    How to tunnel VLANs over VPN

    L2/Switching/VLANs
    4 Posts 2 Posters 2.8k Views
    • mmarco

      Hi,

      I need to set up a VPN tunnel to a remote office, where the main office has a public static IP address while the branch (remote) office has a dynamic address. Both offices have pfSense routers.

      Through the VPN I need to tunnel (currently) at least two different VLANs and keep them separated in the remote office. One of those VLANs (e.g. VLAN 200) I don't have any control over, and the only thing I can do is tunnel it as a layer 2 VLAN. At least one of the other VLANs (e.g. VLAN 150) can be routed normally through the VPN tunnel (i.e. a layer 3 tunnel).

      And yes, I know that tunneling layer 2 is not the best idea, but I do need to do it anyway.

      Here is a sketch:
      [image: vpn-tunnel.png]

      I could really use some help with directions.

      • Is this possible with IPSEC?
        • how do I bridge layer 2 VLAN traffic on server and on client side?
        • how to tunnel VLANs separately?
        • should I use GRE, GIF or L2TP for layer 2 traffic? Any hint is much appreciated.
      • If I try to use OpenVPN, I guess I need to establish one tunnel per VLAN.
        • Same question regarding bridging of layer 2 traffic: how do I bridge it on the server and on the client side?

      Sorry for a ton of questions, but I am still trying to grasp the optimal approach.

      • JKnott @mmarco

        @mmarco

        You can't pass VLANs through a L3 (tun) tunnel. That requires a L2 (TAP) tunnel. However, you can't use L2 if the 2 ends are in different subnets. The way to do what you want is to route the various subnets to the other end and create the appropriate VLANs. You can route as many as you want and they'll all go through the same tunnel.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        • mmarco @JKnott

          @jknott

          Thanks for the comment. I am aware that I need to use an L2 tunnel (like tap on OpenVPN).

          I just managed to create an OpenVPN tunnel successfully by creating server- and client-side tap interfaces, and then bridging the interfaces on both sides with the appropriate VLAN interface.

          I don't know if there is a similar approach for IPsec (with L2TP or GRE)?

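The tap-plus-bridge arrangement mmarco describes, written out as an added example (this is not configuration from the original post or from Netgate): an OpenVPN L2 server at the main office, the matching client for the branch with its dynamic address, and the FreeBSD bridge that ties each tap interface to the local VLAN 200 interface. The hostname `vpn.example.com`, port 1195, the certificate paths, and the interface names `ovpns1`, `ovpnc1` and `igb1.200` are assumptions chosen for the example; substitute your own.

```conf
# ---- main office (static public IP): OpenVPN L2 server ----
# assumed path: /usr/local/etc/openvpn/l2-vlan200-server.conf
mode server
tls-server
dev tap
proto udp
port 1195
ca        /usr/local/etc/openvpn/ca.crt
cert      /usr/local/etc/openvpn/main.crt
key       /usr/local/etc/openvpn/main.key
dh        /usr/local/etc/openvpn/dh.pem
tls-crypt /usr/local/etc/openvpn/tls-crypt.key   # encrypts and authenticates the control channel;
                                                 # unauthenticated packets are dropped before the TLS handshake
remote-cert-tls client                           # only accept peers holding a client certificate
persist-key
persist-tun
# No tunnel network / server-bridge pool on purpose: the tap interface carries raw
# Ethernet frames and gets no IP address of its own. Hosts on VLAN 200 keep using
# VLAN 200's own DHCP server, because their frames are bridged, not routed.

# Bridge the server-side tap (assumed name ovpns1) into VLAN 200 (assumed igb1.200).
# FreeBSD/pfSense shell commands, shown as comments; the same result comes from
# Interfaces > Assignments > Bridges in the pfSense GUI:
#   ifconfig bridge0 create
#   ifconfig bridge0 addm ovpns1 addm igb1.200 up
#   sysctl net.link.bridge.pfil_member=1
# pfil_member=1 keeps pf filtering on each bridge member, so firewall rules on the
# OpenVPN interface still apply to frames crossing the bridge.

# ---- branch office (dynamic WAN address): OpenVPN L2 client ----
# assumed path: /usr/local/etc/openvpn/l2-vlan200-client.conf
client
dev tap
proto udp
remote vpn.example.com 1195     # static side is the server; the dynamic side always dials out
nobind                          # no fixed local port needed on the dynamic side
resolv-retry infinite
persist-key
persist-tun
ca        /usr/local/etc/openvpn/ca.crt
cert      /usr/local/etc/openvpn/branch.crt
key       /usr/local/etc/openvpn/branch.key
tls-crypt /usr/local/etc/openvpn/tls-crypt.key
remote-cert-tls server          # refuse a peer presenting a client certificate as the server
# Bridge the client-side tap (assumed ovpnc1) into the branch's VLAN 200 interface the same way:
#   ifconfig bridge0 create
#   ifconfig bridge0 addm ovpnc1 addm igb1.200 up
```

Two points worth keeping in mind with this layout. First, it makes one broadcast domain out of the two VLAN 200 segments, so anything that can talk on VLAN 200 at the branch can reach VLAN 200 at the main office, and the pf rules on the bridge members are the only control left; that is the reason for `pfil_member=1`. Second, each bridged VLAN needs its own tap tunnel and its own bridge; putting a second VLAN interface into `bridge0` would merge the two VLANs, which is the opposite of the separation asked for.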
          • JKnott @mmarco

            @mmarco

            Again, you don't have to pass VLANs through the tunnel. Just create the VLANs at each end and route the subnets appropriately.

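The routed alternative JKnott describes in both replies, as an added example (not configuration from the thread or from Netgate): one tun tunnel, with each VLAN subnet that needs to cross it routed explicitly. VLAN 150 here stands for any VLAN the poster does control. The subnets 10.150.0.0/24 (main office VLAN 150), 10.10.0.0/24 (a second main-office VLAN), 10.151.0.0/24 (branch VLAN 150), the tunnel network 10.8.0.0/24, the hostname and the certificate paths are all assumptions for the example. The pfSense GUI generates equivalent directives from its Local/Remote Networks fields and from Client Specific Overrides; they are written out here so the routing logic is visible.

```conf
# ---- main office: OpenVPN L3 (tun) server ----
# assumed path: /usr/local/etc/openvpn/routed-server.conf
dev tun
topology subnet
server 10.8.0.0 255.255.255.0         # tunnel network: server takes .1, branch gets .2 below
proto udp
port 1194
ca        /usr/local/etc/openvpn/ca.crt
cert      /usr/local/etc/openvpn/main.crt
key       /usr/local/etc/openvpn/main.key
dh        /usr/local/etc/openvpn/dh.pem
tls-crypt /usr/local/etc/openvpn/tls-crypt.key
remote-cert-tls client
persist-key
persist-tun
# Kernel route on the server: the branch VLAN 150 subnet lives behind the tun interface.
route 10.151.0.0 255.255.255.0
# OpenVPN-internal routing: the per-client file below tells OpenVPN which client owns
# that subnet. "route" without the matching "iroute" silently blackholes the traffic.
client-config-dir /usr/local/etc/openvpn/ccd
# Routes pushed to the branch for the main-office VLAN subnets; add one line per VLAN.
# They all travel through this single tunnel.
push "route 10.150.0.0 255.255.255.0"
push "route 10.10.0.0 255.255.255.0"

# ---- main office: /usr/local/etc/openvpn/ccd/branch ----
# (file name must equal the Common Name in the branch certificate, assumed "branch")
iroute 10.151.0.0 255.255.255.0
ifconfig-push 10.8.0.2 255.255.255.0

# ---- branch office (dynamic WAN address): OpenVPN L3 client ----
# assumed path: /usr/local/etc/openvpn/routed-client.conf
client
dev tun
proto udp
remote vpn.example.com 1194
nobind
resolv-retry infinite
persist-key
persist-tun
ca        /usr/local/etc/openvpn/ca.crt
cert      /usr/local/etc/openvpn/branch.crt
key       /usr/local/etc/openvpn/branch.key
tls-crypt /usr/local/etc/openvpn/tls-crypt.key
remote-cert-tls server
# No "route" lines needed here: the server pushes 10.150.0.0/24 and 10.10.0.0/24.
```

With this layout VLAN 150 exists independently at each site (10.150.0.0/24 and 10.151.0.0/24 are different subnets), and "keeping the VLANs separated" becomes a firewall question rather than a bridging one: the pass rules on the OpenVPN interface at each pfSense decide, for example, that 10.151.0.0/24 may reach 10.150.0.0/24 but not 10.10.0.0/24. Nothing in this example applies to a VLAN whose addressing the poster does not control, such as the VLAN 200 case, which is why the thread treats that one differently.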
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.