Setup fastest Pseudowire-Protocol

riodoro · May 1, 2019, 4:30pm

I want to connect some devices via L2 tunneling in our company IP network.
The setup with OpenVPN TAP interface works so far.
Tests with two OpenWRT instances in an ESXi 6.7 (Intel NUC I3) get roughly 300 MBit IPerf TCP performance.
Not bad, but can that be improved?
Encryption doesn't matter. Authentication would be fine. At least the VPN client hat a dynamic IP-adress. So the tunnel config should work with DNS-names.
Please push me in the right direction.

jeff · May 1, 2019, 4:38pm

GRE tunnel, layer 2 ("gretap") is perhaps the lightest weight from both CPU and bits -- but be careful with MTU as with any L2 tunnel that isn't actively fragmented by the endpoints. This is sort of a problem in general, as it is the encapsulated packets that get fragmented, so that the fragmentation-required messages go to the tunnel endpoint, not the sender of the encapsulated packet, as I remember the conundrum.

One article on various flavors of tunnels under OpenWrt that I found helpful was

https://justus.berlin/2016/02/performance-of-tunneling-methods-in-openwrt/

Edit: Here's some earlier notes of mine on the MTU problem

riodoro · May 1, 2019, 5:36pm

Thanks so far.
Does GRETAP works with DNS names for the remote peer?
Then I will give it a try.

jeff · May 1, 2019, 5:38pm

I haven't tried DNS names in the UCI configuration, only hard-coded IP addresses.

If not, one approach you could use uci commands to set the IP addresses after resolution of your choice.

riodoro · May 1, 2019, 5:52pm

As a start I copied a config from here:
https://forum.archive.openwrt.org/viewtopic.php?id=68885

config interface 'gretap_if'
        option ipaddr '10.3.3.11'
        option peeraddr '10.3.3.12'
        option network 'br0'
        option mtu      '1500'
        option df       '1'  #Note: Commenting this out or using 'true' have the same effect.
        option proto 'gretap'

This gives me
Unsupported protocol type.
Install protocol extensions...
in the gui (network/interfaces)
But no luci-proto-gre available
Any hints for installing and configuring gretap?

mikma · May 1, 2019, 5:53pm

You should be able to use DNS names when configuring GRETAP in UCI/luci, but I don't think it will do anything if the DNS record is changed.

You could use IPsec in transport mode with AH if you want to authenticate the GRETAP packets but don't want to use encryption. I think it's supported by strongswan.

jeff · May 1, 2019, 5:54pm

You probably need the gre package installed if the tunnel isn't up through "manual" testing.

Yes, LuCI doesn't understand how to render a GRE tunnel, at least last I checked.

Edit: From my config from late last year over a wireless link (so more than 1500 MTU available):

config interface 'gt99'
        option proto 'gretap'
        option mtu 1558
        option ipaddr 'x.x.x.95'
        option peeraddr 'x.x.x.99'
        option delegate '0'

Be careful with interface-name lengths. There is a 15-character limit in the kernel and OpenWrt prepends gre4t- as I recall.

gre4t-gt99.1234 is 15 characters (I was tunneling multiple VLANs over a single GRE tunnel)

I recall it not working properly if I didn't specify "my" address.

riodoro · May 1, 2019, 6:10pm

Sorry, I forgot to mention that
gre
kmod-gre
kmod-gre6
is installed.

Ok, then I'll try it on cli.

Does strongswan supports l2-tunnels?

mikma · May 1, 2019, 8:29pm

Not unless you use it together with for example VXLAN or GRETAP (or L2TP?).

riodoro · May 2, 2019, 11:57am

I've got GRETAP up and running with credits to

My config is

Router1
ip link add gretap1 type gretap local 10.0.1.11 remote 10.0.1.12
ip link set gretap1 up
brctl addif br-lan2 gretap1

Router2
ip link add gretap1 type gretap local 10.0.1.12 remote 10.0.1.11
ip link set gretap1 up
brctl addif br-lan2 gretap1

I tried a similar configuration in /etc/config/network without success.
Is there a way to make this config persistent?

jeff · May 2, 2019, 12:28pm

See my notes on config above -- worked quite well on master of last year with multiple tunnels between multiple routers carrying VLANs on the sub-interfaces of the GRE interfaces. For Ethernet or similar links, you probably need to remove the mtu line.

Interface names that are too long after the prefix was added will fail silently.

riodoro · May 2, 2019, 1:53pm

Thanks @jeff,
just fixed my problems when trying to bridge eth2 to gretap:

config interface 'lan2'
	option type 'bridge'  ; only for testing
	option proto 'dhcp'
	option ifname 'eth2 gre4t-gt'

config interface 'gt'
    option type 'bridge'
    option proto 'gretap'
    option ipaddr '10.0.1.11'
    option peeraddr '10.0.1.12'
    option delegate '0'

IPerf speed is about 4 GBit/s (inside the ESXi host).

system · May 12, 2019, 1:53pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.