Layer 2 Tunnel over Layer 3 (IPSec/GRE/GIF)
-
Hi,
as I said, the subnet addresses can be different. All the traffic of all site B Vlans must be pass/fileter through the PfSense of Site A. Another important thing, as I said, PC on Vlan 10 (Site B) must receive via DHCP, the correct ip address (for example 192.168.50.0/24) and the same thing for clients on vlan 30 (for example 192.158.60.0/24).Thank you
-
And to be clear you need to use the Cisco router at site B, you cannot replace it?
Because that would seem to rule out a L2 link anyway.
Can it do DHCP relay?
Steve
-
@stephenw10 said in Layer 2 Tunnel over Layer 3 (IPSec/GRE/GIF):
Can it do DHCP relay?
Cisco IoS , can do local DHCP server , or DHCP relay (ip helper)
-
Since the subnets don't have to be the same at each end, just route from each subnet/VLAN at one end to the corresponding subnet/VLAN at the other. There is no need to try to pass the VLAN tags between the sites. As for DHCP, you can either run DHCP servers at each site or use a relay agent to get DHCP from one site to the other.
-
@stephenw10
Stephen
Just for my info ...Not that i need it ... yet.
Can we create a "Non interface" assigned DHCP scope on a pfSense. Aka get it to serve a scope that has no interface relation ? ... Ie. in relation with a remote site that can "DHCP forward"
/Bingo
-
Wouldn't it be easier to just run a DHCP server at the other end? I could understand the need for relays back in the dark ages, when sites were connected with low bandwidth connections and you wanted to keep management local, but those days are long gone.
PfSense running on Qotom mini PC
i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
UniFi AC-Lite access pointI haven't lost my mind. It's around here...somewhere...
-
-
@derelict said in Layer 2 Tunnel over Layer 3 (IPSec/GRE/GIF):
@jknott @bingo600 Or use a DHCP server other than the one in pfSense if it doesn't meet your needs.
The question was just a "nice to know"
I do not use pfsense dhcp at home.
I use isc-dhcp & bind9 (Debian).Has a few advantages, at the cost of complexity & "vi"
But i love the dynamic registration , and the occational mac matching.I use pfSense dhcp at work, on all the sites.
-
@jknott said in Layer 2 Tunnel over Layer 3 (IPSec/GRE/GIF):
I could understand the need for relays back in the dark ages,
Actually my home pfsense relays requests to my linux dhcp.
But hey are "same site".For doing remote relay, you have to take "line outage" , and thereby - Site outage (no dhcp) into account.
I have had users complaining during a line outage, that they couldn't print their local word doc , to their local printer (dhcp outage) . They kind of accepted that they couldn't "see the server" , now that the line was down. But their PC & printer was in the same room .... That was hard to understand.
All was because the IT Dept was "saving" , and wasn't interested in having a Win BDC at every site anymore.
And no $$ for redundant lines.Well you get what you pay for, but local dhcp & dns can be essential.
That's where pfSense is a super "One box fits it all"
-
Circling back I think the answer here is that if you have to use that Cisco router at site B you will need to just route the traffic and have different subnets at each end.
If you can replace it with pfSense there are more options but we would still recommend routing it with different subnets at each end.
Steve
-
Hi,
at site B I have to use Cisco router, and following you advice, we will try to configure a tunnel GRE or IPSec.
I'll keep you postedThank you very much to all
-
Remember gre alone is unencrypted , it's just tunneling
-
Hi,
I am doing some tests using 2 pfsense (remeber that in production on site B I must use a Cisco Router). I created 2 GRE Tunnels and I can ping GRE Interfaces (from pfsense at site A to pfsense at site B and viceversa).
The GRE interfaces are /30 subnets:
GRE Tunnel 1 (for vlan 10)- 192.168.33.1/30 (Site A)
- 192.168.34.2/30 (Site B)
GRE Tunnel 2 (for vlan 30)
- 192.168.34.1/30 (Site A)
- 192.168.34.2/30 (Site B)
Now the question is: how can I "bind" GRE Tunnel 1 (Site B) to vlan 10 and GRE Tunnel 2 (Site B) to Vlan 30? I ask it because all the traffic on vlan 10 at Site B must be forward at vlan 10 at site A (DHCP and all kind of traffic), and the same thing for vlan 30.
Another question: At Site A, in addition to the GRE interfaces, do I need to create any particular interfaces?Thank you
-
Ok,
in my tests now I have the following interfaces (in addition to the GRE):
Site A:- Test 1 (Vlan 10): 192.168.55.1/24
- Test 2 (Vlan 30): 192.168.56.1/24
Site B:
- Test 1 (Vlan 10): 192.168.45.1/24
- Test 2 (Vlan 30): 192.168.46.1/24
Now the goal is to forward all the traffic of clients in Vlan A at Site B to the interface Test 1 (Vlan 10) at Site A, and, if it is possible, the clients at site B should receive their ip via a dhcp server enabled on the pfsense at site A.
The same thing for vlan 30...
Then for internet navigation of the clients at Site B is it enough to nat the subnets? Do I have to configure static routes?Thank you
-
Ok,
I went ahead with my tests and now i can surf the internet via the GRE Tunnel from the clients on vlan 10 at Site B. The only thing left to do is the implementation of the DHCP Server on PfSense at Site A, so the clients at Site B receive the right IPs:
- Vlan 10: 192.168.45.0/24
- Vlan 30: 192.168.46.0/24
How can I achieve this goal?
-
Are you sure you want to send company traffic over an unencrypted link?
-
Mmm, I always assume GRE over IPSec but....
You will need to setup a dhcp relay at site B pointing to a dhcp server at site A. However that probably can't be pfSense since there is no way to add a dhcp server for a subnet it does not have an interface in.
Steve
-
at this time I am doing only some tests. So, if I understood well, I can't use PfSense as DHCP Server at Site A...and if I will use IPSec VTI instead of GRE Tunnel?
Thank you
-
It wouldn't make any difference in terms of the dhcp server.
I would use routed IPSec there if the other router supports it if only because there are issues with GRE/IPSec in pfSense which it's better to avoid. And you definitely want to use encryption.
Steve
