VLAN over openvpn



  • I think I saw something similar to my question, but I tried to follow the workflow and it was different than what I need to do. We are using pfSense at 11 sites; on one site we are installing a new WiFi setup. We are using the pfSense to do the DHCP for the VLANs, which, since it is a school, we are making each classroom a separate VLAN. E.g. the main building VLAN is VLAN 10. This all works internally, and using firewall rules the VLANs can talk to each other and the main LAN network, which is 10.200.x.x. VLAN 10 is 192.168.0.0/20. I am also connecting these routers through OpenVPN shared key to each other, so I have 11 VPNs on each router. My question is as follows: I need the main VLAN 10 to be able to communicate with the servers on the physical LAN (which it does) and also over the VPN at each site. I tried a static route but it didn't work, possibly I didn't do it right. I have many interfaces, 3 Ethernet and 2 fiber, and also one virtual interface for each VLAN. I don't have any interfaces for the OpenVPN; however, my computers on the physical LAN can all communicate over the VPN no problem.
    I hope I gave enough background information. Any help with this would be appreciated!



  • It's hard to determine what exactly you're trying to do. However, forget about a VLAN over a VPN. VLANs work at layer 2 and VPNs carry layer 3 traffic. Also, what else are those VPNs carrying? BTW, having all those VPNs seems a bit much. It'd be easier to have the different rooms connect to a common point and route from there.



  • OK, so I have 11 different VPNs because we have a full mesh, so each building can talk to each other independently of each other building. It's more for redundancy than anything else. What I need is for only one of my VLANs, which will be carrying the main building WiFi, to be able to talk to servers across the VPNs. For instance, we will say that building A is the building with the VLAN; I need to be on the VLAN at building A and talk to a physical server at building B over the VPN. I don't want all traffic from the VLAN to go over the VPN, only what needs to for the computers, iPads, Chromebooks, etc. that need to communicate with various servers around the different buildings.



  • Are you using IPsec tunnels?
    I think you have to add multiple phase 2 entries for each subnet/VLAN. Static routes do not go over IPsec tunnels on pfSense.


  • @johnsed said in VLAN over openvpn:

    "so I have 11 vpns on each router"

    Certainly not how I would do it. I'd have a central site feeding all of those. I would have redundancy at the central site so no one failure took everything down. That site would route between the "spokes." Everything necessary to all of the "spokes" would be accessible via the central site.

    The way you have done it: take the number of sites you have, and the number of problems that might ring your phone is sites^2 instead of sites/2.
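As an added illustration of the point made above (the VLAN itself cannot cross the VPN, only its layer 3 subnet can be routed through it), here is a constructed pair of OpenVPN shared-key site-to-site configurations for two of the buildings; it is not configuration from the thread or from pfSense, and the tunnel addresses, key path, hostname and site B LAN are assumed values. In the pfSense GUI the `route` lines correspond to the "IPv4 Remote network(s)" field of the OpenVPN instance.

```conf
##### Site A: the building that hosts VLAN 10 (192.168.0.0/20) #####
dev tun
proto udp
port 1194
secret /var/etc/openvpn/siteA-siteB.key   # pre-shared static key (assumed path)
ifconfig 10.255.0.1 10.255.0.2            # tunnel endpoints (assumed)
# Networks reachable on the far side: installed as kernel routes via the tunnel
route 10.200.2.0 255.255.255.0            # site B physical LAN (assumed)
keepalive 10 60
persist-key
persist-tun

##### Site B: the building with the server the VLAN clients need #####
remote siteA.example.invalid 1194         # site A public address (assumed)
dev tun
proto udp
secret /var/etc/openvpn/siteA-siteB.key
ifconfig 10.255.0.2 10.255.0.1
# Site A's physical LAN (the only route present when "the physical LAN works")
route 10.200.1.0 255.255.255.0            # site A physical LAN (assumed)
# The missing piece: the VLAN 10 subnet must also be a remote network here,
# otherwise replies to 192.168.0.0/20 leave via site B's default gateway
# instead of the tunnel, and the VLAN hosts never see an answer.
route 192.168.0.0 255.255.240.0           # site A VLAN 10
keepalive 10 60
persist-key
persist-tun
```

Routing alone is not enough: site B's OpenVPN interface rules must permit traffic sourced from 192.168.0.0/20 to the server, and the VLAN 10 interface rules at site A must permit the VLAN clients to reach 10.200.2.0/24, while leaving the VLAN's other traffic on its normal path.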

