Span Layer 2 between Data Centers

joshv · Oct 26, 2017, 6:01 PM

Does pfsense have any built-in way to span or extend a L2 segment, over an IPSEC tunnel, between two different pfsense firewalls (in separate data centers)? AKA, Software Defined Data Center Interconnect for Layer 2. AKA, VXLAN.

The use case would be for automating failover or for expanding compute capacity - the same network can exist in both locations avoiding a change of IP address or involving layer 3 devices.

If not with pfsense, can anyone recommend an open source (or fairly inexpensive) solution that runs in software (such as a virtual machine) that accomplishes this goal? I know Cisco has solutions in the Nexus product line - but I am trying to avoid dedicated hardware solutions.

TIA!
-Josh

johnpoz · Oct 27, 2017, 9:32 AM

I see this request for vxlan driver
https://redmine.pfsense.org/issues/6240

But no update on it.. Since freebsd seems to have supported since https://svnweb.freebsd.org/base?view=revision&revision=273331

I would think it could be added to pfsense. Until such time that it is, you should be able to do it with any OS that can route and do ipsec and vxlan I would think.. Linux, Freebsd, shoot seems even windows supports it

https://blogs.technet.microsoft.com/networking/2016/10/26/network-virtualization-with-ws2016-sdn/
Consequently, in Windows Server 2016 (WS2016), we support both NVGRE and VXLAN encapsulation protocols, with the default being VXLAN

joshv · Oct 27, 2017, 1:52 PM

Thank you johnpoz.

I found that VyOS router supports VXLAN - I have implemented it as a VM before. I was planning on doing some testing using VyOS as the VXLAN provider and pfsense doing IPSEC, etc. I'll post my results when I can.

A tightly integrated solution with pfsense would be really cool and, I think, fairly feasible technically.

johnpoz · Oct 27, 2017, 3:08 PM

I would for sure add your +1 to that feature request.

joshv · Oct 29, 2017, 9:54 PM

+1 added….. All 3 of us REALLY want this :)

Ruddimaster · Sep 19, 2018, 5:34 PM

Yes, this would be nice.... one step forward from SOHO to Enterise solution.

coreybrett · Sep 27, 2018, 12:35 PM

OpenVPN TAP combined with bridging?

Ruddimaster · Nov 17, 2018, 1:50 PM

I don't think that is the same.
I have opened a project to migrate the Backup DC to the same IP-Range as the productive DC with VXLAN. I think its easier to bring the backup data center online (less steps in the emergency plan)...
But I'm fearing the developers here do not see the need to integrate that. But 4x +1 on 6240 seems not the mega demand.
What a pity

johnpoz · Nov 17, 2018, 2:01 PM

openvpn tap would not be the same no.. I personally have never had to deal vxlan drivers on a device since our DCs that we need to do extended vlans across are all connected via dark fiber ;)

Clearly some advantages of working with enterprise networks and real budgets - hehehe