Data link layer tunneling

I need to know if it is possible to tunnel MAC (medium access control) traffic from devices attached to an OpenWrt router.

Specifically, I am interested in these protocols, but in theory that should not matter.
Ethertype
0x8892 Profinet
0x88A4 EtherCat
0x88CC Link Layer Discovery
0x8204 QNX Qnet

I have looked at L2TP and GRE but I am not sure if they would work.

P.S. As a side note, for anyone saying this is impossible: I am already doing it with USB over IP. I am just wondering if there is a more elegant solution.

Sure. Set up a Layer 2 tunnel.

Do you need options of which?

The least-overhead choice is gretap (GRE, but L2). Most VPNs can work in TAP (L2) mode in place of the more usual default L3 TUN mode, but you lose on latency if your router is not a full-fledged PC.

I'd say "some," not necessarily most.

An important consideration is the other side of the equation, though. For example:

  • PPTP is an L2 (tap) VPN protocol, but is considered unsafe for use now because the encryption is trivially hacked. As such, PPTP has been removed from many modern OSes including Mac OS and iOS -- so you may not be able to even use the protocol.
  • OpenVPN has a tap mode (unless it has been deprecated; I haven't checked), but that is not supported on iOS and Android. You'd need a full-fledged desktop OS or something like another OpenWrt router as the remote endpoint to get TAP working.
  • L2TP based VPNs are often considerably more complex to configure than other VPNs, and support can be spotty with respect to the client availability since these are becoming less common.

I can't speak to the latency on L2 vs L3 with respect to the processor in the endpoint. But latency is a relevant issue on L2 connections that are tunneled over the internet. The added latency can become an issue with respect to broadcast/multicast traffic over the network, since that will also traverse the tunnel. This can degrade the overall network performance because of the significantly higher latency over the tunnel for such traffic. Just something to keep in mind.

IPsec/IKEv2 (strongSwan) can also be configured for tap.

Thanks brada4, I am using a WireGuard tunnel. I installed luci-proto-gre and that looks like it will do what I want. Any possible limitations/gotchas with this approach? I enjoy doing the research; I just hate dead ends. Latency and throughput are not a concern. Other than a Windows programming workstation, no other computers are involved. The connection will either be OpenWrt to OpenWrt or OpenWrt to Windows behind an OpenWrt router (the latter being my current config).

Latency of a long-range WAN is measured in milliseconds vs. LAN microseconds. It may reorder normally in-order packets.

gretap did not pass non-IP traffic. It does tunnel broadcast. I tested it using DHCP and that worked. Which Linux distro man pages would best describe the functionality of gretap?

It's working. Initially, I focused on the Profinet protocol but along the way I was only looking at the LLDP protocol. Well, that's the one protocol that is not forwarded by bridges.

"The Ethernet frame used in LLDP typically has its destination MAC address set to a special multicast address that 802.1D-compliant bridges do not forward." - Wikipedia

Not that complicated a setup actually.

man ip-link


"man ip-link" does make more sense after installing ip-full. I used the Debian man pages here: https://manpages.debian.org/bookworm/iproute2

After a lot of testing, the benefit of using gretap over l2tp with encap=ip is 4 bytes.

Here are two frames for reference.

l2tp with encap=ip
0000 94 83 c4 1c 0c 56 94 83 c4 1c 04 86 08 00 45 00
0010 00 58 16 a7 00 00 40 73 bd d4 0a d8 c8 04 0a d8
0020 c8 03 00 00 00 01 00 00 00 00 01 0e cf 00 00 00
0030 20 7b d2 e5 a6 42 88 92 fe fe 05 00 0b 01 00 0f
0040 00 80 00 04 ff ff 00 00 00 00 00 00 00 00 00 00
0050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0060 00 00 00 00 00 00

gretap
0000 94 83 c4 1c 0c 56 94 83 c4 1c 04 86 08 00 45 00
0010 00 54 ea a7 40 00 40 2f aa 1b 0a d8 c8 04 0a d8
0020 c8 03 00 00 65 58 01 0e cf 00 00 00 20 7b d2 e5
0030 a6 42 88 92 fe fe 05 00 0b 01 00 10 00 80 00 04
0040 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0060 00 00
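Decoding the two captures above shows where those 4 bytes go. This is an added example, not code from the thread; it re-types the two dumps as byte strings and assumes (as the dump shows) an L2TPv3 session with no cookie and the default 4-byte L2-specific sublayer. It also makes visible that both encapsulations carry the inner Profinet frame in clear, which is why an outer WireGuard tunnel still matters.

```python
# Added example (not from the thread): peel the outer Ethernet/IPv4 header and
# the GRE or L2TPv3 header from each capture and compare encapsulation sizes.
import struct

# The two frames from the post, re-typed from the hex dumps (trailing padding
# written as "00" * 32). 102 bytes for l2tp encap=ip, 98 bytes for gretap.
L2TP_FRAME = bytes.fromhex(
    "9483c41c0c569483c41c048608004500005816a700004073bdd40ad8c8040ad8"
    "c8030000000100000000010ecf000000207bd2e5a6428892fefe05000b01000f"
    "00800004ffff" + "00" * 32)
GRETAP_FRAME = bytes.fromhex(
    "9483c41c0c569483c41c0486080045000054eaa74000402faa1b0ad8c8040ad8"
    "c80300006558010ecf000000207bd2e5a6428892fefe05000b01001000800004"
    "ffff" + "00" * 32)

IPPROTO_GRE, IPPROTO_L2TP = 47, 115
ETH_P_TEB = 0x6558  # GRE protocol type "Transparent Ethernet Bridging" (gretap)
# Assumption: L2TPv3 over IP with no cookie plus the default 4-byte L2-specific
# sublayer (iproute2 "l2spec_type default"): 4-byte session ID + 4 bytes.
L2TPV3_IP_HDR = 4 + 4


def decode(frame: bytes) -> dict:
    """Return the encapsulation size and the inner Ethernet frame's header fields."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("outer frame is not IPv4")
    ihl = (frame[14] & 0x0F) * 4                 # honour IP options if present
    total_len = struct.unpack("!H", frame[16:18])[0]
    proto = frame[23]
    pos = 14 + ihl
    if proto == IPPROTO_GRE:
        flags, gre_proto = struct.unpack("!HH", frame[pos:pos + 4])
        if gre_proto != ETH_P_TEB:
            raise ValueError("GRE payload is not a bridged Ethernet frame")
        # RFC 2890: 4-byte base header, plus 4 bytes each for C, K and S options.
        hdr = 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
        name = "gretap"
    elif proto == IPPROTO_L2TP:
        hdr, name = L2TPV3_IP_HDR, "l2tpv3/ip"
    else:
        raise ValueError(f"unexpected IP protocol {proto}")
    inner = frame[pos + hdr:14 + total_len]      # tunnelled Ethernet frame, in clear
    return {"encap": name, "encap_bytes": hdr, "inner_len": len(inner),
            "inner_dst": inner[0:6].hex(":"), "inner_src": inner[6:12].hex(":"),
            "inner_ethertype": struct.unpack("!H", inner[12:14])[0]}


def overhead_difference() -> int:
    """Extra bytes l2tp encap=ip spends per frame compared with gretap."""
    return decode(L2TP_FRAME)["encap_bytes"] - decode(GRETAP_FRAME)["encap_bytes"]
```

Both captures decode to the same 60-byte inner frame: destination 01:0e:cf:00:00:00, EtherType 0x8892 (Profinet), with only the DCP transaction id differing.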

Yes, busybox ip is rather limited.
