Netgate Discussion Forum

    Bridge VTI with ether interface

    Category: L2/Switching/VLANs
    3 Posts, 2 Posters, 501 Views
    sgabor

      Hello Everyone,

      Is it supported in pfSense (2.4.4-RELEASE-p3) to create a bridge, which members would be an IPSec VTI tunnel interface and an Ethernet interface?

      I tried it without success. Everything seems to be OK, but I cannot reach (ping) the VTI IP addresses through the Ethernet interface.

      Many thanks,
      Gábor

    jimp (Rebel Alliance Developer, Netgate)

        No, that won't work because IPsec VTI interfaces only operate at L3 and above, they don't carry L2 information.

        You could set up a VTI link between two hosts, then run a GIF tunnel from firewall to firewall over IPsec, and that can carry L2. Or OpenVPN in tap mode with no encryption set (carried over by IPsec). Or run OpenVPN in tap mode instead of IPsec.

        None of those are terribly enticing options, since bridging across a VPN is usually a horrible idea.

        What problem is it you're trying to solve? There may be a better way.

        sgabor

          Hello jimp,

          Thank you for your useful answer.

          My original problem was described in another topic, here:
          https://forum.netgate.com/topic/146476/issue-with-failover-gateway-group-over-vti-tunnels/2

          Since Gateway Groups is not working properly on VTI interfaces, I decided to do the automatic failover switching on the Mikrotik router (with a script). That is why I wanted to extend the VTI tunnels from pfSense to the Mikrotik router by bridging them with an ether interface on pfSense.

          Some sort of (GIF) tunnel over the VTI tunnel could have solved the problem, but the options for using these solutions are very limited at "Site B".

          I chose a different solution: I installed a second (virtual) instance of pfSense; in this case 2 VTI tunnels were enough instead of three. And because one pfSense had only one VTI tunnel, a layer 3 connection was enough between the Mikrotik and the pfSense routers to do the automatic failover switching on the Mikrotik.

          So I have already solved this problem... but if you have any idea/hint, I'm open to receiving it for the future.

          Thanks,
          SGábor

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.