pfSense Same NIC port has DHCP if configured as LAN but no DHCP if configured as VLAN on same NIC port


pwm80211

New Member
Oct 27, 2024
@louie1961 @sic0048 I think I need some more help. I don't think I can pass VLAN tags through the VPN tunnel. What would be the best approach to having the same VLANs present at both sites?
 

louie1961

Active Member
May 15, 2023
@louie1961 @sic0048 I think I need some more help. I don't think I can pass VLAN tags through the VPN tunnel. What would be the best approach to having the same VLANs present at both sites?
I stopped messing with VPNs per se a long time ago. I think there is a better way. I use Tailscale, but you can use Netbird, Twingate or others. I have Tailscale installed on my pfSense, and I used the "advertised routes" feature to make individual VLANs available over my tailnet. I don't advertise all of them, as things like my IoT network do not need to be accessed outside of my house. But I could advertise everything. Then when I am away from home, I turn on Tailscale and I can connect to anything in my home lab as if I was sitting at home. Tailscale is built on the WireGuard protocol, but it's more than a VPN. It is an overlay network that is encrypted the same way as a VPN. There are lots of good videos out there on how to set up Tailscale and how to use it as a point-to-point VPN to connect two pfSense instances in two different locations. I use my pfSense as an exit node, so all my traffic goes out through my normal home IP address and receives full DNS filtering and adblocking as if I was home.

 

sic0048

Active Member
Dec 24, 2018
It's been a while since I set up a self-hosted VPN service on my network (because it has simply worked reliably since I set it up initially). I do know that you have to specify which subnets you want to be able to access over the VPN connection. Many online guides just use the LAN subnet (and don't explain that you need to add any other subnets) when they set it up, because they are assuming most people have a flat network without VLANs. It's not so much that you have to enter VLAN tags when you set the connection up, but you do have to add the IP subnet for every VLAN you want to access over the VPN. In fact, I don't recall having to enter any VLAN tags in my setup at all (but it's been a few years since I looked at those settings).

Let me also clarify: all of these "extra" subnets need to be added to the VPN setup regardless of any firewall rules you have set up to control local access. For example, if your LAN has an "Allow All" rule that lets devices on that subnet access devices on all of the other VLANs, simply entering the LAN subnet in the VPN setup will not carry over and allow external devices connecting to the local network access to anything other than the LAN network. You do still need to add all of the other VLAN subnets that you want to be able to access from the VPN connection while outside of your local network. I initially thought that because I had access to all of my VLANs while on my local network, it would work the same way when I connected through the VPN. I realized quickly that while I had access to the LAN network over VPN, I didn't have access to the VLANs until I added their subnets to the VPN setup.
 
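Added example (not code from any poster in this thread): a small Python check of the point made in the two replies above, that a VLAN is only reachable over the tunnel if its subnet is in the route list handed to the VPN (WireGuard AllowedIPs, OpenVPN pushed routes, or Tailscale advertised routes), regardless of the LAN firewall rules. The subnets and route lists are constructed for illustration; the 192.168.x.0/24 addressing and the 10.0.0.0/24 tunnel network are assumptions, not anything from the original posts.

```python
"""Check which pfSense VLAN subnets a VPN peer can actually reach.

Constructed example: the VLAN table and route lists are made up; replace
them with the subnets on your own interfaces and the routes your VPN
actually pushes (WireGuard AllowedIPs, OpenVPN "push route ...",
Tailscale --advertise-routes).
"""
import ipaddress

# Constructed: one subnet per pfSense interface/VLAN (assumed addressing).
LOCAL_VLANS = {
    "LAN": "192.168.1.0/24",
    "VLAN10": "192.168.10.0/24",
    "VLAN20": "192.168.20.0/24",
    "IoT": "192.168.30.0/24",
}


def missing_vlan_routes(vlans, vpn_routes):
    """Return {name: subnet} for every VLAN not covered by any VPN route.

    A VLAN counts as reachable only if its whole subnet lies inside one of
    the prefixes given to the VPN: an exact match, a supernet such as
    192.168.0.0/16, or a default route (0.0.0.0/0, the exit-node case).
    Firewall rules on the LAN interface are irrelevant here: if the remote
    peer has no route for the subnet, the packets never enter the tunnel.
    """
    routes = [ipaddress.ip_network(r, strict=False) for r in vpn_routes]
    missing = {}
    for name, cidr in vlans.items():
        net = ipaddress.ip_network(cidr, strict=False)
        covered = any(
            net.version == r.version and net.subnet_of(r) for r in routes
        )
        if not covered:
            missing[name] = str(net)
    return missing


def wireguard_allowed_ips(vlans, names, tunnel_net="10.0.0.0/24"):
    """Build the AllowedIPs value for a WireGuard [Peer] section that should
    reach the named VLANs plus the tunnel network itself.

    WireGuard uses AllowedIPs both as the route list and as its cryptokey
    routing filter, so a subnet left off this list is silently dropped in
    both directions. Overlapping prefixes are merged so the list stays
    minimal.
    """
    prefixes = [ipaddress.ip_network(tunnel_net, strict=False)]
    prefixes += [ipaddress.ip_network(vlans[n], strict=False) for n in names]
    return ", ".join(str(p) for p in ipaddress.collapse_addresses(prefixes))


if __name__ == "__main__":
    # The typical "LAN only" guide setup: only the LAN subnet is pushed.
    pushed = ["192.168.1.0/24"]
    print("Unreachable over the tunnel:", missing_vlan_routes(LOCAL_VLANS, pushed))
    # What the peer needs instead, if LAN, VLAN10 and VLAN20 should be reachable.
    print("AllowedIPs =", wireguard_allowed_ips(LOCAL_VLANS, ["LAN", "VLAN10", "VLAN20"]))
```

Run it with your own table and the routes copied from the VPN config; every entry it reports as missing is a VLAN that will behave exactly as described above, reachable from the LAN but not through the tunnel, until its subnet is added to the route list (or covered by a wider prefix or a default route).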

anakronox

New Member
Mar 17, 2025
@louie1961 @sic0048 I think I need some more help. I don't think I can pass VLAN tags through the VPN tunnel. What would be the best approach to having the same VLANs present at both sites?
That's because your dot1q tags are at layer 2 and the VPN operates at layer 3 or higher, depending on which type you use. You could do L2TP tunnels, one for each VLAN you need bridged across the routers. This could get weird, as you'll only want to route through one connection at a time, but if you need failover you'll have to leverage HSRP or VRRP.