Vyos 1.3 gretap

Serg87 · May 10, 2023, 6:17pm

Hello. I’m trying to create l2 tunnel to connect two remote network segments. wireguard is used as l3 transport for tun0 interface.

Problem: I am not receiving arp packets inside vm

Schematic:
R1 vyos wireguard (br1 tun0+eth0) ===(tun0) ===> R2 vyos wireguard === (br1 tun0, eth2) ===> VM (virtual nic e1000e).

Config R2

br1

aging 200
hello-time 2
ip {
}
max-age 20
member {
interface eth2 {
}
interface tun0 {
}
}
priority 0
stp

tun0

encapsulation gretap
remote 10.3.3.1
source-address 10.3.3.3

Config R1

br1

bridge br1 {
member {
interface eth0 {
}
interface tun0 {
}
}
}

tun0

encapsulation gretap
remote 10.3.3.3
source-address 10.3.3.1

According to tcpdump ARP packets works fine between R1 and R2

a.srividya · May 10, 2023, 7:05pm

Can you share your wireguard configuration and the status of the wireguard interface.

$ show interfaces wireguard

Serg87 · May 10, 2023, 7:21pm

Wireguard config and status R2

show interfaces wireguard

vyos@R1:~$ show interfaces wireguard
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface IP Address S/L Description
wg0 10.3.3.3/24 u/u VPN-GW-GRM

show interfaces wireguard wg0

vyos@R1:~$ show interfaces wireguard wg0
wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
link/none
inet 10.3.3.3/24 brd 10.3.3.255 scope global wg0
valid_lft forever preferred_lft forever
inet6 fe80::f50d:24ff:fe84:3e68/64 scope link
valid_lft forever preferred_lft forever
Description: VPN-GW-GRM

RX:     bytes  packets  errors  dropped  overrun       mcast
     84991424   637452       0        0        0           0
TX:     bytes  packets  errors  dropped  carrier  collisions
       850936     6680       0        0        0           0

conf

show interfaces wireguard wg0

vyos@R1# show interfaces wireguard wg0
address 10.3.3.3/24
description VPN-GW-GRM
mtu 1420
peer VPN-GW-GRM {
address xxxxxxxxxxxxx
allowed-ips 0.0.0.0/0
allowed-ips 172.16.250.0/24
allowed-ips 172.16.100.0/24
persistent-keepalive 15
port 51820
pubkey xxxxxxxxxxxxxx
}
private-key default

Wireguard config and status R1

show interfaces wireguard

vyos@GW-MAIN:~$ show interfaces wireguard
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface IP Address S/L Description
wg0 10.3.3.1/24 u/u

show interfaces wireguard wg0

yos@GW-MAIN:~$ show interfaces wireguard wg0
wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
link/none
inet 10.3.3.1/24 brd 10.3.3.255 scope global wg0
valid_lft forever preferred_lft forever
inet6 fe80::f85c:68ff:fedc:27f5/64 scope link
valid_lft forever preferred_lft forever

RX:   bytes  packets  errors  dropped  overrun       mcast
     650000     4840       0        0        0           0
TX:   bytes  packets  errors  dropped  carrier  collisions
     776600     3708       0       65        0           0

conf

show interfaces wireguard wg0

vyos@GW-MAIN# show interfaces wireguard wg0
address 10.3.3.1/24
peer R02 {
allowed-ips 10.3.3.3/32
allowed-ips 172.16.250.0/24
allowed-ips 172.16.100.0/24
persistent-keepalive 15
pubkey xxxxxxxxxxxxxxxxxxx
}

port 51820

acosgrove · May 10, 2023, 7:38pm

VMware? Or what hypervisor/solution are you using? Can you confirm those ARP packets are making it from R2 to the next upstream switch or vSwitch?

If it is VMware just for giggles go into the vswitch port for the VM and turn on promiscuous mode. I had problems in the past trying to run GNS3/EVE-NG through a VM because it required promiscuous mode.I wasn’t able to bridge the simulated devices on to the network proper. Sounds almost like the same thing here

Serg87 · May 10, 2023, 7:58pm

I use Ovirt/KVM. ARP packets works fine between R1 and R2.
However, tcpdump result on the network interface of the virtualization host that is used to communicate with R2 to the VM does not detect the same ARP messages. I also think that the problem is at the virtualization level

Serg87 · May 10, 2023, 8:47pm

Solved.

The problem was on the virtualization level in default vNIC profiles.

Solution:
https://www.mail-archive.com/users@ovirt.org/msg70631.html

system · May 12, 2023, 8:47pm

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.