Use 802.1q vlans over adsl?



  • Out of interest, how would you go about routing vlans over an adsl interface.

    Example:
    Site A has vlan 100, 200, 300

    Site B has vlan 100, 200, 300

    Obviously this would go over a vpn (ipsec or openvpn) as it's adsl and each vlan would have it's own subnet.
    Can vpn endpoints have multiple subnets from the same connection?



  • first off: i'm not sure what exactly you wish to accomplish.

    VLANs "run" on layer2 of the OSI model (the data link layer)
    routing generally happens on layer3 of the OSI model (the network layer)

    what this implies is that you can not route VLANS. You can however route the subnets within those VLAN's

    So if you just wish to be able to route siteA-subnet100 to siteB-subnet200, then this is possible.
    Easiest would be to run a site-to-site vpn and push the routes for the various subnets.

    If SiteA subnets are identical to SiteB subnets then your setup becomes somewhat more complicated.
    I'm fairly confident you could create vpn bridges for each vlan seperately. This way you would sort of create one (v)LAN across the vpn.
    but if you have 10 VLANS, you'd need to run 10 site-to-site vpn's.

    Perhaps the developers or other people smarter then me have a better solution for this last scenario

    kind regards
    jeroen



  • sort of what i was thinking.

    although both sites will have the same vlan naming convention, the private subnets on them are totally different which allows the vpn's to work.

    SITE A = 1.1.1.1
    vlan 101 = 10.0.101.0/24
    vlan 102 = 10.0.102.0/24
    vlan 103 = 10.0.103.0/24

    SITE B = 2.2.2.2
    vlan 104 = 10.0.104.0/24
    vlan 105 = 10.0.105.0/24
    vlan 106 = 10.0.106.0/24

    i guess the question is….. is it possible to create 3 vpn tunnels between the same 2 vpn endpoints so that the vlans on each side are segregated?
    is openvpn a better option for this than ipsec if supported?



  • With openVPN you wouldn't need 3 separate tunnels.
    You would simply create firewall rules that just allow the subnets to their respective counterpart on the other side.

    Actually, with an openVPN tap in bridged mode you could even directly transfer the tagged frames.
    But a routed setup is better (less traffic on the link).


Log in to reply