Re: Can I bridge the same subnet across a VPN?
On Wed, May 4, 2011 at 4:31 PM, Geoff Roberts ge...@apro.com.au wrote:

> Was this easy to measure, and how did you measure this - dropped packets on the bridge interface?

I don't remember. It's been too long since I last tried it. Dropped packets would be a good measure, though, assuming the bridge interface does that kind of accounting.

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Can I bridge the same subnet across a VPN?
On 5/5/2011 12:24 AM, David Brodbeck wrote:

> The problem I've always found with bridged solutions is they don't cope well under heavy traffic loads when the VPN link is slower than the LANs they're bridging between. And the VPN link is usually slower if it's over a WAN. The link tends to get saturated.

There is no inbuilt reason why a L2 VPN is more easily saturated than a L3 VPN. After all protocols doing bulk transfers should - and mostly - use TCP which autotunes the rate of sent packets. And TCP should be able to saturate the lower-bandwidth link of the whole path. That's normal and desirable.

Some care must be taken with the broadcast and multicast traffic which goes through the L2 VPN.

Just my 2 cents,
Nikos
Re: Can I bridge the same subnet across a VPN?
On Thu, May 5, 2011 at 10:39 AM, Nikos Vassiliadis nv...@gmx.com wrote:

> There is no inbuilt reason why a L2 VPN is more easily saturated than a L3 VPN.

I disagree slightly. With L2 you have broadcasts and non-routable protocols being sent over the wire. This is fortunately becoming less of an issue than it used to be, but it can (for example) be a problem for certain kinds of Windows networking. I have had severe congestion problems in the past when bridging wired interfaces to wireless.

In general I think adding a slow hop that's invisible to clients is asking for trouble, but that's not to say it can't work well in certain environments. The main thing to remember is just because the clients can pretend it's a LAN doesn't mean you can. ;)
Re: Can I bridge the same subnet across a VPN?
On 3 May 2011 20:44, Kevin Wilcox kevin.wil...@gmail.com wrote:

> On Tue, May 3, 2011 at 15:19, Geoff Roberts ge...@apro.com.au wrote:
>
>> Is it possible to join two sites with the same subnet across a VPN?
>
> Yes.
>
>> I have two sites that have the same subnet/mask. I need these two separated networks to behave as one across a VPN.
>
> That's understandable. You may want to consider breaking the /24 into two /25s, one at each site, and routing the connection instead but that's not necessary and you can indeed use a bridge with few issues.
>
>> Happy to use either IPSec or OpenVPN to actually encrypt the traffic.
>
> We've done it as a demo of what you can do with OpenVPN, it's trivial once you get some configuration issues straight in your head (or that's how it worked for me).
>
> To bridge in OpenVPN, take a look at:
>
> http://openvpn.net/index.php/open-source/documentation/miscellaneous/76-ethernet-bridging.html
>
> kmw

you can do this with a combination of openvpn (using tap, not tun) and if_bridge both ends. However I have found it to be flakey and not really worth the effort. Better to go with a routed solution.
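The tap-plus-if_bridge arrangement named in the message above, sketched as an added example that is not part of any post in this thread. It only prints the OpenVPN settings and the FreeBSD bridge commands for one end; `tap0`, `bridge0`, the certificate file names, port 1194 and the LAN interface passed in are assumptions, while 10.1.1.4 is Firewall B from the original question.

```shell
#!/bin/sh
# Added example: prints (does not apply) the setup for one end of a bridged link.
# Assumed names: tap0, bridge0, certificate file names, UDP port 1194.
TAP=tap0
BRIDGE=bridge0
PORT=1194

# OpenVPN config for one end. role: server (listens) or client (dials the peer).
# No ifconfig/route lines: hosts keep their existing 192.168.20.0/24 addresses
# and OpenVPN only carries Ethernet frames between the two bridges.
openvpn_conf() {
    role=${1:-}; peer=${2:-}
    case $role in
        server) extra="tls-server
port $PORT
dh dh.pem" ;;
        client) [ -n "$peer" ] || { echo "client needs a peer address" >&2; return 1; }
                extra="tls-client
remote $peer $PORT
nobind
remote-cert-tls server" ;;
        *) echo "role must be server or client" >&2; return 1 ;;
    esac
    printf '%s\n' "dev $TAP" "proto udp" "$extra" \
        "ca ca.crt" "cert $role.crt" "key $role.key" \
        "keepalive 10 60" "persist-key" "persist-tun"
}

# FreeBSD commands that join the LAN NIC and the tap device in one if_bridge.
# Run them before starting OpenVPN so the tap device already exists.
bridge_plan() {
    lan_if=${1:-}
    [ -n "$lan_if" ] || { echo "usage: bridge_plan <lan-interface>" >&2; return 1; }
    printf '%s\n' "ifconfig $TAP create" "ifconfig $BRIDGE create" \
        "ifconfig $BRIDGE addm $lan_if addm $TAP up" "ifconfig $TAP up"
}

# Usage: sh bridge-vpn.sh conf client 10.1.1.4   or   sh bridge-vpn.sh plan em1
case "${1:-}" in
    conf) openvpn_conf "${2:-}" "${3:-}" ;;
    plan) bridge_plan "${2:-}" ;;
esac
```

Using `tls-server`/`tls-client` with `remote-cert-tls server` means each end authenticates the other by certificate before any LAN frames cross the link.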
Re: Can I bridge the same subnet across a VPN?
On Wed, May 4, 2011 at 8:19 AM, krad kra...@gmail.com wrote:

> you can do this with a combination of openvpn (using tap, not tun) and if_bridge both ends. However I have found it to be flakey and not really worth the effort. Better to go with a routed solution.

The problem I've always found with bridged solutions is they don't cope well under heavy traffic loads when the VPN link is slower than the LANs they're bridging between. And the VPN link is usually slower if it's over a WAN. The link tends to get saturated.
Re: Can I bridge the same subnet across a VPN?
Hi David and others,

Thanks for the feedback.

On Thu, 5 May 2011 07:24:13 am David Brodbeck wrote:

> The problem I've always found with bridged solutions is they don't cope well under heavy traffic loads when the VPN link is slower than the LANs they're bridging between. And the VPN link is usually slower if it's over a WAN. The link tends to get saturated.

Was this easy to measure, and how did you measure this - dropped packets on the bridge interface?

Kind regards,
Geoff
Can I bridge the same subnet across a VPN?
Hi,

Is it possible to join two sites with the same subnet across a VPN?

I have two sites that have the same subnet/mask. I need these two separated networks to behave as one across a VPN.

All configuration examples I've come across so far assume that each site will have a different subnet. Eg, one site with 192.168.1.0/24 the other with 192.168.2.0/24.

I control the firewalls at each end. One will be a pfsense firewall, the other an existing FreeBSD 7.4 system.

For example I would want to be able to do the following:

    Site A                            Site B
    ------                            ------
    Firewall A 10.1.1.3  -----------  Firewall B 10.1.1.4
        |                                 |
    Subnet: 192.168.20.0/24           Subnet: 192.168.20.0/24

Happy to use either IPSec or OpenVPN to actually encrypt the traffic.

Kind regards,
Geoff
Re: Can I bridge the same subnet across a VPN?
On Tue, May 3, 2011 at 15:19, Geoff Roberts ge...@apro.com.au wrote:

> Is it possible to join two sites with the same subnet across a VPN?

Yes.

> I have two sites that have the same subnet/mask. I need these two separated networks to behave as one across a VPN.

That's understandable. You may want to consider breaking the /24 into two /25s, one at each site, and routing the connection instead but that's not necessary and you can indeed use a bridge with few issues.

> Happy to use either IPSec or OpenVPN to actually encrypt the traffic.

We've done it as a demo of what you can do with OpenVPN, it's trivial once you get some configuration issues straight in your head (or that's how it worked for me).

To bridge in OpenVPN, take a look at:

http://openvpn.net/index.php/open-source/documentation/miscellaneous/76-ethernet-bridging.html

kmw