Software Defined WAN

dafyre

@adam.ierymenko said:

@dafyre Bridging works much better than I thought it would when I developed that feature. At first I was like "well, technically this is possible but I'm going to call it experimental until we see how it works in practice." I've heard of people using it with whole big LANs behind it, so I'm a bit stunned.

Curious. I'd have to figure out how to do that. Got any docs handy I'll definitely give that a go as my network is expanding. (I have a XenServer in France now, lol).

adam.ierymenko

@dafyre Big gotchas are (1) designating the node as a bridge on your network at the ZT level, and (2) getting the IP routing issues correct so that hosts on either side of the bridge can actually see each other. Remember that Ethernet is not IP so if a host doesn't know another host's IP range is on the same net it won't route to it that way. Instead it will try to go via default gateway.

There's also a few weird Linux options such as one that selects whether or not Ethernet bridge packets also traverse iptables. Usually you want this off (forget the actual setting but it's sysctl) but sometimes it can be useful... though it's a bit perverse. There's also Linux ebtables (Ethernet bridge tables) which are also useful for advanced stuff.

One more tidbit: If you allow all Ethernet frame types on a ZT network, spanning tree protocol will work and your bridges and switches will handle routing loops. It will treat ZT like another switch or LAN segment and work normally. (ZT itself knows nothing about STP but Linux bridging does.)

adam.ierymenko

@dafyre We've considered making a little appliance for this, or a ready-to-run Raspberry Pi image.

dafyre

@adam.ierymenko said:

@dafyre We've considered making a little appliance for this, or a ready-to-run Raspberry Pi image.

Appliance isn't a bad idea.

In regards to your other posts, yeah. I ran into the same issues, kinda. I was able to get it to work by adding routes on the devices that needed to talk across networks. A curious thought, though... Why not install a few ZT "routers" on each end of my network... Then I can let the local DHCP server hand out static routes to the ZeroTier subnets?

I think you and I are thinking at different levels of the stack, in some regards, aren't we? You're thinking down at the ethernet level, and I am thinking one notch up at the IP level?

Also when thinking about a bridge set up... what I envision when you say that is something like this:

192.168.100.1-128/24 --> ZT BRIDGE --> (other site) --> 192.168.100.129 - 254 / 24 ?

travisdh1

@adam.ierymenko said:

@dafyre We've considered making a little appliance for this, or a ready-to-run Raspberry Pi image.

Hrm, I might just pull my pi out of storage to make one weather you do an "official" one or not.

JaredBusch

@dafyre said:

@adam.ierymenko said:

@dafyre We've considered making a little appliance for this, or a ready-to-run Raspberry Pi image.

Appliance isn't a bad idea.

In regards to your other posts, yeah. I ran into the same issues, kinda. I was able to get it to work by adding routes on the devices that needed to talk across networks. A curious thought, though... Why not install a few ZT "routers" on each end of my network... Then I can let the local DHCP server hand out static routes to the ZeroTier subnets?

I think you and I are thinking at different levels of the stack, in some regards, aren't we? You're thinking down at the ethernet level, and I am thinking one notch up at the IP level?

Also when thinking about a bridge set up... what I envision when you say that is something like this:

192.168.100.1-128/24 --> ZT BRIDGE --> (other site) --> 192.168.100.129 - 254 / 24 ?

That description is a nightmare waiting to happen. You described a pair of /25 networks setup as a single /25 and want it all to be magic across a VPN.

It is an extremely bad idea.

Dashrender

@JaredBusch said:

@dafyre said:

@adam.ierymenko said:

@dafyre We've considered making a little appliance for this, or a ready-to-run Raspberry Pi image.

Appliance isn't a bad idea.

In regards to your other posts, yeah. I ran into the same issues, kinda. I was able to get it to work by adding routes on the devices that needed to talk across networks. A curious thought, though... Why not install a few ZT "routers" on each end of my network... Then I can let the local DHCP server hand out static routes to the ZeroTier subnets?

I think you and I are thinking at different levels of the stack, in some regards, aren't we? You're thinking down at the ethernet level, and I am thinking one notch up at the IP level?

Also when thinking about a bridge set up... what I envision when you say that is something like this:

192.168.100.1-128/24 --> ZT BRIDGE --> (other site) --> 192.168.100.129 - 254 / 24 ?

That description is a nightmare waiting to happen. You described a pair of /25 networks setup as a single /25 and want it all to be magic across a VPN.

It is an extremely bad idea.

Considering ZT - why is this any worse? Sure, if you are going to be that separate, then just make the separate networks, but there is no requirement to, just like there is no requirement to make separate networks in ZT.

scottalanmiller

@adam.ierymenko said:

@dafyre We've considered making a little appliance for this, or a ready-to-run Raspberry Pi image.

You need to get it into some vendor devices like Ubiquiti.

scottalanmiller

@JaredBusch said:

192.168.100.1-128/24 --> ZT BRIDGE --> (other site) --> 192.168.100.129 - 254 / 24 ?

That description is a nightmare waiting to happen. You described a pair of /25 networks setup as a single /25 and want it all to be magic across a VPN.

I keep rereading this trying to figure out the goal. But I think he just wants a /24 with roughly half the IPs used on one side and half on the other with bridging in between rather than ZT installed to each device.

Deleted74295

@scottalanmiller said:

@adam.ierymenko said:

@dafyre We've considered making a little appliance for this, or a ready-to-run Raspberry Pi image.

You need to get it into some vendor devices like Ubiquiti.

Oh grief no. Ubiquiti take ages to do anything, feature requests people have been begging for take ages.

Let us white box our own hardware Or setup a VM to do it.

scottalanmiller

@Breffni-Potter said:

@scottalanmiller said:

@adam.ierymenko said:

@dafyre We've considered making a little appliance for this, or a ready-to-run Raspberry Pi image.

You need to get it into some vendor devices like Ubiquiti.

Oh grief no. Ubiquiti take ages to do anything, feature requests people have been begging for take ages.

Let us white box our own hardware Or setup a VM to do it.

I wonder how hard adding it to Ubiquiti would be.

@adam-ierymenko has anyone tested on VyOS?

Deleted74295

@scottalanmiller said:

I wonder how hard adding it to Ubiquiti would be.

They'd probably do it but updates or new features would take light-years.

scottalanmiller

I meant for us to add ourselves. It's VyOS under there, you should be able to just install to it.

Dashrender

@scottalanmiller said:

I meant for us to add ourselves. It's VyOS under there, you should be able to just install to it.

The idea of installing software on a hardware firewall just seems creepy

dafyre

@JaredBusch said:

@dafyre said:

@adam.ierymenko said:

@dafyre We've considered making a little appliance for this, or a ready-to-run Raspberry Pi image.

Appliance isn't a bad idea.

In regards to your other posts, yeah. I ran into the same issues, kinda. I was able to get it to work by adding routes on the devices that needed to talk across networks. A curious thought, though... Why not install a few ZT "routers" on each end of my network... Then I can let the local DHCP server hand out static routes to the ZeroTier subnets?

I think you and I are thinking at different levels of the stack, in some regards, aren't we? You're thinking down at the ethernet level, and I am thinking one notch up at the IP level?

Also when thinking about a bridge set up... what I envision when you say that is something like this:

192.168.100.1-128/24 --> ZT BRIDGE --> (other site) --> 192.168.100.129 - 254 / 24 ?

That description is a nightmare waiting to happen. You described a pair of /25 networks setup as a single /25 and want it all to be magic across a VPN.

It is an extremely bad idea.

That is just what I see in my head when thinking about bridging ZT to an Ethernet device... but that's not how I've done it in practice.

dafyre

@scottalanmiller said:

I meant for us to add ourselves. It's VyOS under there, you should be able to just install to it.

I could build a VyOS VM and try to install it on that and see if it works or not.

wirestyle22

This is all interesting stuff. I can't wait to finish my server build. Here it is if you're interested: http://pcpartpicker.com/p/9gPqjX

travisdh1

@wirestyle22 said:

This is all interesting stuff. I can't wait to finish my server build. Here it is if you're interested: http://pcpartpicker.com/p/9gPqjX

Is this server for a home lab?

wirestyle22

@travisdh1 said:

@wirestyle22 said:

This is all interesting stuff. I can't wait to finish my server build. Here it is if you're interested: http://pcpartpicker.com/p/9gPqjX

Is this server for a home lab?

Yessir

travisdh1

@wirestyle22 said:

@travisdh1 said:

@wirestyle22 said:

This is all interesting stuff. I can't wait to finish my server build. Here it is if you're interested: http://pcpartpicker.com/p/9gPqjX

Is this server for a home lab?

Yessir

Nice!