the other.
-
@stephenw10
Stephen
Just for my info... Not that I need it... yet.
Can we create a "non interface" assigned DHCP scope on a pfSense? Aka get it to serve a scope that has no interface relation? I.e. in relation with a remote site that can "DHCP forward".
/Bingo
-
Wouldn't it be easier to just run a DHCP server at the other end? I could understand the need for relays back in the dark ages, when sites were connected with low bandwidth connections and you wanted to keep management local, but those days are long gone.
-
@derelict said in Layer 2 Tunnel over Layer 3 (IPSec/GRE/GIF):
@jknott @bingo600 Or use a DHCP server other than the one in pfSense if it doesn't meet your needs.
The question was just a "nice to know"
I do not use pfsense dhcp at home.
I use isc-dhcp & bind9 (Debian). Has a few advantages, at the cost of complexity & "vi".
But I love the dynamic registration, and the occasional mac matching.
I use pfSense dhcp at work, on all the sites.
-
@jknott said in Layer 2 Tunnel over Layer 3 (IPSec/GRE/GIF):
I could understand the need for relays back in the dark ages,
Actually my home pfsense relays requests to my linux dhcp.
But they are "same site". For doing remote relay, you have to take "line outage", and thereby site outage (no dhcp), into account.
I have had users complaining during a line outage that they couldn't print their local word doc to their local printer (dhcp outage). They kind of accepted that they couldn't "see the server", now that the line was down. But their PC & printer were in the same room.... That was hard to understand.
All was because the IT Dept was "saving" , and wasn't interested in having a Win BDC at every site anymore.
And no $$ for redundant lines. Well, you get what you pay for, but local dhcp & dns can be essential.
That's where pfSense is a super "One box fits it all"
-
Circling back I think the answer here is that if you have to use that Cisco router at site B you will need to just route the traffic and have different subnets at each end.
If you can replace it with pfSense there are more options but we would still recommend routing it with different subnets at each end.
Steve
-
Hi,
at site B I have to use the Cisco router, and following your advice, we will try to configure a GRE or IPSec tunnel.
I'll keep you posted. Thank you very much to all
-
Remember GRE alone is unencrypted, it's just tunneling
-
Hi,
I am doing some tests using 2 pfsense (remember that in production on site B I must use a Cisco Router). I created 2 GRE Tunnels and I can ping the GRE interfaces (from pfsense at site A to pfsense at site B and vice versa).
The GRE interfaces are /30 subnets:
GRE Tunnel 1 (for vlan 10)
- 192.168.33.1/30 (Site A)
- 192.168.34.2/30 (Site B)
GRE Tunnel 2 (for vlan 30)
- 192.168.34.1/30 (Site A)
- 192.168.34.2/30 (Site B)
Now the question is: how can I "bind" GRE Tunnel 1 (Site B) to vlan 10 and GRE Tunnel 2 (Site B) to Vlan 30? I ask because all the traffic on vlan 10 at Site B must be forwarded to vlan 10 at site A (DHCP and all kinds of traffic), and the same thing for vlan 30.
Another question: at Site A, in addition to the GRE interfaces, do I need to create any particular interfaces?
Thank you
-
Ok,
in my tests now I have the following interfaces (in addition to the GRE):
Site A:
- Test 1 (Vlan 10): 192.168.55.1/24
- Test 2 (Vlan 30): 192.168.56.1/24
Site B:
- Test 1 (Vlan 10): 192.168.45.1/24
- Test 2 (Vlan 30): 192.168.46.1/24
Now the goal is to forward all the traffic of clients in Vlan A at Site B to the interface Test 1 (Vlan 10) at Site A, and, if it is possible, the clients at site B should receive their ip via a dhcp server enabled on the pfsense at site A.
The same thing for vlan 30...
Then, for internet navigation of the clients at Site B, is it enough to NAT the subnets? Do I have to configure static routes?
Thank you
-
Ok,
I went ahead with my tests and now I can surf the internet via the GRE Tunnel from the clients on vlan 10 at Site B. The only thing left to do is the implementation of the DHCP Server on PfSense at Site A, so the clients at Site B receive the right IPs:
- Vlan 10: 192.168.45.0/24
- Vlan 30: 192.168.46.0/24
How can I achieve this goal?
-
Are you sure you want to send company traffic over an unencrypted link?
-
Mmm, I always assume GRE over IPSec but....
You will need to set up a dhcp relay at site B pointing to a dhcp server at site A. However that probably can't be pfSense since there is no way to add a dhcp server for a subnet it does not have an interface in.
Steve
-
At this time I am doing only some tests. So, if I understood well, I can't use PfSense as DHCP Server at Site A... And what if I use IPSec VTI instead of a GRE Tunnel?
Thank you
-
It wouldn't make any difference in terms of the dhcp server.
I would use routed IPSec there if the other router supports it if only because there are issues with GRE/IPSec in pfSense which it's better to avoid. And you definitely want to use encryption.
Steve
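As an added example (not from the thread, Netgate or Cisco documentation), this is what the routed design the thread settles on looks like on the site B Cisco router: the GRE tunnel shown first in its weak, unencrypted form, then the same tunnel protected by an IPsec profile, site B VLANs with their own subnets, DHCP relayed to a non-pfSense server at site A, and the static routes that send everything through site A. Assumed values: A.B.C.D is the site A pfSense WAN address, ISP-GATEWAY the site B upstream hop, 192.168.33.2/30 the site B tunnel end, and 192.168.20.10 a DHCP server on the site A server VLAN; interface names, the PSK and the IOS version are placeholders.

```cisco
! Site B ISR, hypothetical config for the thread's test subnets (added example).
!
! --- Weak form: a plain GRE tunnel only encapsulates, it does not encrypt ---
! interface Tunnel1
!  ip address 192.168.33.2 255.255.255.252
!  tunnel source GigabitEthernet0/0
!  tunnel destination A.B.C.D
!
! --- Corrected form: same GRE tunnel, carried inside IPsec ---
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE_WITH_STRONG_PSK address A.B.C.D
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile GRE-PROT
 set transform-set TS-AES256
!
interface Tunnel1
 ip address 192.168.33.2 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination A.B.C.D
 tunnel protection ipsec profile GRE-PROT
 ! "tunnel mode ipsec ipv4" instead would make this a routed IPsec VTI
!
! Site B VLANs keep their own subnets (per the thread); DHCP is relayed to
! site A, where the server cannot be pfSense itself (no interface there).
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip address 192.168.45.1 255.255.255.0
 ip helper-address 192.168.20.10
interface GigabitEthernet0/1.30
 encapsulation dot1Q 30
 ip address 192.168.46.1 255.255.255.0
 ip helper-address 192.168.20.10
!
! Site A subnets and the DHCP server are reached via the tunnel, and the
! default route also goes through it so site A filters/NATs client traffic.
! The /32 keeps the IPsec peer reachable via the ISP, otherwise the default
! route through the tunnel would recurse onto itself and the tunnel drops.
ip route 192.168.55.0 255.255.255.0 Tunnel1
ip route 192.168.56.0 255.255.255.0 Tunnel1
ip route 192.168.20.0 255.255.255.0 Tunnel1
ip route A.B.C.D 255.255.255.255 ISP-GATEWAY
ip route 0.0.0.0 0.0.0.0 Tunnel1
```

The pfSense side needs a matching transport-mode IPsec policy with the same proposal and a GRE interface on 192.168.33.1/30, plus reverse routes for 192.168.45.0/24 and 192.168.46.0/24 via the tunnel and outbound NAT for those subnets on its WAN.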