
Topic: Site-to-Site VPN with VLANs


Offline linw0724

Site-to-Site VPN with VLANs
« on: February 06, 2018, 01:55:05 am »
Hey everyone, I've been playing around with pfSense boxes at 2 locations. Currently at both locations, the network routing setup is mirrored. And within each location, it has been set up so that devices on each VLAN can access resources on another VLAN (e.g. Device 1 on VLAN 1 can talk to other devices on VLAN 1 as well as access other resources like printers and file servers on VLAN 2) as well as the internet on the WAN.

Is it possible to use VPN or IPsec to bridge the 2 locations so that VLANs can talk to each other as well as access resources on other VLANs at the other location? For example, is it possible for Device 1 on VLAN 1 at location 1 to talk to other devices on VLAN 1 at both locations as well as access printers and file servers on VLAN 2 at both locations?

Just wanted to know if this is currently possible before I start going down the rabbit hole of researching how to actually set this up.

Thanks

Offline viragomann

Re: Site-to-Site VPN with VLANs
« Reply #1 on: February 06, 2018, 02:22:41 pm »
If the pfSense boxes are the default gateways at both locations and the subnets are not overlapping, it's possible with both OpenVPN and IPSec. Connecting multiple networks with IPSec will be more involved.

Offline linw0724

Re: Site-to-Site VPN with VLANs
« Reply #2 on: February 06, 2018, 06:43:07 pm »
> If the pfSense boxes are the default gateways at both locations and the subnets are not overlapping its possible with both, OpenVPN or IPSec.

Thanks for the reply. I currently run a 10.0.X.X topology on both networks, so if I change 1 of the networks to, say, 11.0.X.X, then it becomes possible? Or can I keep 10.0.X.X on both networks and just have all the VLANs on both networks not have the same subnet? This is what I'm interpreting:

VLAN setup on both networks (VLAN1 and VLAN2 can access resources on each other):
VLAN1 - Servers/printers/resources
VLAN2 - Clients
VLAN3 - Guests


Current setup:

Switch1:                  -----trunk-----pfSense1         pfSense2-----trunk-----   Switch2:
VLAN1  10.0.1.0/24                                                                                 VLAN1  10.0.1.0/24
VLAN2  10.0.2.0/24                                                                                 VLAN2  10.0.2.0/24
VLAN3  10.0.3.0/24                                                                                 VLAN3  10.0.3.0/24


Option1:

Switch1:                  -----trunk-----pfSense1-----OpenVPN-----pfSense2-----trunk-----   Switch2:
VLAN1  10.0.1.0/24                                                                                                  VLAN1  11.0.1.0/24
VLAN2  10.0.2.0/24                                                                                                  VLAN2  11.0.2.0/24
VLAN3  10.0.3.0/24                                                                                                  VLAN3  11.0.3.0/24


Option2:

Switch1:                  -----trunk-----pfSense1-----OpenVPN-----pfSense2-----trunk-----   Switch2:
VLAN1  10.0.1.0/24                                                                                                  VLAN1  10.0.4.0/24
VLAN2  10.0.2.0/24                                                                                                  VLAN2  10.0.5.0/24
VLAN3  10.0.3.0/24                                                                                                  VLAN3  10.0.6.0/24

> Connecting multiple networks with IPSec will be more involved.

So from your response and some reading I did, it seems OpenVPN is the go-to.

Offline viragomann

Re: Site-to-Site VPN with VLANs
« Reply #3 on: February 07, 2018, 03:33:08 am »
You just have to make sure that you have different subnets on both sites, otherwise the routes won't work.
So I'd prefer option 2, since 11.0.X.X are public addresses.

Using OpenVPN, set up a Peer-to-Peer connection with a /30 VPN tunnel network, one pfSense as server, the other as client.
In the "IPv4 Remote networks" field enter the remote networks you want to reach. E.g. relating to option 2, on pfSense 1 enter "10.0.4.0/24,10.0.5.0/24,10.0.6.0/24", on pfSense 2 enter "10.0.1.0/24,10.0.2.0/24,10.0.3.0/24".
This sets the routes for these networks using the remote VPN endpoint as gateway.
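
As an added example (not part of the thread, and not pfSense's own code), the following Python script applies the two conditions from replies #1 and #3 to the VLAN layouts drawn in reply #2: it flags overlapping subnets between the sites (the "current" layout), flags non-RFC 1918 space (option 1's 11.0.X.X), and for a clean layout (option 2) produces the "IPv4 Remote networks" value for each pfSense plus the routes that value installs. The VLAN subnets come from the post; the tunnel network 10.0.8.0/30, the choice of pfSense1 as server, and the OpenVPN directives shown as equivalent to what pfSense writes out are assumptions.

```python
"""Plan a pfSense OpenVPN peer-to-peer site-to-site link between two
multi-VLAN sites, checking the "no overlapping subnets" precondition
and deriving the per-box "IPv4 Remote networks" values and routes."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Site:
    name: str
    vlan_subnets: dict  # VLAN id -> CIDR string, e.g. {1: "10.0.1.0/24"}

    def networks(self):
        return [ipaddress.ip_network(s) for s in self.vlan_subnets.values()]


def overlapping_pairs(site_a, site_b):
    """(vlan_a, vlan_b) pairs whose subnets overlap across the sites.

    Any overlap breaks routing: the directly connected local subnet always
    beats the VPN route, so the remote copy of that subnet is unreachable."""
    clashes = []
    for va, sa in site_a.vlan_subnets.items():
        for vb, sb in site_b.vlan_subnets.items():
            if ipaddress.ip_network(sa).overlaps(ipaddress.ip_network(sb)):
                clashes.append((va, vb))
    return clashes


def non_private(site):
    """VLAN ids whose subnets are not RFC 1918 space (11.0.0.0/8 is public)."""
    return [v for v, s in site.vlan_subnets.items()
            if not ipaddress.ip_network(s).is_private]


def remote_networks_field(remote):
    """Value for the 'IPv4 Remote network(s)' box: comma-separated CIDRs."""
    return ",".join(str(n) for n in remote.networks())


def plan(local, remote, tunnel, local_is_server):
    """Per-box configuration for one side of the link; raises on bad input."""
    clashes = overlapping_pairs(local, remote)
    if clashes:
        raise ValueError(f"overlapping subnets, routes will not work: {clashes}")
    tun = ipaddress.ip_network(tunnel)
    if tun.prefixlen != 30:
        raise ValueError("a peer-to-peer tunnel network should be a /30")
    first, second = list(tun.hosts())  # a /30 has exactly two usable addresses
    # Assumption: the server takes the first usable tunnel address.
    local_ip, remote_ip = (first, second) if local_is_server else (second, first)
    # Routes the Remote networks field installs: each remote subnet via the
    # far end of the tunnel.
    routes = {str(n): str(remote_ip) for n in remote.networks()}
    # Routing-relevant OpenVPN directives for a point-to-point tun interface
    # (assumed equivalent to what pfSense generates from the GUI fields).
    directives = ["dev tun", f"ifconfig {local_ip} {remote_ip}"]
    directives += [f"route {n.network_address} {n.netmask}" for n in remote.networks()]
    return {
        "role": "server" if local_is_server else "client",
        "tunnel_local": str(local_ip),
        "tunnel_remote": str(remote_ip),
        "remote_networks": remote_networks_field(remote),
        "routes": routes,
        "openvpn": directives,
        "public_remote_vlans": non_private(remote),
    }


# Constructed sample data mirroring the diagrams in reply #2.
SITE1 = Site("site1", {1: "10.0.1.0/24", 2: "10.0.2.0/24", 3: "10.0.3.0/24"})
SITE2_CURRENT = Site("site2", {1: "10.0.1.0/24", 2: "10.0.2.0/24", 3: "10.0.3.0/24"})
SITE2_OPTION1 = Site("site2", {1: "11.0.1.0/24", 2: "11.0.2.0/24", 3: "11.0.3.0/24"})
SITE2_OPTION2 = Site("site2", {1: "10.0.4.0/24", 2: "10.0.5.0/24", 3: "10.0.6.0/24"})
TUNNEL = "10.0.8.0/30"  # assumed tunnel network; the post only says "/30"

if __name__ == "__main__":
    print("current layout clashes:", overlapping_pairs(SITE1, SITE2_CURRENT))
    print("option 1 public VLANs at site2:", non_private(SITE2_OPTION1))
    for side in (plan(SITE1, SITE2_OPTION2, TUNNEL, True),
                 plan(SITE2_OPTION2, SITE1, TUNNEL, False)):
        print(side["role"], side["remote_networks"], side["routes"])
        print("\n".join(side["openvpn"]))
```

Run as-is it reports the three VLAN clashes of the mirrored layout, marks all three option 1 subnets as public, and for option 2 prints the two field values from the reply above with their routes via 10.0.8.2 (on pfSense1) and 10.0.8.1 (on pfSense2). One caveat the thread does not mention: pfSense filters per interface with a default deny, so after the routes exist you still need pass rules on the OpenVPN tab (or the assigned tunnel interface) on both boxes, otherwise traffic arriving over the tunnel is dropped.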

Offline linw0724

Re: Site-to-Site VPN with VLANs
« Reply #4 on: February 07, 2018, 03:50:54 am »
Thanks for the answer! I'll give it a shot.