Netgate Discussion Forum
    Layer 2 OpenVPN site-2-site - If on ESX disable all switch security!

    OpenVPN
    • snecosnulting
      last edited by snecosnulting

      I have just built a Layer 2 stretched VLAN between two sites and found a few bumps I thought I would share to help other people.

      Summary:
      If using ESX, turn off all your vSwitch security. I have not yet tested which feature stops the pfSense from putting traffic back on the network to the VMs.

      I was seeing traffic get to the bridge but not actually leave the pfSense.

      When you make the bridge at the head end, i.e. where the default gateway is, remove the IP from the original interface and also add the bridge as an interface. Put the gateway IP on this interface and move your rules from the original interface to the new one.

      So you have the original layer 2 interface, then add the interface that is available after creating the OpenVPN. Remove the IP from the original interface (hopefully not the interface you're connected to the GUI on!!!)
      Create the bridge to 'join' the local layer 2 network to the VPN so it can get to the remote site.
      You will now have the bridge interface as an interface that can be assigned. Add that and give it the original IP address. DHCP may need to be fixed also, as that will now be bound to the old interface etc. This is the recommended way to do bridges in the pfSense documentation and seemed to make the default gateway work, whereas it was not working from the remote site prior to these extra steps.

      I think, but have not fully tested yet, that on the two layer 2 only interfaces an any -> any rule makes sense, and then one set of actual rules on the bridge interface, which is now the layer 3 interface.

      The rest is all fairly straightforward and well documented: create server and client, match encryption algorithms etc.

      At the remote end you don't need a layer 3 interface; however, I have still also added the bridge and given it a layer 3 address as I want to look to route via this to other subnets on site B
      a) because it is a shorter path
      b) so I can still access local equipment in a WAN failure situation.
      I am thinking this will end up being some form of source based routing.

      All the equipment I have at site B on the stretched VLAN has static IPs in a subset of the main layer 2 network, so I might use a site B default gateway. I only need the layer 2 for multicast between things all on the same network.
      Now I want to see if I can get IGMP snooping working across the link so I don't get all the multicast at all the sites!

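As an added example (not code from the post, pfSense or Netgate), the script below parses `ifconfig` output from a pfSense (FreeBSD) box and flags the two things the recipe above says to get right: an IPv4 address left on a bridge member instead of on the bridge, and a head-end bridge with no gateway IP. The interface names (bridge0, em1, ovpns1) and the address in the sample are constructed.

```python
import re
# Added example, not from the post: parse FreeBSD/pfSense `ifconfig` output and
# check the bridge recipe above: bridge members (LAN NIC and OpenVPN tap) carry
# no IPv4 address and the bridge itself carries the gateway IP.
_IFACE_RE = re.compile(r"^(\S+): flags=")  # interface headers start at column 0

def parse_ifconfig(text):
    """Return {ifname: {"inet": [addresses], "members": [bridge members]}}."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        m = _IFACE_RE.match(line)
        if m:
            cur = ifaces.setdefault(m.group(1), {"inet": [], "members": []})
            continue
        tok = line.split()
        if cur is None or len(tok) < 2:
            continue
        if tok[0] == "inet":        # IPv4 address assigned to this interface
            cur["inet"].append(tok[1])
        elif tok[0] == "member:":   # interface enslaved to this bridge
            cur["members"].append(tok[1])
    return ifaces

def check_bridge(ifaces, bridge, expect_ip=True):
    """List deviations from the recipe (expect_ip=False for the remote site)."""
    br = ifaces.get(bridge)
    if br is None:
        return [f"{bridge}: not present"]
    findings = []
    if not br["members"]:
        findings.append(f"{bridge}: has no member interfaces")
    for member in br["members"]:
        addrs = ifaces.get(member, {"inet": []})["inet"]
        if addrs:
            findings.append(f"{member}: member still has IPv4 {' '.join(addrs)}; move it to {bridge}")
    if expect_ip and not br["inet"]:
        findings.append(f"{bridge}: no IPv4 address; the gateway IP should be here")
    return findings

# Constructed sample: the bridge exists but the gateway IP was left on em1.
SAMPLE = """\
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    member: ovpns1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
    member: em1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 192.168.10.1 netmask 0xffffff00 broadcast 192.168.10.255
ovpns1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether 02:aa:bb:cc:dd:02
"""
```

Run it on the real box with `check_bridge(parse_ifconfig(subprocess.check_output(["ifconfig"], text=True)), "bridge0")` after the bridge is created, and again after moving the IP, to confirm the layout before touching the rules.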
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.