  1. #1
    Join Date
    Nov 2005
    Posts
    1,224

    Ethernet Bridge (WAN)

    We have some storage devices that communicate with each other via TCP/IP but are not WAN-aware. They work on the LAN within the same subnet only.

    We'd like to move one of these devices to another location, which presents an obvious communications problem for a LAN-only device.

    I am looking for recommendations for an ethernet bridge that works across the WAN, so hosts on both sides of the bridge can reside in the same (RFC 1918) subnet.

    I know that OpenVPN has some level of support for WAN bridges, but I'm not interested in a "software running on a PC server" approach. A hardware appliance is a must.

    All ideas welcome.

  2. #2
    Join Date
    Jul 2009
    Location
    The backplane
    Posts
    1,790
    What kind of packet rate and throughput speed do you need? Budget?

  3. #3
    Join Date
    Nov 2004
    Location
    Chicago
    Posts
    413
    Sekweta:

    You can use a SonicWall to accomplish this.
    Lee Evans, Owner/Operator
    LeeWare Development
    Linux Dedicated Server Grids
    http://www.leeware.com

  4. #4
    Join Date
    Apr 2009
    Posts
    1,143
    How about running a VPN tunnel from one location to the other? This can be done with hardware routers/switches from, say, Cisco or similar.

  5. #5
    Join Date
    Nov 2005
    Posts
    1,224
    Quote Originally Posted by mazedk View Post
    How about running a VPN tunnel from one location to the other? This can be done with hardware routers/switches from, say, Cisco or similar.
    VPNs have different subnets at either end of the tunnel, which means routed traffic. These devices only talk to others on the same subnet.

  6. #6
    Join Date
    Nov 2005
    Posts
    1,224
    Quote Originally Posted by leeware View Post
    Sekweta:

    You can use a SonicWall to accomplish this.
    Are you positive it's a transparent bridge and not a routed VPN?

  7. #7
    Join Date
    Apr 2007
    Posts
    3,513
    What about something like a Cisco PIX VPN using L2TP?

    Edit: Also have a look at - http://www.webhostingtalk.com/showthread.php?t=519169

  8. #8
    Join Date
    Nov 2004
    Location
    Chicago
    Posts
    413
    Quote Originally Posted by Sekweta View Post
    Are you positive it's a transparent bridge and not a routed VPN?
    Yes, I do this all the time. I have geographically distributed resources that I want to appear as a single LAN. Here are your choices:

    1. Buy services from a carrier (AT&T OPT-E-WAN) or Layer 2 services from Cogent (both are expensive, and neither meets your requirement of being an appliance).

    2. You can do it with multiplexers and LAN bridges (yuck); more trouble than it is worth.

    3. You can use a SonicWall or some other appliance; the solution would look like this:


    Clients <--192.168.0.x-> Remote VPN Appliance <--192.168.0.x-> LAN

    You can statically assign your clients to be part of the same LAN subnet or they can get their IP info from a DHCP server on the LAN. The routing is handled in the tunnel and is therefore transparent to the end devices.

  9. #9
    Join Date
    Oct 2001
    Posts
    1,315
    Quote Originally Posted by Sekweta View Post
    VPNs have different subnets at either end of the tunnel, which means routed traffic. These devices only talk to others on the same subnet.
    You can use openvpn ethernet bridging to bridge tap0 and ethX - http://openvpn.net/index.php/open-so...-bridging.html - then enable proxy_arp (echo 1 > /proc/sys/net/ipv4/conf/[ethX/tap0]/proxy_arp) and you're good to go

    All the best,
    Avi Brender

  10. #10
    Join Date
    Nov 2005
    Posts
    1,224
    Quote Originally Posted by MaB View Post
    You can use openvpn ethernet bridging to bridge tap0 and ethX - http://openvpn.net/index.php/open-so...-bridging.html - then enable proxy_arp (echo 1 > /proc/sys/net/ipv4/conf/[ethX/tap0]/proxy_arp) and you're good to go
    Thanks, but that doesn't fit my requirement of an appliance. Over my 28-year career I've run a lot of gateway-type applications (firewalls, routers, caches, etc.) on PC servers, and have learned through experience that nothing beats purpose-built appliances.

    Fanless, diskless, solid state appliances have proven more reliable than PC based servers running some manner of software on top of some flavor of OS.

    A good example is our last PC-based firewall: OpenBSD running PF. The colo had a sudden power outage, and when the power came back up, OpenBSD sat there grinding through a mandatory disk consistency check (while the rest of our gear was sitting there waiting and ready to go). Then, when the consistency check failed, the machine wouldn't boot and we were in deep poo because, well, the firewall itself wouldn't operate.

    That would never happen with any of the Juniper firewall appliances we use now.
    Last edited by Sekweta; 04-23-2011 at 11:20 AM.

  11. #11
    Join Date
    Apr 2003
    Location
    Lebanon, PA
    Posts
    420
    EoMPLSoGRE would work. You would need a router at each end which supports these features and the required throughput. You can do this on most Cisco routers and can encrypt the GRE tunnel if you need to. I used this on the ASR platform, but without the encryption, and it works. Our WAN links are 1 Gb (Cisco recommends 600 Mbps if you want vMotion) and vMotion works fine between DCs.

  12. #12
    Join Date
    Jun 2001
    Location
    Denver, CO
    Posts
    3,301
    Quote Originally Posted by Sekweta View Post
    A good example is our last PC-based firewall: OpenBSD running PF. The colo had a sudden power outage, and when the power came back up, OpenBSD sat there grinding through a mandatory disk consistency check (while the rest of our gear was sitting there waiting and ready to go). Then, when the consistency check failed, the machine wouldn't boot and we were in deep poo because, well, the firewall itself wouldn't operate.

    That would never happen with any of the Juniper firewall appliances we use now.
    Given that JunOS lives on top of FreeBSD, I see no reason why this couldn't happen on a Juniper box. Also, I have had flash cards fail on me on my Cisco gear. Talk about a **** storm ...
    Jay Sudowski // Handy Networks LLC // Co-Founder & CTO

  13. #13
    Join Date
    Aug 2009
    Location
    Orlando, FL
    Posts
    1,063
    Quote Originally Posted by Sekweta View Post
    Thanks, but that doesn't fit my requirement of an appliance. Over my 28-year career I've run a lot of gateway-type applications (firewalls, routers, caches, etc.) on PC servers, and have learned through experience that nothing beats purpose-built appliances.

    Fanless, diskless, solid state appliances have proven more reliable than PC based servers running some manner of software on top of some flavor of OS.

    A good example is our last PC-based firewall: OpenBSD running PF. The colo had a sudden power outage, and when the power came back up, OpenBSD sat there grinding through a mandatory disk consistency check (while the rest of our gear was sitting there waiting and ready to go). Then, when the consistency check failed, the machine wouldn't boot and we were in deep poo because, well, the firewall itself wouldn't operate.

    That would never happen with any of the Juniper firewall appliances we use now.
    I couldn't agree with you more. I had this argument with a PFsense fanboy. I brought up the same facts, to which he said he could build a PC with flash cards and blah blah blah...

    I ended up getting an infraction over it.

  14. #14
    Join Date
    Nov 2005
    Posts
    1,224
    Quote Originally Posted by skullbox View Post
    I couldn't agree with you more. I had this argument with a PFsense fanboy. I brought up the same facts, to which he said he could build a PC with flash cards and blah blah blah...
    A premium quality SSD hooked to a battery-backed write cache controller, in a top quality server, is probably close enough to a solid state device in reliability for many scenarios because the only moving parts are the fans. But you still have the underlying OS to be mindful of, and updating the flash image on a hardware device is (usually) safer and more foolproof than upgrading binaries and kernel in an OS.

    Our experience with OpenBSD/PF was so poor mainly because of the frequent and chronic power outages at Sago. We really had no choice but to ditch the "firewall on a PC" and go with hardware appliances.

    That completely solved our "network unreachable due to unbootable firewall" problems.

    The underlying power outage problem was fixed by moving OUT of Sago.

  15. #15
    Join Date
    Mar 2010
    Location
    Germany
    Posts
    681
    Quote Originally Posted by skullbox View Post
    I couldn't agree with you more. I had this argument with a PFsense fanboy. I brought up the same facts, to which he said he could build a PC with flash cards and blah blah blah...

    I ended up getting an infraction over it.
    Many people in our industry are just unable to understand what you're telling them.
    So they get stuck in their little bubbly box where it all works as intended.

    They've never seen or heard or thought about telco stuff that has update-in-place for the OS software and modules and keeps routing calls while you're updating. They haven't seen a disk array with N-way mirrored cache memory. And they love their toys.

    I've just had to build *reliable* Xen hosts. They're booting in read-only mode so that they'll come up after any smaller kind of disaster. But I can think a little farther and know this is just a "noob" step, where I should instead unzip the OS to a ramdisk and run from memory alone.
    And then I shouldn't be using a full-blown OS like Linux in an appliance anyway.

    My point being, if people only see their little world and don't have enough capability to listen to others, they'll keep proposing something that won't work and there's no way of explaining it to them.

    On the other hand, you'll have appliance vendors that lie about their performance numbers and often enough just stuff in an outdated PC where a few ASICs should be, so sometimes it's getting very hard to *not* replace the J-series P4 with an Olive on a quad-core.

    I never said that.

  16. #16
    Join Date
    Mar 2010
    Location
    Germany
    Posts
    681
    Quote Originally Posted by Jay Suds View Post
    Given that JunOS lives on top of FreeBSD, I see no reason why this couldn't happen on a Juniper box. Also, I have had flash cards fail on me on my Cisco gear. Talk about a **** storm ...
    Because JunOS has had _many_ years of experienced people going in to solve matters that other people think unsolvable

  17. #17
    Join Date
    Nov 2005
    Posts
    1,224
    Quote Originally Posted by wartungsfenster View Post
    My point being, if people only see their little world and don't have enough capability to listen to others, they'll keep proposing something that won't work and there's no way of explaining it to them.
    It's their comfort zone, and it's darned near impossible to wedge them out of it. I run into this frequently when dealing with "consultants" hired by some of our clients to do their on-site in-office stuff.

    They have their goofy little ways of doing things, and no matter how much you tell them it's bad practice, they do it anyway because it's how they've "always done it" and/or they've "never had a problem with it".

  18. #18
    Join Date
    Aug 2009
    Location
    Orlando, FL
    Posts
    1,063
    Quote Originally Posted by Sekweta View Post
    It's their comfort zone, and it's darned near impossible to wedge them out of it. I run into this frequently when dealing with "consultants" hired by some of our clients to do their on-site in-office stuff.

    They have their goofy little ways of doing things, and no matter how much you tell them it's bad practice, they do it anyway because it's how they've "always done it" and/or they've "never had a problem with it".
    You are 100% correct. As far as JunOS being BSD-based, has anyone had any type of boot problems on a Juniper router? I personally have never had such a problem, but I am sure there are people here with more of them in production than me.

  19. #19
    Sekweta,

    The vast majority of routers can accomplish what you need (L2TP, bridge to an IP tunnel, etc) and have been able to for the past 20 years or longer back when we were bridging crap all over the place (go go Netbios and SNA!).

    You're probably using infrastructure that can accomplish this already somewhere else in your network, unless you're dead set on spending additional cash or if your security policy / equipment selection just doesn't allow it.

  20. #20
    Join Date
    Nov 2005
    Posts
    1,224
    It could be from a lack of research, brought on by believing it "probably wasn't possible" to do with our current Juniper gear. I know VPNs are a cinch with what we have, but that requires different subnets at either end. I wasn't thinking they could also be endpoints in a Layer 2 bridge. Obviously it's time to investigate that possibility.

  21. #21
    Join Date
    Aug 2000
    Location
    Sheffield, South Yorks
    Posts
    3,480
    Your Juniper gear can do either Ethernet over MPLS, or even a GRE tunnel, or even Q-in-Q VLANs, all of which would accomplish what you need.
    Karl Austin :: KDA Web Services Ltd.

  22. #22
    Join Date
    Nov 2009
    Location
    Cincinnati
    Posts
    1,583
    Quote Originally Posted by skullbox View Post
    I had this argument with a PFsense fanboy
    I ended up getting an infraction over it.
    Yep that sounds right...

  23. #23
    Join Date
    Nov 2005
    Posts
    1,224
    Quote Originally Posted by KDAWebServices View Post
    Your Juniper gear can do either Ethernet over MPLS, or even a GRE tunnel, or even Q-in-Q VLANs, all of which would accomplish what you need.
    Are you referring to Juniper routers, or the Juniper Netscreens? (or both)

  24. #24
    Join Date
    May 2006
    Location
    New Zealand
    Posts
    6,482
    Quote Originally Posted by Sekweta View Post
    Are you referring to Juniper routers, or the Juniper Netscreens? (or both)
    I don't think Netscreens will do what you require. You could use a proper Juniper router using L2VPN or a VPLS.

    Don't hit me but what about a simple Cisco L2TPv3 with xconnect? Basic as it comes.

    As GeoffreyF said you probably already have some equipment that will do this.

  25. #25
    Join Date
    Nov 2005
    Posts
    1,224
    We don't use Cisco routing gear, but I'll check into L2TPv3. If their smaller gear supports it, it might be worth buying a pair just for the L2 bridging.

    Thanks for the info, and to all who responded.

  26. #26
    Join Date
    Mar 2008
    Location
    Los Angeles, CA
    Posts
    555
    Quote Originally Posted by Sekweta View Post
    It could be from a lack of research, brought on by believing it "probably wasn't possible" to do with our current Juniper gear. I know VPNs are a cinch with what we have, but that requires different subnets at either end. I wasn't thinking they could also be endpoints in a Layer 2 bridge. Obviously it's time to investigate that possibility.
    Huh?

    Since when do you even have to use IP addresses on a VPN'd device? The IP addresses are only used by the VPN software (in this case OpenVPN) to connect to the other location, but as far as what's plugged into the device, it is unaware.

    We have an office that accesses a private network at our data center via a Linux box. It uses a VPN to another box at the DC, and the VPN and ethernet port are bridged on the other end (the VPN interface doesn't have an assigned IP). It's really no different (from the computer/software's point of view) than if that router box were directly hooked up to that switch in the DC. It is even set up for doing 802.1q, so it has access to multiple VLANs.

    I don't know where you are getting this nonsense about a VPN having to be on a separate subnet. I also use VPN to bond two of my home connections. I have two VPN connections to the server (VPN01, VPN02) and neither of these two interfaces even has an IP address assigned to it. They are slaves of a BOND00 device (it has an IP assigned to it), but it can easily be whatever IP I want on it (no subnet restrictions).

    The whole reason I use VPN for bonding is it basically makes a layer2 connection to another network over layer4 (tcp/udp/whatever) where bonding was possible. Again you don't even have to have an IP address assigned to a VPN device.
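    An added illustration (not code from any post in this thread) of the transparent bridge that posts #8, #9 and #26 describe: a toy MAC-learning bridge joins a local Ethernet port to an unnumbered tunnel port, so an ARP broadcast from one site is flooded through the tunnel and the unicast reply follows the learned path back. MACs, the session-id framing and the "wan" path are constructed stand-ins for a tap/xconnect interface and its L2TPv3/GRE encapsulation.

```python
import struct

BROADCAST = b"\xff" * 6
ETH_ARP = 0x0806

def make_frame(dst, src, ethertype, payload=b""):
    """Build a minimal Ethernet II frame: dst MAC, src MAC, EtherType, payload."""
    return struct.pack("!6s6sH", dst, src, ethertype) + payload

def parse_frame(frame):
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return dst, src, ethertype, frame[14:]

class TunnelBridge:
    """Learning bridge with a 'lan' port (local Ethernet) and a 'wan' port (the
    tunnel). The tunnel port carries whole frames behind a 4-byte session id,
    in the spirit of an L2TPv3 session; it never needs an IP address of its own."""
    def __init__(self, session_id):
        self.session_id = session_id
        self.fdb = {}                      # MAC -> port, learned from source MACs
        self.out = {"lan": [], "wan": []}  # frames queued for transmission per port

    def receive(self, port, frame):
        dst, src, _, _ = parse_frame(frame)
        self.fdb[src] = port               # learn which side this MAC lives on
        target = self.fdb.get(dst)
        if dst == BROADCAST or dst[0] & 1 or target is None:
            target = "wan" if port == "lan" else "lan"   # flood to the other side
        if target != port:                 # same-side traffic never crosses the WAN
            self.out[target].append(self.encap(frame) if target == "wan" else frame)

    def encap(self, frame):
        # Plain encapsulation, as with raw GRE/L2TPv3: the frame is readable in transit,
        # which is why post #11 mentions encrypting the GRE tunnel (e.g. inside IPsec).
        return struct.pack("!I", self.session_id) + frame

    def decap(self, packet):
        (sid,) = struct.unpack("!I", packet[:4])
        if sid != self.session_id:
            raise ValueError("session id mismatch, frame dropped")
        return packet[4:]

def demo():
    """Host A at site 1 ARPs for host B at site 2 (constructed MACs); the broadcast
    is flooded through the tunnel and the unicast reply follows the learned path."""
    host_a = bytes.fromhex("020000000001")
    host_b = bytes.fromhex("020000000002")
    br1, br2 = TunnelBridge(0x1234), TunnelBridge(0x1234)
    request = make_frame(BROADCAST, host_a, ETH_ARP, b"who-has B")
    br1.receive("lan", request)                       # site 1 floods into the tunnel
    br2.receive("wan", br2.decap(br1.out["wan"].pop()))
    flooded = br2.out["lan"].pop()                    # site 2 LAN sees the same frame
    br2.receive("lan", make_frame(host_a, host_b, ETH_ARP, b"B-is-at"))
    br1.receive("wan", br1.decap(br2.out["wan"].pop()))
    reply = br1.out["lan"].pop()
    return flooded == request, br1.fdb, br2.fdb, reply
```

Because both bridges only learn and flood, the two sites form one broadcast domain, which is exactly why a LAN-only device keeps working; it also means every broadcast storm and every unencrypted frame crosses the WAN link.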

  27. #27
    Join Date
    Apr 2003
    Location
    Lebanon, PA
    Posts
    420
    Quote Originally Posted by Sekweta View Post
    We don't use Cisco routing gear, but I'll check into L2TPv3. If their smaller gear supports it, it might be worth buying a pair just for the L2 bridging.

    Thanks for the info, and to all who responded.
    Most Junipers can do l2circuit, which is what you are looking for.

  28. #28
    Join Date
    Nov 2005
    Posts
    1,224
    Quote Originally Posted by houkouonchi View Post
    The whole reason I use VPN for bonding is it basically makes a layer2 connection to another network over layer4 (tcp/udp/whatever) where bonding was possible. Again you don't even have to have an IP address assigned to a VPN device.
    I'm glad you posted, because it got me digging further. Every VPN that I've set up over the years has been routed across subnets, so I wasn't even thinking along the lines of a virtual L2 channel between unnumbered devices.

    Thanks for the heads up.
