Thursday, January 05, 2012

Bridging networks with OpenWrt (r29611) using L2TPv3

As OpenWrt Wiki lacks this particular example (there's other L2TPv3 examples) I guess better I document it somewhere.



First of all there's few bugs to be aware. Start by removing 'prepare_interface "$link" "$cfg"' line from /lib/network/l2tp.sh. Without doing this change your L2TPv3 link will come up but it won't be added to bridge.

Secondly l2tp.sh contains infinite loop that can prevent network initialization from completing. Using non-existing address for local IP in L2TP configuration will trigger this problem. Therefore use static WAN IP and make sure it's same as your L2TP local IP.

Example setup uses two routers running x86 version of OpenWrt under VMware Workstation. This is only for creating Layer-2 bridge between two OpenWrt devices. It requires static IP addresses from Internet on both end of connection and DOES NOT encrypt your traffic. Performance difference when compared to for example OpenVPN with 'crypto null' which disables encryption is quite significant. 15MB/s with L2TPv3 and 5MB/s with OpenVPN. Well we all know that while OpenVPN is nice it's not suitable if you need high performance.


OpenWrt-1


  • eth0, static, 80.80.80.203, wan (Internet)

  • eth1, static, 192.168.1.1, lan

  • eth2, static, 192.168.2.11, remotelan (Bridged from OpenWrt-2 lan)


OpenWrt-2


  • eth0, static, 80.80.80.204, wan (Internet)

  • eth1, static, 192.168.2.1, lan

  • eth2, static, 192.168.1.12, remotelan (Bridged from OpenWrt-1 lan)

Configuration for OpenWrt-1
/etc/config/network:  
config 'interface' 'loopback'
 option 'ifname' 'lo'
 option 'proto' 'static'
 option 'ipaddr' '127.0.0.1'
 option 'netmask' '255.0.0.0'

config 'interface' 'wan'
 option 'ifname' 'eth0'
 option 'proto' 'static'
 option 'ipaddr' '80.80.80.203'
 option 'netmask' '255.255.255.0'
 option 'gateway' '80.80.80.1'
 option 'dns' '8.8.8.8 8.8.4.4'

config 'interface' 'lan'
 option 'type' 'bridge'
 option 'proto' 'static'
 option 'ipaddr' '192.168.1.1'
 option 'netmask' '255.255.255.0'
 option 'ifname' 'eth1 l2tp-qwerty'

config 'interface' 'qwerty'
 option 'proto' 'l2tp'
 option 'encap' 'ip'
 #option 'encap' 'udp'
 #option 'sport' '1702'
 #option 'dport' '1701'
 option 'localaddr' '80.80.80.203'
 option 'peeraddr' '80.80.80.204'
 option 'tunnel_id' '1'
 option 'peer_tunnel_id' '1'
 option 'session_id' '1'
 option 'peer_session_id' '1'

config 'interface' 'remotelan'
 option 'type' 'bridge'
 option 'proto' 'static'
 option 'ipaddr' '192.168.2.11'
 option 'netmask' '255.255.255.0'
 option 'ifname' 'eth2 l2tp-xyzzy'

config 'interface' 'xyzzy'
 option 'proto' 'l2tp'
 option 'encap' 'ip'
 #option 'encap' 'udp'
 #option 'sport' '1702'
 #option 'dport' '1701'
 option 'localaddr' '80.80.80.203'
 option 'peeraddr' '80.80.80.204'
 option 'tunnel_id' '1'
 option 'peer_tunnel_id' '1'
 option 'session_id' '2'
 option 'peer_session_id' '2'


/etc/config/firewall:

ADD:
config 'rule'
 option 'target' 'ACCEPT'
 option 'src' 'lan'
 option 'dest' 'lan'
 option 'name' 'Intra allow'
 option 'proto' 'all'

EDIT:
config 'zone'
 option 'name' 'lan'
 option 'input' 'ACCEPT'
 option 'output' 'ACCEPT'
 option 'forward' 'REJECT'
 option 'network' 'lan remotelan'


Configuration for OpenWrt-2
/etc/config/network:
config 'interface' 'loopback'
 option 'ifname' 'lo'
 option 'proto' 'static'
 option 'ipaddr' '127.0.0.1'
 option 'netmask' '255.0.0.0'

config 'interface' 'wan'
 option 'ifname' 'eth0'
 option 'proto' 'static'
 option 'ipaddr' '80.80.80.204'
 option 'netmask' '255.255.255.0'
 option 'gateway' '80.80.80.1'
 option 'dns' '8.8.8.8 8.8.4.4'

config 'interface' 'lan'
 option 'type' 'bridge'
 option 'proto' 'static'
 option 'ipaddr' '192.168.2.1'
 option 'netmask' '255.255.255.0'
 option 'ifname' 'eth1 l2tp-xyzzy'

config 'interface' 'xyzzy'
 option 'proto' 'l2tp'
 option encap ip
 #option 'encap' 'udp'
 #option 'sport' '1702'
 #option 'dport' '1701'
 option 'localaddr' '80.80.80.204'
 option 'peeraddr' '80.80.80.203'
 option 'tunnel_id' '1'
 option 'peer_tunnel_id' '1'
 option 'session_id' '2'
 option 'peer_session_id' '2'

config 'interface' 'remotelan'
 option 'type' 'bridge'
 option 'proto' 'static'
 option 'ipaddr' '192.168.1.12'
 option 'netmask' '255.255.255.0'
 option 'ifname' 'eth2 l2tp-qwerty'

config 'interface' 'qwerty'
 option 'proto' 'l2tp'
 option encap ip
 #option 'encap' 'udp'
 #option 'sport' '1702'
 #option 'dport' '1701'
 option 'localaddr' '80.80.80.204'
 option 'peeraddr' '80.80.80.203'
 option 'tunnel_id' '1'
 option 'peer_tunnel_id' '1'
 option 'session_id' '1'
 option 'peer_session_id' '1'


/etc/config/firewall:

ADD:
config 'rule'
 option 'target' 'ACCEPT'
 option 'src' 'lan'
 option 'dest' 'lan'
 option 'name' 'Intra allow'
 option 'proto' 'all'

EDIT:
config 'zone'
 option 'name' 'lan'
 option 'input' 'ACCEPT'
 option 'output' 'ACCEPT'
 option 'forward' 'REJECT'
 option 'network' 'lan remotelan'

No comments:

Post a Comment

Got something to say?!