
Layer 2 VPN Tunnel

Discussion in 'Tomato Firmware' started by Firov, Apr 9, 2010.

  1. Firov

    Firov Addicted to LI Member

    Hello everyone,

    Quick bit of background. I've been using 2 Asus WL-520gU routers with DD-WRT firmware to form a site-to-site layer 2 VPN tunnel between two buildings, each with a symmetrical 30 megabit internet connection. This has worked well for a year or so now, with one exception, the transfer speed over the VPN is quite slow, far far beneath the WAN connection speed. This is almost certainly due to the lack of CPU power available from the little Asus WL-520gU.

    So, with that in mind, I've purchased 2 Asus RT-N16 routers. Now, I could use DD-WRT to reform the VPN tunnel with that hardware, and will if I must, but DD-WRT is, well..., frankly, slow. Very slow, in fact, and it's not just the VPN I'm talking about. Even the Web GUI is slow with DD-WRT, and God have mercy on your poor pathetic soul if you choose to enable QoS on DD-WRT.

    Which brings me to Tomato. I've been hearing extremely good things about the Tomato firmware and its speed/responsiveness, and it seems to support both OpenVPN tunnels and the RT-N16 hardware. So, the only point of uncertainty for me is whether it supports ebtables [sourceforge].

    My VPN layout is as follows.
    [image: VPN layout diagram]

    So what I need ebtables for, and what iptables is totally incapable of doing, is preventing DHCP broadcasts from traversing the VPN tunnel. AKA filtering layer 2 traffic.

    Each router should take care of DHCP requests on its side of the VPN tunnel. Under absolutely no circumstances should a VPN reply pass over the VPN tunnel, because if that happens whatever host gets that DHCP reply is going to start sending all traffic destined for the internet over the VPN to its new default-gateway. Inefficient, to say the very least.

    So, the one little question that all of this has been leading up to.....

    1. Is it possible to configure ebtables on the OpenVPN version of Tomato?


    Note - If you've read to this point, go to the kitchen and get a nice cookie. You've earned it. :)
     
  2. rhester72

    rhester72 Network Guru Member

    ebtables was once part of Tomato but removed because it made the router extremely unstable. A _lot_ has changed since (the kernel on unofficial Tomato changed from 2.4 to 2.6, for instance), and it -may- be possible to reintroduce ebtables - I'd leave that decision up to teddy_bear since it represents a pretty big change.

    Rodney
     
  3. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    At one point, Jon (the Tomato author) included ebtables, but it caused enough problems that he removed it in the next release.

    There have been several people looking to do the same thing as you (block cross-TAP DHCP), and I've tried to give suggestions. However, when I give something for them to try, I don't hear back (good sign?).

    In short, I don't know if this works, but rather than blocking the DHCP traffic from crossing the tunnel, maybe you could just make dnsmasq not respond to DHCP request that came over the tunnel:
    Code:
    no-dhcp-interface=tap21
    That would go in the dnsmasq custom configuration section, and would need to be changed to tap11 on the client side.
     
  4. Firov

    Firov Addicted to LI Member

    An interesting solution to the problem, SgtPepper! I didn't realize DNSMasq was capable of doing that. I'll look into that and report back once I get the RT-N16's in the mail.

    Thanks to both of you for your extremely fast replies. If the Tomato firmware is even half as good as the community that uses it, then it should be a formidable firmware indeed.
     
  5. Firov

    Firov Addicted to LI Member

    Well, I bring grim news...

    While the Tomato firmware is working perfectly on my new RT-N16's, and is much, much faster than DD-WRT on my old WL-520gU's, configuring DNSMasq not to listen for DHCP Requests on the tap interface didn't work. I believe I know why, too. The logs show the DHCP requests as coming from the br0 interface, which, if I'm not mistaken, is the 4 port switch integrated into the router. This makes sense, as I believe a tap interface has to be bridged with the switch in order to function properly (it is a layer 2 connection, after all).

    Still, that knowledge doesn't help me much.

    This isn't a massive problem that is going to crush my network or anything, but still, I would like to find some solution, and since Tomato doesn't support ebtables my old method of simply screening VPN traffic won't work.

    So, any other ideas?
     
  6. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Well, crud. I was hoping it would still know what non-br0 interface it was from.

    Less than ideal, but you could block individual MAC addresses on the other side of the tunnel:
    Code:
    dhcp-host=11:22:33:44:55:66,ignore
    
    I guess that would only be useful, though, if the devices connected remain pretty static.
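    The two posts above describe the failure mode (dnsmasq sees every DHCP request on br0 because the TAP interface is bridged into the switch, so `no-dhcp-interface=tapNN` cannot tell local from remote clients) and the fallback (`dhcp-host=MAC,ignore` per remote host). As an added example, not from the thread or the Tomato project, the script below audits dnsmasq-dhcp log lines for leases the local router handed to hosts that belong to the other end of the tunnel, and generates the matching ignore lines. The MAC list and log lines are constructed for illustration.

```python
"""Audit dnsmasq DHCP logs for leases served across a bridged TAP tunnel and
emit the dhcp-host=...,ignore lines that stop the local dnsmasq answering.

Added example; not from the thread or the Tomato project. The MAC list and
log lines below are constructed for illustration."""
import re
from typing import Dict, List, Set

# Constructed: MACs known to live at the remote site (for instance copied
# from the remote router's own DHCP lease list).
REMOTE_SITE_MACS: Set[str] = {
    "00:11:22:33:44:55",
    "00:11:22:33:44:66",
}

# Constructed dnsmasq-dhcp log lines in the usual syslog layout. Every request
# shows up on br0, which is exactly why no-dhcp-interface=tapNN does not help.
SAMPLE_LOG: List[str] = [
    "Apr  9 10:00:01 router dnsmasq-dhcp[401]: DHCPDISCOVER(br0) aa:bb:cc:dd:ee:01",
    "Apr  9 10:00:01 router dnsmasq-dhcp[401]: DHCPOFFER(br0) 192.168.1.101 aa:bb:cc:dd:ee:01",
    "Apr  9 10:00:01 router dnsmasq-dhcp[401]: DHCPREQUEST(br0) 192.168.1.101 aa:bb:cc:dd:ee:01",
    "Apr  9 10:00:01 router dnsmasq-dhcp[401]: DHCPACK(br0) 192.168.1.101 aa:bb:cc:dd:ee:01 laptop-a",
    "Apr  9 10:00:07 router dnsmasq-dhcp[401]: DHCPDISCOVER(br0) 00:11:22:33:44:55",
    "Apr  9 10:00:07 router dnsmasq-dhcp[401]: DHCPOFFER(br0) 192.168.1.102 00:11:22:33:44:55",
    "Apr  9 10:00:07 router dnsmasq-dhcp[401]: DHCPREQUEST(br0) 192.168.1.102 00:11:22:33:44:55",
    "Apr  9 10:00:07 router dnsmasq-dhcp[401]: DHCPACK(br0) 192.168.1.102 00:11:22:33:44:55 remote-pc",
    "Apr  9 10:00:09 router dnsmasq-dhcp[401]: DHCPDISCOVER(br0) 00:11:22:33:44:66",
]

# Message type, interface, optional IP, MAC, optional hostname.
LOG_RE = re.compile(
    r"dnsmasq-dhcp\[\d+\]: (?P<msg>DHCP[A-Z]+)\((?P<iface>[^)]+)\) "
    r"(?:(?P<ip>\d+\.\d+\.\d+\.\d+) )?(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: (?P<host>\S+))?",
    re.IGNORECASE,
)


def parse_dhcp_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return one dict per parseable dnsmasq-dhcp line, MAC lower-cased."""
    events = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["mac"] = ev["mac"].lower()
            events.append(ev)
    return events


def remote_requests(lines: List[str], remote_macs: Set[str]) -> Set[str]:
    """Remote-site MACs that sent any DHCP request to this router."""
    return {ev["mac"] for ev in parse_dhcp_log(lines)
            if ev["mac"] in remote_macs and ev["msg"] in ("DHCPDISCOVER", "DHCPREQUEST")}


def cross_tunnel_acks(lines: List[str], remote_macs: Set[str]) -> Dict[str, str]:
    """Leases this router actually handed out to remote-site hosts: the
    situation the thread wants to avoid (remote host now defaults via the tunnel)."""
    return {ev["mac"]: ev["ip"] for ev in parse_dhcp_log(lines)
            if ev["msg"] == "DHCPACK" and ev["mac"] in remote_macs}


def ignore_config(macs: Set[str]) -> List[str]:
    """dnsmasq custom-configuration lines to stop answering these MACs."""
    return [f"dhcp-host={mac},ignore" for mac in sorted(macs)]


if __name__ == "__main__":
    leaked = cross_tunnel_acks(SAMPLE_LOG, REMOTE_SITE_MACS)
    for mac, ip in leaked.items():
        print(f"served remote host {mac} lease {ip}")
    print("\n".join(ignore_config(remote_requests(SAMPLE_LOG, REMOTE_SITE_MACS))))
```

Run against a real `/var/log/messages` capture, it flags any DHCPACK issued to a MAC on the remote list; the generated lines paste straight into the dnsmasq custom configuration box. The remote MAC list is the weak point, as the post notes: it has to be refreshed whenever the other site's devices change.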
     
  7. Firov

    Firov Addicted to LI Member

    Well, that's not exactly what I was hoping for. Still, it's certainly better than nothing, eh? Anyway, thanks for your help on this, SgtPepper, I appreciate it.

    And anyway, this isn't a huge problem as I mentioned in my first post. Really, aside from the lack of ebtables I love this Tomato firmware. I've been playing with it for the last couple of days and I must say it's far superior to DD-WRT. Extremely stable, fast, and easy to use while still having a huge number of features to play with.
     
  8. shadow2k6

    shadow2k6 LI Guru Member

    If I understand Firov's configuration correctly, it sounds like he has the same scenario as what I'm trying to do (a site-to-site VPN) with one of my family members for both support and resource sharing. My question is how can I access resources on their router via DNS names without using local host entries. I'm running the following version on both routers [ Tomato Firmware v1.27vpn3.6.4b6645f6(ND) ] with this configuration:
    Server 1, Basic:
    Interface Type: TAP
    Protocol: TCP
    Port: unique port
    Firewall: Automatic
    Authorization Mode: TLS
    Extra HMAC authorization (tls-auth): Disabled
    Client address pool: DHCP unchecked and specified 192.168.1.200 - 192.168.1.250
    Server 1, Advanced:
    Poll Interval: 0
    Direct clients to redirect Internet traffic: Unchecked
    Respond to DNS: Checked
    Advertise DNS to clients: Checked
    Encryption cipher: BF-CBC
    Compression: Enabled
    TLS Renegotiation Time: -1
    Manage Client-Specific Options: Unchecked
    Custom Configuration: Empty

    Client 1, Basic:
    Interface Type: TAP
    Protocol: TCP
    Server Address/Port: Custom Name and Custom Port
    Firewall: Automatic
    Authorization Mode: TLS
    Extra HMAC authorization (tls-auth): Disabled
    Server is on the same subnet: Unchecked
    Create NAT on tunnel: Checked
    Client 1, Advanced:
    Poll Interval: 0
    Redirect internet traffic: Unchecked
    Accept DNS configuration: Relaxed (I believe Disabled is default)
    Encryption cipher: BF-CBC
    Compression: Enabled
    TLS Renegotiation Time: -1
    Connection retry: 30
    Custom Configuration: empty

    Any help would be appreciated. I'm open to any change in configuration if there is a better way to do this. Once again, I can connect to devices on the other side of the VPN, but can't get to them by DNS name. I apologize in advance if this thread is already out there, but I was unable to find anything close to what I was looking for.
     
  9. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Try changing "Accept DNS configuration" to strict or exclusive.
     
  10. rhester72

    rhester72 Network Guru Member

    Windows machines should "just work", they can manage multiple DNS servers per connection and aggregate them (you can set the priority order in case of namespace collisions, or just make sure well-defined domains are used for both sites).

    Linux machines actually follow the DNS spec, but a handy workaround is to place dnsmasq on each of the Linux end stations, and have it forward upstream DNS requests to your own router and use domain forwarding (server=/their.domain/their.dns.IP) for each remote domain. If you make sure each of the remote domains is listed as search entries in resolv.conf, you essentially achieve aggregate DNS.

    Rodney
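    The post above describes running dnsmasq on each Linux end station with `server=/their.domain/their.dns.IP` forwarding plus search entries in resolv.conf. As an added example, not from the thread or the Tomato project, the script below writes that configuration from a site list and models how the lookup then travels: which search suffixes the resolver tries for an unqualified name like `computer1`, and which router dnsmasq forwards each candidate to (longest matching `server=/domain/` suffix wins). Domain names and addresses are constructed; the resolver model is simplified to the default ndots=1 behaviour for dotless names.

```python
"""Generate per-host dnsmasq forwarding config and trace where a name lookup
goes under it.

Added example; not from the thread or the Tomato project. Domains and
addresses are constructed for illustration."""
from typing import Dict, List, Tuple

# Constructed: each site's domain and the router (dnsmasq) that serves it.
SITE_DNS: Dict[str, str] = {
    "home.lan": "192.168.1.1",
    "remote.lan": "192.168.2.1",
}
UPSTREAM = "192.168.1.1"               # our own router handles everything else
SEARCH: List[str] = ["home.lan", "remote.lan"]


def dnsmasq_config(site_dns: Dict[str, str], upstream: str) -> List[str]:
    """Lines for the end station's dnsmasq.conf: ignore /etc/resolv.conf
    for upstream selection, default to our router, forward each site domain."""
    lines = ["no-resolv", f"server={upstream}"]
    for domain, ip in sorted(site_dns.items()):
        lines.append(f"server=/{domain}/{ip}")
    return lines


def resolv_conf(search: List[str]) -> List[str]:
    """The end station resolves via its local dnsmasq, with both site
    domains as search suffixes so short names work for either site."""
    return ["nameserver 127.0.0.1", "search " + " ".join(search)]


def pick_server(name: str, site_dns: Dict[str, str], upstream: str) -> str:
    """Which server dnsmasq forwards a query for `name` to: the server= entry
    with the longest matching domain suffix, else the default upstream."""
    name = name.rstrip(".").lower()
    best: Tuple[str, str] = ("", upstream)
    for domain, ip in site_dns.items():
        if (name == domain or name.endswith("." + domain)) and len(domain) > len(best[0]):
            best = (domain, ip)
    return best[1]


def expand(name: str, search: List[str]) -> List[str]:
    """Simplified stub resolver (ndots=1): a dotless name is tried with each
    search suffix in order; a name containing a dot is tried as given."""
    if "." in name:
        return [name]
    return [f"{name}.{d}" for d in search]


def resolve_path(name: str, search: List[str], site_dns: Dict[str, str],
                 upstream: str) -> List[Tuple[str, str]]:
    """(candidate FQDN, server queried) pairs in the order the host tries them."""
    return [(fq, pick_server(fq, site_dns, upstream)) for fq in expand(name, search)]


if __name__ == "__main__":
    print("\n".join(dnsmasq_config(SITE_DNS, UPSTREAM)))
    print("\n".join(resolv_conf(SEARCH)))
    for fq, server in resolve_path("computer1", SEARCH, SITE_DNS, UPSTREAM):
        print(f"try {fq} -> ask {server}")
```

The trace makes the point from the later posts concrete: a bare `computer1` only reaches the remote router's dnsmasq once the remote domain is in the search list and the remote router actually has a domain configured for its hosts, otherwise `computer1.remote.lan` is forwarded correctly but nothing answers to that name.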
     
  11. shadow2k6

    shadow2k6 LI Guru Member

    Thanks, I'll give that a try when I'm available later tonight.
     
  12. shadow2k6

    shadow2k6 LI Guru Member

    I tried both strict and exclusive and restarted the client after each save and they still failed to resolve the name. I also manually added the IP addresses on my Windows machine with both my router (which normally populates by itself) and the router on the other end of the tunnel and I'm still unable to ping or nslookup a device by name. This led to the idea of the domains. Neither router has a domain name defined in the basic, identification section. This could possibly be the issue since I'm not using a fully qualified name (example: ping computer1 or nslookup computer1). I went and added a domain, but was unable to test this because I was unable to get the person on the other side of my VPN to check my device(s) with the new domain name (computer1.domainName). I will post some logs as soon as I can when I can coordinate another session with the person at the other side of my tunnel. Is there any other information that I can post that would help identify the issue? Thanks for the suggestions as I really appreciate all the help.
     
