Confused about bridge/gif/trunk failover
Hi,

I have a laptop that is connected via wifi to an OBSD router. The router has separate subnets for the wired and wireless interfaces (i.e., they are not bridged). I'd like to give the laptop an IP from the wired LAN, the goal being to eventually get failover to work with trunk(4).

As per the IPSEC BRIDGE section in brconfig(8) I've set up host-to-host ipsec and a gif tunnel between the router and the laptop. Then on the router, I bridge the wired interface and the gif tunnel. tcpdump shows me the laptop is receiving etherip packets from the router, but of course since it isn't a bridge itself it doesn't know what to do with them. How do I get the laptop to process these packets? What interface do I assign an IP address to? I've tried giving the gif tunnel an ipv6 address, but if I then use it to send data it will send protocol 41 (ipv6) encapsulated packets and not 97 (etherip).

Bridging the wired and wireless interfaces directly (and then having the router do transparent IPSEC) would only solve part of the problem, since I'd like the laptop to be able to use its local IP address even if it's doing IPSEC to the router over the internet.

How does one, in general, bridge only a single host to a LAN with an OpenBSD router? Help!!

Please cc,
bbee
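Added example (not from the original thread or from OpenBSD) showing what the two kinds of packet bbee sees on the gif(4) tunnel actually carry. When gif0 is a bridge(4) member, the router wraps each Ethernet frame in EtherIP (IP protocol 97, RFC 3378: a 2-byte header with version 3, then the frame); when gif0 is instead given an inet6 address, it emits protocol 41 (IPv6-in-IPv4). A receiving host that decodes an EtherIP packet ends up holding a raw Ethernet frame, and that frame is useful only if there is a bridge member to hand it to, which is why a non-bridge laptop just drops it. All packets below are constructed inline; the MAC and IP addresses are made up. On OpenBSD the kernel also refuses EtherIP unless `net.inet.etherip.allow` is set to 1, so check that sysctl on both ends before blaming the bridge.

```python
"""EtherIP (IP proto 97) vs IPv6-in-IPv4 (IP proto 41) as seen on a gif(4) tunnel.

Added example for this thread; not code from the original posts or from OpenBSD.
Every packet is constructed inline and all addresses are made up.
"""
import struct

IPPROTO_IPV6 = 41     # what gif(4) emits once it carries an inet6 address
IPPROTO_ETHERIP = 97  # what gif(4) emits when it is a bridge(4) member
ETHERIP_VERSION = 3   # RFC 3378 version field (OpenBSD's ETHERIP_VERSION)
ETHERTYPE_ARP = 0x0806
BROADCAST_MAC = b"\xff" * 6


def ip_bytes(dotted):
    return bytes(int(o) for o in dotted.split("."))


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def mac_text(raw):
    return ":".join("%02x" % b for b in raw)


def inet_checksum(data):
    """RFC 1071 one's-complement checksum; a header that verifies sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64, ident=0x1234):
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0,
                      ttl, proto, 0, ip_bytes(src), ip_bytes(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def arp_request_frame(sender_mac, sender_ip, target_ip):
    """Broadcast ARP who-has: the kind of LAN broadcast a bridge floods to
    every member port, including a gif(4) port."""
    eth = BROADCAST_MAC + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1,
                      mac_bytes(sender_mac), ip_bytes(sender_ip),
                      b"\x00" * 6, ip_bytes(target_ip))
    return eth + arp


def etherip_packet(outer_src, outer_dst, frame):
    """What the router's bridge sends down gif0: outer IPv4 (proto 97),
    2-byte EtherIP header (version 3, 12 reserved zero bits), then the frame."""
    eh = struct.pack("!H", ETHERIP_VERSION << 12)
    return ipv4_header(outer_src, outer_dst, IPPROTO_ETHERIP, 2 + len(frame)) + eh + frame


def ipv6_in_ipv4_packet(outer_src, outer_dst, src6, dst6):
    """What the same gif0 sends if it is given an inet6 address instead:
    outer IPv4 (proto 41) around a bare IPv6 header (next header 59 = none)."""
    inner = struct.pack("!IHBB16s16s", 0x60000000, 0, 59, 64, src6, dst6)
    return ipv4_header(outer_src, outer_dst, IPPROTO_IPV6, len(inner)) + inner


def decode(pkt):
    """Classify an outer IPv4 packet the way the receiving host must.  For
    EtherIP the result carries the inner Ethernet frame, which the host can
    use only if it has a bridge member to deliver it to."""
    if pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    if inet_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    proto, payload = pkt[9], pkt[ihl:]
    if proto == IPPROTO_IPV6:
        return {"proto": proto, "kind": "ipv6-in-ipv4", "inner_version": payload[0] >> 4}
    if proto == IPPROTO_ETHERIP:
        (eh,) = struct.unpack("!H", payload[:2])
        if eh >> 12 != ETHERIP_VERSION or eh & 0x0FFF:
            raise ValueError("bad EtherIP header 0x%04x" % eh)
        frame = payload[2:]
        if len(frame) < 14:
            raise ValueError("EtherIP payload shorter than an Ethernet header")
        return {"proto": proto, "kind": "etherip",
                "dst_mac": mac_text(frame[:6]), "src_mac": mac_text(frame[6:12]),
                "ethertype": struct.unpack("!H", frame[12:14])[0],
                "broadcast": frame[:6] == BROADCAST_MAC, "frame": frame}
    return {"proto": proto, "kind": "other"}


if __name__ == "__main__":
    # Tunnel endpoints 192.168.2.1 (router) -> 192.168.2.10 (laptop), made up;
    # a wired-LAN host 192.168.1.1 is asking who has 192.168.1.20.
    frame = arp_request_frame("00:11:22:33:44:55", "192.168.1.1", "192.168.1.20")
    print(decode(etherip_packet("192.168.2.1", "192.168.2.10", frame)))
    print(decode(ipv6_in_ipv4_packet("192.168.2.10", "192.168.2.1",
                                     b"\xfe\x80" + b"\x00" * 14,
                                     b"\xfe\x80" + b"\x00" * 13 + b"\x01")))
```

The decoded EtherIP result is a broadcast ARP frame with its original source MAC intact, i.e. exactly the LAN traffic the router's bridge is flooding to gif0; the laptop sees it in tcpdump but has no port to forward it out of. The protocol 41 case decodes to an inner IPv6 header, which is all a plain inet6 address on gif(4) will ever produce.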
Re: Confused about bridge/gif/trunk failover
bbee wrote:
> Hi, I have a laptop that is connected via wifi to an OBSD router. The router has separate subnets for the wired and wireless interfaces (i.e., they are not bridged). I'd like to give the laptop an IP from the wired LAN, the goal being to eventually get failover to work with trunk(4). As per the IPSEC BRIDGE section in brconfig(8) I've set up host-to-host ipsec and a gif tunnel between the router and the laptop. Then on the router, I bridge the wired interface and the gif tunnel. tcpdump shows me the laptop is receiving etherip packets from the router, but of course since it isn't a bridge itself it doesn't know what to do with them. How do I get the laptop to process these packets? What interface do I assign an IP address to? I've tried giving the gif tunnel an ipv6 address, but if I then use it to send data it will send protocol 41 (ipv6) encapsulated packets and not 97 (etherip). Bridging the wired and wireless interfaces directly (and then having the router do transparent IPSEC) would only solve part of the problem, since I'd like the laptop to be able to use its local IP address even if it's doing IPSEC to the router over the internet. How does one, in general, bridge only a single host to a LAN with an OpenBSD router? Help!! Please cc, bbee

I think that, in your case, making the router bridge with the wired net directly, you would already be able to get an IP directly on the wired net, from the DHCP server of the wired network. My router at home does this. So not much point in all this ipsec/vpn thing.

Now, about this trunk stuff you are wanting, I didn't get it. You are thinking of trunking both a wireless if and a wired if, and making them both work on the same net? Please clarify it for us.
My regards, -- Giancarlo Razzolini http://lock.razzolini.adm.br Linux User 172199 Red Hat Certified Engineer no:804006389722501 Verify:https://www.redhat.com/certification/rhce/current/ Moleque Sem Conteudo Numero #002 OpenBSD Stable Ubuntu 8.04 Hardy Heron 4386 2A6F FFD4 4D5F 5842 6EA0 7ABE BBAB 9C0E 6B85
Re: Confused about bridge/gif/trunk failover
On Thu, 11 Sep 2008, Giancarlo Razzolini wrote:
> bbee wrote:
> > As per the IPSEC BRIDGE section in brconfig(8) I've set up host-to-host ipsec and a gif tunnel between the router and the laptop. Then on the router, I bridge the wired interface and the gif tunnel. tcpdump shows me the laptop is receiving etherip packets from the router, but of course since it isn't a bridge itself it doesn't know what to do with them. How do I get the laptop to process these packets? What interface do I assign an IP address to? I've tried giving the gif tunnel an ipv6 address, but if I then use it to send data it will send protocol 41 (ipv6) encapsulated packets and not 97 (etherip). Bridging the wired and wireless interfaces directly (and then having the router do transparent IPSEC) would only solve part of the problem, since I'd like the laptop to be able to use its local IP address even if it's doing IPSEC to the router over the internet. How does one, in general, bridge only a single host to a LAN with an OpenBSD router? Help!!
> I think that, in your case, making the router bridge with the wired net directly, you would already be able to get an IP directly on the wired net, from the DHCP server of the wired network. My router at home does this. So not much point in all this ipsec/vpn thing. Now, about this trunk stuff you are wanting, I didn't get it. You are thinking of trunking both a wireless if and a wired if, and making them both work on the same net? Please clarify it for us.

Yes, as per the last example in trunk(4). If I unplug the LAN cable from my laptop, I want the connections to survive by failover to the wireless connection. The trunk(4) example doesn't describe the router's end of the configuration, but since there's only one IP, I'm assuming the networks have to be bridged at the router end.

Similarly, I have a Linux laptop with a UMTS card. When it goes out of range of my wlan, I want the IP to fail over to the UMTS connection, which is why I'd need ipsec over the internet to the OBSD router. The ipsec part is not the problem.. Getting OpenBSD to do something with etherip packets when it's not a bridge, that's the problem.. I feel like I'm missing something extremely obvious..

Thanks and please cc,
bbee
Re: Confused about bridge/gif/trunk failover
bbee wrote:
> On Thu, 11 Sep 2008, Giancarlo Razzolini wrote:
> Yes, as per the last example in trunk(4). If I unplug the LAN cable from my laptop, I want the connections to survive by failover to the wireless connection. The trunk(4) example doesn't describe the router's end of the configuration, but since there's only one IP, I'm assuming the networks have to be bridged at the router end.

No problem here. The trunk(4) man page could never possibly describe this, because it changes from router to router and also some routers don't have this capability, or they have it but through some obscure setting (as with my own, which isn't an obscure setting at all but instead needs me NOT to configure some things for it to work as a bridge). Once you have your router working as a bridge, the man page's example fits perfectly with what you want to accomplish.

> Similarly, I have a Linux laptop with a UMTS card. When it goes out of range of my wlan, I want the IP to fail over to the UMTS connection, which is why I'd need ipsec over the internet to the OBSD router. The ipsec part is not the problem..

I think the ipsec part IS the problem. I don't know about your setup but it would be much easier for you to use OpenVPN + tun with layer 2 tunneling + bridge.

> Getting OpenBSD to do something with etherip packets when it's not a bridge, that's the problem.. I feel like I'm missing something extremely obvious.. Thanks and please cc, bbee

As I said, the first case is simple, the second not so, but I think you can get them to work. I just don't know if, in the second case, it will work with trunk. Never tested it. But the first case works perfectly for me.

My regards,
-- Giancarlo Razzolini
Re: Confused about bridge/gif/trunk failover
On Thu, 11 Sep 2008, Johan Torin wrote:
> On Thursday 11 September 2008, bbee wrote:
> > tcpdump shows me the laptop is receiving etherip packets from the router, but of course since it isn't a bridge itself it doesn't know what to do with them. How do I get the laptop to process these packets? What interface do I assign an IP address to? I've tried giving the gif tunnel an ipv6 address, but if I then use it to send data it will send protocol 41 (ipv6) encapsulated packets and not 97 (etherip).
> I don't know where you are going with this; if your tunnel is working you should be able to pass traffic on it. Bridging does not (usually|necessarily) involve any specific support in the other end of a bridged interface.

It's working in the sense that I'm seeing packets that are being broadcast on the LAN coming in as etherip on the gif interface. If the laptop had a bridge set up, it would forward them to it, but since it doesn't, nothing happens to them.

> > How does one, in general, bridge only a single host to a LAN with an OpenBSD router? Help!!
> You would probably like to trunk the wired and the wireless interfaces on the laptop, and since you're encapsulating the wireless traffic over a gif-tunnel you fail since you can't trunk gif-interfaces. Sorry.

Well, there goes that idea..

> Tun-interfaces are trunkable (or at least I have read so) so that would be a way to accomplish this. However, it's a bit ironic that OpenBSD's fancy ipsec.conf and friends (and I say this with quite a lot of admiration for them) fall short in this situation. One way to work around this slight shortcoming is to set up OpenVPN, which (IIRC) binds to tun-interfaces. I have however not tested this.

Even forgetting the trunk failover, there is no way to give an IP from my wired LAN to a remote device that doesn't actually have a connected ethernet-like connection available to receive etherip traffic for bridging? That is, there is no way to use IPSEC on OpenBSD to get the traditional Remote VPN Access thing where your mobile device is assigned a LAN IP?

> And if someone knows how to set up a tun-tunnel in stock OpenBSD which does not involve PPP or something like that, I would like to hear about it.

Seconded. Maybe tun can be modified to actually accept packets (if it's in layer 2 mode, it's being bridged, and tunX was created via ifconfig) instead of always returning EHOSTDOWN? Then I could simply bridge the gif and tun interfaces on my laptop, assign tun an IP (or trunk it) and have it behave as if it was physically on the remote LAN.

Thanks,
bbee