Span Layer 2 between Data Centers



  • Does pfSense have any built-in way to span or extend an L2 segment, over an IPsec tunnel, between two different pfSense firewalls (in separate data centers)?  AKA Software Defined Data Center Interconnect for Layer 2. AKA VXLAN.

    The use case would be automating failover or expanding compute capacity: the same network can exist in both locations, avoiding a change of IP address or the involvement of layer 3 devices.

    If not with pfSense, can anyone recommend an open source (or fairly inexpensive) solution that runs in software (such as a virtual machine) and accomplishes this goal?  I know Cisco has solutions in the Nexus product line, but I am trying to avoid dedicated hardware solutions.

    TIA!
    -Josh


  • LAYER 8 Global Moderator

    I see this request for a vxlan driver:
    https://redmine.pfsense.org/issues/6240

    But there's been no update on it, even though FreeBSD seems to have supported it since https://svnweb.freebsd.org/base?view=revision&revision=273331

    I would think it could be added to pfSense.  Until such time as it is, you should be able to do it with any OS that can route and do IPsec and vxlan, I would think: Linux, FreeBSD... shoot, it seems even Windows supports it.

    https://blogs.technet.microsoft.com/networking/2016/10/26/network-virtualization-with-ws2016-sdn/
    "Consequently, in Windows Server 2016 (WS2016), we support both NVGRE and VXLAN encapsulation protocols, with the default being VXLAN"

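An added illustration, not code from this thread, from pfSense or from FreeBSD: what the VXLAN datagram (RFC 7348) that such a setup would push through the IPsec tunnel actually contains, and the per-packet overhead it costs. The VNI, MAC addresses and ARP payload below are constructed sample values; the IPsec overhead argument is an assumption the caller supplies, because it depends on the ESP cipher chosen.

```python
"""
VXLAN (RFC 7348) encapsulation on the wire, plus the MTU budget a
VXLAN-over-IPsec data-center interconnect has to plan for.
Constructed sample data only; nothing here touches a real interface.
"""
import struct

VXLAN_UDP_PORT = 4789      # IANA-assigned UDP destination port for VXLAN
VXLAN_HDR_LEN = 8
FLAG_VNI_VALID = 0x08      # the "I" flag: the 24-bit VNI field is valid

INNER_ETH_HDR = 14         # inner dst MAC + src MAC + EtherType (no FCS)
IPV4_HDR, IPV6_HDR, UDP_HDR = 20, 40, 8


def vxlan_encap(inner_frame: bytes, vni: int) -> bytes:
    """Prefix an Ethernet frame with a VXLAN header (this is the UDP payload)."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    if len(inner_frame) < INNER_ETH_HDR:
        raise ValueError("inner frame too short to be Ethernet")
    # Header layout: flags(1) reserved(3) | VNI(3) reserved(1).
    # The VNI sits in the upper 24 bits of the second word, hence << 8.
    header = struct.pack("!B3xI", FLAG_VNI_VALID, vni << 8)
    return header + inner_frame


def vxlan_decap(udp_payload: bytes) -> tuple[int, bytes]:
    """Strip the VXLAN header and return (vni, inner_frame).

    Note what is NOT checked here: VXLAN itself carries no authentication.
    Any host that can reach UDP/4789 on a VTEP can hand it a frame for any
    VNI, and anyone on the path can read the VNI and the inner frame.  That
    is why the thread pairs VXLAN with IPsec rather than running it bare.
    """
    if len(udp_payload) < VXLAN_HDR_LEN + INNER_ETH_HDR:
        raise ValueError("datagram too short for VXLAN header + Ethernet frame")
    flags, vni_field = struct.unpack("!B3xI", udp_payload[:VXLAN_HDR_LEN])
    if not flags & FLAG_VNI_VALID:
        raise ValueError("I flag not set: no valid VNI")
    # RFC 7348: reserved bits are zero on transmit and ignored on receive.
    return vni_field >> 8, udp_payload[VXLAN_HDR_LEN:]


def ethernet_frame(dst_mac: str, src_mac: str, ethertype: int, payload: bytes) -> bytes:
    """Build a minimal Ethernet II frame (no FCS) from colon-separated MACs."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", ethertype) + payload


def parse_ethernet(frame: bytes) -> dict:
    """Return the fields an attacker sniffing the underlay could read in clear."""
    fmt = lambda b: ":".join(f"{x:02x}" for x in b)
    return {
        "dst": fmt(frame[0:6]),
        "src": fmt(frame[6:12]),
        "ethertype": struct.unpack("!H", frame[12:14])[0],
        "payload": frame[14:],
    }


def underlay_mtu_needed(inner_mtu: int, ipv6_underlay: bool = False,
                        ipsec_overhead: int = 0) -> int:
    """Path MTU the transport must carry so hosts keep inner_mtu end to end.

    Without IPsec this is the familiar "+50 bytes" for an IPv4 underlay
    (14 inner Ethernet + 20 IPv4 + 8 UDP + 8 VXLAN).  ipsec_overhead is an
    assumed per-packet ESP cost (outer IP, ESP header/IV, padding, ICV); it
    varies with the cipher, so measure it on the real tunnel.
    """
    outer_ip = IPV6_HDR if ipv6_underlay else IPV4_HDR
    return inner_mtu + INNER_ETH_HDR + outer_ip + UDP_HDR + VXLAN_HDR_LEN + ipsec_overhead


def demo() -> dict:
    """Round-trip a constructed ARP request over VNI 10 and report what is visible."""
    # Constructed: who-has 10.0.0.2 tell 10.0.0.1, hypothetical MACs.
    arp = (b"\x00\x01\x08\x00\x06\x04\x00\x01"
           b"\x02\x00\x00\x00\x00\x01" + bytes([10, 0, 0, 1])
           + b"\x00\x00\x00\x00\x00\x00" + bytes([10, 0, 0, 2]))
    frame = ethernet_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01", 0x0806, arp)
    datagram = vxlan_encap(frame, vni=10)
    vni, inner = vxlan_decap(datagram)
    visible = parse_ethernet(inner)
    return {
        "vni": vni,
        "roundtrip_ok": inner == frame,
        "cleartext_src_mac": visible["src"],
        "ethertype": visible["ethertype"],
        "underlay_mtu_ipv4": underlay_mtu_needed(1500),
        "underlay_mtu_ipv6": underlay_mtu_needed(1500, ipv6_underlay=True),
    }


if __name__ == "__main__":
    print(demo())
```

The practical takeaways for the setup discussed above: either raise the MTU on the underlay/IPsec path by at least the computed overhead or lower the MTU inside the stretched segment, and make sure the VTEP only accepts UDP/4789 from inside the tunnel, since VXLAN trusts whatever the underlay delivers.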


  • Thank you johnpoz.

    I found that VyOS router supports VXLAN; I have implemented it as a VM before.  I was planning on doing some testing using VyOS as the VXLAN provider and pfSense doing IPsec, etc.  I'll post my results when I can.

    A tightly integrated solution with pfSense would be really cool and, I think, fairly feasible technically.


  • LAYER 8 Global Moderator

    I would for sure add your +1 to that feature request.



  • +1 added...  All 3 of us REALLY want this :)



  • Yes, this would be nice... one step forward from SOHO to an Enterprise solution.



  • OpenVPN TAP combined with bridging?



  • I don't think that is the same.
    I have opened a project to migrate the Backup DC to the same IP range as the productive DC with VXLAN. I think it's easier to bring the backup data center online (fewer steps in the emergency plan)...
    But I fear the developers here do not see the need to integrate that. And 4x +1 on 6240 doesn't seem like mega demand.
    What a pity.


  • LAYER 8 Global Moderator

    OpenVPN tap would not be the same, no.. I personally have never had to deal with vxlan drivers on a device, since the DCs that we need to extend vlans across are all connected via dark fiber ;)

    Clearly some advantages to working with enterprise networks and real budgets - hehehe