Can one run purely layer 2 devices across higher layer, and if so best approach?

Started by solaric, February 18, 2026, 09:09:26 PM

So I'm feeling kinda stupid here, and before I continue experiments was hoping to get a gut check from those with more experience. For local security cameras and other physical security infra I've tended to just use normal cameras with Frigate or BlueIris on a VM or dedicated hardware, and of course none of that has any issue just being told directly what IPs to use. But I have a client who had already gone ahead and gotten a bunch of Ubiquiti's UniFi Protect/Access stuff and a UNVR, and hopes to run it across a few sites. Haven't used UniFi gear in a few years after moving to Omada instead, but this didn't initially strike me as a problem because I remembered that for WAPs/switches there was usage of DHCP options for layer 3 adoption or SSH manual control as a fallback and everything would work. But that wasn't the case here, and after searching through their weird new forum I came across from the horse's mouth that apparently and surprisingly they're pure L2, devices have to be on the same subnet as the NVR. I can't find documentation on exactly how local discovery works, though probably some sort of broadcast. But here in 2026 apparently it's not possible to just tell a device "hey your server is at <ip address>", everything has to be automagic.

I've been running OPNsense for about 7 years very happily but it's been a very long time since I needed to deal with something like this, and I'm not really sure what the best approach is if any. Say the UNVR is 10.250.0.2, and a camera or hub is on 172.16.0.1/24. Should I try something with virtual IPs and NAT to set up something where a pointer on the device subnet then forwards all traffic to the UNVR's real IP, via WireGuard gateway if remote, fooling them into acting as if it's on the same subnet? Some sort of bridge setup? GRE? It seems like OPNsense has the pieces to make this possible but I'm having trouble getting going on even the right way to approach the problem.

If the answer is just "really not feasible, wait for Ubiquiti to implement something that should have been 1.0" so be it, but I've advocated a lot for local vs cloud solutions so hoping to make this work for them without any extra hardware expenditure or indefinite waiting. Very very grateful for any advice!

The generic approach to layer 2 over layer 3 is a VXLAN:
https://docs.opnsense.org/manual/other-interfaces.html#vxlan

You'll have to evaluate whether that's a good solution for your use case.

Cheers
Maurice
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).
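To make concrete what "layer 2 over layer 3" buys here, the following is an added worked example, not code from the thread or from OPNsense: it builds an outer IPv4/UDP packet on the VXLAN port (4789) carrying an inner Ethernet broadcast frame, then decodes it the way a VXLAN tunnel endpoint (VTEP) would, dropping anything whose VNI does not match the local segment. The inner payload, MAC addresses, VNI 100 and the experimental ethertype 0x88B5 are all constructed sample values; they are not the UniFi discovery protocol, which the thread does not document. The point it shows: the inner frame, broadcast destination included, crosses the routed hop untouched, which is exactly what an L2-only NVR needs, and the VXLAN header itself carries no authentication, so in the setup described above the outer UDP packets belong inside the WireGuard tunnel rather than on the raw WAN.

```python
"""Build and decode a VXLAN-encapsulated Ethernet frame (RFC 7348 framing).

Added example with constructed sample data; not part of the forum thread.
"""
import socket
import struct

VXLAN_UDP_PORT = 4789      # IANA-assigned UDP port for VXLAN
VXLAN_FLAG_I = 0x08        # "I" flag: the VNI field is valid
ETH_BROADCAST = b"\xff" * 6
IPPROTO_UDP = 17
ETHERTYPE_EXPERIMENTAL = 0x88B5   # IEEE local-experimental ethertype (placeholder protocol)


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ethernet(dst_mac: str, src_mac: str, ethertype: int, payload: bytes) -> bytes:
    return mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + struct.pack("!H", ethertype) + payload


def build_vxlan(vni: int, inner_frame: bytes) -> bytes:
    """8-byte VXLAN header: flags, 3 reserved bytes, 24-bit VNI, 1 reserved byte."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!B3xI", VXLAN_FLAG_I, vni << 8) + inner_frame


def build_ipv4_udp(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload  # UDP checksum 0 is legal over IPv4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0x4000, 64, IPPROTO_UDP, 0,
                      socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + udp


def decode_vxlan_packet(packet: bytes, expected_vni: int) -> dict:
    """Decode outer IPv4/UDP/VXLAN and return the inner Ethernet frame's fields.

    Raises ValueError for anything a VTEP would drop: non-UDP, wrong port,
    missing I flag, or a VNI that is not the locally configured segment.
    """
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_UDP:
        raise ValueError("outer packet is not UDP")
    _sport, dport, _ulen, _ucsum = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    if dport != VXLAN_UDP_PORT:
        raise ValueError("not addressed to the VXLAN port")
    vx = packet[ihl + 8:]
    flags, vni_raw = struct.unpack("!B3xI", vx[:8])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set")
    vni = vni_raw >> 8
    if vni != expected_vni:
        raise ValueError(f"VNI {vni} is not the local segment {expected_vni}")
    inner = vx[8:]
    dst, src = inner[:6], inner[6:12]
    return {
        "outer_src": socket.inet_ntoa(packet[12:16]),
        "outer_dst": socket.inet_ntoa(packet[16:20]),
        "vni": vni,
        "dst_mac": bytes_to_mac(dst),
        "src_mac": bytes_to_mac(src),
        "ethertype": struct.unpack("!H", inner[12:14])[0],
        "is_broadcast": dst == ETH_BROADCAST,
        "payload": inner[14:],
    }


def accepts(packet: bytes, local_vni: int) -> bool:
    """True if a VTEP configured for local_vni would hand the inner frame to its bridge."""
    try:
        decode_vxlan_packet(packet, local_vni)
        return True
    except ValueError:
        return False


def demo() -> tuple:
    """Encapsulate a constructed broadcast frame between two VTEPs and decode it."""
    inner = build_ethernet("ff:ff:ff:ff:ff:ff", "02:00:00:aa:bb:cc",
                           ETHERTYPE_EXPERIMENTAL, b"UNVR-DISCOVER?")   # constructed payload
    # Outer addresses are the two tunnel endpoints (constructed; would be the WireGuard peer IPs)
    packet = build_ipv4_udp("10.200.0.1", "10.200.0.2", 49152, VXLAN_UDP_PORT, build_vxlan(100, inner))
    return packet, decode_vxlan_packet(packet, expected_vni=100)


if __name__ == "__main__":
    pkt, info = demo()
    print(f"{len(pkt)} bytes on the wire; inner dst {info['dst_mac']} broadcast={info['is_broadcast']}")
```

In the OPNsense case the VTEP role is played by the VXLAN interface from the linked documentation, bridged to the camera-side interface, with the WireGuard peer addresses as the tunnel endpoints; the VNI check above is the reason each site should get its own VNI rather than sharing one number across unrelated segments.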

Quote from: Maurice on February 18, 2026, 09:25:50 PM
The generic approach to layer 2 over layer 3 is a VXLAN:
https://docs.opnsense.org/manual/other-interfaces.html#vxlan

You'll have to evaluate whether that's a good solution for your use case.

Cheers
Maurice
Thank you so much for the reply, and duh of course, that approach slipped my mind entirely. I was thinking this was a pretty simple <device net> --> <static server IP> and thus had gotten tunnel vision so to speak. Will experiment with that approach, hopefully there will be enough leeway to have it not be too brittle for the time being until UI eventually makes it unnecessary.