Stretched LAN cannot 'route' to other VLANS

[Attached image: 0_1551804275576_RMS.png]

My EXISTING and FULLY FUNCTIONING 2-site setup. The Internet is GIG up and down to both sites (symmetrical), so no worries about BW. The title is my ask. I would like to stretch 192.168.1.0/24 across the sites AND successfully route to the other VLANs on the other site.

I did 'part' of this already once.

• I set up em1 as 192.168.1.1/24 on one pfSense (2.4.4), and em1 as 192.168.1.254/24 on the other (also pfSense 2.4.4).
• I set up an IPSec TAP - Shared Key Server and Client and brought them up successfully.
• Bridged each em1 to IPSEC (on each respective pfSense).
• I added the necessary rules (to IPSec, and BRIDGE0 etc.).

Everything worked FINE if I was pinging on that LAN (ping from site 1@192.168.1.3 to 192.168.1.7@site 2 worked perfectly as expected) (and YES, I know ping is L3, not L2, which is what A BRIDGE 'stitches together'). However, I could NOT get to any of the devices (or 'router interfaces' - ..*.1/24) on the VLANs from their respective other side, and I could not figure out how to add a route for them, which I am confident is the issue, but I am not sure what would have been the right answer and/or place to do this. I did NOT add the bridge as an Interface, as even if I did that (and I did, and yes, enabled it), I did not know what IP to give it. But my inkling is: should that have been the router address (192.168.1.1 on site 1 and 192.168.1.254 on site 2)?

Is this possible to do? Have I come up with a 'logically' possible idea, but physically/realistically it cannot be done? My other thought was: I watched many of the monthly pfSense hangouts and I recall a 'throwaway' comment that one cannot do this with Shared Keys? I need to set up an SSL Cert for this? Some guidance and suggestions would be most welcome. I am not easily able to look at getting an SG7100 or other devices as I already bought the Protectli that are in use (and I LOVE!). So my budget has mostly been spent already, so while I can appreciate any suggestions like that, it will more than likely not be within my reach for a quick solution.
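As an added illustration of the routing question in the post (not code from the poster or from pfSense), the model below walks a packet from one site's pfSense toward the other site's VLAN, once with only the connected and default routes and once with a static route per site that points at the peer's address on the stretched 192.168.1.0/24 LAN. The VLAN subnets 10.10.10.0/24 and 10.20.20.0/24 and the WAN next hops are assumptions; the post names only the two em1 addresses.

```python
from ipaddress import ip_address, ip_network

# Constructed routing tables for the two pfSense boxes. 192.168.1.0/24 is the
# stretched LAN (em1 on both, bridged over the VPN); the VLAN subnets and WAN
# next hops are assumed. A next hop of None means a directly connected network.
TABLES = {
    "site1": [(ip_network("192.168.1.0/24"), None),
              (ip_network("10.10.10.0/24"), None),
              (ip_network("0.0.0.0/0"), ip_address("203.0.113.1"))],
    "site2": [(ip_network("192.168.1.0/24"), None),
              (ip_network("10.20.20.0/24"), None),
              (ip_network("0.0.0.0/0"), ip_address("198.51.100.1"))],
}
# Which router answers on which stretched-LAN address (reachable over bridge0).
ROUTER_BY_ADDR = {ip_address("192.168.1.1"): "site1",
                  ip_address("192.168.1.254"): "site2"}

def lookup(routes, dst):
    """Longest-prefix match over a (network, next_hop) list; None if no route."""
    dst = ip_address(dst)
    best = None
    for net, nh in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best

def trace(tables, start, dst, max_hops=4):
    """Follow next hops from router `start`. Returns the routers traversed, ending
    in 'delivered' (connected network) or 'lost' (no route / unmodelled hop)."""
    hops = [start]
    for _ in range(max_hops):
        match = lookup(tables[hops[-1]], dst)
        if match is None:
            return hops + ["lost"]
        _net, nh = match
        if nh is None:
            return hops + ["delivered"]
        if nh not in ROUTER_BY_ADDR:   # e.g. the WAN default: RFC1918 dies there
            return hops + ["lost"]
        hops.append(ROUTER_BY_ADDR[nh])
    return hops + ["lost"]

def with_static_routes(tables):
    """Copy of tables where each site reaches the other site's VLAN via the
    peer pfSense's address on the stretched LAN."""
    fixed = {k: list(v) for k, v in tables.items()}
    fixed["site1"].append((ip_network("10.20.20.0/24"), ip_address("192.168.1.254")))
    fixed["site2"].append((ip_network("10.10.10.0/24"), ip_address("192.168.1.1")))
    return fixed
```

The model covers only the router hop; each host still has to use its own site's pfSense as default gateway, and the static route on the peer also needs matching firewall rules.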
