Looking for a GigE tunnel box - no firewall, security, etc.


Terry Kennedy

I have been unsuccessful in finding a box to meet a specific requirement - take a Gigabit Ethernet and IP tunnel it over an arbitrary Internet path to the other end and another of the same box and reconstitute it.

Specific requirements:
  • Work at full GigE line rate
  • Not be restricted to IP - any valid Ethernet packet goes in one box, comes out the other
  • Be able to reconstitute the original packet - for example, break up an MTU 9000 packet into chunks that can be sent over whatever the tunnel MTU is, then put it back together and emit it as a single MTU 9000 packet on the far end
  • Be [relatively] inexpensive
Specific non-requirements:
  • No encryption needed
  • No firewall / packet inspection / etc. needed
Don't cares:
  • No special method needed to "find the other end". In this case, both ends have static IP addresses. Might be nice for some other use cases to be able to have one end be a static IP and the other end be a dynamic IP.
There used to be boxes that did this general type of thing over different media - for example, sending 10Mbit or 100Mbit Ethernet over a point-to-point T3 connection. These days everything seems to be a complete VPN + security solution. For example, Peplink makes a box that can do this, but because of all the other features that come standard (and wouldn't be used in this application) the cost is extremely prohibitive.

I would prefer not to have to "roll my own" solution if I don't have to. Any suggestions?
 

MiniKnight

I think that's what most people use IPsec on Fortinet, pfSense, or others. Just leaving off the extra features right? Maybe I'm missing something?
 

Terry Kennedy

> I think that's what most people use IPsec on Fortinet, pfSense, or others. Just leaving off the extra features right? Maybe I'm missing something?
Possibly, but I'm looking for something that can handle non-IP packets as well (and do the packetizing / reassembly to pass large MTUs). Generally the hardware to do this at GigE speeds and support the features I don't need becomes quite expensive. Hardware to handle something this simple should be quite inexpensive - after all, a Raspberry Pi 4B can run a single GigE port at essentially wire speed. It is when you add encryption / firewall rules / etc. that the hardware gets complicated and more expensive.
 

azev

How about a VM running VyOS? You can configure GRE over the Internet and let it fragment packets before they go over the tunnel if the DF flag is not set.
I never tested throughput since my Internet is fairly small, but it has no issue tunneling up to 50 Mbps with 2 cores and 8 GB of RAM. I assume if you need more performance you can always add CPU.
 

Terry Kennedy

> How about a VM running VyOS? You can configure GRE over the Internet and let it fragment packets before they go over the tunnel if the DF flag is not set.

I am looking for little boxes I can deploy at the network perimeter on both sides, so a VM on an existing server would be problematic. The VyOS mention did give me an idea, though. See below. The DF flag is an IP construct, so it will likely be better to just fragment / reassemble in the boxes than to decide what can get fragmented at the IP level. In at least one of the use cases for this, IP traffic will only be around 50% of what goes through the boxes.

> I never tested throughput since my Internet is fairly small, but it has no issue tunneling up to 50 Mbps with 2 cores and 8 GB of RAM. I assume if you need more performance you can always add CPU.
This is for between sites that have full GigE service from various providers (it is a lot cheaper to buy GigE Internet from providers than to purchase point-to-point GigE links, even from those same providers). So the hardware needs to be capable of running at full GigE speeds.

The mention of VyOS did remind me about Ubiquiti and some of their products I've played with in the past. The last I looked, they were running something Vyatta-derived with their own (incomplete) GUI on top. They tended to have high performance at a decent price. I could probably do this on one of their boxes like an EdgeRouter 4. I could start with an EdgeRouter X for testing, but then I'd have spent 25% of what I'd spend for a pair of 4's on a pair of X's that would be underpowered for the eventual deployment. My only concern is that Ubiquiti seems to have gone a bit weird(er?) since I dealt with them last. Horror stories about boxes delivering ads to customers of resellers, etc. Any thoughts as to how well this might work as a solution?
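The fragmentation requirement from the original post (split a jumbo frame into tunnel-sized chunks and emit it whole on the far end) and the point made just above (do the splitting in the boxes, since DF only exists for IP) are what a transparent L2 tunnel actually has to implement. The following is an added example written for this page, not code from any poster or from VyOS, OpenVPN or Ubiquiti: it fragments an arbitrary Ethernet frame under a small per-fragment header, reassembles it from out-of-order delivery, verifies a CRC32 over the whole frame, and evicts frames whose fragments were lost so a lossy link cannot exhaust memory. The header layout, the 0x88B5 (IEEE local-experimental) sample EtherType and the MAC addresses are this example's own assumptions.

```python
import struct
import zlib
from collections import OrderedDict

# Per-fragment header (an assumption of this example, not any real tunnel's
# wire format): frame id, fragment index, fragment count, CRC32 of the original
# frame. All fields big-endian; 12 bytes total.
HDR = struct.Struct("!IHHI")
HDR_LEN = HDR.size


def build_sample_frame(mtu: int = 9000, ethertype: int = 0x88B5) -> bytes:
    """Constructed sample: a non-IP jumbo frame (14-byte header + mtu bytes).

    0x88B5 is the IEEE 802 local-experimental EtherType, so no IP stack would
    know what to do with it; the tunnel must carry it opaquely.
    """
    dst = bytes.fromhex("01005e000001")  # constructed multicast MAC
    src = bytes.fromhex("02aabbccddee")  # constructed locally administered MAC
    payload = bytes(i % 251 for i in range(mtu))
    return dst + src + struct.pack("!H", ethertype) + payload


def fragment(frame: bytes, frame_id: int, tunnel_mtu: int) -> list[bytes]:
    """Split one Ethernet frame into datagrams no larger than tunnel_mtu."""
    per_frag = tunnel_mtu - HDR_LEN
    if per_frag <= 0:
        raise ValueError("tunnel MTU smaller than fragment header")
    crc = zlib.crc32(frame)
    pieces = [frame[i:i + per_frag] for i in range(0, len(frame), per_frag)] or [b""]
    if len(pieces) > 0xFFFF:
        raise ValueError("frame needs more than 65535 fragments")
    return [HDR.pack(frame_id, idx, len(pieces), crc) + p
            for idx, p in enumerate(pieces)]


class Reassembler:
    """Collects fragments per frame id; emits the frame once all pieces arrive.

    Incomplete frames (lost fragments) are evicted oldest-first once more than
    max_pending frames are in flight, so loss on the link cannot pin memory.
    """

    def __init__(self, max_pending: int = 64):
        self.max_pending = max_pending
        self.pending: OrderedDict[int, dict] = OrderedDict()
        self.dropped = 0  # frames abandoned (evicted or CRC mismatch)

    def feed(self, datagram: bytes):
        """Consume one tunnel datagram; return the full frame when complete."""
        if len(datagram) < HDR_LEN:
            return None  # runt; ignore
        frame_id, idx, count, crc = HDR.unpack_from(datagram)
        if count == 0 or idx >= count:
            return None  # malformed header; ignore
        entry = self.pending.get(frame_id)
        if entry is None:
            entry = {"count": count, "crc": crc, "parts": {}}
            self.pending[frame_id] = entry
            while len(self.pending) > self.max_pending:
                self.pending.popitem(last=False)  # drop the oldest unfinished frame
                self.dropped += 1
        elif entry["count"] != count or entry["crc"] != crc:
            return None  # fragment disagrees with earlier ones; ignore
        entry["parts"][idx] = datagram[HDR_LEN:]
        if len(entry["parts"]) < count:
            return None  # still waiting for more pieces
        del self.pending[frame_id]
        frame = b"".join(entry["parts"][i] for i in range(count))
        if zlib.crc32(frame) != crc:
            self.dropped += 1
            return None  # corrupted in transit; do not emit
        return frame


def demo(tunnel_mtu: int = 1400) -> dict:
    """Jumbo frame out of order, a frame with a lost fragment, then eviction."""
    frame = build_sample_frame()
    frags = fragment(frame, frame_id=1, tunnel_mtu=tunnel_mtu)
    rx = Reassembler(max_pending=1)  # tiny limit so eviction is visible here
    got = None
    for d in reversed(frags):  # deliver in reverse order
        got = rx.feed(d) or got
    # Frame 2: first fragment "lost", so it can never complete.
    for d in fragment(build_sample_frame(1500), 2, tunnel_mtu)[1:]:
        rx.feed(d)
    # Two small frames arriving later push the stale frame 2 out.
    for fid in (3, 4):
        for d in fragment(build_sample_frame(64), fid, tunnel_mtu):
            rx.feed(d)
    return {"fragments": len(frags), "intact": got == frame,
            "pending": len(rx.pending), "dropped": rx.dropped}


if __name__ == "__main__":
    print(demo())
```

The 9014-byte sample frame needs seven 1400-byte datagrams at a 12-byte header; a real deployment would also want a sequence window per frame id and a timer-based expiry rather than the count-based eviction used here.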
 

Stephan

"Not be restricted to IP - any valid Ethernet packet goes in one box, comes out the other"

This requires an OpenVPN tap-style tunnel. WireGuard would be most performant but is L3 - IP. You need an L2 bridge to see e.g. broadcasts on the other side. Hardware should be Intel i210 or better, although these days gigabit is nothing too fancy anymore. You will need a Skylake-class CPU or later with hardware AES to do line-rate 1000 Mbit/s. AES itself should be 10 times faster than line rate to not create a bottleneck. With static secrets, AES-128-CBC should be enough, i.e. reasonably secure. CPU power should be sufficient to include LZ4 packet compression to utilize the link better and also to run some computationally cheap authentication of packets like HMAC-MD5, both optional though. Theoretically even the cipher is optional.

Since OpenVPN runs in user mode, this will eat a lot of performance. Expect some major mssfix/fragment/tun-mtu trickery to drive the tunnel above 500 Mbps throughput. See Gigabit_Networks_Linux – OpenVPN Community for more info on that.
 

azev

VyOS can be deployed on bare metal, and they do perform quite well actually, and if you are familiar with Junos the syntax is very similar.
As for the non-IP traffic, do you mind giving a sample of what kind of protocols you are using?