Vlan routing with ipsec, enforcing through HQ for a specific vlan.
-
I got two sites HQ & BranchOffice
They are connected by pfsense ipsec, this works great, HQ uses static ip from the ISP
The other has a dynamic 4G ip assigned, for which i'm using DDNS and it works fine with ipsec. The mobile 4G branch office has its public IP changed once in a while randomly.Internally we have multiple VLAN's, and vlan based communications between HQ and BranchOffice are working fine. Branch Office can communicate with HQ servers etc.
We're making use of an externally hosted ip-telephony service.
The BranchOffice should direct the Voip vlan through the HQ, so it shouldnt use its own 4g to get on the internet (the ip phone provider cannot handle changing IP's), but tunnel it through ipsec and go trough the static HQ gateway. Is there a way to enforce that ?.I tried things here but none were successful so far
Any ideas are welcome. -
Does IPSec even support VLANs? OpenVPN does only in TAP mode. What you do is route each subnet individually and recreate the VLANs at the other end.
-
@jknott Well i believe it does our offices are connected, firewall rules set access, certain remote vlan's can access HQ, but the Branch office goes straight to the internet bypassing ipsec for any ip traffic not on our network. ,ea now each office behaves as if they have their own internet GW, and only for company internal traffic the ipsec connection is used.
I'd like to overide it for only the VOIP vlan to use some kinda static route using to use the ipsec tunnel as well for outside traffic, and for traffic back.
-
That the offices are connected does not mean the VPN supports VLANs. It only means the various subnets are connected, which can be accomplished with appropriate routing. The issue is VLANs are layer 2, but routers work at L3, so the VLANs will not be carried. OpenVPN TAP mode is essentially a bridge, which can pass L2, including VLANs. This would also mean the subnets have the same addresses at both end. If the subnets have different addresses at the other end, then routing is used and VLANs cannot be passed.
-
Well each vlan lives in its own subnet as well, we currently dont use open-VPN for site-site traffic
The vlan's offer rather isolation towards unifi switch ports.
Its not doing inter-vlan-routing,
But the PF's firewall can make use of vlan's, (besides subnets), to allow/disallow certain traffic. -
Yes, pfsense can use VLANs for local isolation for things like multiple WiFi SSIDs, VoIP phones and more However, to connect sites via VPN, without TAP mode, means routing of the subnets. When you use a VPN, the traffic through the VPN is accomplished by routing through it. There is nothing to stop routing as many subnets through a VPN as you wish.
-
@jknott
Yes okay though is it then possible to still say to the mobile branche office (vlan)subnet, if only this specific subnet wants to go to the outside world (to contact the extern hosted ip-phone-provider), it needs to make use of the ipsec ?. (while the other subnet traffic who want to surf the internet go straight from 4G to its 4G-internet service provider).Meanwhile i'm testing out also :
https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-s2s-route-internet-traffic.html
Though its just my guts feeling saying it seams overkill for what i want to achieve here, as there already is an ipsec tunnel. It make me more woried to alter the main HQ office to such an extend.