Site to site



  • Dear All,
    We have pfSense hardware installed with two ESXi servers.
    The ISP provides an 802.1Q VLAN tag on the WAN side,
    meaning the WAN would have a Class C network 192.168.0.0/24.
    Before we agree with the ISP on the 1 Gb network, I need to ask you guys:
    if our WAN is an 802.1Q VLAN tag with a Class C, can we still configure a site-to-site VPN between two locations over the internet?

    Thank you


  • LAYER 8 Netgate

    What kind of VPN? Are both sides behind NAT like that?



  • @Derelict:

    What kind of VPN? Are both sides behind NAT like that?

    Thank you for your answer.
    On the other side there is a WAN IP 74.98…..., and on the data center side we will have the 802.1Q VLAN tag on the WAN side with the next IP 192.168.80.0/30.
    We are trying to configure IPsec on both sides.

    Thank you


  • LAYER 8 Netgate

    I would get another data center. One that can spare (at least) a public /30.

    They will need to forward UDP/500 and UDP/4500 to you and, if possible, ESP.

    The other end will need to be configured to connect to whatever the actual public IP address that gets forwarded to you is but to use something else for the identifier.

    The data center end will need to use the same identifier to identify itself.
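    The identifier arrangement described in this reply, written out as an added illustration (not from the thread and not pfSense's own generated configuration): pfSense runs strongSwan underneath, and this is the equivalent swanctl.conf for both ends, using constructed addresses (192.168.80.2 for the NATted data center WAN, 203.0.113.10 for the public address the provider forwards, 198.51.100.20 for the branch) and assumed FQDN identifiers that match what the pfSense Phase 1 "My identifier" / "Peer identifier" fields would carry.

    ```conf
    # Data center pfSense: WAN is 192.168.80.2, private, behind the provider's NAT
    connections {
        dc-to-branch {
            version      = 2
            local_addrs  = 192.168.80.2      # the only address this box really has
            remote_addrs = 198.51.100.20     # branch public IP (constructed)
            local {
                auth = psk                   # PSK itself lives in the secrets { } section (omitted)
                id   = dc.example.invalid    # FQDN id, NOT the private address
            }
            remote {
                auth = psk
                id   = branch.example.invalid
            }
            encap = yes   # force UDP/4500 encapsulation in case raw ESP is not forwarded
            children {
                lan {
                    local_ts     = 10.10.0.0/24   # data center LAN (constructed)
                    remote_ts    = 10.20.0.0/24   # branch LAN (constructed)
                    start_action = trap           # bring the tunnel up on first matching packet
                }
            }
        }
    }
    # Branch pfSense: public WAN 198.51.100.20
    connections {
        branch-to-dc {
            version      = 2
            local_addrs  = 198.51.100.20
            remote_addrs = 203.0.113.10      # the forwarded public IP, never 192.168.80.2
            local {
                auth = psk
                id   = branch.example.invalid
            }
            remote {
                auth = psk
                id   = dc.example.invalid    # must equal the data center's local id
            }
            encap = yes
            children {
                lan {
                    local_ts     = 10.20.0.0/24
                    remote_ts    = 10.10.0.0/24
                    start_action = trap
                }
            }
        }
    }
    ```

    Because the data center box never sees 203.0.113.10 on its own interface, the peer check on the branch side succeeds only through the explicit identifier, which is why both ends must agree on it rather than on an address.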



  • @Derelict:

    I would get another data center. One that can spare (at least) a public /30.

    They will need to forward UDP/500 and UDP/4500 to you and, if possible, ESP.

    The other end will need to be configured to connect to whatever the actual public IP address that gets forwarded to you is but to use something else for the identifier.

    The data center end will need to use the same identifier to identify itself.

    Thank you for your answer.
    After some discussion with the ISP, we need a Layer 3 switch in order to get this up and running.
    The switch will be between the ISP switch and the pfSense firewall so we could use the public IP.


  • LAYER 8 Netgate

    A layer 3 switch is just a router.

    pfSense is a router with a firewall.

    Not sure why the layer 3 switch is necessary unless they are saying they need a router/L3switch on their side to give you a proper subnet, which I could understand.

    Doesn't sound like anything you should be responsible for obtaining.



  • @Derelict:

    A layer 3 switch is just a router.

    pfSense is a router with a firewall.

    Not sure why the layer 3 switch is necessary unless they are saying they need a router/L3switch on their side to give you a proper subnet, which I could understand.

    Doesn't sound like anything you should be responsible for obtaining.

    Thank you for your answer.
    I was surprised too when I had to take care of the switch, as the datacenter needs to take care of that part.
    So the switch is going to provide me the proper subnet in order to let pfSense communicate with the internet.
    pfSense will be using the internet IP 98.66.5….. on the WAN.

    Thank you guys for your support.


  • LAYER 8 Netgate

    There is nothing a layer 3 switch can do that pfSense can't do by itself. Sounds like you are getting a bit of an ISP run around.

    Is there another data center in town or another provider in that data center you can use? Vote with your checkbook.



  • @Derelict:

    There is nothing a layer 3 switch can do that pfSense can't do by itself. Sounds like you are getting a bit of an ISP run around.

    Is there another data center in town or another provider in that data center you can use. Vote with your checkbook.

    Thank you for your answer.
    Yes, this is the feeling we are getting; however, there are other datacenters, but they ask twice as much monthly as the current one.
    We agree to pay the switch price; otherwise we will go to a different datacenter and pay like $350 more a month.

    Also, we managed to get the site-to-site OpenVPN up and running; I've read in the forum that it's faster than IPsec.
    Do you suggest keeping OpenVPN with a shared key for site-to-site VPN between multiple offices?


  • LAYER 8 Netgate

    OpenVPN is pretty much never faster than IPsec. Not sure where you would have read otherwise.

    It can, however, be more flexible.

    If raw performance was not the #1 requirement, I would lean toward OpenVPN SSL/TLS so I could centrally manage things.

