Site-to-Site VPN with VLANs
-
Hey everyone, been playing around with pfSense at 2 locations. Currently at both locations, the network routing setup is mirrored. And within each location, it has been set up so that devices on each VLAN can access resources on another VLAN (i.e. Device 1 on VLAN 1 can talk to other devices on VLAN 1 as well as access other resources like printers and file servers on VLAN 2) as well as the internet on the WAN.
Is it possible to use VPN or IPsec to bridge the 2 locations so that VLANs can talk to each other as well as access resources on other VLANs at the other location? For example, is it possible for Device 1 on VLAN 1 at location 1 to talk to other devices on VLAN 1 at both locations as well as access printers and file servers on VLAN 2 at both locations?
Just wanted to know if this is currently possible before I start going down the rabbit hole of researching how to actually set this up.
Thanks
-
If the pfSense boxes are the default gateways at both locations and the subnets are not overlapping, it's possible with both, OpenVPN or IPSec. Connecting multiple networks with IPSec will be more involved.
-
If the pfSense boxes are the default gateways at both locations and the subnets are not overlapping, it's possible with both, OpenVPN or IPSec.
Thanks for the reply. I currently run a 10.0.X.X topology on both networks, so if I change 1 of the networks to say, 11.0.X.X, then it becomes possible? Or can I keep 10.0.X.X on both networks and just have all the VLANs on both networks not have the same subnet? This is what I'm interpreting:
VLAN setup on both networks (VLAN1 and VLAN2 can access resources on each other):
VLAN1 - Servers/printers/resources
VLAN2 - Clients
VLAN3 - Guests
Current setup:
Switch1 -----trunk----- pfSense1    pfSense2 -----trunk----- Switch2
pfSense1 side: VLAN1 10.0.1.0/24, VLAN2 10.0.2.0/24, VLAN3 10.0.3.0/24
pfSense2 side: VLAN1 10.0.1.0/24, VLAN2 10.0.2.0/24, VLAN3 10.0.3.0/24
Option 1:
Switch1 -----trunk----- pfSense1 -----OpenVPN----- pfSense2 -----trunk----- Switch2
pfSense1 side: VLAN1 10.0.1.0/24, VLAN2 10.0.2.0/24, VLAN3 10.0.3.0/24
pfSense2 side: VLAN1 11.0.1.0/24, VLAN2 11.0.2.0/24, VLAN3 11.0.3.0/24
Option 2:
Switch1 -----trunk----- pfSense1 -----OpenVPN----- pfSense2 -----trunk----- Switch2
pfSense1 side: VLAN1 10.0.1.0/24, VLAN2 10.0.2.0/24, VLAN3 10.0.3.0/24
pfSense2 side: VLAN1 10.0.4.0/24, VLAN2 10.0.5.0/24, VLAN3 10.0.6.0/24
Connecting multiple networks with IPSec will be more involved.
So it seems like from your response and some reading I did that OpenVPN seems to be the go to.
-
You just have to care that you have different subnets on both sites, otherwise the routes won't work.
So I'd prefer option 2, since 11.0.X.X are public addresses.
Using OpenVPN, set up a peer-to-peer with a /30 VPN tunnel network, one pfSense as server, the other as client.
In the "IPv4 Remote networks" field enter the remote networks you want to reach. E.g. relating to option 2 on pfSense 1 enter "10.0.4.0/24,10.0.5.0/24,10.0.6.0/24", on pfSense 2 enter "10.0.1.0/24,10.0.2.0/24,10.0.3.0/24".
This sets the routes for these networks using the remote VPN endpoint as gateway.
-
Thanks for the answer! I'll give it a shot.
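As an added example (not part of the thread and not pfSense code), the script below turns the planning rules from the answers above into checks you can run before touching the firewalls: every subnet on one site must not overlap any subnet on the other, the /30 tunnel network must not collide with any LAN, and the VLAN ranges should be private (RFC 1918) rather than public like 11.0.X.X. It then builds the exact comma-separated string for each side's "IPv4 Remote networks" field and the resulting routes. The site dictionaries are constructed from the thread's "Current setup" and "Option 2" diagrams; the tunnel network 10.255.255.0/30 and the assumption that the server takes the first usable tunnel address and the client the second are mine, not stated in the thread.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample data taken from the thread's diagrams.
SITE1 = {"VLAN1": "10.0.1.0/24", "VLAN2": "10.0.2.0/24", "VLAN3": "10.0.3.0/24"}
CURRENT_SITE2 = {"VLAN1": "10.0.1.0/24", "VLAN2": "10.0.2.0/24", "VLAN3": "10.0.3.0/24"}
OPTION2_SITE2 = {"VLAN1": "10.0.4.0/24", "VLAN2": "10.0.5.0/24", "VLAN3": "10.0.6.0/24"}


def parse_site(site: Dict[str, str]) -> Dict[str, ipaddress.IPv4Network]:
    """Parse VLAN-name -> CIDR into network objects (strict: host bits must be zero)."""
    return {name: ipaddress.ip_network(cidr, strict=True) for name, cidr in site.items()}


def overlapping_pairs(site_a: Dict[str, str], site_b: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (vlan_a, vlan_b) pairs whose subnets overlap across the two sites.
    Any such pair breaks routing over the tunnel: pfSense cannot prefer the remote
    copy of a prefix it also has locally."""
    a, b = parse_site(site_a), parse_site(site_b)
    return [(na, nb) for na, neta in a.items() for nb, netb in b.items() if neta.overlaps(netb)]


def non_private(site: Dict[str, str]) -> List[str]:
    """VLAN names whose subnet is not RFC 1918/private address space (e.g. 11.0.1.0/24)."""
    return [name for name, net in parse_site(site).items() if not net.is_private]


def remote_networks_field(remote_site: Dict[str, str]) -> str:
    """Comma-separated value for the OpenVPN 'IPv4 Remote networks' field."""
    return ",".join(str(net) for net in parse_site(remote_site).values())


def plan_site_to_site(server_site: Dict[str, str], client_site: Dict[str, str],
                      tunnel: str = "10.255.255.0/30") -> Dict[str, Dict[str, object]]:
    """Validate the two sites and produce the per-side OpenVPN settings and routes.
    Assumption (not from the thread): on a /30 tunnel the server gets the first
    usable address and the client the second."""
    conflicts = overlapping_pairs(server_site, client_site)
    if conflicts:
        raise ValueError(f"overlapping subnets between sites: {conflicts}")
    public = non_private(server_site) + non_private(client_site)
    if public:
        raise ValueError(f"VLANs using public address space: {public}")
    tun = ipaddress.ip_network(tunnel, strict=True)
    if tun.prefixlen != 30:
        raise ValueError("peer-to-peer tunnel network should be a /30")
    for site in (server_site, client_site):
        for name, net in parse_site(site).items():
            if net.overlaps(tun):
                raise ValueError(f"tunnel {tun} overlaps {name} {net}")
    server_ip, client_ip = list(tun.hosts())  # a /30 has exactly two usable hosts
    return {
        "server": {
            "tunnel_ip": str(server_ip),
            "remote_networks": remote_networks_field(client_site),
            # each remote prefix is routed via the peer's tunnel address
            "routes": [(str(n), str(client_ip)) for n in parse_site(client_site).values()],
        },
        "client": {
            "tunnel_ip": str(client_ip),
            "remote_networks": remote_networks_field(server_site),
            "routes": [(str(n), str(server_ip)) for n in parse_site(server_site).values()],
        },
    }


if __name__ == "__main__":
    print("current setup conflicts:", overlapping_pairs(SITE1, CURRENT_SITE2))
    plan = plan_site_to_site(SITE1, OPTION2_SITE2)
    for side in ("server", "client"):
        print(side, "IPv4 Remote networks =", plan[side]["remote_networks"])
        for prefix, gw in plan[side]["routes"]:
            print(f"  route {prefix} via {gw}")
```

Running it against the "Current setup" reports all three VLAN pairs as overlapping, which is why the mirrored addressing cannot work; against "Option 2" it passes and prints the two field values the answer gives. The is_private check is the same objection raised against 11.0.X.X in the answer: those are routable public addresses, so traffic to a real host in that range would be swallowed by the tunnel route.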