Linux VLAN as a true "wire equivalent" connection?

0

This is a complete rewrite of the original question, due mainly to the great confusion my original ignorance caused. That confusion was so severe, I decided the original question had to go away, so as not to mislead future searchers.

Boxes "OUT1" and "OUT2" want to talk to each other. That's all I know about them, other than the fact they need a GigE Cat5e jack, and that they won't use more than 50Mbps (each way, full-duplex). I don't know what OSes they run (they could be Arduinos or Crays for all I know). I don't know if they will use IPv4 or IPv6 (or both), nor do I know what address range(s) they use, nor do I know what higher-level protocols they may be using. OUT1 and OUT2 may communicate with each other in any way desired.

For all I know, OUT1 and OUT2 may be ports on switches to which dozens of machines are connected, all of whom want to talk to each other in whatever way desired.

The only connections available are to Linux boxes "A" and "B" on my network, to which dedicated interfaces have been added for OUT1 and OUT2 to plug in to.

I need to route all traffic between OUT1 and OUT2, and by default, neither of my interfaces should have an IP address (just look like a simple switch).

So far, this sounds like a job for a bridge (brctl, without the IP address set) combined with some form of tunneling between A and B, though I'm not sure what tunnel would be the simplest.

Here's a pretty picture:

+------+   +---+    /\/\/\/\/\/\/\/\/\/\    +---+   +------+
| OUT1 |---| A |---<My Internal network >---| B |---| OUT2 |
+------+   +---+    \/\/\/\/\/\/\/\/\/\/    +---+   +------+
             \                                / 
              \_____ Looks like a cable _____/

For future discussion, let's say the inward-facing interfaces on A & B are eth0, and the outward-facing interfaces (to OUT1 and OUT2) are eth1.

But wait, there's more!

The owners of OUT1 and OUT2 would like to tweak the behavior of A and B and the path between them for things like QoS. When requested (via an automatically parsed email), we need to temporarily expose a webserver (running on another machine) at both A and B with an IPv4 IP address OUT1 and OUT2 can both communicate with. The request email will specify the IPv4 address to use. To OUT1 and OUT2, it looks like the webserver is running on the "switch".

Another pretty picture:

+------+   +---+    /\/\/\/\/\/\/\/\/\/\    +---+   +------+
| OUT1 |---| A |---<My Internal network >---| B |---| OUT2 |
+------+   +---+    \/\/\/\/\/\/\/\/\/\/    +---+   +------+
                             |
                           +---+
                           | C | webserver
                           +---+

The webserver and email parsing work fine on their own, but making it appear at A and B when desired then disappear is a problem.

My hunch is that brctl is not up to the task (at least not alone). Searches tell me that we may need to use something like the ip command's macvlan capability either in addition or instead. But that's only a guess from rather ignorant searching.

Two questions:

  1. How should I implement the switch-like capability between the outward-facing interfaces on A & B?

  2. How should I make the webserver appear and disappear on the outward-facing interfaces on A & B?

BobC

Posted 2014-03-28T22:24:30.877

Reputation: 101

More searching indicates that putting a proxy for C on each of A & B may simplify things. – BobC – 2014-04-16T17:59:07.597

Answers

0

You have not described your external connections, but my guess is that you will need to use a VPN rather than a VLAN or MPLS. I have not played with MPLS, but like VLANs I understand they exist below the TCP/IP level and it is unlikely your ISP will carry that traffic without you paying them.

I'm pretty sure that using OpenVPN with TAP drivers will do what you are looking for (but I've not used this before).

davidgo

Posted 2014-03-28T22:24:30.877

Reputation: 49 152

@BobC - Sorry, I find your description very confusing - I tried to produce a diagram of it but failed. Are you able to provide one? I'm pretty sure that, like I said earlier, you want to set up an OpenVPN connection using TAP interfaces. It then appears you want to use brctl to bridge the TAP interfaces with your LAN. I'm not sure if OUT1 and OUT2 are on the same network outside your LAN, but suspect they are (or their OS). If so, you might want to put in another [Linux] box to configure as a bridge. Another thing which would be useful is a representative set of IP addresses... – davidgo – 2014-03-31T17:13:00.153

Not necessarily the real IP addresses, but addresses which show the netblocks, and if they are RFC1918 (ie internal, for NAT use) or real world. – davidgo – 2014-03-31T17:13:51.927

Ok, that clarifies it for me (I thought Out1 connected over the net to A and Out2 over the net to B from your description). Am I correct in assuming that "A" and "B" are Linux boxes whose role will be to create a virtual ethernet cable so that OUT1 and OUT2 can see each other as if they are on the same LAN, and that while you can modify A and B you can't modify OUT1 and OUT2? If so, then my solution of OpenVPN is probably what you want - here is a howto for your scenario: http://openvpn.net/index.php/open-source/documentation/miscellaneous/76-ethernet-bridging.html – davidgo – 2014-04-01T17:51:38.663

No idea, sorry. I imagine you would want IP addresses on A and B for debugging purposes if nothing else. – davidgo – 2014-04-01T22:21:25.863

I've completely re-written the question. Does that help? – BobC – 2014-04-16T17:55:23.957
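The bridge-plus-OpenVPN-TAP setup that the answer and its comments describe, as an added example that is not code from the question, the answer or the OpenVPN project. It assumes the interface names from the question (eth1 outward, tap0 for the tunnel, br0 for the bridge), a placeholder address 192.0.2.1 for A on the internal network, and a pre-shared key file at /etc/openvpn/static.key; DRY_RUN=1 prints the privileged commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the question or the answer. Assumed names: eth1 is the
# outward port toward OUT1/OUT2, tap0 is the tunnel end, br0 the bridge; A is
# reachable from B at the placeholder 192.0.2.1; /etc/openvpn/static.key is a
# pre-shared key made once with "openvpn --genkey --secret static.key" and
# copied to both boxes over a trusted channel.
set -eu

# Privileged commands go through run(); DRY_RUN=1 prints them instead.
run() { if [ -n "${DRY_RUN:-}" ]; then echo "$@"; else "$@"; fi; }

# The "switch": an IP-less bridge joining the outward port and the tap.
# Frames from OUT1 enter eth1, cross br0 into tap0, and OpenVPN carries
# them as raw Ethernet frames to the other box, whose mirror-image bridge
# hands them to OUT2. Run identically on A and B.
make_bridge() {
    br=$1 wire=$2 tap=$3
    run openvpn --mktun --dev "$tap"     # persistent tap; openvpn attaches to it later
    run brctl addbr "$br"                # iproute2 equivalent: ip link add "$br" type bridge
    run brctl addif "$br" "$wire"
    run brctl addif "$br" "$tap"
    run ip addr flush dev "$wire"        # the outward port carries no IP address
    run ip link set "$wire" up promisc on
    run ip link set "$tap" up promisc on
    run ip link set "$br" up             # and neither does br0: it only forwards frames
}

# OpenVPN static-key point-to-point config in tap (layer-2) mode.
# $1 = the peer's address, or "" for the side that only listens.
# No "ifconfig" line on purpose: tap0 belongs to the bridge and gets no IP.
gen_ovpn_conf() {
    printf 'dev tap0\nproto udp\nport 1194\n'
    [ -n "${1:-}" ] && printf 'remote %s 1194\n' "$1"
    printf 'secret /etc/openvpn/static.key\n'
    printf 'cipher AES-256-CBC\nauth SHA256\n'  # static-key mode: CBC + HMAC, no GCM
    printf 'persist-tun\npersist-key\nkeepalive 10 60\nverb 3\n'
}

# Usage (as root):
#   on A:  make_bridge br0 eth1 tap0; gen_ovpn_conf ""        > /etc/openvpn/wire.conf
#   on B:  make_bridge br0 eth1 tap0; gen_ovpn_conf 192.0.2.1 > /etc/openvpn/wire.conf
#   both:  openvpn --config /etc/openvpn/wire.conf
```

The static key gives the frames confidentiality and integrity while they cross the internal network; every Ethernet frame OUT1 emits, broadcasts included, is forwarded to OUT2, which is exactly the "looks like a cable" behaviour the question asks for.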