All posts tagged eoip

If you use EoIP in bridge mode with a DHCP server on each side, and you want each server to serve only its own side, you need to block DHCP traffic through the tunnel. This also keeps unneeded traffic off the tunnel, since the internet link is usually the bottleneck in the network and we don't want to load it unnecessarily.

Linux is equipped with ebtables, which can inspect all Ethernet traffic and, in our case, filter DHCP broadcasts. To enable it, go to Administration->Commands, Edit startup script, and add the following lines.

insmod ebtables
insmod ebtable_filter
insmod ebt_ip.o
ebtables -A INPUT -i oet1 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A INPUT -i oet1 -p IPv4 --ip-protocol udp --ip-source-port 67:68 -j DROP
ebtables -A FORWARD -o oet1 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A FORWARD -o oet1 -p IPv4 --ip-protocol udp --ip-source-port 67:68 -j DROP

Reboot the router and you will see that machines on both sides are served by their local DHCP server and all DHCP traffic stays on its own side.

Recently we discovered DD-WRT, a Linux distribution meant for consumer routers such as TP-Link that gives them more advanced features. One of its interesting capabilities is Ethernet over IP (EoIP), which creates a tunnel between two points and forwards all Ethernet packets between them. This bridges the two points as if they were on the same switch. So you may be wondering why you need EoIP when you have a VPN. A VPN works on IP and passes only IP traffic through the tunnel, but if you need some other protocol (IPX, SCTP, RIP, OSPF, etc.), EoIP in bridge mode is the easiest way to do it.

One of the disadvantages of DD-WRT is that EoIP tunnels need a static IP, so we have made a solution that makes them work with dynamic IPs using any dynamic DNS service. The solution is made up of two scripts. The first one checks whether the IP behind the dynamic DNS name has changed and, if it has, resolves the new IP and changes it in the tunnel configuration:

# Run only when EoIP tunnel 1 is enabled
EOIP=`nvram get oet1_en`
if [ "${EOIP}" = "1" ]; then
	# Resolve the peer's dynamic DNS name; take the first IPv4 address ping prints
	NEW_EOIP_IP=`ping -c1 -w1 example.dyndns.org | egrep -o -m 1 '([0-9]{1,3}\.){3}[0-9]{1,3}'`
	# Peer address currently configured for the tunnel, and our own WAN address
	EOIP_IP=`nvram show | grep oet1_rem= | egrep -o '([0-9]{1,3}\.){3}[0-9]{1,3}'`
	MY_WAN_IP=`nvram show | grep wan_ipaddr= | egrep -o '([0-9]{1,3}\.){3}[0-9]{1,3}'`
	# Rebuild the tunnel only if the name resolved and the address has changed
	if [ -n "${NEW_EOIP_IP}" ] && [ "${EOIP_IP}" != "${NEW_EOIP_IP}" ]; then
		nvram set oet1_rem=$NEW_EOIP_IP
		ip link set oet1 down
		ip tunnel del oet1
		iptables -I INPUT -p etherip -s $NEW_EOIP_IP -j ACCEPT
		ip tunnel add oet1 mode etherip remote $NEW_EOIP_IP local $MY_WAN_IP
		brctl addif br0 oet1
		ip link set oet1 up
	fi
fi

Change example.dyndns.org to the dynamic DNS name of the tunnel's remote peer and save the script in DD-WRT. If you are not using tunnel no. 1, replace oet1 with oetx (where x is the number of the EoIP tunnel you are using). To save it, go to Administration->Commands, Edit custom script, and paste the script there.

Now that you have created the script for EoIP, you need to add it as a cron job so that it is executed periodically. The second script is executed on DD-WRT startup and fixes some problems with cron.

grep -q "^crontabs:" /tmp/etc/passwd || echo 'crontabs:*:0:0:Contab User,,,:/tmp/root:/opt/bin/bash' >> /tmp/etc/passwd 
stopservice cron
sleep 60
startservice cron

Go to Administration->Commands, Edit startup script, and paste the code above. The default script run period is 1 minute (60 seconds); you can change it to whatever fits your needs.

The last thing you need to do is add a cron job. In Administration->Management, make sure that cron is enabled and paste the following line into the Additional Cron jobs field.

* * * * * root /tmp/custom.sh

The EoIP script works only if the tunnel is enabled, so go to Setup->EoIP and enable the designated tunnel. You can now reboot your router and everything should work out of the box.
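A hardened form of the address handling in the EoIP update script, as an added example that is not part of the original post: it validates the address parsed from ping's output before it reaches nvram, iptables and ip tunnel, and prints (dry run) a command sequence that also removes the ACCEPT rule for the old peer address. The function names are hypothetical, the sample addresses are constructed, and rejecting private ranges assumes the remote peer sits on the public internet.

```sh
#!/bin/sh
# Added example, not the original post's script. Function names are
# hypothetical. Assumption: the peer is on the public internet, so private,
# loopback, link-local and multicast answers are treated as bad resolutions.

# valid_peer_ip ADDR: succeed only for a well-formed public unicast IPv4.
# The post's regex alone also matches strings such as 999.1.1.1.
valid_peer_ip() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                       # split into octets (digits and dots only)
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in 0?*|????*) return 1 ;; esac   # leading zero or too long
        [ "$o" -le 255 ] || return 1
    done
    case "$1.$2" in
        0.*|10.*|127.*|169.254|192.168) return 1 ;;
    esac
    if [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then return 1; fi
    [ "$1" -lt 224 ]                # 224 and above: multicast or reserved
}

# plan_update OLD NEW WAN: print the commands that move oet1 from OLD to NEW.
# Prints nothing and fails when NEW is invalid or unchanged (dry run only).
plan_update() {
    valid_peer_ip "$2" || return 1
    [ "$1" != "$2" ] || return 1
    echo "nvram set oet1_rem=$2"
    echo "ip link set oet1 down"
    echo "ip tunnel del oet1"
    # Remove the old peer's ACCEPT rule so it does not stay open for
    # whoever is assigned that address next.
    [ -z "$1" ] || echo "iptables -D INPUT -p etherip -s $1 -j ACCEPT"
    echo "iptables -I INPUT -p etherip -s $2 -j ACCEPT"
    echo "ip tunnel add oet1 mode etherip remote $2 local $3"
    echo "brctl addif br0 oet1"
    echo "ip link set oet1 up"
}

# Constructed sample values from the documentation address ranges.
plan_update 203.0.113.7 198.51.100.20 192.0.2.10
plan_update 203.0.113.7 999.1.1.1 192.0.2.10 || echo "rejected: 999.1.1.1"
```

To apply the plan on a router, pipe the output of plan_update to sh once the printed commands look right.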