VyOS 1.3 gretap

Hello. I'm trying to create an L2 tunnel to connect two remote network segments. WireGuard is used as the L3 transport for the tun0 interface.

Problem: I am not receiving ARP packets inside the VM.

Schematic:
R1 vyos wireguard (br1 tun0+eth0) ===(tun0) ===> R2 vyos wireguard === (br1 tun0, eth2) ===> VM (virtual nic e1000e).

Config R2

bridge br1 {
    aging 200
    hello-time 2
    ip {
    }
    max-age 20
    member {
        interface eth2 {
        }
        interface tun0 {
        }
    }
    priority 0
    stp
}

tunnel tun0 {
    encapsulation gretap
    remote 10.3.3.1
    source-address 10.3.3.3
}

Config R1

bridge br1 {
    member {
        interface eth0 {
        }
        interface tun0 {
        }
    }
}

tunnel tun0 {
    encapsulation gretap
    remote 10.3.3.3
    source-address 10.3.3.1
}

According to tcpdump, ARP packets work fine between R1 and R2.

Can you share your WireGuard configuration and the status of the WireGuard interface?

$ show interfaces wireguard

WireGuard config and status R2
show interfaces wireguard

vyos@R1:~$ show interfaces wireguard
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface IP Address S/L Description
wg0 10.3.3.3/24 u/u VPN-GW-GRM

show interfaces wireguard wg0

vyos@R1:~$ show interfaces wireguard wg0
wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
link/none
inet 10.3.3.3/24 brd 10.3.3.255 scope global wg0
valid_lft forever preferred_lft forever
inet6 fe80::f50d:24ff:fe84:3e68/64 scope link
valid_lft forever preferred_lft forever
Description: VPN-GW-GRM

RX:     bytes  packets  errors  dropped  overrun       mcast
     84991424   637452       0        0        0           0
TX:     bytes  packets  errors  dropped  carrier  collisions
       850936     6680       0        0        0           0

conf

show interfaces wireguard wg0

vyos@R1# show interfaces wireguard wg0
 address 10.3.3.3/24
 description VPN-GW-GRM
 mtu 1420
 peer VPN-GW-GRM {
     address xxxxxxxxxxxxx
     allowed-ips 0.0.0.0/0
     allowed-ips 172.16.250.0/24
     allowed-ips 172.16.100.0/24
     persistent-keepalive 15
     port 51820
     pubkey xxxxxxxxxxxxxx
 }
 private-key default

WireGuard config and status R1
show interfaces wireguard

vyos@GW-MAIN:~$ show interfaces wireguard
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface IP Address S/L Description
wg0 10.3.3.1/24 u/u

show interfaces wireguard wg0

vyos@GW-MAIN:~$ show interfaces wireguard wg0
wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
link/none
inet 10.3.3.1/24 brd 10.3.3.255 scope global wg0
valid_lft forever preferred_lft forever
inet6 fe80::f85c:68ff:fedc:27f5/64 scope link
valid_lft forever preferred_lft forever

RX:   bytes  packets  errors  dropped  overrun       mcast
     650000     4840       0        0        0           0
TX:   bytes  packets  errors  dropped  carrier  collisions
     776600     3708       0       65        0           0

conf

show interfaces wireguard wg0

vyos@GW-MAIN# show interfaces wireguard wg0
 address 10.3.3.1/24
 peer R02 {
     allowed-ips 10.3.3.3/32
     allowed-ips 172.16.250.0/24
     allowed-ips 172.16.100.0/24
     persistent-keepalive 15
     pubkey xxxxxxxxxxxxxxxxxxx
 }
 port 51820

VMware? Or what hypervisor/solution are you using? Can you confirm those ARP packets are making it from R2 to the next upstream switch or vSwitch?

If it is VMware, just for giggles go into the vSwitch port for the VM and turn on promiscuous mode. I had problems in the past trying to run GNS3/EVE-NG through a VM because it required promiscuous mode. I wasn't able to bridge the simulated devices onto the network proper. Sounds almost like the same thing here.


I use oVirt/KVM. ARP packets work fine between R1 and R2.
However, a tcpdump on the network interface of the virtualization host that is used to communicate between R2 and the VM does not show the same ARP messages. I also think that the problem is at the virtualization level.


Solved.

The problem was on the virtualization level in default vNIC profiles.

Solution:
https://www.mail-archive.com/users@ovirt.org/msg70631.html

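Added example, not code from the thread, VyOS or oVirt: it builds by hand the packet that R1's bridge pushes into tun0 when the VM's neighbour sends an ARP request, i.e. outer IPv4 (protocol 47) + 4-byte GRE header with protocol 0x6558 (Transparent Ethernet Bridging) + the untouched inner Ethernet frame, and decodes it again the way tcpdump on wg0 would see it. Two points follow from the bytes that the thread's configs and the "solved" post leave implicit. First, the inner frame keeps the originating host's source MAC, so after R2's bridge forwards it out eth2 the hypervisor sees a frame from R2's vNIC whose source MAC is not that vNIC's own; a per-vNIC anti-MAC-spoofing filter (the assumed mechanism behind the "default vNIC profile" fix, the thread itself does not name it) drops exactly such frames, while the same ARP is visible on wg0. Second, with wg0 at MTU 1420 the gretap overhead leaves 1382 bytes for the inner IP MTU, so tun0 and br1 should not be left at the default 1500. All MAC and IP addresses below are constructed sample values.

```python
"""GRETAP-over-WireGuard ARP frame: build, decode, vNIC filter check, MTU budget."""
import ipaddress
import struct

GRE_PROTO_TEB = 0x6558      # Transparent Ethernet Bridging, the gretap payload type
ETHERTYPE_ARP = 0x0806
IPPROTO_GRE = 47


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def build_arp_request(src_mac: str, src_ip: str, target_ip: str) -> bytes:
    """Ethernet II frame carrying a broadcast ARP 'who-has target_ip' request."""
    eth = mac_bytes("ff:ff:ff:ff:ff:ff") + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)      # htype, ptype, hlen, plen, opcode=request
    arp += mac_bytes(src_mac) + ipaddress.IPv4Address(src_ip).packed
    arp += mac_bytes("00:00:00:00:00:00") + ipaddress.IPv4Address(target_ip).packed
    return eth + arp


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum; returns 0 for a header whose checksum is valid."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def gretap_encap(src_ip: str, dst_ip: str, inner_frame: bytes, ttl: int = 64) -> bytes:
    """Outer IPv4 + minimal GRE header (no C/K/S bits) + inner Ethernet frame.
    No outer Ethernet header: wg0 is point-to-point, the outer IP packet goes straight in."""
    gre = struct.pack("!HH", 0, GRE_PROTO_TEB)
    total_len = 20 + len(gre) + len(inner_frame)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, IPPROTO_GRE, 0,
                      ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + gre + inner_frame


def gretap_decap(packet: bytes) -> dict:
    """Parse outer IPv4/GRE and return the inner frame with its Ethernet addresses."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_GRE:
        raise ValueError("not GRE (protocol %d)" % packet[9])
    gre_flags, gre_proto = struct.unpack("!HH", packet[ihl:ihl + 4])
    if gre_proto != GRE_PROTO_TEB:
        raise ValueError("GRE payload is not Transparent Ethernet Bridging (0x%04x)" % gre_proto)
    # Optional GRE fields: checksum (C=0x8000), key (K=0x2000), sequence (S=0x1000), 4 bytes each
    gre_len = 4 + sum(4 for bit in (0x8000, 0x2000, 0x1000) if gre_flags & bit)
    inner = packet[ihl + gre_len:]
    return {
        "outer_src": str(ipaddress.IPv4Address(packet[12:16])),
        "outer_dst": str(ipaddress.IPv4Address(packet[16:20])),
        "inner_dst_mac": inner[0:6].hex(":"),
        "inner_src_mac": inner[6:12].hex(":"),
        "inner_ethertype": struct.unpack("!H", inner[12:14])[0],
        "inner_frame": inner,
    }


def passes_mac_antispoof(frame: bytes, vnic_mac: str) -> bool:
    """Assumed per-vNIC anti-MAC-spoofing rule: a frame leaving the VM is accepted only if
    its source MAC is the vNIC's own MAC. Frames bridged from tun0 carry remote MACs and fail."""
    return frame[6:12] == mac_bytes(vnic_mac)


def max_inner_mtu(outer_mtu: int) -> int:
    """Largest inner IP MTU that fits in one outer packet:
    outer IPv4 (20) + GRE without options (4) + inner Ethernet header (14)."""
    return outer_mtu - 20 - 4 - 14


if __name__ == "__main__":
    # Constructed: host behind R1 asks for the VM behind R2; R2's vNIC has a different MAC
    frame = build_arp_request("52:54:00:aa:bb:01", "172.16.100.10", "172.16.100.20")
    on_wire = gretap_encap("10.3.3.1", "10.3.3.3", frame)
    seen = gretap_decap(on_wire)
    print("outer %s -> %s, inner src %s" % (seen["outer_src"], seen["outer_dst"], seen["inner_src_mac"]))
    print("R2 vNIC filter would accept:", passes_mac_antispoof(frame, "52:54:00:cc:dd:02"))
    print("inner MTU under wg0 mtu 1420:", max_inner_mtu(1420))
```

Run it as is; `gretap_decap` rejects anything that is not GRE with the TEB protocol, so pointing it at a captured packet that was not encapsulated (for example one that left the bridge on eth2 instead of tun0) fails loudly rather than returning garbage.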

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.