Bridging lagg0 wth tap0 (OpenVPN)

J

jmj75

I am having a problem trying to bridge a lagg0 interface with a tap0 interface (for OpenVPN). The primary issue is that traffic on the server (and the LAN) can't see any of the openvpn hosts, e.g., I can't ping or connect to vpn clients. However, clients can connect to the server and I can reach the server/LAN side from the client side.

On the other hand if I don't use link aggregation then the server works as expected. Bridging a NIC (vr0) interface with tap0 results in traffic correctly routed to the bridge to clients from the LAN.

Any comments on what I may be missing in order to have a working lagg0 and tap0 bridge under FreeBSD?

FYI, there are no pf rules on the server and in both cases I have:

net.link.tap.debug=0
net.link.tap.devfs_cloning=1
net.link.tap.up_on_open=1
net.link.tap.user_open=1

Here is my non-working bridged lagg0 rc.conf:

Code: 
### NETWORK
########################################
gateway_enable="YES"
ipv6_activate_all_interfaces=YES
ipv6_gateway_enable=YES

### LAGG
########################################
ifconfig_vr0="up"
ifconfig_vr1="up"
ifconfig_lagg0="laggproto lacp laggport vr0 laggport vr1 10.0.1.250/24"
defaultrouter="10.0.1.254"

### OPENVPN
########################################
openvpn_if="tap bridge"
openvpn_enable="YES"
openvpn_dir="/etc/openvpn"
openvpn_configfile="/etc/openvpn/server.conf"
openvpn_flags="--script-security 2"


### BRIDGE
########################################
cloned_interfaces="lagg0 bridge0 tap0"
ifconfig_bridge0="addm lagg0 addm tap0"

Along with,
# netstat -rn
Code: 
Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            10.0.1.254         UGS         0     1215  lagg0
10.0.1.0/24        link#10            U           0      732  lagg0
10.0.1.250         link#10            UHS         0        0    lo0
127.0.0.1          link#9             UH          0        0    lo0

Internet6:
Destination                       Gateway                       Flags      Netif Expire
::/96                             ::1                           UGRS        lo0
::1                               ::1                           UH          lo0
::ffff:0.0.0.0/96                 ::1                           UGRS        lo0
fe80::/10                         ::1                           UGRS        lo0
fe80::%vr0/64                     link#1                        U           vr0
fe80::20d:b9ff:fe21:54e0%vr0      link#1                        UHS         lo0
fe80::%vr1/64                     link#2                        U           vr1
fe80::20d:b9ff:fe21:54e1%vr1      link#2                        UHS         lo0
fe80::%lo0/64                     link#9                        U           lo0
fe80::1%lo0                       link#9                        UHS         lo0
fe80::%lagg0/64                   link#10                       U         lagg0
fe80::20d:b9ff:fe21:54e0%lagg0    link#10                       UHS         lo0
ff01::%vr0/32                     fe80::20d:b9ff:fe21:54e0%vr0  U           vr0
ff01::%vr1/32                     fe80::20d:b9ff:fe21:54e1%vr1  U           vr1
ff01::%lo0/32                     ::1                           U           lo0
ff01::%lagg0/32                   fe80::20d:b9ff:fe21:54e0%lagg0 U         lagg0
ff02::/16                         ::1                           UGRS        lo0
ff02::%vr0/32                     fe80::20d:b9ff:fe21:54e0%vr0  U           vr0
ff02::%vr1/32                     fe80::20d:b9ff:fe21:54e1%vr1  U           vr1
ff02::%lo0/32                     ::1                           U           lo0
ff02::%lagg0/32                   fe80::20d:b9ff:fe21:54e0%lagg0 U         lagg0
Here is the working rc.conf:
Code: 
### NETWORK
########################################
hostname=vpn
gateway_enable="YES"
ipv6_activate_all_interfaces=YES
ipv6_gateway_enable=YES

### LAGG 
########################################
ifconfig_vr0="inet 10.0.1.250 netmask 255.255.255.0 up"
defaultrouter="10.0.1.254"

### OPENVPN
########################################
openvpn_if="tap bridge"
openvpn_enable="YES"
openvpn_dir="/etc/openvpn"
openvpn_configfile="/etc/openvpn/server.conf"
openvpn_flags="--script-security 2" 


### BRIDGE
########################################
cloned_interfaces="bridge0 tap0"
ifconfig_bridge0="addm vr0 addm tap0"

# netstat -rn:

Code: 
Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            10.0.1.254         UGS         0     2647    vr0
10.0.1.0/24        link#1             U           0      737    vr0
10.0.1.250         link#1             UHS         0        0    lo0
10.0.1.251         link#2             UHS         0        0    lo0
127.0.0.1          link#9             UH          0        0    lo0

Internet6:
Destination                       Gateway                       Flags      Netif Expire
::/96                             ::1                           UGRS        lo0
::1                               ::1                           UH          lo0
::ffff:0.0.0.0/96                 ::1                           UGRS        lo0
fe80::/10                         ::1                           UGRS        lo0
fe80::%vr0/64                     link#1                        U           vr0
fe80::20d:b9ff:fe21:54e0%vr0      link#1                        UHS         lo0
fe80::%vr1/64                     link#2                        U           vr1
fe80::20d:b9ff:fe21:54e1%vr1      link#2                        UHS         lo0
fe80::%lo0/64                     link#9                        U           lo0
fe80::1%lo0                       link#9                        UHS         lo0
ff01::%vr0/32                     fe80::20d:b9ff:fe21:54e0%vr0  U           vr0
ff01::%vr1/32                     fe80::20d:b9ff:fe21:54e1%vr1  U           vr1
ff01::%lo0/32                     ::1                           U           lo0
ff02::/16                         ::1                           UGRS        lo0
ff02::%vr0/32                     fe80::20d:b9ff:fe21:54e0%vr0  U           vr0
ff02::%vr1/32                     fe80::20d:b9ff:fe21:54e1%vr1  U           vr1
ff02::%lo0/32                     ::1                           U           lo0
 
check this

You should use NAT over tap so response from other PCs reach you local network (if tap have different subnet) .

I have running OpenVPN over tun0 with bridge of two interfaces, Please try this script after Login(unless you have same sub net for tap device) :-


Code: 
#!/bin/sh
natd -interface tap0
ipfw -f flush
ipfw add divert natd ip from any to any via tun0
ipfw add pass all from any to any
sysctl -w net.inet.ip.forwarding=1

*don't use nat on rc.conf, since it seem that NAT loaded before OpenVPN runs
 
Hi,

this thread is quite old, but I decided to ask for help here instead of starting a new one.
The OS version is FreeBSD 11-RELEASE. The machine is a HP Microserver G8 with 2 Broadcom NICs -> bge0 and bge1, the switch is TP-LINK TL-SG108E
I want to have a failover lagg interface bridged with tap0 for OpenVPN.

The config I tested unsuccessfully is, only showing the relevant part from the files:
/boot/loader.conf
Code: 
if_bridge_load="YES"
bridgestp_load="YES"
if_tap_load="YES"
if_lagg_load="YES"
/etc/rc.conf
Code: 
# Network Configuration
ifconfig_bge0="up"
ifconfig_bge1="up"
ifconfig_lagg0="laggproto failover laggport bge0 laggport bge1 192.168.200.250/24"
defaultrouter="192.168.200.1"
cloned_interfaces="lagg0 bridge0 tap0"
ifconfig_bridge0="addm lagg0 addm tap0"
# OpenVPN
openvpn_enable="YES"
/etc/sysctl.conf
Code: 
net.link.tap.up_on_open=1
I cannot ping anything but the IP address of the lagg0 (192.168.200.250) interface and lo0...

When I remove the tap0 and bridge0, lagg0 works perfectly.

Any suggestions please?

P.S. OpenVPN works ok when configured to use tap0 bridged with one of the cards, e.g. bge0.
 
You must log in or register to reply here.
Back
Top