EoIP+bridge Over WAN

Hi,

I’m looking to get some help with my current EoIP+bridge setup.

Currently, I have two CHRs connected to each other using EoIP. One is in a datacenter, and one is at home.
Despite being connected by EoIP, I am finding that unless I enable IPSEC with EoIP, I don’t get any traffic from the bridge located in the datacenter CHR.

Doing some packet captures, I can see that on the VLAN interface of the datacenter CHR, there are (correct) ARP requests/responses to the requests. However, when sniffing the EoIP Tunnel, I can only see the ARP request, and not the response. As soon as I enable IPSec by entering a secret into the IPSec secrets section of the EoIP configuration, the issue is fixed. However, due to the additional CPU overhead, I want to use EoIP without IPSec.

Regards,
Gary
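The captures described above (ARP request visible on the EoIP interface, reply missing) are the kind of evidence this thread turns on. The script below is an added example, not code from the thread or from MikroTik: it decodes EoIP-over-GRE frames as a pcap reader would hand them over and reports ARP requests that never got a reply inside the tunnel. It also classifies ESP (IP protocol 50) separately, because once an ipsec-secret is set on the tunnel the WAN carries ESP rather than GRE (protocol 47), so a capture filter or firewall rule that matches only GRE sees nothing. The EoIP header layout used here (GRE flags 0x2001, protocol type 0x6400, 16-bit payload length, 16-bit tunnel id) follows public dissectors but is an assumption, as are the byte order of those two fields and all addresses and MACs, which are constructed sample data.

```python
"""Decode EoIP-over-GRE frames from a capture and check ARP request/reply
pairing. Added example, not from the thread. Frames are raw Ethernet as a
pcap reader would return them; the ones here are constructed inline.
Assumed EoIP framing (matches public dissectors, but an assumption):
GRE flags 0x2001, protocol type 0x6400, 16-bit payload length, 16-bit
tunnel id, then the bridged Ethernet frame."""
import struct

ETH_P_IP, ETH_P_ARP = 0x0800, 0x0806
IPPROTO_GRE, IPPROTO_ESP = 47, 50          # GRE is what a WAN input rule must accept
EOIP_GRE_FLAGS, EOIP_GRE_PROTO = 0x2001, 0x6400
ARP_REQUEST, ARP_REPLY = 1, 2


def mac(s):
    return bytes.fromhex(s.replace(':', ''))


def ip4(s):
    return bytes(int(o) for o in s.split('.'))


def fmt_ip(b):
    return '.'.join(str(x) for x in b)


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Inner Ethernet+ARP frame as a LAN host would emit it."""
    dst = mac('ff:ff:ff:ff:ff:ff') if opcode == ARP_REQUEST else mac(target_mac)
    eth = dst + mac(sender_mac) + struct.pack('!H', ETH_P_ARP)
    arp = struct.pack('!HHBBH', 1, ETH_P_IP, 6, 4, opcode)
    arp += mac(sender_mac) + ip4(sender_ip) + mac(target_mac) + ip4(target_ip)
    return eth + arp


def build_eoip(outer_src, outer_dst, tunnel_id, inner, proto=IPPROTO_GRE):
    """Outer Ethernet+IPv4 carrying `inner` in GRE/EoIP. With proto=IPPROTO_ESP
    the payload is replaced by an opaque ESP-like blob, which is all a WAN
    capture shows once ipsec-secret is set on the tunnel."""
    if proto == IPPROTO_GRE:
        payload = struct.pack('!HHHH', EOIP_GRE_FLAGS, EOIP_GRE_PROTO,
                              len(inner), tunnel_id) + inner
    else:
        payload = b'\x00' * 8 + bytes(len(inner))   # dummy SPI/seq + ciphertext
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(payload), 0, 0x4000,
                     64, proto, 0, ip4(outer_src), ip4(outer_dst)) + payload
    return (mac('02:00:00:00:00:01') + mac('02:00:00:00:00:02')
            + struct.pack('!H', ETH_P_IP) + ip)


def classify(frame):
    """('gre', info) for an EoIP frame, ('esp', info) for ESP, else None.
    info carries tunnel_id and, for ARP payloads, opcode and addresses."""
    if len(frame) < 34 or struct.unpack('!H', frame[12:14])[0] != ETH_P_IP:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    proto, src, dst = ip[9], fmt_ip(ip[12:16]), fmt_ip(ip[16:20])
    if proto == IPPROTO_ESP:
        return 'esp', {'src': src, 'dst': dst}
    if proto != IPPROTO_GRE or len(ip) < ihl + 8:
        return None
    gre = ip[ihl:]
    flags, ptype, length, tid = struct.unpack('!HHHH', gre[:8])
    if ptype != EOIP_GRE_PROTO:
        return None                         # plain GRE, not EoIP
    inner = gre[8:8 + length]
    info = {'src': src, 'dst': dst, 'tunnel_id': tid, 'gre_flags': flags}
    if len(inner) >= 42 and struct.unpack('!H', inner[12:14])[0] == ETH_P_ARP:
        info.update(arp_op=struct.unpack('!H', inner[20:22])[0],
                    sender_ip=fmt_ip(inner[28:32]),
                    target_ip=fmt_ip(inner[38:42]))
    return 'gre', info


def audit_arp(frames):
    """Pair ARP requests with replies seen inside the tunnel. An entry in
    'unanswered' is the symptom from the thread: the request crossed the
    tunnel, the reply never did. 'esp_frames' counts opaque IPsec traffic."""
    asked, answered, esp = set(), set(), 0
    for frame in frames:
        result = classify(frame)
        if result is None:
            continue
        kind, info = result
        if kind == 'esp':
            esp += 1
        elif info.get('arp_op') == ARP_REQUEST:
            asked.add(info['target_ip'])
        elif info.get('arp_op') == ARP_REPLY:
            answered.add(info['sender_ip'])
    return {'unanswered': sorted(asked - answered), 'esp_frames': esp}


# Constructed sample: home side asks for 10.0.0.2, a datacenter host answers.
HOME, DC = '198.51.100.20', '203.0.113.10'   # documentation-range endpoints
SAMPLE_REQUEST = build_eoip(HOME, DC, 100, build_arp(
    ARP_REQUEST, '52:54:00:aa:00:01', '10.0.0.1', '00:00:00:00:00:00', '10.0.0.2'))
SAMPLE_REPLY = build_eoip(DC, HOME, 100, build_arp(
    ARP_REPLY, '52:54:00:bb:00:02', '10.0.0.2', '52:54:00:aa:00:01', '10.0.0.1'))

if __name__ == '__main__':
    print('request only :', audit_arp([SAMPLE_REQUEST]))
    print('with reply   :', audit_arp([SAMPLE_REQUEST, SAMPLE_REPLY]))
```

To use it on a real capture, feed `audit_arp` the raw frames from the EoIP interface sniff on one CHR and from the WAN interface on the other; a non-empty `unanswered` list on the tunnel side together with a clean LAN-side capture reproduces the thread's symptom, while a non-zero `esp_frames` count on the WAN means the IPsec secret is in effect and nothing GRE-specific will match.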

Sorry, not an answer, but.

Pretty sure the IPsec is going to be hardware offloaded, so it is going to take minimal CPU.

One thought,
Do you have appropriate firewall rules to allow the GRE protocol in from the remote peer?

The default rules cause traffic wrapped in IPsec to be allowed.

For intra-LAN traffic, there is no need to use anything else than EoIP on its own.
When crossing a WAN, one should really consider some encryption method.
My personal preference is WireGuard since it's easier to set up for me. I have plenty of EoIP connections running over WireGuard using all sorts of devices (exclusively for management traffic).

Depends on the encryption method used. If not, it's SW, hence CPU.
See here which methods are offloaded for different chips:
https://help.mikrotik.com/docs/display/ROS/IPsec#IPsec-Hardwareacceleration

But … CHR is Cloud Hosted Router, so no switch chip to HW offload to?
Probably the x86 line then?

Correct observation.

Hi,

The correct firewall permissions to allow GRE from the remote hosts have already been added.
During testing, I have also tried just allowing all traffic from the remote host (in addition to GRE) with no difference.

Hi,
I’ve been kind of trying to avoid using IPsec as the traffic inside the tunnel is already encrypted.

I can also confirm this is on x86 HW. Both CHR instances are hosted on separate Proxmox VMs.

Some more info on this setup:
Home CHR - I have direct access to this server, so the Mellanox ConnectX-3 is attached to the CHR via PCIe passthrough.
Datacenter CHR - I don’t have direct access to this server, so the virtio interface of the CHR is connected to a bridge that has the server’s Ethernet interface as one of its members. The CHR gets its own IP/gateway, and the Proxmox server has an IP set on the bridge.

I’m not entirely sure if it’s possible that the bridge is affecting EoIP, as the datacenter CHR does not control the host network interface. I’m looking for more info on this as well, as I’ve seen some posts where users have had to enable promiscuous mode on their systems before EoIP would work. If I have some time today, I will try to see whether a PCIe passthrough of the datacenter Proxmox’s network card will work.

Thanks,
Gary

How? EoIP on its own doesn’t encrypt anything.

The SDN overlay that runs on top of the L2 network will be performing encryption.

What’s the problem then?