Extend your LAN across the WAN on a Shoestring

Written by James McDonald

September 3, 2023

I was given a Surface Laptop that was a member of a Domain, but I only had a non-administrative login. To gain admin access I needed line of sight to a Domain Controller, but that was on the Corporate LAN 1000+ km away.

VXLAN

VXLAN is an encapsulation protocol that provides data center connectivity using tunneling to stretch Layer 2 connections over an underlying Layer 3 network.

This is how I extended the remote LAN into my office so the laptop could authenticate against a Domain Controller.

Credit goes to this post => https://medium.com/@antongslismith/bare-metal-cloud-provisioning-from-gcp-de4b65747de

See below for the scripts and for how to make the setup persistent across reboots.

Layout

An L2 LAN can be stretched across a Layer 3 connection using VXLAN, so that remote hosts believe they are on the same LAN.

I haven't tried it, but I think you could get the following setup working with only one NIC on the VM and on the Wyse device, as long as the LANs you are bridging allow ZeroTier to connect.

I installed Ubuntu 22.04 on a Wyse 3040 and added a Belkin Ethernet dongle.

Ubuntu on Wyse terminal network interfaces

# wyse terminal interfaces
$ ip l

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 8c:ec:4b:4e:36:9a brd ff:ff:ff:ff:ff:ff
3: enxe89f802b35d0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br100 state UP mode DEFAULT group default qlen 1000
    link/ether e8:9f:80:2b:35:d0 brd ff:ff:ff:ff:ff:ff
5: ztrtazzuco: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 2800 qdisc fq_codel state UNKNOWN mode DEFAULT group default qlen 1000
    link/ether 0a:eb:87:d8:cf:87 brd ff:ff:ff:ff:ff:ff
6: vxlan100: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br100 state UNKNOWN mode DEFAULT group default qlen 1000
    link/ether 4a:0d:a4:78:ba:a9 brd ff:ff:ff:ff:ff:ff
7: br100: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether e2:98:6f:a7:30:e6 brd ff:ff:ff:ff:ff:ff


Wyse Terminal Bridges

Show bridges command:

brctl show

Output

bridge name	bridge id		STP enabled	interfaces
br100		8000.e2986fa730e6	no		enxe89f802b35d0
                                        vxlan100

VM Interfaces

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 00:50:56:9e:e8:5d brd ff:ff:ff:ff:ff:ff
    altname enp3s0
3: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br100 state UP mode DEFAULT group default qlen 1000
    link/ether 00:50:56:9e:91:90 brd ff:ff:ff:ff:ff:ff
    altname enp11s0
4: ztrtazzuco: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 2800 qdisc fq_codel state UNKNOWN mode DEFAULT group default qlen 1000
    link/ether 0a:e3:0d:02:b5:a2 brd ff:ff:ff:ff:ff:ff
6: vxlan100: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br100 state UNKNOWN mode DEFAULT group default qlen 1000
    link/ether d6:57:59:05:47:7d brd ff:ff:ff:ff:ff:ff
7: br100: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 56:36:f5:8f:8d:97 brd ff:ff:ff:ff:ff:ff

VM Bridge Setup

bridge name	bridge id		STP enabled	interfaces
br100		8000.5636f58f8d97	no		ens192
                                        vxlan100

Persistence across reboots

I couldn't figure out how to get netplan to wait for the ZeroTier interface to be up before running the VXLAN config, so I created a systemd oneshot unit that runs the config script after zerotier-one comes up:

https://gist.github.com/toggenation/76d3bc2a5559af2a34e0b2d0901f68c4

[Unit]
Description=Toggen VXLAN
# Wants= only pulls the target in; After= is what actually orders us behind it and ZeroTier
After=network-online.target zerotier-one.service
Wants=network-online.target

[Service]
# slight delay to wait for the zt interface to be visible
# (the directive is ExecStartPre; systemd rejects the misspelling ExecPreStart)
ExecStartPre=/bin/sleep 5
ExecStart=/usr/local/sbin/zt_install.sh
RemainAfterExit=true
Type=oneshot

[Install]
WantedBy=multi-user.target

Swapping to ZeroTier fixes Inaccessible Website Issues with Tailscale

The original config I tried (based on the very good Medium article) used Tailscale, but I found that it has an MTU of 1280, and when I tried to access certain web sites over the VXLAN bridge (e.g. cisco.com) some were inaccessible. VXLAN adds 50 bytes of encapsulation (outer Ethernet, IPv4, UDP and VXLAN headers), so a 1280-byte underlay can only carry inner frames of about 1230 bytes, well short of the 1500-byte frames LAN hosts send. So I changed to ZeroTier, and now web browsing to all sites seems to work. (Because ZeroTier has a 2800 MTU and handles fragmentation and reassembly if needed, I don't need to worry about the MTU.)

VMware Promiscuous Mode is Critical

A critical step in the VMware config is making sure the VM receives frames that are not addressed to its own MAC, by enabling promiscuous mode on the port group.

From the VMware docs: "A virtual machine, Service Console or VMkernel network interface in a portgroup which allows use of promiscuous mode can see all network traffic traversing the virtual switch." I think this is needed to pass ARP requests across the VXLAN link. The bridge inside the VM also sends frames out of ens192 on behalf of the remote hosts, carrying those hosts' source MACs, which the vSwitch drops unless the port group's Forged Transmits policy is also set to Accept.

The VM connected to the remote LAN I want to access:

#!/bin/bash
# put in /usr/local/sbin/zt_install.sh
# remote is the ZeroTier interface IP of the other end
ZT_REMOTE=10.11.12.13
# this is the interface on the LAN you want to access remotely
INTERFACE=ens192
# this end's ZeroTier interface address (ztrabcdefgh is a placeholder; use the zt name shown by `ip l`)
export ZT_ADDRESS=$(ip a s ztrabcdefgh | egrep -o 'inet [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | cut -d' ' -f2)
# stop here rather than build a half-configured tunnel if ZeroTier has no address yet
[ -n "$ZT_ADDRESS" ] || { echo "no ZeroTier address found" >&2; exit 1; }
# point-to-point VXLAN, VNI 100, over the ZeroTier overlay on the standard UDP port 4789
sudo ip link add vxlan100 type vxlan id 100 local $ZT_ADDRESS remote $ZT_REMOTE dstport 4789
sudo ip link set vxlan100 up
# bridge the tunnel and the LAN interface so frames are switched at Layer 2
sudo brctl addbr br100
sudo brctl addif br100 vxlan100
sudo brctl stp br100 off
sudo ip link set br100 up
sudo brctl addif br100 $INTERFACE
sudo ip link set $INTERFACE up
# Add an ip if you want to test the vxlan bridge
# sudo ip addr add 192.168.3.1/24 dev br100

The local end (in my home office):

#!/bin/bash
# put in /usr/local/sbin/zt_install.sh
# remote is the ZeroTier interface IP of the other end (the VM)
ZT_REMOTE=10.11.12.14
# this is the interface name assigned to my Belkin Dongle
# this interface is the one you plug into to access the remote LAN
INTERFACE=enxe89f802b35d0
# this end's ZeroTier interface address (ztrabcdefgh is a placeholder; use the zt name shown by `ip l`)
export ZT_ADDRESS=$(ip a s ztrabcdefgh | egrep -o 'inet [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | cut -d' ' -f2)
# stop here rather than build a half-configured tunnel if ZeroTier has no address yet
[ -n "$ZT_ADDRESS" ] || { echo "no ZeroTier address found" >&2; exit 1; }
# same VNI and port as the VM end, otherwise the two vxlan interfaces will not talk to each other
sudo ip link add vxlan100 type vxlan id 100 local $ZT_ADDRESS remote $ZT_REMOTE dstport 4789
sudo ip link set vxlan100 up
sudo brctl addbr br100
sudo brctl addif br100 vxlan100
sudo brctl stp br100 off
sudo ip link set br100 up
sudo brctl addif br100 $INTERFACE
sudo ip link set $INTERFACE up
# Add an ip if you want to test the vxlan bridge
# sudo ip addr add 192.168.3.2/24 dev br100
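
As an added example (not the post's own scripts), here is a version of zt_install.sh that does the waiting itself instead of relying on a fixed sleep in the unit, refuses to build a tunnel with an empty address, can be re-run safely, and checks the ZeroTier interface MTU against the 50 bytes VXLAN adds (the Tailscale 1280 vs ZeroTier 2800 difference described above). Interface names and addresses are the post's placeholders; the ZT_IF, LAN_IF and VNI variable names are my own.

```bash
#!/bin/bash
# Added example, not the post's own script: an idempotent zt_install.sh that waits for
# the ZeroTier interface to get an address and checks the underlay MTU before building
# the tunnel. Interface names and addresses are placeholders, as in the post.
ZT_IF="${ZT_IF:-ztrabcdefgh}"           # ZeroTier interface on this host
ZT_REMOTE="${ZT_REMOTE:-10.11.12.13}"   # ZeroTier address of the other end
LAN_IF="${LAN_IF:-ens192}"              # LAN interface to stretch
VNI=100; VXLAN_IF="vxlan$VNI"; BR_IF="br$VNI"
VXLAN_OVERHEAD=50   # outer Ethernet 14 + IPv4 20 + UDP 8 + VXLAN header 8 bytes

# First IPv4 address in `ip -o -4 addr show dev X` output (pure text, so testable offline).
ipv4_from_ip_output() {
    printf '%s\n' "$1" | sed -n 's/.*inet \([0-9.]*\)\/.*/\1/p' | head -n 1
}

# Largest inner (LAN) frame the underlay can carry without fragmenting.
inner_mtu_for_underlay() { echo $(( $1 - VXLAN_OVERHEAD )); }

# Succeeds if a standard 1500-byte LAN frame fits in the tunnel:
# Tailscale's 1280 fails, ZeroTier's 2800 passes.
underlay_mtu_ok() { [ "$(inner_mtu_for_underlay "$1")" -ge 1500 ]; }

# Poll until the ZeroTier interface has an IPv4 address, or give up after $2 seconds.
wait_for_zt_addr() {
    i=0
    while [ "$i" -lt "${2:-60}" ]; do
        addr=$(ipv4_from_ip_output "$(ip -o -4 addr show dev "$1" 2>/dev/null)")
        [ -n "$addr" ] && { echo "$addr"; return 0; }
        i=$((i + 1)); sleep 1
    done
    return 1
}

# Build vxlan100 + br100; every step is skipped if already done, so restarts are safe.
setup_vxlan_bridge() {
    ZT_ADDRESS=$(wait_for_zt_addr "$ZT_IF" 60) || { echo "no address on $ZT_IF" >&2; return 1; }
    zt_mtu=$(cat "/sys/class/net/$ZT_IF/mtu")
    underlay_mtu_ok "$zt_mtu" || echo "warning: $ZT_IF MTU $zt_mtu cannot carry 1500-byte frames" >&2
    ip link show "$VXLAN_IF" >/dev/null 2>&1 || ip link add "$VXLAN_IF" type vxlan id "$VNI" \
        local "$ZT_ADDRESS" remote "$ZT_REMOTE" dstport 4789
    ip link show "$BR_IF" >/dev/null 2>&1 || ip link add "$BR_IF" type bridge stp_state 0
    ip link set "$VXLAN_IF" master "$BR_IF"
    ip link set "$LAN_IF" master "$BR_IF"
    ip link set "$VXLAN_IF" up && ip link set "$LAN_IF" up && ip link set "$BR_IF" up
}

# Only run the setup when invoked as `zt_install.sh up` (the systemd ExecStart line).
if [ "${1:-}" = "up" ]; then setup_vxlan_bridge; fi
```

With this script the unit's ExecStartPre sleep can be dropped, since the address poll covers the gap between zerotier-one starting and the interface getting its address.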

Using tcpdump to view interface traffic

sudo tcpdump -i enxe89f802b35d0

Performance

I have an asymmetric NBN100 HFC service and the other end is a 250 Mbps service.

But across the ZeroTier VXLAN link with the Ubuntu'd Wyse terminal I'm getting good speed.
