Layer 2 bridge between two GL-A1300

jdub · 2022-12-14T15:17:00.007Z

Someone who actually does need TAP! It’s a miracle!

You’re probably going to need to edit the config file yourself manually (or create one manually). You’ll also probably want to manually set things up to use CHACHA20-POLY1305 as a cipher on the A1300 instead of AES, as it’ll buy you about 15mbps using OpenVPN.

kaufmg · 2022-12-14T15:23:46.404Z

We could make a fortune if we could create an easy solution for this use case. Most universities no longer offer TV service in the dorms and why should we pay for service twice anyway. They expect everyone to buy 10 different streaming services to get the equivalent. Verizon etc only let you use their streaming TV service inside the house without restrictions. You can use it outside the house but reduced channels and or you have to cast from iphone etc to tv. Not a very elegant solution and quality suffers.

elorimer · 2022-12-14T17:01:37.610Z

Or, more likely, watch on a tablet, said to be legal, rather than this with a TV which…

alzhao · 2022-12-15T04:41:10.091Z

You can try TAP if you do have some skills to configure openvpn in TAP mode.

It is just too complicated when it is related to routing and I don’t know if could solve your issue.

We do have a client who is doing Layer2 SD-WAN. But the price is very costly and cannot solve the price issue you mentioned.

kaufmg · 2022-12-15T12:04:38.306Z

I am a network engineer and could easily do this with a pair multi thousand dollar Cisco routers. At that point I might as well just pay for the service though. I was looking for a less expensive alternative. I would like to give TAP mode a try but the option is not available in the current firmware of the GL-A1300. Is that something that can you can provide an update for or do I have to manually configure it. If it is manual I do not think I want to spend the holidays messing with it.

jdub · 2022-12-15T14:37:17.528Z

The easiest way to do that is probably going to be installing stock versions of OpenWRT for both of the routers, then configuring as you normally would with OpenVPN. The A1300 is supported in snapshot now.

(I would note that the standard versions don’t always compile openssl with speed optimizations, which you’re going to want on that router. So the best thing to do would be to actually build your own… I have a build env set up, so I don’t mind shooting you a build either, though lots of people have trust issues there, and rightfully so).

https://firmware-selector.openwrt.org/?version=SNAPSHOT&target=ipq40xx%2Fgeneric&id=glinet_gl-a1300

elorimer · 2022-12-15T15:56:18.843Z

What about just luci-app-openvpn? Never used it, so curious.

jdub · 2022-12-15T16:02:56.017Z

It’s… not great, imo.

Sautry718 · 2024-08-07T18:57:40.200Z

Has any one got this to work yet?

xize11 · 2024-08-09T09:37:02.187Z

I know openvpn is layer 2, but why the difficult path?

Wireguard is not layer 2 by default, but you have also protocols to encapsulate layer 2 through a tunnel inside wireguard.

Currently i run a setup like this and it works flawless, and much easier to configurate than openvpn.

My main headaces with it, is knowing the deprecated config nodes which has to match with a newer server config nodes or vice versa the other way around once the config is complicated.

Wireguard is very simple, and using luci-proto-vxlan works also very nice, you only need some knowledge how to configurate it with DSA but if you get it, its much easier.

Heres some screenshots:

click to expand

the vxlan interface:

Screenshot_2024-08-09-11-39-18-505_com.brave.browser1220×2712 164 KB

I point the tunnel addresses to each other.

And here i vlan tag it on br-lan see vlan 50:

Screenshot_2024-08-09-11-39-59-508_com.brave.browser1220×2712 128 KB

and here the bridge device itself:

IMG_20240809_1150371220×2265 240 KB

Also if you like the terminal, there is also a new tool which combines wireguard with vxlan called unetd.

Sautry718 · 2025-02-25T21:50:12.417Z

xize11:

uard is not layer 2 by default, but you have also protocols to encapsulate layer 2 through a tunnel inside wireguard.

Currently i run a setup like this and it works flawless, and much easier to configurate than

Need help setting my routers

xize11 · 2025-02-25T22:13:40.576Z

Can you explain a little more what you want?

I assume you want also wireguard with vxlan?

Can you show me what you already have done so i can help

I need the contents of:

ubus call system board

cat /etc/config/network

Please mask all mac addresses and private information like vpn keys.

You can paste it like this markup:

[details="i.e ubus output, or network config"]
```
//insert code here
```
[/details]

Sautry718 · 2025-02-26T05:54:34.465Z

The same setup up as the 1st post by kaufmg
GL-SFT1200 is in site A GL-axt1800 is in site B I have a fios mini on site B and it can not communicate with site A. GL-SFT1200 firmware is at 4.7.2 and have a option with TAP mode.

Sautry718 · 2025-02-26T05:58:08.463Z

Can you tell me step by step with pictures on how you setup with wire gaurd and or open vpn

xize11 · 2025-02-26T08:52:06.170Z

I think this video is straight forwarded:

The part of the qr code has also a tab to copy the configuration, this is the configuration you want to add to your other router

Wether you need vxlan here depends if you need layer2 capabilities such as vlans, in many cases you don't need it.

If you want to reach a device on lan, you can allow that by the settings here:

IMG_20250226_0927341220×2712 275 KB

Screenshot_2025-02-26-09-33-38-651_com.brave.browser-edit1220×2712 205 KB

Screenshot_2025-02-26-09-34-26-088_com.brave.browser-edit1220×2712 164 KB

optional:

You can also portforward to your wireguard peers from the server and to lan.

If you for example use a server or application, and want to hide the ports for being open under a layer of encryption this is possible, also the open port the wireguard server hosts on appears to be closed from port scanners due to it is using udp, and wireguard does not respond to unsolicitated connections.

You can do that like this:

Screenshot_2025-02-26-09-45-54-752_com.brave.browser-edit1220×2712 188 KB

Screenshot_2025-02-26-09-54-22-825_com.brave.browser-edit1220×2712 244 KB

Screenshot_2025-02-26-09-49-47-017_com.brave.browser1220×2712 161 KB

Sautry718 · 2025-02-26T09:15:46.385Z

I have setup up vpn server on site A and vpn client on site B there are able to connect.
Now on site B i have a Fios TV mini connected to the ethernet port on the GL net router to connect to site A where the Verizon FIOS Tv is. Fios TV mini on Site B not Able to connect to Site A

Sautry718 · 2025-02-26T09:39:37.768Z

I will try this method to open DMZ on fios router and port forward on Fios router as well

xize11 · 2025-02-26T12:19:22.551Z

Sautry718:

I will try this method to open DMZ on fios router and port forward on Fios router as wel

this might not be the best idea, that means you open all ports to one device, since you want accessibility through the vpn server, DMZ only targets wan, and wan has nothing to do with this in this case.

first you need to look to your wireguard peers on the server on site A router, by default it shows as:

image1636×778 51.3 KB

Do you see the /24 this needs to be set to /32. unless you want peer to communicate to each other, in your case you probably have only 1 peer (site B), this is fine but the clients need to have some configuration changed.

please do so on site B router by editing the vpn client:

image967×1329 46.4 KB

I have been looking if this feature already exists in this firmware as I have requested this a while ago, unfortunately it still isn't there even on the Flint 2 OP24.

if you navigate to here please for site A (the server with tv):

image2082×1596 327 KB

login with root user and password same as ui.

you will see this or similar:

image1767×855 60.1 KB

click on the navigation here:

image766×139 10.5 KB

then here:

image390×316 18.9 KB

then you click on traffic rules tab.

image1033×187 19.8 KB

now create a rule as following:

image1413×936 62.7 KB

make sure that your tv device is running on this 192.168.8.3 ip this is very important you need to have to set this to static, you can do that via the router but you can probably also do that on the device it self via manual network configuration.

if you know the ports for the destination you could theoretically set this in your rule this will lock it down more which is securer although the vpn layer makes it very secure compared if you would do it via wan so not a big issue can always be used to improve later on.

-- Tl;dr
now a little lesson about firewalll because I think this is very important to have a understandment how this works.

a classic firewall always works from source to destination, everytime you connect to a site, it goes from src to dest, that way on the same line the destination is allowed to talk back on the same line, when you was not the initiator of the packet and this type of handshaking never happened the packet gets dropped.

in this case you open the port for interface wgserver so that the peers site B is allowed to initiate first to your tv box and therefor the tvbox gets the green card to talk back.

in only extreme rare cases the tvbox searches for the other connection as first initiator, it does that through broadcasting or multicast these are layer 2 on the routing level and wireguard does not support layer 2 but you can use a layer 2 tunnel called vxlan or the very difficult approach adding a multicast route manually, often than not especially most tv boxes nowdays use Android TV it often now doesn't use igmp or multicast at all

--

make sure on site B you have this option checked:

image2196×1584 196 KB

bpwl1 · 2025-02-26T14:06:21.471Z

It does not have to be OpenVPN. I am open to any solution that would make this work.

Have a look at Zerotier. ZeroTier - GL.iNet Router Docs 4

Sautry718 · 2025-02-27T04:22:49.797Z

Thanks!!
My router in site A went down so i had some do a hard reset and not able to do any thing right now
as soon as it goes back up i will let you know