
Author Topic: Span Layer 2 between Data Centers  (Read 261 times)


Offline joshv

Span Layer 2 between Data Centers
« on: October 26, 2017, 12:28:46 pm »
Does pfSense have any built-in way to span or extend an L2 segment, over an IPsec tunnel, between two different pfSense firewalls (in separate data centers)? AKA, Software Defined Data Center Interconnect for Layer 2. AKA, VXLAN.

The use case would be for automating failover or for expanding compute capacity - the same network can exist in both locations, avoiding a change of IP address or involving layer 3 devices.

If not with pfSense, can anyone recommend an open source (or fairly inexpensive) solution that runs in software (such as a virtual machine) that accomplishes this goal? I know Cisco has solutions in the Nexus product line - but I am trying to avoid dedicated hardware solutions.

TIA!
-Josh
« Last Edit: October 26, 2017, 01:01:38 pm by joshv »

Online johnpoz

Re: Span Layer 2 between Data Centers
« Reply #1 on: October 27, 2017, 04:32:57 am »
I see this request for a VXLAN driver:
https://redmine.pfsense.org/issues/6240

But no update on it. Since FreeBSD seems to have supported it since https://svnweb.freebsd.org/base?view=revision&revision=273331

I would think it could be added to pfSense. Until such time that it is, you should be able to do it with any OS that can route and do IPsec and VXLAN, I would think. Linux, FreeBSD, shoot, seems even Windows supports it.

https://blogs.technet.microsoft.com/networking/2016/10/26/network-virtualization-with-ws2016-sdn/
"Consequently, in Windows Server 2016 (WS2016), we support both NVGRE and VXLAN encapsulation protocols, with the default being VXLAN"
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.3.4_p1 (work)
1x SG-4860 2.4.2-RELEASE (home)

Offline joshv

Re: Span Layer 2 between Data Centers
« Reply #2 on: October 27, 2017, 08:52:24 am »
Thank you johnpoz.

I found that the VyOS router supports VXLAN - I have implemented it as a VM before. I was planning on doing some testing using VyOS as the VXLAN provider and pfSense doing IPsec, etc. I'll post my results when I can.

A tightly integrated solution with pfSense would be really cool and, I think, fairly feasible technically.

Online johnpoz

Re: Span Layer 2 between Data Centers
« Reply #3 on: October 27, 2017, 10:08:39 am »
I would for sure add your +1 to that feature request.

Offline joshv

Re: Span Layer 2 between Data Centers
« Reply #4 on: October 29, 2017, 04:54:52 pm »
+1 added.....  All 3 of us REALLY want this :)