You are here

Tunneling within a Network

11 posts / 0 new
Last post
KI6GOA
KI6GOA's picture
Tunneling within a Network

Greetings All,

So first a few disclosures up front. I'm still relatively new to AREDN (this is my first forum post) and while I consider myself an above average computer user I'm certainly not a networking expert. That said, I have a very particular issue that I'm trying to solve in a particular way but I'm having challenges and am looking for some guidance. 

First, please let me describe my setup and what I'm trying to achieve. I have a probably above average home network that supports my home plus some existing servers and IP phones I already have on the AllStar network. Connected to my network is also a Ubiquiti 5AC-500 that is providing internet connectivity to a repeater site I support on top of Sierra Peak (about a five mile hop). The equipment on Sierra Peak, at present, is basically on my home network but running on it's own set of dedicated IP addresses. In addition to the network, I have a VLAN segmented portion on a HP ProCurve switch that provides LAN and DtD connections between my AREDN dedicated hardware. The segmented portion of the switch and the conventional network are physically bridged using a MikroTik hAP AC device. At no time does my home network and my AREDN dedicated network communicate with each other within the switch itself. Basically I'm using the MikroTik as a physical firewall. I realize this is probably a bit overkill but this is because of the nature of both my wife's and my own work and concerns for cybersecurity. 

Now here's the challenge. I have an existing point-to-point connection to Pleasants Peak from my home, but that is the only AREDN site I can hit from my home via RF. For redundancy, I'd like to add two AREDN nodes at my repeater site at Sierra Peak and basically tunnel them back to my MikroTik hAP at home via the home network and the hAP's WAN port. This would allow me to add redundancy without having to completely re-work my home network for VLAN. However, the issue I'm having is I cannot get tunneling to work across the devices involved. I do have one of the GL-iNet USB Wireless Routers that I've tested tunneling on within my own network and that seems to work fine. I know tunneling traffic must come in/out via the designated WAN VLAN but I have not had much success in playing with those settings to make this work. In a post or two I've seen floating around while researching this I've also found that there is supposedly a switch in the advanced settings that can be thrown to allow tunneling over a non-WAN port, but I've had no luck in finding that setting. 

For reference, the tunnel server is the MikroTik hAP and the device I'm trying to tunnel from, and use as a client at least as a testing device, is a Ubiquiti M5 NanoStation Loco. 

I realize my case and problem are a bit unique but if anyone has any suggestions or perhaps knows what stupid simple thing I'm doing wrong I'd sincerely appreciate the input.

Thank you in advance and 73,
Tom, KI6GOA

AJ6GZ
Yeah

This should be do-able. Basically if you have IP connectivity between the two sites and can present that to the 2 nodes, you will treat that path as the "WAN" on both AREDN devices. What's in between, as the with internet, shouldn't matter. It can be the actual Internet, a routed LAN, other link radios, or even a wire. If the hAP's VLAN1 is dumping into your home network for "internet" for the node and that's present on the mountain you should be good to go. If there are firewalls or other routing in the way you'll need to allow tcp 5525 in both directions.

I do a similar thing where I have a real ipsec tunnel between sites which carries an AREDN tunnel in addition to other normal traffic. For encryption over the internet yes, but mainly so I can utilitze the 4G failover between the sites. As long as the two WAN IP's can talk, "anything" works.

I'm curious... can Sierra Pk "see" Pleasants directly or is it too low? Probably a good opportunity to increase coverage in the canyon there with a sector perhaps.

Ian AJ6GZ

KI6GOA
KI6GOA's picture
Sierra - Pleasants Visibility

I have not had the opportunity to test it with an AREDN node personally yet. From the peak at ground level itself you may be right. But, if memory serves me correctly, it is visible from the top of our tower on Sierra (40 Feet).  -Tom

K5DLQ
K5DLQ's picture
did you see this in the 3.22

did you see this in the 3.22.6.0 release notes?

. Tunnels will be prevented from accidentally connecting over the mesh.

Tunnels normally connect via the WAN interface, that being the point of the things. However, if the WAN interface on a node goes down for some reason (the tunnel server/client Internet fails) the node will select a new way to talk to the Internet by first routing over the Mesh. When this happens, tunnels could end up being routed partially over the mesh, which is bad because tunnels are also part of the mesh. So, we now prevent this by default by adding a firewall rule.

KI6GOA
KI6GOA's picture
That makes sense. And my

That makes sense. And my guess is that the node treats the mesh the same as LAN traffic (untagged). Therefore if connected to a dumb switch it probably sees everything as LAN traffic as it's untagged. That's my guess at least, please tell me if I'm off. Does not exactly fix my issue but this at least points me in the right direction. Thanks!  -Tom

K6CCC
K6CCC's picture
This is what I would do...

I gather that the 5AC-500 to Sierra is operating as a Part 15 link.  Since you have the capability for VLANs, this is what I would do.  Make the part 15 link to Sierra a VLAN trunk.  You would need another VLAN capable switch at Sierra, but that is easy...  Connect the 5AC-500 to a trunk port on the VLAN switches at each end.  At your house connect the hAP port 5 to a port on the ProCurve that is configured as VLAN 2 (yes, it is VLAN tagged out of the hAP).  At Sierra have VLAN 2 connect to the node or nodes.  That would result in the hAP at home, and both nodes at Sierra being DtD connected rather than tunneled.  Depending on the node hardware at Sierra, will dictate how you need to connect to them.  For example, as you know on the hAP, there are different ports for LAN vs WAN vs DtD, whereas on single port devices, all three are combined with the LAN being non VLAN tagged, WAN is VLAN 1 and DtD is VLAN 2.  One advantage of doing all this is that you can also route the LAN from each node at Sierra to your house.  You could end up with a port on your ProCurve for each remote node that gives you a back door into that node.  For example, if you need direct access to node 1 at Sierra, plug a computer into port 21 of the ProCurve.  I am doing something similar at home.
BTW, I'm not far from you in Glendora and can likely help with some of this if needed.  Come to think of it, I have an eight port HP managed switch I will likely never use again I might just give you for the Sierra end...

KI6GOA
KI6GOA's picture
Thank you!

Thanks for the advice and offer! I may have to map this one out on paper a bit and play with it here on the ground first, but in my tired head this makes a whole lot of sense. I actually already have a HP switch I purchased specifically for the mountain top, but thanks again for the offer. I'm re-working the power supply on it to run on 12vdc so I can run it on our already existing battery backup system. When I start working on the site soon I'll be sure to reach out!

K6CCC
K6CCC's picture
Which model of ProCurve? 

Which model of ProCurve?  I may be able to tell you exactly how to convert to 12 volt operation.  At least on the 26xx series, it's REALLY easy.
 

kd4e
kd4e's picture
Convert 26xx series ProCurve to 12v

Would you copy this mod info to me, please? Thanks
 

K6CCC
K6CCC's picture
Converting 26xx series ProCurve to 12v

Will do.  Don't have time right now, but I will do so before too long.  If I have not given details in a couple days, remind me please...
 

kd4e
kd4e's picture
Converting 26xx series ProCurve to 12v

It's been three days ...  lol  There's no hurry, but you said to remind you. Thanks

Theme by Danetsoft and Danang Probo Sayekti inspired by Maksimer