EdgeRouter - Layer-2 bridge over GRE tunnel

Overview


Readers will learn how to configure a layer-2 GRE (generic routing encapsulation) tunnel between two separate routers.

 

[Diagram: Sample LANs bridged over GRE tunnel using two EdgeRouters.]


The diagram above shows the GRE tunnel crossing the Internet, but GRE provides no encryption, so if you are going over a public network you will likely want to protect the GRE tunnel with an IPsec tunnel. For illustration purposes we'll assume the following:


R1's WAN interface is eth1 with the address 15.0.0.1/24; its LAN interface is eth0, and the subnet being bridged is 100.0.0.0/24.
R2's WAN interface is eth1 with the address 15.0.0.2/24; its LAN interface is eth0.

First we'll create the GRE tunnel:


ubnt@R1:~$ configure 
[edit]
ubnt@R1# set interfaces tunnel tun0 encapsulation gre-bridge 
[edit]
ubnt@R1# set interfaces tunnel tun0 local-ip 15.0.0.1        
[edit]
ubnt@R1# set interfaces tunnel tun0 remote-ip 15.0.0.2
[edit]
ubnt@R1# commit
[edit]

Note: the tunnel encapsulation is gre-bridge, not gre.

Then we'll create a bridge interface and add eth0 and tun0 to its bridge-group.


ubnt@R1:~$ configure 
[edit]
ubnt@R1# set interfaces bridge br0 
[edit]
ubnt@R1# set interfaces ethernet eth0 bridge-group bridge br0
[edit]
ubnt@R1# set interfaces tunnel tun0 bridge-group bridge br0
[edit]
ubnt@R1# commit
[ interfaces ethernet eth0 bridge-group ]  
Adding interface eth0 to bridge br0
[edit]
ubnt@R1# exit; save 
Warning: configuration changes have not been saved.
exit

Now, if we ping from a workstation on R1's LAN (100.0.0.100) to a workstation on R2's LAN (100.0.0.100), let's look at what the packet looks like as it leaves R2:

At a high level the packet has the following encapsulation: eth:ip:gre:eth:ip:icmp:data.

Ethernet II, Src: dc:9f:db:17:12:35 (dc:9f:db:17:12:35), Dst: dc:9f:db:29:05:f6 (dc:9f:db:29:05:f6)
   Destination: dc:9f:db:29:05:f6 (dc:9f:db:29:05:f6)
       Address: dc:9f:db:29:05:f6 (dc:9f:db:29:05:f6)
   Source: dc:9f:db:17:12:35 (dc:9f:db:17:12:35)
   Type: IP (0x0800)
Internet Protocol, Src: 15.0.0.2 (15.0.0.2), Dst: 15.0.0.1 (15.0.0.1)
   Version: 4
   Header length: 20 bytes
   Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
   Total Length: 1500
   Identification: 0x0000 (0)
   Flags: 0x02 (Don't Fragment)
   Fragment offset: 0
   Time to live: 64
   Protocol: GRE (0x2f)
   Header checksum: 0x16f1 [correct]
   Source: 15.0.0.2 (15.0.0.2)
   Destination: 15.0.0.1 (15.0.0.1)
Generic Routing Encapsulation (Transparent Ethernet bridging)
   Flags and version: 0000
   Protocol Type: Transparent Ethernet bridging (0x6558)
Ethernet II, Src: Ubiquiti_07:07:21 (00:15:6d:07:07:21), Dst: dc:9f:db:17:13:8e (dc:9f:db:17:13:8e)
   Destination: dc:9f:db:17:13:8e (dc:9f:db:17:13:8e)
       Address: dc:9f:db:17:13:8e (dc:9f:db:17:13:8e)
   Source: Ubiquiti_07:07:21 (00:15:6d:07:07:21)
       Address: Ubiquiti_07:07:21 (00:15:6d:07:07:21)
   Type: IP (0x0800)
Internet Protocol, Src: 100.0.0.101 (100.0.0.101), Dst: 100.0.0.100 (100.0.0.100)
   Version: 4
   Header length: 20 bytes
   Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
   Total Length: 1462
   Identification: 0x0000 (0)
   Flags: 0x02 (Don't Fragment)
   Fragment offset: 0
   Time to live: 64
   Protocol: ICMP (0x01)
   Header checksum: 0x6c7e [correct]
   Source: 100.0.0.101 (100.0.0.101)
   Destination: 100.0.0.100 (100.0.0.100)
Internet Control Message Protocol
   Type: 8 (Echo (ping) request)
   Code: 0 ()
   Checksum: 0xe7da [correct]
   Identifier: 0x0e90
   Sequence number: 1 (0x0001)
   Data (1434 bytes)

The gre-bridge interface knows that it will be adding 38 bytes of headers (GRE 4, Ethernet 14, IP 20), so the tunnel interface has automatically reduced its MTU from 1500 to 1462:

ubnt@R1:~$ show interfaces tunnel tun0   
tun0@NONE: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1462 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 12:5b:3a:c1:4a:f1 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::105b:3aff:fec1:4af1/64 scope link 
       valid_lft forever preferred_lft forever

    RX:  bytes    packets     errors    dropped    overrun      mcast
          3186         34          0          0          0          0
    TX:  bytes    packets     errors    dropped    carrier collisions
          3166         34          0          0          0          0
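To see the same layering in code, here is an added Python example (not part of the Ubiquiti article) that builds a frame from the values in the decode above and walks the eth:ip:gre:eth:ip:icmp chain. The frame is constructed here: the MACs, addresses, lengths and ICMP id/sequence are the article's, while the 1434 data bytes are zero-filled because the article does not show them, so the two IP header checksums come out identical to the decode (0x16f1 and 0x6c7e) but the ICMP checksum does not. The carries_cleartext_l2 predicate is the defender's reading of the capture: a GRE header carrying Transparent Ethernet bridging on the WAN is the LAN's traffic in the clear, which is why the article recommends IPsec over a public network.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_ICMP = 0x01
IPPROTO_GRE = 0x2F
GRE_PROTO_TEB = 0x6558  # Transparent Ethernet bridging: the GRE protocol type gre-bridge emits


def ones_complement_sum(data):
    """RFC 1071 checksum; evaluates to 0 over data that already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _mac(text):
    return bytes.fromhex(text.replace(":", ""))


def _fmt_mac(raw):
    return ":".join("%02x" % b for b in raw)


def _ip(text):
    return bytes(int(octet) for octet in text.split("."))


def _fmt_ip(raw):
    return ".".join(str(b) for b in raw)


def ethernet_frame(src, dst, ethertype, payload):
    return _mac(dst) + _mac(src) + struct.pack("!H", ethertype) + payload


def ipv4_packet(src, dst, proto, payload):
    """IPv4 header with DF set, TTL 64 and id 0, as in the article's decode; checksum filled in."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64,
                         proto, 0, _ip(src), _ip(dst))
    return header[:10] + struct.pack("!H", ones_complement_sum(header)) + header[12:] + payload


# Constructed sample frame reproducing the article's decode (MACs, addresses, lengths, id/seq).
# The 1434 ICMP data bytes are not shown in the article, so they are zero-filled here.
_icmp = struct.pack("!BBHHH", 8, 0, 0, 0x0E90, 1) + bytes(1434)
_icmp = _icmp[:2] + struct.pack("!H", ones_complement_sum(_icmp)) + _icmp[4:]
_inner = ethernet_frame("00:15:6d:07:07:21", "dc:9f:db:17:13:8e", ETHERTYPE_IPV4,
                        ipv4_packet("100.0.0.101", "100.0.0.100", IPPROTO_ICMP, _icmp))
_gre = struct.pack("!HH", 0x0000, GRE_PROTO_TEB)  # no C/K/S flag bits: the base 4-byte header only
SAMPLE_FRAME = ethernet_frame("dc:9f:db:17:12:35", "dc:9f:db:29:05:f6", ETHERTYPE_IPV4,
                              ipv4_packet("15.0.0.2", "15.0.0.1", IPPROTO_GRE, _gre + _inner))


def decode_stack(frame):
    """Walk the encapsulation chain and return one dict per layer, including its header length."""
    layers, buf, nxt = [], frame, "eth"
    while nxt and buf:
        if nxt == "eth":
            dst, src, ethertype = buf[:6], buf[6:12], struct.unpack("!H", buf[12:14])[0]
            layers.append({"layer": "eth", "hdr_len": 14, "src": _fmt_mac(src),
                           "dst": _fmt_mac(dst), "type": ethertype})
            buf, nxt = buf[14:], ("ip" if ethertype == ETHERTYPE_IPV4 else None)
        elif nxt == "ip":
            vihl, _, total, _, _, ttl, proto, csum, src, dst = struct.unpack("!BBHHHBBH4s4s", buf[:20])
            ihl = (vihl & 0x0F) * 4
            layers.append({"layer": "ip", "hdr_len": ihl, "total_len": total, "ttl": ttl,
                           "proto": proto, "src": _fmt_ip(src), "dst": _fmt_ip(dst),
                           "checksum": csum, "checksum_ok": ones_complement_sum(buf[:ihl]) == 0})
            buf = buf[ihl:total]  # honour the IP total length; drops any trailing Ethernet padding
            nxt = {IPPROTO_GRE: "gre", IPPROTO_ICMP: "icmp"}.get(proto)
        elif nxt == "gre":
            flags, proto = struct.unpack("!HH", buf[:4])
            # RFC 2784/2890: the C, K and S flag bits each add a 4-byte word after the base header
            hdr_len = 4 + 4 * sum(1 for bit in (0x8000, 0x2000, 0x1000) if flags & bit)
            layers.append({"layer": "gre", "hdr_len": hdr_len, "flags": flags, "proto": proto})
            buf, nxt = buf[hdr_len:], ("eth" if proto == GRE_PROTO_TEB else None)
        elif nxt == "icmp":
            itype, code, _, ident, seq = struct.unpack("!BBHHH", buf[:8])
            layers.append({"layer": "icmp", "hdr_len": 8, "type": itype, "code": code, "id": ident,
                           "seq": seq, "checksum_ok": ones_complement_sum(buf) == 0})
            layers.append({"layer": "data", "hdr_len": 0, "len": len(buf) - 8})
            buf, nxt = b"", None
    return layers


def encapsulation_path(layers):
    """The 'eth:ip:gre:eth:ip:icmp:data' summary the article gives."""
    return ":".join(layer["layer"] for layer in layers)


def carries_cleartext_l2(layers):
    """True when GRE with Transparent Ethernet bridging wraps a LAN frame: on a WAN-side capture
    this is the bridged LAN traffic, readable by anyone on the path unless IPsec wraps it."""
    return any(layer["layer"] == "gre" and layer["proto"] == GRE_PROTO_TEB for layer in layers)


def encapsulation_overhead(layers):
    """Bytes the tunnel put in front of the bridged frame: outer IP + GRE + the inner Ethernet header."""
    gre_at = [i for i, layer in enumerate(layers) if layer["layer"] == "gre"]
    if not gre_at:
        return 0
    i = gre_at[0]
    return layers[i - 1]["hdr_len"] + layers[i]["hdr_len"] + layers[i + 1]["hdr_len"]


if __name__ == "__main__":
    for layer in decode_stack(SAMPLE_FRAME):
        print(layer)
```

The GRE branch handles the optional checksum, key and sequence words even though gre-bridge sends none of them, so the same walker works on captures from other GRE tunnels; the IP branch trusts the total length field, which is what lets it ignore trailing Ethernet padding on short frames.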

L2 Bridge over OpenVPN

The same concept can be used to bridge over an OpenVPN site-to-site tunnel.

ubnt@R1:~$ configure 
[edit]
ubnt@R1# delete interfaces tunnel 
[edit]
ubnt@R1# commit
[edit]
ubnt@R1# set interfaces openvpn vtun0 mode site-to-site 
[edit]
ubnt@R1# set interfaces openvpn vtun0 remote-host 15.0.0.2
[edit]
ubnt@R1# set interfaces openvpn vtun0 shared-secret-key-file /config/auth/secret
[edit]
ubnt@R1# set interfaces openvpn vtun0 bridge-group bridge br0  
[edit]
ubnt@R1# commit
[edit]
ubnt@R1# save  
Saving configuration to '/config/config.boot'...
Done
[edit]
ubnt@R1# exit
exit

With OpenVPN, the MTU reduction depends on whether the tunnel runs over UDP (8-byte header) or TCP (20-byte header), plus the 14-byte Ethernet and 20-byte IP headers.
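The overhead arithmetic for both tunnel types, as an added Python example (not from the article): it reproduces the 38-byte gre-bridge figure from the GRE section, applies the same counting to the OpenVPN UDP and TCP cases described above, derives the tunnel MTU and the largest ping payload that fits, and checks the MTU reported by a `show interfaces` line against the prediction. The `extra` parameter and the encapsulation names are this example's own; the SHOW_TUN0 string is copied from the article's `show interfaces tunnel tun0` output.

```python
import re

# Header sizes the article counts for each encapsulation: the tunnel's outer IP header, its
# transport header, and the bridged LAN frame's own Ethernet header that now rides inside the
# tunnel. The outer Ethernet header on the WAN link is not counted because it sits outside the
# WAN interface's MTU.
ENCAP_HEADERS = {
    "gre-bridge":  {"ip": 20, "gre": 4, "inner-eth": 14},
    "openvpn-udp": {"ip": 20, "udp": 8, "inner-eth": 14},
    "openvpn-tcp": {"ip": 20, "tcp": 20, "inner-eth": 14},
}
IPV4_HEADER, ICMP_HEADER = 20, 8


def tunnel_overhead(encap, extra=0):
    """Bytes added to every bridged frame. `extra` (assumed hook, default 0) is for overhead the
    article does not count, such as OpenVPN's own packet framing; 0 reproduces the article's figures."""
    return sum(ENCAP_HEADERS[encap].values()) + extra


def tunnel_mtu(encap, wan_mtu=1500, extra=0):
    """Largest payload the tunnel interface can carry: the WAN MTU minus the overhead."""
    return wan_mtu - tunnel_overhead(encap, extra)


def max_ping_payload(encap, wan_mtu=1500, extra=0):
    """Largest `ping -s` size a LAN host can push through the bridge unfragmented:
    the tunnel MTU minus the IPv4 and ICMP headers of the probe itself."""
    return tunnel_mtu(encap, wan_mtu, extra) - IPV4_HEADER - ICMP_HEADER


def frame_fits(encap, ip_total_length, wan_mtu=1500, extra=0):
    """Whether an IP packet of this total length, bridged in from the LAN, fits the tunnel MTU.
    A Layer-2 bridge forwards frames as they are and does not fragment IP on the host's behalf,
    so LAN hosts must keep their packets within tunnel_mtu()."""
    return ip_total_length <= tunnel_mtu(encap, wan_mtu, extra)


def budget_table(wan_mtu=1500, extra=0):
    """One row per encapsulation: overhead, resulting tunnel MTU and safe ping payload."""
    return {encap: {"overhead": tunnel_overhead(encap, extra),
                    "tunnel_mtu": tunnel_mtu(encap, wan_mtu, extra),
                    "max_ping_payload": max_ping_payload(encap, wan_mtu, extra)}
            for encap in ENCAP_HEADERS}


def reported_mtu(show_output):
    """Pull the MTU out of `show interfaces tunnel tun0` / `show interfaces openvpn vtun0` output."""
    match = re.search(r"\bmtu (\d+)", show_output)
    return int(match.group(1)) if match else None


def mtu_matches(encap, show_output, wan_mtu=1500, extra=0):
    """Check that the MTU the router reports is the one the overhead arithmetic predicts."""
    return reported_mtu(show_output) == tunnel_mtu(encap, wan_mtu, extra)


# First line of the article's `show interfaces tunnel tun0` output, used as the sample input.
SHOW_TUN0 = "tun0@NONE: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1462 qdisc pfifo_fast state UNKNOWN qlen 1000"

if __name__ == "__main__":
    for encap, row in budget_table().items():
        print(encap, row)
    print("tun0 MTU as expected:", mtu_matches("gre-bridge", SHOW_TUN0))
```

For gre-bridge the result is an MTU of 1462 and a 1434-byte ping payload, which is exactly the Data (1434 bytes) the ICMP decode in the GRE section shows. For the OpenVPN rows the figures are upper bounds: beyond the UDP or TCP header counted above, OpenVPN adds its own per-packet framing (replay counter, IV and HMAC, whose sizes depend on the cipher and digest), so measure the real path with `ping -M do -s <size>` from a LAN host across the bridge and pass the difference as `extra`.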