Migrate VMs via vMotion between different sites using the same subnet (L2) with vSS on VMware vSphere 6.7
- VMware
- VMware vCenter Server (VCSA), VMware vSphere
- 24 September 2025 at 13:51 UTC
-
- 2/3
2.3. Configure the L2 VPN tunnel via OpenVPN on pfSense
To configure the L2 VPN tunnel via OpenVPN on pfSense, refer to our tutorial "pfSense 2.6 - Create a site-to-site (S2S) VPN tunnel via OpenVPN secured with SSL/TLS (L2 mode)".
Warning : the network used by your virtual machines is the "VMS_LAN" network on pfSense. It is therefore this "VMS_LAN" interface that you will need to use instead of the "LAN" interface mentioned in the tutorial above for creating your L2 VPN tunnel via OpenVPN.
Once the L2 VPN tunnel via OpenVPN is created between your pfSense machines, you will have this.
On the Brussels site:
- WAN: the pfSense interface connected to the Internet.
- LAN: the Brussels network where our ESXi hosts are connected.
- VMS_LAN: the network that will be used by your VMs. The same subnetwork is therefore used on the 2 sites given that the "VMS_LAN" network communicates transparently with the "VMS_LAN" network of the remote site.
- OPENVPN_L2: logical interface assigned to the virtual network interface (ovpns1) corresponding to the OpenVPN server configured on pfSense in "tap" mode (L2).
On the remote site (Paris in our case), you will find the same thing.
The only difference is that the "OPENVPN_L2" interface this time corresponds to the logical interface assigned to the virtual network interface (ovpnc1) corresponding to the OpenVPN client configured on pfSense in "tap" mode (L2).
2.4. Allow network traffic on the network used by your VMs
By default, the pfSense firewall is configured to allow network traffic coming from the LAN network.
This allows your computers connected to the LAN network to access the network and the Internet (in IPv4 and IPv6).
But, since you added a 2nd network interface (VMS_LAN) for your future virtual machines' network, network traffic will be blocked by default.
To resolve the problem, go to "VMS_LAN" and click: Add.
Allow IPv4 network traffic (regardless of the protocol) on the "VMS_LAN" interface (which corresponds to the network of your future VMs).
- Action: Pass.
- Interface: VMS_LAN.
- Address Family: IPv4.
- Protocol: Any.
- Source: VMS_LAN net (corresponds to the pfSense "VMS_LAN" network).
- Destination: Any.
- Description: a description for information purposes only.
For example: Default allow VMS_LAN to any rule.
Click Save.
Click: Apply Changes.
The rule was created for IPv4.
Click "Add" again.
Create a similar rule for IPv6:
- Action: Pass.
- Interface: VMS_LAN.
- Address Family: IPv6.
- Protocol: Any.
- Source: VMS_LAN net.
- Destination: Any.
- Description: Default allow VMS_LAN IPv6 to any rule.
Click Save.
The rule for IPv6 has been created.
Create the same rules on the remote site for IPv4 and IPv6 for the "VMS_LAN" interface.
Note: the firewall rule to allow DHCP traffic is only present on the remote site (see OpenVPN L2 tutorial on pfSense cited previously).
Share this tutorial
To see also
-
VMware 5/19/2023
VMware ESXi 6.7 - Create an iSCSI datastore
-
VMware 11/16/2022
VMware ESXi 6.7 - Virtualize VMware ESXi 6.7.0
-
VMware 8/24/2022
VMware ESXi 7.0 / 6.7 - Export and import VMs via VMware OVF Tool
-
VMware 7/10/2024
VMware vSphere 6.7 - Consoles to manage VMs
No comment