Specific VLAN over VPN only



  • I have been using pfSense for around a year now and have a decent understanding of the basics. I am trying to move my configuration to something more complex, and seem to be hitting a wall, most likely due to lack of knowledge. My goal is to have a VLAN dedicated to VPN traffic. This traffic should be able to reach other devices on the other VLANs, and gain internet access through the VPN group, but never the WAN, even in the event that the VPN group is completely down.

    Current config, right or wrong:

    Gateways
    Wan
    VPN1
    VPN4
    VPN5
    Gateway Group: VPN 1,4,5

    Interfaces
    WAN (physical)
    LAN (physical)
    General (physical)
    VPN (physical)
    VPN1 (virtual? created with VPN client addition)
    VPN4 (virtual? created with VPN client addition)
    VPN5 (virtual? created with VPN client addition)

    VLANS
    10 General (parent interface General)
    20 VPN (parent interface VPN)

    DHCP Server
    192.168.10.1 for vlan 10
    DNS is set to public IPs via the WAN GW on the General settings
    192.168.20.1 for Vlan 20
    DNS 1 and 2 are set to the VPN required address on the DHCP server settings page for vlan 20.
    **I have done this since I cannot assign DNS addresses to my VPN gateway group.

    Open VPN Clients
    VPN1
    VPN4
    VPN5

    Firewall
    VLAN 10: Allow IPV4*/LAN Net/Any/Any/Any/Any
    VPN Vlan (20): Allow IPV4*/Any/Any/Any/Any/VPN Group
    VPN1: Allow IPV4*/VPN1/Any/Any/Any/VPN Group
    VPN2: Allow IPV4*/VPN2/Any/Any/Any/VPN Group
    VPN3: Allow IPV4*/VPN3/Any/Any/Any/VPN Group

    Currently with any/all VPN clients on
    VLAN 10 can ping internal vlans, WAN, external IPs, but cannot resolve external names
    VLAN 20 can ping internal vlans, WAN, external IPs, and resolve external names. Devices also show public IP from VPN provider

    Currently with no VPN clients on
    VLAN 10 can ping internal vlans, WAN, external IPs, and resolve external names, as well as pull a public IP from my local ISP
    VLAN 20 can ping internal vlans, WAN, external IPs, and resolve external names, as well as pull a public IP from my local ISP

    I am speculating that the issue(s) exist in my configuration of the Firewall NAT/Rules, but after messing with different combos for weeks now, I have given up on getting this resolved without external help. I ripped out most of my rules and NAT configs to keep it basic, to hopefully make it easier to get working.

    I will post up configs from any areas that are needed as requested.
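As an added illustration (not the poster's configuration and not pfSense's generated ruleset), this is what the goal stated in the post looks like as a hand-written FreeBSD pf ruleset: one VLAN whose non-internal traffic is policy-routed into a group of OpenVPN client tunnels, with a kill switch so that it can never fall back to the WAN. Interface names (vlan20, ovpnc1/4/5, em0), the tunnel peer addresses and the resolver address are assumptions for the example.

```pf
# Added example, not the poster's config and not pfSense output.
# Assumed: vlan20 = VLAN 20 interface, ovpnc1/ovpnc4/ovpnc5 = OpenVPN client
# tun interfaces, em0 = WAN, peer/resolver addresses are placeholders.
vpn_net  = "192.168.20.0/24"
int_nets = "{ 192.168.1.0/24, 192.168.10.0/24, 192.168.20.0/24 }"  # LAN, VLAN 10, VLAN 20
wan_if   = "em0"

# --- Translation (evaluated before filtering on the way out) -----------------
# Source NAT the VPN VLAN behind each tunnel's own address ...
nat on ovpnc1 inet from $vpn_net to any -> (ovpnc1)
nat on ovpnc4 inet from $vpn_net to any -> (ovpnc4)
nat on ovpnc5 inet from $vpn_net to any -> (ovpnc5)
# ... and explicitly never on the WAN. Without this, a packet that did reach
# em0 would already carry the WAN address and the block rule below would
# not see the 192.168.20.0/24 source.
no nat on $wan_if inet from $vpn_net to any

# --- Filtering on the VPN VLAN ----------------------------------------------
# 1. Traffic to the other VLANs follows the normal routing table (no route-to),
#    otherwise replies to 192.168.10.x would be pushed into a tunnel.
pass in quick on vlan20 inet from $vpn_net to $int_nets keep state

# 2. Everything else is policy-routed into the tunnel group. pf spreads new
#    connections across the listed (interface gateway) pairs; a pair whose
#    interface is down does not carry traffic.
pass in quick on vlan20 inet \
    route-to { (ovpnc1 10.8.0.1), (ovpnc4 10.9.0.1), (ovpnc5 10.10.0.1) } round-robin \
    from $vpn_net to any keep state

# 3. Kill switch: anything from VLAN 20 that did not match a pass rule above
#    is dropped, rather than falling through to the default route (WAN).
block in quick on vlan20 inet from $vpn_net to any

# 4. Belt and braces on the egress side: VLAN 20 sources never leave via WAN.
#    This only works because of the "no nat" rule above.
block out quick on $wan_if inet from $vpn_net to any
```

The same policy in the pfSense GUI is three rules on the VLAN 20 interface in this order (pass to the internal subnets with the default gateway, pass any with the gateway group as Gateway, then block any), Outbound NAT in hybrid or manual mode with a mapping for 192.168.20.0/24 on each OpenVPN client interface and a "Do not NAT" rule for that subnet on WAN. One pfSense-specific caveat explains the "no VPN clients on" result reported above: by default, when every gateway in a group is down, pfSense writes the policy-routing rule without its gateway, so the traffic takes the default route out the WAN. Enabling "Skip rules when gateway is down" (System > Advanced > Miscellaneous) omits that rule instead, so the block rule beneath it takes effect.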



  • @Frosty81

    You can't send VLANs over a VPN. However, you can route from each VLAN as appropriate.



  • Bear with me as I may ask some dumb questions, but I am just seeking to better understand the inner workings and concepts. If VLANs can't be routed over a VPN, how does traffic flow over the VPN VLAN when I have the VPN connections established?

    In case it matters, this is just routing over a VPN for general internet access, not a site to site where i need the vlan tag to properly direct traffic on the other side of the connection.



  • @Frosty81

    You have to go back to the basics of the protocol stack. Ethernet is layer 2, IP is 3. A VPN emulates an IP connection and as such carries only IP traffic. VLANs are Ethernet and can't be carried over an IP connection without being encapsulated in an IP packet. Regardless, if you have multiple VLANs, they'd each have their own subnet. pfSense can route all of them over the same VPN and sort them out at the other end, just as if it was over an ordinary IP connection.

    There may be a method to support VLANs over a VPN, but it requires a TAP VPN, rather than the usual TUN VPN. While pfSense supports TAP, I don't know if it supports VLAN over TAP.



  • @JKnott I definitely need to go study up on the OSI model again. Networking class was so long ago! Thanks for offering some schooling. I will focus my efforts on trying to get a particular subnet to route over the VPN group i have set up then.

