Vlan interface on WAN for IP VPN



  • I am in the midst of planning my configuration of pfSense to work with our soon to be installed Integrated LAN service from TW Telecom. The service will route inter-office data between our two offices based on vlan tags (some call it an IP VPN). So data on the WAN port that is not vlan tagged gets routed as Internet traffic, but data on the WAN port that is vlan tagged is routed to the remote office. I picture a pfSense setup that includes a LAN interface, a WAN interface, and a vlan interface on the WAN physical interface (let's call it 'ILAN'). I can set all three of those up and have them show up under Interfaces, but I am unsure how to set up the ILAN (vlan) interface from there. Do I bridge it to the LAN or route it? Remember, I need to filter for traffic that is destined for the remote office LAN and pass it to this interface.

    I have scoured the forums to come up with a similar setup but found nothing. Has anyone set up anything similar? Maybe an MPLS connection between offices? I am 3 weeks from actually turning up this service, but want to be prepared beforehand and not posting to the forum at the last minute.

    On a side note, I have been using IPSec tunnels for the past couple of years to do this same interconnection, but I am switching to this hosted VPN service so that I (and the provider) can prioritize VoIP between our two locations. With the IPSec, we often get bad call audio during high bandwidth usage.



  • Once you have your interfaces all set up with the one tagged VLAN interface, just leave it as an independent interface and set its default gateway to the pfSense on the other side. Then go into NAT and disable the outbound NAT for that interface because it won't be necessary if the routing on the other end is set up the same way. Then go into the firewall rules for your LAN interface and create a rule above the default rule that says traffic from your LAN destined to the remote site uses the gateway on the ILAN interface. To finish it off, create an allow rule on the ILAN interface to allow traffic originating from the remote network. Do the exact same thing on the other side.
    Bridging is a possible method too, but you probably don't want to waste your bandwidth with the unnecessary broadcast traffic that would flow between the sites.



  • Thanks for the reply. My test setup was pretty much what you have detailed here, although you made a great call on disabling Outbound NAT for that interface. My biggest sticking point so far is what IP address and default gateway I assign to the ILAN (vlan) interface. I didn't quite understand what you meant by "set its default gateway to the pfSense on the other side". Would you elaborate more on that point to make sure that I am not misinterpreting? Do you mean the same gateway as the WAN interface that is dished out by my service provider? If that is the case, would I need to assign an IP address to the ILAN interface that is different than the WAN IP address? This is where it gets a bit confusing for me.

    As a point of interest, the CPE that will plug into the WAN side of pfSense will be an Outburst SB IAD that will also handle my phone service (Dynamic PRI). If anyone has had any experience connecting this hardware, please chime in.



  • I meant to set the gateway IP address of the ILAN interface to whatever device you have on the other side of the vlan tagged network so pfSense knows where to send data directed to that interface by the firewall rule.



  • Well I finally got my routing configuration information for this service. I tried setting up the interfaces and realized, much to my chagrin, that I would have two WAN interfaces (WAN (physical) and ILAN (vlan)) that would point to the same gateway IP. I need to route particular LAN traffic to these interfaces, but I notice that when setting the rules, the gateway IP is what is used to differentiate what interface the traffic is routed to. I also read this forum thread which doesn't seem to bode well for my situation:

    http://forum.pfsense.org/index.php?topic=12739.0;prev_next=next

    Does anyone have any suggestions on how to point specific outgoing LAN traffic (from network X.X.X.X/24 to network Y.Y.Y.Y/24) to the vlan interface if it doesn't have a gateway assigned, or if it has the same gateway as its parent interface?
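The procedure from the earlier reply (independent VLAN interface, outbound NAT disabled on it, a LAN policy-routing rule, an allow rule on the VLAN side), written out as the underlying pf ruleset that a setup like this boils down to. This is an added illustration, not a configuration from the thread or from pfSense itself; the interface names, addresses and gateway are placeholders. At the pf level a policy route is an (interface, gateway) pair, so the interface is part of what distinguishes the tagged path from the untagged one.

```pf
# Placeholder interface names (assumed, not from the thread)
wan_if  = "em0"           # untagged WAN on the provider CPE
ilan_if = "em0_vlan100"   # VLAN 100 tagged on the same physical WAN port
lan_if  = "em1"

# Constructed sample addressing (documentation prefixes)
lan_net    = "192.0.2.0/24"      # this office
remote_net = "198.51.100.0/24"   # remote office behind the tagged VLAN
ilan_gw    = "203.0.113.1"       # far-side router reached through the VLAN

# Outbound NAT only for Internet traffic leaving the untagged WAN.
nat on $wan_if inet from $lan_net to any -> ($wan_if)
# Outbound NAT disabled on the VLAN interface: the remote office sees
# real LAN source addresses, and routes back to $lan_net itself.
no nat on $ilan_if inet from $lan_net to $remote_net

# LAN rule above the default: traffic to the remote site is policy
# routed out the VLAN interface toward the far-side gateway, regardless
# of the default route.
pass in quick on $lan_if route-to ($ilan_if $ilan_gw) inet \
    from $lan_net to $remote_net keep state
# Default LAN rule: everything else follows the normal routing table.
pass in quick on $lan_if inet from $lan_net to any keep state

# Allow rule on the VLAN interface for traffic originating at the remote
# office; reply-to sends the replies back out the VLAN, not the default route.
pass in quick on $ilan_if reply-to ($ilan_if $ilan_gw) inet \
    from $remote_net to $lan_net keep state

# Anything else arriving on the VLAN interface is dropped.
block in on $ilan_if
```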



  • Doesn't the VLAN WAN use a different gateway? If they are the same, what's the difference between the traffic on the VLAN and the untagged traffic?

