Can we use the Wiregard tunnel/connection/ to transport eoip/s/ on it?
Strange request as with wireguard, EOIP is not required from my understanding.
Further, in fear of incurring the wrath of Mozerd LOL, why not use Zerotier?
What is the use case you wish to solve… My clients need to ???
Yes, why not. EoIP is literally Ethernet over IP, and Wireguard is an IP VPN, so no reason why it should not work.
Thanks Sindy ! EoIP over Wireguard works, I tested it. But I want to replace some ppp connections that carry some eoips / vlans / with something more secure, but also with more performance and throughput .Is it a problem that I can’t send full vlan mtu1500 as in PPP connections, because now it’s 1378 ?
@anav Let’s hope he doesn’t see this thread.
But a EoIP over Wireguard is seems a pretty clean, point-to-point L2 tunnel. Since it’s riding inside an encrypted Wireguard tunnel, one thing to watch is you WON’T need IPSec enable it (and that would reduce your MTU further with EoIP if enabled)
ZeroTier might help with the MTU issue – it’s “VL1” has a 2800 MTU, so AFAIK it should preserve MTU… But haven’t test that.
That mostly depends on how the ISPs between your two endpoints handle packet fragments. Wireguard most likely doesn’t do anything about fragmentation, so once the Wireguard transport packet exceeds the MTU of the underlying interface, it gets fragmented. So if the fragments get to the destination and the transport packets get reassembled successfully, everything is fine; if not (which unfortunately happens quite often), you’ll have to revert to L2TP in BCP mode with MLPPP. And L2TP doesn’t support vlan-filtering directly on the bridges it links, so if you need that, you have to use bridge stacking using /interface vlan with use-service-tag=yes. Or maybe L2TPv3 in L2 mode is more flexible in this regard, but I was unable to make it work so far, and I have no idea whether it supports MLPPP too.
Good point Sindy, as in my wireguard setting I had to change the MTU to 1500 for the OPs needs to work, and there was fragmentation but it didnt seem to effect outcomes.
If zerotier avoids wireguard and its MTU settings potential issues perhaps that is a good reason to use it.
On my desk at home… Sits an hAP AC2. It’s powered on port 1 from the CRS328 in my basement. All ports are bridged and I have VLAN filtering on. Ports 1,2,3,4 are all PVID VLAN1. Port 5 VLAN 254.
If I move the jack from my laptop to port 5 on that switch. I am EOIP to the office.
Not only does that give me full layer 2. But it also sends all my traffic over there to match our ACLs. Many of the remote sites we manage allow connections from our office only.
I took that out of the PPtP tunnel years ago when I could add IPSEC to the EoIP tunnel. I had to write a pick on the DHCP client to write the local IP to the EoIP tunnel on each DHCP request… But it has worked without a hit for a while.
Using Wireguard as the connector and sticking the EoIP tunnel to the IP addresses seems interesting.
However…
Maybe I need to rethink Zerotier.
I am using it to bridge into a network. So an external client can see the broadcasts on Remote LAN. This solved a connectivity problem I have been stuck with for years.
But if I used Zeroteir as to points and added the routes for each side using the assigned IPs… That would make Zerotier the transport. It kills my broadcasts as it’s back to routing rather than bridging… Hmm…
And L2TP doesn’t support > vlan-filtering > directly on the bridges it links, so if you need that, you have to use bridge stacking using > /interface vlan > with > use-service-tag=yes> .
Does it mean that l2tp has to be in the bridge port (BCP) than on the bridge interface we can create vlans, is that what you saying?
It’s interesting, L2TP doesn’t support vlan-filtering, but WDS does.
And for vlan-filtering both are dynamic interfaces.
Well gotsprings sounds like something in your zerotier approach may be wrong as it supposed to act like a virtual switch connection, just what you need!
Umm it does…
When I am on a computer running zerotier.
That is connected to a network where I have Zerotier running as a BRIDGE (REMOTELY).
I get my broadcasts.
Now if I was to run zerotier on 2 routers and make them part of the same network… that is what I was “typing out loud” about.
Regardless but yes that is the scenario I am thinking about… subnet to subnet via zerotier (via router instance to router instance) a virtual switch…
Does that mean for example I could have a vlan on router1 and a different vlan on router2 but link them as if they were on the same subnet via zerotier ???
I did not understand your rephrasing of what I am saying 
What I am saying is that is that if vlan-filtering was set to yes on the bridges indicated on the /ppp profile row used by the /interface l2tp-client row and by the corresponding /ppp secret row at server side, VLAN-tagged packets did not pass between the bridges.
So my workaround is to link two auxiliary bridges with vlan-filtering=no and ether-type=0x88a8, make them carrier interfaces for /interface vlan with use-service-tag=yes vlan-id=999, and make these /interface vlan member ports of another pair of bridges with vlan-filtering=yes. It takes 4 more bytes per frame but it is still worth it compared to the overhead of EoIP and given that no fragmentation of the transport packets takes place thanks to MLPPP.
However , you need to use BCP it you willing to play with l2tp, or if you play with eoip, that everything you say will fit.(don’t need separate bridge, EoIP will work with bridge-filtering)
I’m not so sure whether i understand this part:
/interface vlan member ports of another pair of bridges with vlan-filtering=yes
can i get more info pls
is that recommendation related to this
/interface vlan
add interface=eoip-vl50 name=s-vlan50 use-service-tag=yes vlan-id=50
/interface bridge
add name=bridge-x vlan-filtering=yes
/interface bridge port
add bridge=bridge-x interface=s-vlan50
add bridge=bridge-x interface=ether1 pvid=10
add bridge=bridge-x interface=ether2 pvid=20
add bridge=bridge-x interface=ether3 pvid=30
Yes, except that if the L2 tunnel is an EoIP one, this workaround is not necessary at all. It is specifically required only if you want to use BCP instead of EoIP in order to avoid IP-level fragmentation of the transport packets of the tunnel, and at the same time you need vlan filtering on the bridges.
just one note here, for someone who want to use this. Frame Tyme should be admin all
Corrected for clarity
quote: “just one note here, for someone who wants to use this. Frame Type should be admit all”
(note to nichky, dont type after consuming 2 bottles of vodka)
I do my best work after a bottle of tequila.
(note to nichky,
dont type after consuming 2 bottles of vodka)
can you can check all my comments and correct me? lol