Which tunnel to use?

  • Hi,

    I have 2 locations with both pfSense running on it:

    location 1 (home) = - pfSense1 on - DHCP for clients .100 to .199
    location 2 (vacation home) = - pfSense2 on - DHCP for clients .100 to .199

    I have a working IPSec tunnel between both sites. So everything fine so far, I can reach all devices from both sites.

    Now, I would like to have one interface on pfSense at location 2 that behaves like it's on a switch on network 1. So it should get an IP from pfsense1 - but not just that, it should route "all" protocols, VLANs, etc.

    I think I need a GRE tunnel for that? Is that correct?

    The purpose is this: I have a TV decoder installed at location 1, connected to a separate DSL line and modem, and I want to be able to take my TV decoder to location 2 to watch TV there, occasionally. This does not simply work with routing IP, I think they use VLANs or maybe some other protocols.

    So would a GRE tunnel be good for this purpose? If yes, then I need a bit of help, because I already tried setting up the GRE tunnel (both pfSense boxes have a free NIC for this purpose) but so far I failed...

    Can I use both an IPsec tunnel AND a GRE tunnel between the same endpoints?
    Or better to tunnel the GRE over this IPsec tunnel probably... but how?

    Thanks a lot!

  • Rebel Alliance Developer Netgate

    GRE would not help since GRE can only carry layer 3 information. GIF would be what you want for L2, but that would be a problem here. If you add a bridged interface that will break your existing tunnel since it can't have the same network both "locally" (even bridged) as well as connected over IPsec. There is no way for it to determine which path it should take.

    Also, neither GIF nor GRE are encrypted so you'd have to run that over something else (e.g. transport IPsec).

    You'd be better off using an OpenVPN tap bridge, to be honest. Though you'd still have the same routing issue.

    If the decoder is on its own separate DSL line and modem, you could use a separate pfSense firewall to handle that traffic in an isolated way to remove the potential conflict.
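The OpenVPN tap bridge suggested above, written out as an added example that is not from this thread or from Netgate: the server side on pfSense1 and the client side on pfSense2, expressed as plain OpenVPN directives (on pfSense the same options are set through the OpenVPN server/client pages and the Bridges page rather than edited as a file). Public address, certificate paths and interface names are placeholders, and the decoder's segment is assumed to sit on its own NIC at each site and to be left out of the IPsec phase 2, so the same subnet is never reachable over two paths.

```conf
# --- pfSense1 (location 1): OpenVPN server in layer-2 (tap) mode ---
# Assumed: the tap interface is bridged (Interfaces > Bridges) with the
# NIC that serves the decoder's segment, and that segment is NOT one of
# the IPsec phase 2 networks, so it is reachable over one path only.
dev tap
proto udp
port 1194
# server-bridge with no parameters = DHCP-proxy mode: clients take their
# lease from the DHCP server already on the bridged LAN (pfSense1), which
# is what the decoder needs; OpenVPN hands out no addresses itself.
server-bridge
# X.509 mutual authentication; paths are placeholders.
ca /path/to/ca.crt
cert /path/to/pfsense1.crt
key /path/to/pfsense1.key
dh /path/to/dh.pem
# tls-crypt authenticates and encrypts the control channel; packets that
# do not carry the key are dropped before any TLS work is done, which
# limits what an unauthenticated host on the internet can poke at.
tls-crypt /path/to/tls-crypt.key
cipher AES-256-GCM
keepalive 10 60
persist-key
persist-tun
verb 3

# --- pfSense2 (location 2): OpenVPN client, tap bridged to the spare NIC ---
# Assumed: tap is bridged with the free NIC the decoder will plug into at
# the vacation home; pfSense2 itself needs no address on that bridge.
client
dev tap
proto udp
remote <pfSense1-public-IP-placeholder> 1194
nobind
ca /path/to/ca.crt
cert /path/to/pfsense2.crt
key /path/to/pfsense2.key
tls-crypt /path/to/tls-crypt.key
cipher AES-256-GCM
# Only accept a peer whose certificate was issued for server use.
remote-cert-tls server
persist-key
persist-tun
verb 3
```

On pfSense1's WAN, the firewall rule for UDP 1194 should admit only pfSense2's public address, so the bridged segment is exposed to one known peer rather than to the whole internet.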

  • Thanks for your reply, it's appreciated.

    I'm willing to remove the IPsec link then, if there is no other way.

    Basically I just want an RJ45 port on pfSense2 that connects to an RJ45 of pfSense1, like it was just a simple switch in between them.

    So I have to use GIF then. I don't mind that the traffic is not encrypted (it's just an IPTV stream), but would that also mean that my pfSense could be entered more easily by hackers?

    Can you point me a bit in the right direction? So on both sides I create a new GIF interface. What would I use as the "GIF tunnel local address" and "GIF tunnel remote address"? Can I use something random (like and or does it need to be in the IP range that the TV decoder uses?
