Netgate Discussion Forum

Vlan routing with ipsec, enforcing through HQ for a specific vlan.

7 Posts 2 Posters 604 Views
PGTART
last edited by May 19, 2021, 12:00 PM

I got two sites, HQ & BranchOffice.
They are connected by pfSense IPsec, which works great. HQ uses a static IP from the ISP.
The other has a dynamic 4G IP assigned, for which I'm using DDNS, and it works fine with IPsec. The mobile 4G branch office has its public IP changed once in a while, randomly.

Internally we have multiple VLANs, and VLAN-based communications between HQ and BranchOffice are working fine. BranchOffice can communicate with HQ servers etc.

We're making use of an externally hosted IP-telephony service.
The BranchOffice should direct the VoIP VLAN through the HQ, so it shouldn't use its own 4G to get on the internet (the IP phone provider cannot handle changing IPs), but tunnel it through IPsec and go through the static HQ gateway. Is there a way to enforce that?

I tried things here, but none were successful so far.
Any ideas are welcome.

JKnott @PGTART
last edited by May 19, 2021, 12:40 PM

      @pgtart

      Does IPSec even support VLANs? OpenVPN does only in TAP mode. What you do is route each subnet individually and recreate the VLANs at the other end.

      PfSense running on Qotom mini PC
      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
      UniFi AC-Lite access point

      I haven't lost my mind. It's around here...somewhere...

PGTART @JKnott
May 19, 2021, 12:55 PM (last edited by PGTART May 19, 2021, 12:59 PM)

@jknott Well, I believe it does. Our offices are connected, firewall rules set access, certain remote VLANs can access HQ, but the Branch office goes straight to the internet, bypassing IPsec for any IP traffic not on our network, i.e. now each office behaves as if it has its own internet GW, and only for company-internal traffic is the IPsec connection used.

I'd like to override it for only the VoIP VLAN, using some kind of static route that uses the IPsec tunnel as well for outside traffic, and for traffic back.

JKnott @PGTART
last edited by May 19, 2021, 1:10 PM

          @pgtart

That the offices are connected does not mean the VPN supports VLANs. It only means the various subnets are connected, which can be accomplished with appropriate routing. The issue is VLANs are layer 2, but routers work at L3, so the VLANs will not be carried. OpenVPN TAP mode is essentially a bridge, which can pass L2, including VLANs. This would also mean the subnets have the same addresses at both ends. If the subnets have different addresses at the other end, then routing is used and VLANs cannot be passed.


PGTART @JKnott
May 19, 2021, 1:44 PM (last edited by PGTART May 19, 2021, 1:45 PM)

            @jknott

Well, each VLAN lives in its own subnet as well; we currently don't use OpenVPN for site-to-site traffic.
The VLANs rather offer isolation towards UniFi switch ports.
It's not doing inter-VLAN routing,
but the PF's firewall can make use of VLANs (besides subnets) to allow/disallow certain traffic.

JKnott @PGTART
last edited by May 19, 2021, 1:57 PM

              @pgtart

Yes, pfSense can use VLANs for local isolation for things like multiple WiFi SSIDs, VoIP phones and more. However, to connect sites via VPN without TAP mode means routing of the subnets. When you use a VPN, the traffic through the VPN is accomplished by routing through it. There is nothing to stop routing as many subnets through a VPN as you wish.


PGTART @JKnott
last edited by May 19, 2021, 3:17 PM

                @jknott
Yes, okay, though is it then possible to still say to the mobile branch office (VLAN) subnet: if only this specific subnet wants to go to the outside world (to contact the externally hosted IP-phone provider), it needs to make use of the IPsec? (While the other subnets' traffic that wants to surf the internet goes straight from 4G to its 4G internet service provider.)

Meanwhile I'm also testing out:
https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-s2s-route-internet-traffic.html
Though it's just my gut feeling saying it seems overkill for what I want to achieve here, as there already is an IPsec tunnel. It makes me more worried to alter the main HQ office to such an extent.

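The thread does not reach a configuration, so the following is an added illustration, not anything from the posters or from pfSense itself. It models the point JKnott makes: a policy-based IPsec tunnel carries a packet only when its (source, destination) pair matches a phase 2 traffic selector, so which branch subnets reach the internet via HQ is decided by which selectors exist. All addresses are constructed for the example; `egress_path` and the phase 2 lists are hypothetical helpers.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing for the thread's scenario (not the real sites).
HQ_LAN = ip_network("10.10.0.0/16")        # all HQ VLAN subnets
BRANCH_VOIP = ip_network("10.20.30.0/24")  # BranchOffice VoIP VLAN
BRANCH_DATA = ip_network("10.20.40.0/24")  # BranchOffice data VLAN
ANY = ip_network("0.0.0.0/0")

# Phase 2 entries on the branch side as (local selector, remote selector).
# This is the "company-internal traffic only" setup the thread starts from:
# only branch<->HQ pairs match, everything else leaves via the 4G WAN.
PHASE2_INTERNAL_ONLY = [
    (BRANCH_VOIP, HQ_LAN),
    (BRANCH_DATA, HQ_LAN),
]

# Same tunnel plus one extra selector that claims every destination,
# but only for the VoIP VLAN. The data VLAN keeps its direct 4G egress.
# (The HQ side needs the mirror-image phase 2 and must NAT the branch
# VoIP subnet out of its static WAN address for this to be useful.)
PHASE2_VOIP_VIA_HQ = PHASE2_INTERNAL_ONLY + [(BRANCH_VOIP, ANY)]


def egress_path(src: str, dst: str, phase2) -> str:
    """Return 'ipsec' if (src, dst) matches a phase 2 selector, else '4g-wan'.

    Models policy-based IPsec selection: no selector match means the
    packet follows the normal routing table, i.e. the branch default
    gateway on 4G.
    """
    s, d = ip_address(src), ip_address(dst)
    for local, remote in phase2:
        if s in local and d in remote:
            return "ipsec"
    return "4g-wan"


if __name__ == "__main__":
    provider = "203.0.113.10"  # constructed address for the telephony provider
    for label, p2 in (("internal-only", PHASE2_INTERNAL_ONLY),
                      ("voip-via-hq", PHASE2_VOIP_VIA_HQ)):
        print(label, "voip->provider:", egress_path("10.20.30.5", provider, p2))
        print(label, "data->provider:", egress_path("10.20.40.5", provider, p2))
```

The practical check is the second case: only the VoIP VLAN's internet-bound flows switch to the tunnel, so the provider sees HQ's static address while ordinary browsing from the data VLAN is unaffected.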