Configuring GRETAP over Wireguard and bridging to switch ports on ER-X

Hi guys,

I need some assistance setting up a GRETAP tunnel over Wireguard and bridging it to physical switch ports on either end. My setup is below:

Specifically, I would like to bridge eth3+4 on ER-X (A) with the GRETAP tunnel and eth4 on the ER-X (B) with the other endpoint of the tunnel. I am not sure how to configure the bridge and switch ports - the OpenWRT documentation for the ER-X switch is a little confusing. (The Wireguard tunnel is already functional).

For now, I am simply trying to bridge eth4 to GRETAP, but am not getting any packets transferred. Did I overlook something in the configs?

Config on ER-X (A):

cat /etc/config/network

# Base network config on ER-X (A): loopback, LAN, WAN and the switch0 VLAN
# table. Nothing in this part refers to the WireGuard or GRETAP interfaces.
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'REDACTED::/48'

# LAN is a bridge over the VLAN 1 sub-interface eth0.1.
config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.4.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device 'lan_eth0_1_dev'
        option name 'eth0.1'
        option macaddr 'REDACTED'

# WAN (DHCP and DHCPv6) uses the VLAN 2 sub-interface eth0.2.
config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'

config device 'wan_eth0_2_dev'
        option name 'eth0.2'
        option macaddr 'REDACTED'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

# VLAN 1 = switch ports 1 2 3, VLAN 2 = switch port 0. Both also carry '6t'
# (port 6, tagged), which matches the eth0.1 / eth0.2 sub-interfaces above,
# so port 6 is presumably the CPU port -- confirm for this board.
# Switch port 4 is not a member of either VLAN.
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '6t 1 2 3'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '6t 0'
        option vid '2'

# WireGuard interface on ER-X (A), tunnel address 10.10.13.1/24.
# private_key is the long-term secret of this endpoint; it is redacted in the
# post and should stay out of pasted configs and unencrypted backups.
config interface 'wg0'
        option proto 'wireguard'
        option listen_port '1234'
        option private_key 'REDACTED'
        list addresses '10.10.13.1/24'

# Peer definition for ER-X (B).
# allowed_ips is also the source-address filter for packets decrypted from
# this peer, and route_allowed_ips '1' installs a route for the same prefix.
# '10.10.13.2/24' has host bits set and effectively admits all of
# 10.10.13.0/24; the GRETAP endpoint on the far side is the single address
# 10.10.13.2, so '10.10.13.2/32' would be the least-privilege value.
# NOTE(review): confirm nothing else is meant to be routed through this peer.
config wireguard_wg0
        option public_key 'REDACTED'
        option persistent_keepalive '25'
        option endpoint_port '1234'
        option description 'Server'
        option endpoint_host 'REDACTED'
        option route_allowed_ips '1'
        list allowed_ips '10.10.13.2/24'

# GRETAP (Ethernet-over-GRE) endpoint on ER-X (A). ipaddr / peeraddr are the
# two wg0 tunnel addresses, so the GRE packets are intended to travel inside
# WireGuard. The section itself configures no encryption or authentication,
# so the bridged frames are only protected while the route to 10.10.13.2
# really goes via wg0.
# WireGuard's allowed_ips check sees only the outer GRE addresses; the
# Ethernet frames carried inside are not filtered by it.
# No MTU is set here; the poster later reports MTU problems with this
# GRETAP-in-WireGuard stacking.
config interface 'gt'
        option proto 'gretap'
		option type 'bridge'
        option ipaddr '10.10.13.1'
        option peeraddr '10.10.13.2'

# NOTE(review): this is the section the first reply in the thread objects to.
# 'device' names the hardware switch, and a tunnel interface cannot be
# attached to it with '@gt'. VLAN 3 also lists only port 4 and has no '6t'
# member, unlike VLANs 1 and 2, so (if port 6 is the CPU port) frames from
# port 4 would never reach the CPU where bridging to gt has to happen.
config switch_vlan
        option device 'switch0 @gt'
        option vlan '3'
        option ports '4'
        option vid '3'

And here is the config on ER-X (B):

cat /etc/config/network

# Base network config on ER-X (B). Same layout as a stock loopback / LAN /
# WAN / switch0 setup; the LAN address here is 192.168.1.1/24.
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'REDACTED::/48'

# LAN bridge on top of the VLAN 1 sub-interface.
config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device 'lan_eth0_1_dev'
        option name 'eth0.1'
        option macaddr 'REDACTED'

# WAN and WAN6 share the VLAN 2 sub-interface.
config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'

config device 'wan_eth0_2_dev'
        option name 'eth0.2'
        option macaddr 'REDACTED'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

# Ports 1 2 3 sit in VLAN 1 and port 0 in VLAN 2, each together with the
# tagged port 6 ('6t'). Port 4, the one the poster wants to bridge to the
# tunnel, is in neither VLAN.
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '6t 1 2 3'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '6t 0'
        option vid '2'

# WireGuard interface on ER-X (B), tunnel address 10.10.13.2/24.
# The private key is redacted in the post; treat it as a secret wherever this
# file is copied or backed up.
config interface 'wg0'
        option proto 'wireguard'
        option private_key 'REDACTED'
        option listen_port '1234'
        list addresses '10.10.13.2/24'

# Peer definition for ER-X (A).
# '10.10.13.1/24' is written with host bits set; as an allowed_ips entry it
# effectively lets this peer source any address in 10.10.13.0/24, and
# route_allowed_ips '1' routes that prefix to it. Only 10.10.13.1 is used as
# the GRETAP peer address, so a /32 would be the tighter setting.
# NOTE(review): confirm before narrowing.
config wireguard_wg0
        option public_key 'REDACTED'
        option persistent_keepalive '25'
        option route_allowed_ips '1'
        option endpoint_port '1234'
        option endpoint_host 'REDACTED'
        list allowed_ips '10.10.13.1/24'

# GRETAP endpoint on ER-X (B), mirroring side A with ipaddr and peeraddr
# swapped. Both are wg0 tunnel addresses, so protection of the bridged
# Ethernet frames depends entirely on the GRE packets being routed into
# WireGuard; nothing in this section encrypts or authenticates them.
# delegate '0' appears only on this side (A's gt section has no such option).
# NOTE(review): presumably disables IPv6 prefix delegation onto this
# interface -- confirm.
config interface 'gt'
        option proto 'gretap'
        option type 'bridge'
        option ipaddr '10.10.13.2'
        option peeraddr '10.10.13.1'
        option delegate '0'

# NOTE(review): same construct as on side A, and the one the first reply
# questions: 'switch0 @gt' tries to put a tunnel interface on the hardware
# switch, and VLAN 3 contains port 4 only, without the tagged port 6 that
# VLANs 1 and 2 use, so the CPU would not see this VLAN.
config switch_vlan
        option device 'switch0 @gt'
        option vlan '3'
        option ports '4'
        option vid '3'

Thanks!

The vlan switch is a hardware device. I don't think you can use the gt interface in that way. The traffic between the vlan switch and the gt needs to be handled by the CPU, i.e. sent via the CPU port (6t on your hardware?).

I think you need to add a separate interface with proto none, type bridge and ifname "eth0.3 @gt".


I thought I tried that initially, but it didn't work. I'll try again - I may be misremembering things (it's been a week since I last messed with it).

Hmm. After adding a separate interface and splitting eth3 and eth4 to VLAN 3:

# Second attempt: a protocol-less interface listing the VLAN 3 sub-interface
# and the GRETAP device, plus a VLAN 3 entry that now includes '6t'.
# NOTE(review): the suggestion in the thread was proto none *and* type
# bridge; there is no "option type 'bridge'" here, so the two ifnames may
# not actually be joined into one bridge -- verify.
# Once bridged, both sites share one layer-2 segment: broadcast, ARP and
# DHCP traffic from either side reaches the other.
config interface 'br0'
        option ifname 'eth0.3 @gt'
        option proto 'none'

# NOTE(review): the section type is written 'switch vlan' with a space,
# whereas the working sections in the full config use 'switch_vlan'. As
# written this would likely be read as a section of type 'switch' named
# 'vlan', which may be what produces the "Failed to connect to the switch"
# message reported below -- confirm.
config switch vlan
        option device 'switch0'
        option vlan '3'
        option ports '6t 3 4'
        option vid '3'

When I restart the network service, the console spits out

Failed to connect to the switch. Use the "list" command to see which switches are available.

Adding a device section does not help:

# Device section assigning a MAC address to the VLAN 3 sub-interface eth0.3.
# The section is named 'wan_...' although eth0.3 is used for the tunnel
# bridge, not for WAN.
# NOTE(review): 'ab:cd:ef:01:23:45' looks like a placeholder. If it were used
# literally, the first octet 0xab has the group (multicast) bit set, so it
# is not a valid unicast interface address.
config device 'wan_eth0_3_dev'
        option name 'eth0.3'
        option macaddr 'ab:cd:ef:01:23:45'

I'm going to try to configure from within Luci instead - hopefully it will generate correct configuration.

So the good news is that it worked! However, I am now dealing with MTU issues that I can't easily solve because Wireguard is UDP, so I am back to square one and trying to use two /25 subnets and route between them instead.

Thanks for your help.