Netgate Discussion Forum
    Layer 2 Tunnel over Layer 3 (IPSec/GRE/GIF)

General pfSense Questions
31 Posts, 5 Posters, 6.7k Views
prx @JKnott

      @jknott

      Hi,
as I said, the subnet addresses can be different. All the traffic of all site B VLANs must be passed/filtered through the pfSense of Site A. Another important thing, as I said: PCs on VLAN 10 (Site B) must receive via DHCP the correct IP address (for example 192.168.50.0/24), and the same thing for clients on VLAN 30 (for example 192.158.60.0/24).

      Thank you

stephenw10 (Netgate Administrator)

        And to be clear you need to use the Cisco router at site B, you cannot replace it?

        Because that would seem to rule out a L2 link anyway.

        Can it do DHCP relay?

        Steve

bingo600 @stephenw10

          @stephenw10 said in Layer 2 Tunnel over Layer 3 (IPSec/GRE/GIF):

          Can it do DHCP relay?

Cisco IOS can do a local DHCP server, or DHCP relay (ip helper).

If you find my answer useful - Please give the post a 👍 - "thumbs up"

pfSense+ 23.05.1 (ZFS)

QOTOM-Q355G4 Quad Lan.
CPU : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
LAN : 4 x Intel 211, Disk : 240G SAMSUNG MZ7L3240HCHQ SSD

JKnott @prx

            @prx

            Since the subnets don't have to be the same at each end, just route from each subnet/VLAN at one end to the corresponding subnet/VLAN at the other. There is no need to try to pass the VLAN tags between the sites. As for DHCP, you can either run DHCP servers at each site or use a relay agent to get DHCP from one site to the other.

            PfSense running on Qotom mini PC
            i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
            UniFi AC-Lite access point

            I haven't lost my mind. It's around here...somewhere...

bingo600 @stephenw10

              @stephenw10
              Stephen
              Just for my info ...

Not that I need it ... yet.

Can we create a "non-interface" assigned DHCP scope on a pfSense? Aka get it to serve a scope that has no interface relation? ... I.e. in relation with a remote site that can "DHCP forward".

              /Bingo

JKnott @bingo600

                @bingo600

                Wouldn't it be easier to just run a DHCP server at the other end? I could understand the need for relays back in the dark ages, when sites were connected with low bandwidth connections and you wanted to keep management local, but those days are long gone.

Derelict (LAYER 8 Netgate) @JKnott

                  @jknott @bingo600 Or use a DHCP server other than the one in pfSense if it doesn't meet your needs.

                  Chattanooga, Tennessee, USA
                  A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                  DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                  Do Not Chat For Help! NO_WAN_EGRESS(TM)

bingo600 @Derelict

                    @derelict said in Layer 2 Tunnel over Layer 3 (IPSec/GRE/GIF):

                    @jknott @bingo600 Or use a DHCP server other than the one in pfSense if it doesn't meet your needs.

The question was just a "nice to know".

I do not use pfSense DHCP at home.
I use isc-dhcp & bind9 (Debian).

It has a few advantages, at the cost of complexity & "vi" 😊
But I love the dynamic registration, and the occasional MAC matching.

I use pfSense DHCP at work, on all the sites.

bingo600 @JKnott

                      @jknott said in Layer 2 Tunnel over Layer 3 (IPSec/GRE/GIF):

                      @bingo600

                      I could understand the need for relays back in the dark ages,

Actually my home pfSense relays requests to my Linux DHCP.
But they are "same site".

For doing remote relay, you have to take "line outage", and thereby site outage (no DHCP), into account.

I have had users complaining during a line outage that they couldn't print their local Word doc to their local printer (DHCP outage). They kind of accepted that they couldn't "see the server" now that the line was down. But their PC & printer were in the same room .... That was hard to understand.

                      All was because the IT Dept was "saving" , and wasn't interested in having a Win BDC at every site anymore.
                      And no $$ for redundant lines.

Well, you get what you pay for, but local DHCP & DNS can be essential.

                      That's where pfSense is a super "One box fits it all"

stephenw10 (Netgate Administrator)

                        Circling back I think the answer here is that if you have to use that Cisco router at site B you will need to just route the traffic and have different subnets at each end.

                        If you can replace it with pfSense there are more options but we would still recommend routing it with different subnets at each end.

                        Steve

prx

                          Hi,

at site B I have to use the Cisco router, and following your advice, we will try to configure a GRE or IPSec tunnel.
I'll keep you posted.

                          Thank you very much to all

bingo600 @prx

                            @prx

Remember GRE alone is unencrypted, it's just tunneling.

prx

                              Hi,

I am doing some tests using 2 pfSense (remember that in production at site B I must use a Cisco router). I created 2 GRE tunnels and I can ping the GRE interfaces (from pfSense at site A to pfSense at site B and vice versa).
                              The GRE interfaces are /30 subnets:
                              GRE Tunnel 1 (for vlan 10)

                              • 192.168.33.1/30 (Site A)
                              • 192.168.34.2/30 (Site B)

                              GRE Tunnel 2 (for vlan 30)

                              • 192.168.34.1/30 (Site A)
                              • 192.168.34.2/30 (Site B)

Now the question is: how can I "bind" GRE Tunnel 1 (Site B) to VLAN 10 and GRE Tunnel 2 (Site B) to VLAN 30? I ask because all the traffic on VLAN 10 at Site B must be forwarded to VLAN 10 at Site A (DHCP and all kinds of traffic), and the same thing for VLAN 30.
                              Another question: At Site A, in addition to the GRE interfaces, do I need to create any particular interfaces?

                              Thank you

prx
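As an added example (not code from the thread or from pfSense), here is a check one can run over an addressing plan like the one in the post above before typing it into the routers. It verifies that both ends of each GRE /30 fall in the same subnet, that neither end is the network or broadcast address, that no tunnel endpoint address is reused, and that every routed site B subnet points at a tunnel that exists and does not overlap another routed subnet. The tunnel names, the route table and the use of Python's ipaddress module are my assumptions; the tunnel addresses are the ones listed in the post. Run as written it flags tunnel 1, whose two endpoints as listed are in different /30s, and tunnel 2, whose site B address is the same as tunnel 1's.

```python
import ipaddress
from itertools import combinations

# Tunnel endpoints as listed in the post above; each GRE link is meant to be a
# /30 point-to-point subnet. The tunnel names are constructed for this example.
GRE_TUNNELS = {
    "gre1 (vlan 10)": {"site_a": "192.168.33.1/30", "site_b": "192.168.34.2/30"},
    "gre2 (vlan 30)": {"site_a": "192.168.34.1/30", "site_b": "192.168.34.2/30"},
}

# Constructed route table: which site B subnet site A reaches through which tunnel.
STATIC_ROUTES = {
    "192.168.45.0/24": "gre1 (vlan 10)",
    "192.168.46.0/24": "gre2 (vlan 30)",
}


def check_tunnel(site_a, site_b):
    """Return a list of problems with one /30 point-to-point GRE link (empty = OK)."""
    problems = []
    a = ipaddress.ip_interface(site_a)
    b = ipaddress.ip_interface(site_b)
    if a.network.prefixlen != 30 or b.network.prefixlen != 30:
        problems.append("prefix length is not /30")
    if a.network != b.network:
        problems.append(f"endpoints in different subnets: {a.network} vs {b.network}")
    if a.ip == b.ip:
        problems.append("both ends use the same address")
    for iface in (a, b):
        if iface.ip in (iface.network.network_address, iface.network.broadcast_address):
            problems.append(f"{iface.ip} is the network or broadcast address of {iface.network}")
    return problems


def check_plan(tunnels, routes):
    """Validate every tunnel plus the route table; returns {name: [problems]}."""
    report = {name: check_tunnel(t["site_a"], t["site_b"]) for name, t in tunnels.items()}

    # Every tunnel endpoint address must be unique across the whole plan.
    seen = {}
    for name, t in tunnels.items():
        for end in ("site_a", "site_b"):
            ip = ipaddress.ip_interface(t[end]).ip
            if ip in seen:
                report[name].append(f"{end} address {ip} already used by {seen[ip]}")
            else:
                seen[ip] = f"{name} {end}"

    # Every routed subnet must point at an existing tunnel, and routed subnets
    # must not overlap each other (overlaps make the next hop ambiguous).
    report["routes"] = []
    nets = {ipaddress.ip_network(n): via for n, via in routes.items()}
    for net, via in nets.items():
        if via not in tunnels:
            report["routes"].append(f"{net} routed via unknown tunnel {via}")
    for n1, n2 in combinations(nets, 2):
        if n1.overlaps(n2):
            report["routes"].append(f"{n1} overlaps {n2}")
    return report


def plan_is_consistent(tunnels, routes):
    """True only when no tunnel and no route produced a problem."""
    return all(not problems for problems in check_plan(tunnels, routes).values())


if __name__ == "__main__":
    for name, problems in check_plan(GRE_TUNNELS, STATIC_ROUTES).items():
        print(name, "OK" if not problems else problems)
```

The same check applies to a routed IPsec (VTI) design: the VTI /30 pairs go in place of the GRE ones and the route table is unchanged.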

                                Ok,

in my tests I now have the following interfaces (in addition to the GRE):
                                Site A:

                                • Test 1 (Vlan 10): 192.168.55.1/24
                                • Test 2 (Vlan 30): 192.168.56.1/24

                                Site B:

                                • Test 1 (Vlan 10): 192.168.45.1/24
                                • Test 2 (Vlan 30): 192.168.46.1/24

Now the goal is to forward all the traffic of clients in VLAN A at Site B to the interface Test 1 (VLAN 10) at Site A, and, if possible, the clients at site B should receive their IP via a DHCP server enabled on the pfSense at site A.
The same thing for VLAN 30...
Then, for internet navigation of the clients at Site B, is it enough to NAT the subnets? Do I have to configure static routes?

                                Thank you

prx

                                  Ok,

I went ahead with my tests and now I can surf the internet via the GRE tunnel from the clients on VLAN 10 at Site B. The only thing left to do is the implementation of the DHCP server on pfSense at Site A, so the clients at Site B receive the right IPs:

                                  • Vlan 10: 192.168.45.0/24
                                  • Vlan 30: 192.168.46.0/24

                                  How can I achieve this goal?

JKnott @prx

                                    @prx

                                    Are you sure you want to send company traffic over an unencrypted link?

stephenw10 (Netgate Administrator)

                                      Mmm, I always assume GRE over IPSec but....

You will need to set up a DHCP relay at site B pointing to a DHCP server at site A. However, that probably can't be pfSense, since there is no way to add a DHCP server for a subnet it does not have an interface in.

                                      Steve

prx @stephenw10
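Added example, not code from the thread, from pfSense or from any DHCP server: a small model of what the relay at site B does and why a server at site A can only answer if it selects scopes by subnet rather than by the interface the request arrived on. The relay increments the hops field and stamps its own VLAN interface address into giaddr (the behaviour behind Cisco's ip helper-address); a server that, as RFC 2131 describes, picks the scope containing giaddr can then offer a 192.168.45.0/24 address even though the request reached it over the GRE /30. The DhcpServer class, the pool ranges and the relay/server addresses are constructed for the example.

```python
import ipaddress
import struct

# Fixed-size BOOTP/DHCP header (RFC 2131 section 2): op, htype, hlen, hops,
# xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file.
# Options follow the 4-byte magic cookie.
HEADER = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
MAGIC = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
OPT_MSG_TYPE, OPT_END = 53, 255
DISCOVER, OFFER = 1, 2
ZERO4 = b"\0" * 4


def build_discover(xid, mac):
    """DHCPDISCOVER as a client broadcasts it: no addresses set, giaddr 0.0.0.0."""
    fixed = HEADER.pack(BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000,  # broadcast flag
                        ZERO4, ZERO4, ZERO4, ZERO4,
                        mac + b"\0" * 10, b"\0" * 64, b"\0" * 128)
    return fixed + MAGIC + bytes([OPT_MSG_TYPE, 1, DISCOVER, OPT_END])


def relay(packet, relay_iface_ip):
    """What a relay agent does before unicasting the request to the server:
    bump hops and, if giaddr is still zero, record the address of the interface
    the broadcast arrived on so the server knows which subnet to allocate from.
    A second relay on the path leaves an already-set giaddr alone."""
    f = list(HEADER.unpack_from(packet))
    f[3] += 1
    if f[10] == ZERO4:
        f[10] = ipaddress.IPv4Address(relay_iface_ip).packed
    return HEADER.pack(*f) + packet[HEADER.size:]


class DhcpServer:
    """Scopes keyed by subnet, not by local interface, so a relayed request for a
    subnet this host has no interface in can still be served."""

    def __init__(self, scopes):
        self.pools = {}
        for cidr, (first, last) in scopes.items():  # constructed pool ranges
            lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
            self.pools[ipaddress.ip_network(cidr)] = [lo + i for i in range(int(hi) - int(lo) + 1)]

    def select_scope(self, giaddr, receiving_iface_ip):
        """RFC 2131: non-zero giaddr selects the scope containing the relay's
        address; otherwise the scope of the interface the request arrived on."""
        key = giaddr if int(giaddr) != 0 else ipaddress.IPv4Address(receiving_iface_ip)
        return next((net for net in self.pools if key in net), None)

    def handle(self, packet, receiving_iface_ip):
        """Return a DHCPOFFER, or None when no scope matches (request ignored)."""
        f = HEADER.unpack_from(packet)
        if f[0] != BOOTREQUEST:
            return None
        net = self.select_scope(ipaddress.IPv4Address(f[10]), receiving_iface_ip)
        if net is None or not self.pools[net]:
            return None
        yiaddr = self.pools[net].pop(0)
        # giaddr is copied back so the reply goes to the relay, which forwards it.
        fixed = HEADER.pack(BOOTREPLY, f[1], f[2], f[3], f[4], 0, f[6], f[7],
                            yiaddr.packed, ipaddress.IPv4Address(receiving_iface_ip).packed,
                            f[10], f[11], f[12], f[13])
        return fixed + MAGIC + bytes([OPT_MSG_TYPE, 1, OFFER, OPT_END])


def field(packet, index):
    """Read one header field back out of a packet (None if there is no packet)."""
    return None if packet is None else HEADER.unpack_from(packet)[index]


def demo():
    """Site B relay on VLAN 10 (192.168.45.1) forwards a DISCOVER over the GRE
    link to the site A server, which answers on its tunnel address 192.168.33.1."""
    server = DhcpServer({"192.168.45.0/24": ("192.168.45.100", "192.168.45.199"),
                         "192.168.46.0/24": ("192.168.46.100", "192.168.46.199")})
    discover = build_discover(0x1234, bytes.fromhex("001122334455"))  # constructed client
    relayed = relay(discover, "192.168.45.1")
    offer = server.handle(relayed, "192.168.33.1")
    return None if offer is None else ipaddress.IPv4Address(field(offer, 8))


if __name__ == "__main__":
    print("offered:", demo())
```

The same DISCOVER sent to that server without a relay (giaddr zero, arriving on the tunnel interface) gets no answer, because no scope contains 192.168.33.1; that is the situation Steve describes, seen from the server's side.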

                                        @stephenw10

at this time I am only doing some tests. So, if I understood well, I can't use pfSense as the DHCP server at Site A... and what if I use IPSec VTI instead of a GRE tunnel?

                                        Thank you

stephenw10 (Netgate Administrator)

It wouldn't make any difference in terms of the DHCP server.

I would use routed IPSec there if the other router supports it, if only because there are issues with GRE/IPSec in pfSense which it's better to avoid. And you definitely want to use encryption.

                                          Steve

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.