Hi,
I have 2 sites and a VyOS router running on VMware ESXi on each side. The task was to connect the local networks on both sides. I connected the 2 sites with a GRE-bridge over an IPsec tunnel. The tunnel is working fine. When I bridge the tunnel and eth1, through which untagged traffic goes, adjust-mss works fine and sites load fine. But when I connect eth1 to a trunk port with a dozen VLANs inside, adjust-mss does not work.
Is this the correct behavior?
@Serj1988 Can you provide a network map with IP addressing and the configuration of each router?
show configuration commands
Of course you can replace addresses and other private information.
That way I can reproduce this in a test lab.
@Viacheslav
The config is almost the same on both sides (only the public IPs are different). The route map is very simple:
S>* Y.Y.Y.Y/32 [1/0] via GW of , eth0, 1d05h20m
C>* Z.Z.Z.Z/28 is directly connected, eth0, 1d05h20m
firewall {
    all-ping enable
    broadcast-ping disable
    config-trap disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    options {
        interface br0 {
            adjust-mss 1356
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
    twa-hazards-protection disable
}
interfaces {
    bridge br0 {
        member {
            interface eth1 {
            }
            interface tun0 {
            }
        }
    }
    ethernet eth0 {
        address dhcp
        hw-id 00:0c:29:fc:15:21
    }
    ethernet eth1 {
        hw-id 00:0c:29:fc:15:7a
    }
    loopback lo {
    }
    tunnel tun0 {
        encapsulation gre-bridge
        local-ip X.X.X.X
        remote-ip Y.Y.Y.Y
    }
}
protocols {
    static {
    }
}
service {
    ssh {
    }
}
system {
    config-management {
        commit-revisions 100
    }
    console {
        device ttyS0 {
            speed 115200
        }
    }
    host-name vyos
    login {
        user vyos {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
        }
    }
    ntp {
        server server1 {
        }
        server server2 {
        }
        server server3 {
        }
    }
    syslog {
        global {
            facility all {
                level info
            }
            facility protocols {
                level debug
            }
        }
    }
}
vpn {
    ipsec {
        esp-group remoteTest {
            compression disable
            lifetime 1800
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes256
                hash sha256
            }
        }
        ike-group remoteTest {
            close-action none
            ikev2-reauth no
            key-exchange ikev1
            lifetime 3600
            proposal 1 {
                dh-group 2
                encryption aes256
                hash sha256
            }
        }
        ipsec-interfaces {
            interface eth0
        }
        site-to-site {
            peer Y.Y.Y.Y {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                connection-type initiate
                default-esp-group remoteTest
                ike-group remoteTest
                ikev2-reauth inherit
                local-address X.X.X.X
                tunnel 0 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    protocol gre
                }
            }
        }
    }
}
In my understanding, iptables by default works with untagged packets, so it won't filter anything I or the VyOS scripts put there.
Enabled 802.1Q tag support for iptables:
echo 1 > /proc/sys/net/bridge/bridge-nf-filter-vlan-tagged
Now everything works fine.
Added to /config/scripts/vyos-postconfig-boot.script:
/usr/bin/echo 1 > /proc/sys/net/bridge/bridge-nf-filter-vlan-tagged
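What the fix in the post above actually changes, shown as an added example that is not part of the original thread or of VyOS: a user-space model of the TCPMSS clamp that `adjust-mss` installs, run over two constructed TCP SYN frames, one untagged and one with an 802.1Q tag. The `filter_vlan_tagged` argument stands in for the `bridge-nf-filter-vlan-tagged` sysctl: with it off, a tagged frame is never inspected, so its MSS option is left at the host's default and the tunnel has to fragment or drop the large segments; with it on, the 4-byte tag is skipped, the MSS is rewritten to the configured 1356 and the TCP checksum is fixed up. The MAC and IP addresses, ports and the 1460 starting MSS are made up for the example.

```python
import struct

# Ethernet / IP / TCP constants used below
ETH_P_8021Q, ETH_P_IP, IPPROTO_TCP = 0x8100, 0x0800, 6
TCP_OPT_END, TCP_OPT_NOP, TCP_OPT_MSS, TCP_FLAG_SYN = 0, 1, 2, 0x02

def checksum(data):
    """RFC 1071 ones' complement checksum of data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def tcp_checksum(src_ip, dst_ip, seg):
    """TCP checksum over the IPv4 pseudo-header plus the segment with its checksum field zeroed."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, IPPROTO_TCP, len(seg))
    return checksum(pseudo + seg[:16] + b"\x00\x00" + seg[18:])

def build_syn(mss, vlan_id=None):
    """Constructed sample frame: Ethernet / [802.1Q] / IPv4 / TCP SYN carrying an MSS option.
    MAC and IP addresses are made up for the example."""
    src_ip, dst_ip = bytes([10, 0, 1, 10]), bytes([10, 0, 2, 10])
    opts = struct.pack("!BBH", TCP_OPT_MSS, 4, mss)
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1000, 0, ((20 + len(opts)) // 4) << 4,
                      TCP_FLAG_SYN, 65535, 0, 0) + opts
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64,
                     IPPROTO_TCP, 0, src_ip, dst_ip)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    eth = bytes.fromhex("000c29aabbcc") + bytes.fromhex("000c29fc157a")
    if vlan_id is not None:
        eth += struct.pack("!HH", ETH_P_8021Q, vlan_id & 0x0FFF)  # TPID + TCI (PCP/DEI = 0)
    return eth + struct.pack("!H", ETH_P_IP) + ip + tcp

def locate_tcp(frame, filter_vlan_tagged):
    """Return (src_ip, dst_ip, tcp_offset) or None. An 802.1Q tag pushes the IP header
    4 bytes further in; with filter_vlan_tagged=False tagged frames are not inspected at
    all, which models bridge-nf-filter-vlan-tagged=0 for the bridge's iptables pass."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    off = 14 if ethertype == ETH_P_IP else (
        18 if ethertype == ETH_P_8021Q and filter_vlan_tagged else None)
    if off is None or struct.unpack("!H", frame[off - 2:off])[0] != ETH_P_IP:
        return None
    ip = frame[off:off + 20]
    if ip[9] != IPPROTO_TCP:
        return None
    return ip[12:16], ip[16:20], off + (ip[0] & 0x0F) * 4

def mss_option_index(tcp):
    """Offset of the MSS option's 16-bit value inside a TCP header, or None."""
    i, hdr_len = 20, (tcp[12] >> 4) * 4
    while i < hdr_len:
        kind = tcp[i]
        if kind == TCP_OPT_END:
            return None
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        length = tcp[i + 1]
        if kind == TCP_OPT_MSS and length == 4:
            return i + 2
        i += max(length, 2)  # a malformed length of 0/1 must not loop forever
    return None

def clamp_mss(frame, max_mss, filter_vlan_tagged):
    """Lower a SYN's MSS option to max_mss and fix the TCP checksum, like iptables
    TCPMSS --set-mss. Returns (frame, old_mss); old_mss is None if nothing was rewritten."""
    found = locate_tcp(frame, filter_vlan_tagged)
    if found is None:
        return frame, None
    src_ip, dst_ip, start = found
    tcp = bytearray(frame[start:])
    idx = mss_option_index(tcp) if tcp[13] & TCP_FLAG_SYN else None
    if idx is None:
        return frame, None
    old = struct.unpack("!H", tcp[idx:idx + 2])[0]
    if old <= max_mss:
        return frame, None
    tcp[idx:idx + 2] = struct.pack("!H", max_mss)
    tcp[16:18] = struct.pack("!H", tcp_checksum(src_ip, dst_ip, bytes(tcp)))
    return frame[:start] + bytes(tcp), old

def read_mss(frame):
    """MSS option as the receiving host (which understands tags) will see it."""
    found = locate_tcp(frame, True)
    tcp = frame[found[2]:]
    idx = mss_option_index(tcp)
    return struct.unpack("!H", tcp[idx:idx + 2])[0]

def tcp_checksum_ok(frame):
    """True if the frame's TCP checksum is valid (catches a rewrite that forgot to fix it)."""
    src_ip, dst_ip, start = locate_tcp(frame, True)
    seg = frame[start:]
    return struct.unpack("!H", seg[16:18])[0] == tcp_checksum(src_ip, dst_ip, seg)
```

Calling `clamp_mss(build_syn(1460, vlan_id=100), 1356, False)` returns the frame unchanged with `old_mss` None, while the same call with `True` returns a frame whose `read_mss` is 1356 and whose checksum still verifies; the untagged frame is clamped either way. On the router itself the sysctl only matters while `bridge-nf-call-iptables` is also enabled, which is what makes the bridged traffic traverse iptables in the first place.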
tjh
August 5, 2020, 9:19pm
You could also add
set system sysctl custom net.bridge.bridge-nf-filter-vlan-tagged value 1
if you want to keep that setting readable in your config (and more portable for the future).
system
Closed
August 7, 2020, 9:19pm
This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.