Gretap Tunneling not working

dsinghra12 · November 28, 2018, 5:35pm

Hi,

Could someone help me, please? I'm having a problem with TP-Link C7 router with OpenWrt version 18.06.1.

I am trying to setup a gretap tunnel to forward all traffic from a spcefic interface wlan0 through this tunnel to remote endpoint.I configured it based on

https://forum.openwrt.org/t/solved-busybox-doesnt-support-gretap/12032

and bridged it with wlan0 interface. There is routing in place to forward bridged traffic to wan interface. gretap interface comes up and the client connected to wlan0 interface, able to reach internet. The problem is, I do not see any GRE encapsulation header in any of the messages for e.g. ICMP. So I do not think tunnel is being used at all.

Below are the config on my router:

Network:

config interface 'lan2'
        option type 'bridge'
        option ifname 'wlan0 @grt1'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'

config interface grt1
        option proto 'gretap'
        option ipaddr '192.168.230.25'
        option peeraddr '192.168.230.91'
        option force_link '1'

here "192.168.230.25" is wan0 IP of my router and "192.168.230.91" is remote end IP.

firewall:

config zone
        option name             lan2
        list   network             'lan2'
        option input               ACCEPT
        option output             ACCEPT
        option forward           ACCEPT

Routing:

root@OpenWrt:/etc/config# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.231.254 0.0.0.0         UG    0      0        0 eth0.2
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan
192.168.2.0      0.0.0.0        255.255.255.0   U     0      0        0 br-lan2
192.168.230.0   0.0.0.0         255.255.254.0   U     0      0        0 eth0.2

I would really appreciate if someone can help me understand what I am missing here or doing anything wrong.
Thanks.

jeff · November 28, 2018, 6:46pm

Explicitly adding a wireless interface to a bridge, without naming that interface uniquely in /etc/config/wireless and creating it in /etc/config/network may not work as expected. Typically one specifies the bridge in /etc/config/network without the wireless component(s), then refers to that interface in /etc/config/wireless.

What is the output of brctl show ?

dsinghra12 · November 28, 2018, 8:44pm

Thanks for your reply Jeff.

root@OpenWrt:/etc/config# brctl show
bridge name     bridge id               STP enabled     interfaces
br-lan          7fff.f4f26d95267b       no              eth1.1
                                                        wlan1
                                                        gre4t-grt1

I tried to follow the same now but still I do not see any GRE Encapsulation header on ICMP packets.
Below is updatyed configuration:

ifconfig:

root@OpenWrt:/etc/config# ifconfig
br-lan    Link encap:Ethernet  HWaddr F4:F2:6D:95:26:7B
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::f6f2:6dff:fe95:267b/64 Scope:Link
          inet6 addr: fda0:f252:2352::1/60 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4646 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8017 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:337737 (329.8 KiB)  TX bytes:2236101 (2.1 MiB)

eth0      Link encap:Ethernet  HWaddr F4:F2:6D:95:26:7C
          inet6 addr: fe80::f6f2:6dff:fe95:267c/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:148472 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3751 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:21287970 (20.3 MiB)  TX bytes:766902 (748.9 KiB)
          Interrupt:4

eth0.2    Link encap:Ethernet  HWaddr F4:F2:6D:95:26:7C
          inet addr:192.168.230.25  Bcast:192.168.231.255  Mask:255.255.254.0
          inet6 addr: 2600:2300:400::f6f2:6dff:fe95:267c/64 Scope:Global
          inet6 addr: fe80::f6f2:6dff:fe95:267c/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:32537 errors:0 dropped:4 overruns:0 frame:0
          TX packets:554 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:5244449 (5.0 MiB)  TX bytes:75454 (73.6 KiB)

eth1      Link encap:Ethernet  HWaddr F4:F2:6D:95:26:7B
          inet6 addr: fe80::f6f2:6dff:fe95:267b/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:14007 errors:0 dropped:0 overruns:0 frame:0
          TX packets:19811 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1698439 (1.6 MiB)  TX bytes:7897193 (7.5 MiB)
          Interrupt:5

eth1.1    Link encap:Ethernet  HWaddr F4:F2:6D:95:26:7B
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4233 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7738 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:277229 (270.7 KiB)  TX bytes:2131855 (2.0 MiB)

gre4t-grt1 Link encap:Ethernet  HWaddr 0E:AE:29:D4:00:61
          inet6 addr: fe80::cae:29ff:fed4:61/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:104 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:10308 (10.0 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:2216 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2216 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:229173 (223.8 KiB)  TX bytes:229173 (223.8 KiB)

wlan1     Link encap:Ethernet  HWaddr F4:F2:6D:95:26:7A
          inet6 addr: fe80::f6f2:6dff:fe95:267a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:412 errors:0 dropped:0 overruns:0 frame:0
          TX packets:459 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:66270 (64.7 KiB)  TX bytes:131388 (128.3 KiB)

Network:

config interface grt1
        option proto 'gretap'
        option ipaddr '192.168.230.25'
        option peeraddr '192.168.230.91'
        option force_link '1'
        option mtu 1500

config interface 'lan'
        option type 'bridge'
        option ifname 'eth1.1 @grt1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

/etc/config/wireless:

config wifi-device 'radio1'
        option type 'mac80211'
        option channel '11'
        option hwmode '11g'
        option path 'platform/qca955x_wmac'
        option htmode 'HT20'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none''

firewall:

config zone
        option name             lan
        list   network          'lan'
        option input            ACCEPT
        option output           ACCEPT
        option forward          ACCEPT

route:

root@OpenWrt:/etc/config# ip route show
default via 192.168.231.254 dev eth0.2 proto static src 192.168.230.25
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
192.168.230.0/23 dev eth0.2 proto kernel scope link src 192.168.230.25

I do not get what I am missing.

jeff · November 28, 2018, 8:54pm

I'm not understanding your topology as I don't seen any reason for any packet to be tunneled, at least from what I see above.

dsinghra12 · November 28, 2018, 9:06pm

Hello Jeff,

My end goal is to send IoT device's traffic through tunnel. I am able to assign devices to different VLANs with help of Radius server. But again, I am not able to forward that traffic through gretap tunnel. That is why, I am trying to test above mentioned simple configuration.

Can you please let me know what configuration changes I should do so that traffic from wlan1 will use gretap tunnel.

-Thanks

jeff · November 28, 2018, 9:36pm

To where? Via where? Right now it looks like you've got either on-link addresses or a default route.

Typically one uses a Layer 2 tunnel to connect two network segments (which may be a single host) via a third. Something like:

Some hosts on 
192.168.0.0/24 <---> tunnel portal 10.0.0.101
                           |
                           |
More hosts on              |
192.168.0.0/24 <---> tunnel portal 10.0.0.102

dsinghra12 · November 28, 2018, 9:59pm

Below is my configuration:

                                All Traffic                                   Tunnel
Clients (Wlan1) <-----------------> Router 1<------------------------------------------------------>IoT server
192.168.3.1                          192.168.230.25  (traffic sourced wlan1 uses tunnel)     192.168.230.91

So there is an IoT server as mentioned above, which can be reached without tunnel via underlined network. I need all traffic sourced from wlan1 to use Tunnel route. Traffic sourced other than wlan1, should not use tunnel.

I tried using GRE layer 3 tunnel, but I could define route based on destination (like if traffic is meant for x.x.x.x then use dev gre route) and that works fine. But I could not create any route based on it's source (like if traffic source is wlan1, then use gre tunnel route).

So I turned to gretap (layer 2 tunnel) as we can bridge interface with gretap interface and can use tunnel to send traffic. But again, I am missing something or may be not understanding the clear picture at all.

dlakelan · November 29, 2018, 3:53am

I'm not understanding the full picture either but perhaps what you want is policy routing and a layer 3 tunnel?

dsinghra12 · November 29, 2018, 4:09am

Thank you dlakelan. Thats what I used now and GRE layer 3 Tunnel is working fine with Source Based Routing(Policy Routing).

But if I want to use layer 2 Tunnel, how shall I configure above scenario.

arjuniet · November 29, 2018, 4:49am

I have running a very similar setup since january this year

Your mistake is you are bridging wlan0 interface and gretap interface making a bridge that can entertain great frames as well as frames from wlan

Do one thing make a bridge having wlan0 first than create a gretap out of that bridge

I will send you my working config if it didn't work in an hour

dsinghra12 · November 29, 2018, 5:23am

Thanks arjuniet. I do not have my setup with me now. But I will try the same tomorrow. If you can let me know your config meanwhile, that will be great.

Thanks

arjuniet · November 29, 2018, 5:26am

For sure , I ll post them

arjuniet · November 29, 2018, 5:32am

Instead I have created multiple gretap , one per each ssid

dlakelan · November 29, 2018, 5:51am

So it's not clear to me why you want to layer 2 tunnel. A layer 2 tunnel extends a broadcast network, so it's useful if you're sending multicast stream or other lan protocols to multiple devices. But it seems you are just sending packets to a single device, I don't get the use case. Why not just route?

dsinghra12 · November 29, 2018, 7:42pm

@dlakelan Thanks for the explanation. I was confused about gretap layer 2 tunnel working. I understood now the purpose of gretap. Thanks

dsinghra12 · November 29, 2018, 7:45pm

@arjuniet Can you post your config to help me uinderstand your scenario and gretap working.

-Thanks

arjuniet · November 29, 2018, 7:51pm

Yes you will get it ..today I was too busy couldn't respond anyone, sorry

I will post in morning

arjuniet · November 30, 2018, 3:17pm

config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'

config globals 'globals'
option ula_prefix 'fdf0:6cd0:ae3a::/48'

config interface 'lan'
option ifname 'eth0.1'
option force_link '1'
option type 'bridge'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'

config interface 'wan'
option ifname 'eth0.408'
option force_link '1'
option proto 'static'
option ipaddr '10.1.163.133'
option gateway '10.1.163.129'
option netmask '255.255.255.128'
option dns '164.100.3.1'

config interface 'wan6'
option ifname 'eth0.2'
option proto 'dhcpv6'

config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'

config switch_vlan 'vlan_lan'
option device 'switch0'
option vid '1'
option vlan '0'
option ports '0t 1 2 3 4'

config switch_vlan 'vlan_wan'
option vid '408'
option vlan '15'
option ports '0t 1t'
option device 'switch0'

config interface 'trunk'
option ifname 'trunk'
option proto 'gretap'
option ipaddr '10.1.163.133'
option peeraddr '10.40.125.84'
option mtu '1500'
option force_link '1'

config switch_vlan 'vlan_vlan298'
option vid '298'
option vlan '1'
option ports '0t 1t'
option device 'switch0'

config interface 'vlan298'
option type 'bridge'
option ifname '@trunk.298'

arjuniet · December 1, 2018, 9:04pm

Hey problem solved ?

dsinghra12 · December 2, 2018, 10:11pm

Thanks @arjuniet for the config. I did not get the chance to run your config yet. Will update once I use it.

-Thanks