Bridge VTI with ether interface



  • Hello Everyone,

    Is it supported in pfSense (2.4.4-RELEASE-p3) to create a bridge, which members would be an IPSec VTI tunnel interface and an Ethernet interface?

    I tried it without success. Everything seems to be OK, but I cannot reach (ping) the VTI IP addresses through the Ethernet interface.

    Many thanks,
    Gábor


  • Rebel Alliance Developer Netgate

    No, that won't work because IPsec VTI interfaces only operate at L3 and above, they don't carry L2 information.

    You could setup a VTI link between two hosts then run a GIF tunnel from firewall to firewall over IPsec and that can carry L2. Or OpenVPN in tap mode without encryption set (carried over by IPsec). Or run OpenVPN in tap mode instead of IPsec.

    None of those are terribly enticing options, since bridging across a VPN is usually a horrible idea.

    What problem is it you're trying to solve? There may be a better way.



  • Hello jimp,

    Thank you for your useful answer.

    My original problem was described in another topic, here:
    https://forum.netgate.com/topic/146476/issue-with-failover-gateway-group-over-vti-tunnels/2

    Since Gateway Groups is not working properly on VTI interface, then I decided to do the automatic failover switching on the Mikrotik router (with a script). That is why I wanted to extend the VTI tunnels from pfSense to Mikrotik router by briding them with an ether interface on pfSense.

    Some sort of (GIF) tunnel over VTI tunnel could have solved the problem, but to use these solutions are very limited at "Site B".

    I chose a different solution: I installed a second (virtual) instance of pfSense, in this case 2 VTI tunnels were enough instead of three. And because one pfSense had only one VTI tunnel, layer3 connection was enough between Mikrotik and the pfSense routers to do the automatic failover switching on the Mikrotik.

    So I already solved this problem... but if you have any idea/hint, I'm open to receive it for the future.

    Thanks,
    SGábor


Log in to reply