gre without legacy IP #234

Open
AiyionPrime opened this issue Apr 29, 2022 · 3 comments

@AiyionPrime
Member

Currently the field ip4 in group_vars/all/nodes.yml is mandatory for the supernode role regarding gre- and gt-netdevs:

roles/ffh.supernode/templates/gt-netdev.j2:7:Remote={{ supernodes[item.key].ip4 }}
roles/ffh.supernode/templates/gt-netdev.j2:9:Local={{ supernodes[servername].ip4 }}
roles/ffh.supernode/templates/gre-netdev.j2:7:Local={{ supernodes[servername].ip4 }}
roles/ffh.supernode/templates/gre-netdev.j2:8:Remote={{ exitnodes[item.key].ip4 }}

On the exitnode side, their counterparts:

roles/ffh.exitnode/templates/gre-netdev-super.j2:7:Local={{ exitnodes[servername].ip4 }}
roles/ffh.exitnode/templates/gre-netdev-super.j2:8:Remote={{ supernodes[item.key].ip4 }}

similarly

roles/ffh.exitnode/templates/gre-netdev-exit.j2:7:Local={{ exitnodes[servername].ip4 }}
roles/ffh.exitnode/templates/gre-netdev-exit.j2:8:Remote={{ exitnodes[item.key].ip4 }}

each with corresponding ferm parts:

roles/ffh.supernode/templates/ferm.gre.conf.j2:8:       saddr {{ item.value.ip4 }}/32 proto gre ACCEPT; # {{ item.key }}
roles/ffh.supernode/templates/ferm.gre.conf.j2:12:       saddr {{ item.value.ip4 }}/32 proto gre ACCEPT; # {{ item.key }}

and

roles/ffh.exitnode/templates/ferm.conf.j2:29:          saddr {{ item.value.ip4 }}/32 ACCEPT; # {{ item.key }}
roles/ffh.exitnode/templates/ferm.conf.j2:32:          saddr {{ item.value.ip4 }}/32 ACCEPT; # {{ item.key }}

Looking at the first block above, could we do these connections in v6 if v4 was not defined for a host?
Or possibly simpler, could we switch this to IPv6?

@lemoer
Contributor

lemoer commented Apr 29, 2022

Not directly. In systemd, ip6gre and ip6gretap are different interface types. See man systemd.netdev.

Currently all our supernodes support ipv4 anyways. So there was no need to support ip6gre or ip6gretap yet.

@AiyionPrime
Member Author

> Currently all our supernodes support ipv4 anyways. So there was no need to support ip6gre or ip6gretap yet.

Well, let me introduce you to our new sn03...

> Not directly. In systemd, ip6gre and ip6gretap are different interface types. See man systemd.netdev.

That I know, you've shown me that before I think.
I'd propose we configure ipv6 gre(tap)s between sn03 and an exitnode, and if we get that working, rewrite that part in ansible, to configure IPv6 tunnels between the super and exitnodes and use v4 as fallback.

Or do you expect performance issues if we let them work their traffic via v6 instead of v4?

@AiyionPrime
Member Author

I'd really like the idea of not having mandatory v4 addresses for our supernodes.
Regarding sn03: it won't have IPv4 for the duration of the test phase (six weeks starting yesterday) but will likely have it later.
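
The idea discussed in this thread (IPv6 tunnels where both ends have IPv6, v4 as fallback, with the ferm `saddr` allowlist following the same choice), sketched as an added example that is not part of the issue or the project's code. The `ip6` inventory field, the sample addresses, the `Name=` scheme and all function names are assumptions; the `Kind=` values are the systemd.netdev types named above.

```python
import ipaddress

# Constructed inventory shaped like group_vars/all/nodes.yml. The ip6 field
# and every address (documentation ranges) are assumptions, not project data.
SUPERNODES = {"sn01": {"ip4": "192.0.2.11", "ip6": "2001:db8::11"},
              "sn03": {"ip6": "2001:db8::33"}}          # IPv6-only
EXITNODES = {"exit1": {"ip4": "198.51.100.1", "ip6": "2001:db8:ff::1"},
             "exit2": {"ip4": "198.51.100.2"}}          # IPv4-only

# (inventory field, IP version, systemd Kind, tap Kind, ferm domain), IPv6 first
FAMILIES = [("ip6", 6, "ip6gre", "ip6gretap", "ip6"),
            ("ip4", 4, "gre", "gretap", "ip")]

def pick_family(local, remote):
    """Return the first family both endpoints have, or None if they share none."""
    for field, version, kind, tap_kind, domain in FAMILIES:
        if field in local and field in remote:
            addrs = [ipaddress.ip_address(n[field]) for n in (local, remote)]
            if any(a.version != version for a in addrs):
                raise ValueError(f"{field} holds an address of the wrong family")
            return {"kind": kind, "tap_kind": tap_kind, "domain": domain,
                    "local": addrs[0], "remote": addrs[1]}
    return None

def render_netdev(peer_name, local, remote, tap=False):
    """Render a minimal .netdev; Name= is a hypothetical naming scheme."""
    fam = pick_family(local, remote)
    if fam is None:
        raise ValueError(f"no common address family with {peer_name}")
    kind = fam["tap_kind"] if tap else fam["kind"]
    return (f"[NetDev]\nName={'gt' if tap else 'gre'}-{peer_name}\nKind={kind}\n\n"
            f"[Tunnel]\nLocal={fam['local']}\nRemote={fam['remote']}\n")

def render_ferm_rules(local, peers):
    """Per ferm domain, accept GRE only from the address each tunnel uses."""
    rules = {"ip": [], "ip6": []}
    for name, peer in sorted(peers.items()):
        fam = pick_family(local, peer)
        if fam is None:
            continue  # no tunnel is rendered, so no firewall hole is opened
        plen = fam["remote"].max_prefixlen  # 32 or 128: one host only
        rules[fam["domain"]].append(
            f"saddr {fam['remote']}/{plen} proto gre ACCEPT; # {name}")
    return rules

if __name__ == "__main__":
    print(render_netdev("exit1", SUPERNODES["sn03"], EXITNODES["exit1"]))
    print(render_ferm_rules(SUPERNODES["sn01"], EXITNODES))
```

Because the firewall rules are derived from the same family decision as the tunnel, a dual-stack peer is only allowlisted on the address family its tunnel actually uses.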
