EoGRE mit VLANs (retagging) über IKEV2

Henri · Beitrag von **Henri** » 26 Dez 2024, 15:11

Hallo,

ich sollte einen Windows Terminal Server (an dem jede Menge unangenehmes Layer2 Zeug hängt) in einen Proxmox Cluster verschieben.
Die Netzwerktopologie muss allerdings erhalten werden, nur der Server (mit Backup VM) wird verschoben.
Beide Seiten sind segmentiert, die VLAN IDs gibts also mehrfach.

SideA VLAN 2105 --- Bridge Tagging Hybrid 2105 --- GRE-TUNNEL-4 --- Side B --- Bridge Tagging Hybrid 5 -- VLAN 5

Das funktioniert wie gedacht, bis auf den Rückweg. Auf der SideA scheint dann ein Paket aus dem Tunnel zu kommen, welches mit VLAN 30 getaggt wird, nicht mit 2105 wie ich gedacht hätte. VLAN 30 ist das PVID ist des LAN Interfaces.

Ich vermute mal, ich mache etwas falsch oder das ist nicht vorgesehen, ich würde aber sehr gerne verstehen, wieso es nicht funktioniert.
Ich hatte bisher immer verstanden, dass beim Hybrid Tagging die PVID an die Pakete die aus dem Interface kommen gehangen wird, wenn diese Untagged sind.

Danke

Henri

--- SIDE A --- Sender

ping 172.21.5.17

[VLAN] 2024/12/26 14:35:37,519
VLAN egress filter on GRE-TUNNEL-4 for packet from 00:a0:57:72:bc:51 (LANCOM 72:bc:51) to ff:ff:ff:ff:ff:ff (Broadcast) Type 0x0806 assigned to VLAN 2105:
destination port is member of VLAN, allowing egress

[VLAN] 2024/12/26 14:35:37,519
VLAN egress filter on GRE-TUNNEL-4 for packet from 00:a0:57:72:bc:51 (LANCOM 72:bc:51) to ff:ff:ff:ff:ff:ff (Broadcast) Type 0x0806 assigned to VLAN 2105:
destination port is member of VLAN, allowing egress

[GRE] 2024/12/26 14:35:37,520[info] : GRE-TUNNEL-4 send 42 bytes packet to 172.21.0.1

[VLAN] 2024/12/26 14:35:39,198
VLAN egress filter on GRE-TUNNEL-4 for packet from 00:a0:57:72:bc:51 (LANCOM 72:bc:51) to ff:ff:ff:ff:ff:ff (Broadcast) Type 0x0800 assigned to VLAN 30:
destination port is not member of VLAN, disallowing egress

[VLAN] 2024/12/26 14:35:39,198
VLAN egress filter on GRE-TUNNEL-4 for packet from 00:a0:57:5c:2d:62 (LANCOM 5c:2d:62) to ff:ff:ff:ff:ff:ff (Broadcast) Type 0x0800 assigned to VLAN 30:
destination port is not member of VLAN, disallowing egress

--- SIDE A ---

--- SIDE B --- Empfänger

[Bridge] 2024/12/26 14:35:41,624
Bridge frame coming from ifc GRE-TUNNEL-4:
00:a0:57:72:bc:51 (LANCOM 72:bc:51) to ff:ff:ff:ff:ff:ff (Broadcast), 42 bytes
VLAN Id 5 Prio 0
-->multi/broadcast
--> GRE-TUNNEL-4's forwarding mask is [LAN-1 LAN-4 LAN-5 WLC-TUNNEL-3 WLC-TUNNEL-5 BUNDLE-1]
-->VLAN egress filter forbids forwarding to LAN-4
-->VLAN egress filter forbids forwarding to LAN-5
-->VLAN egress filter forbids forwarding to WLC-TUNNEL-3
-->forwarding 42 bytes to ifc LAN-1
-->forwarding 42 bytes to ifc WLC-TUNNEL-5
-->forwarding 42 bytes to ifc BUNDLE-1
-->forwarding into own LSL stack

[VLAN] 2024/12/26 14:35:41,624
VLAN ingress filter for packet received from 00:a0:57:72:bc:51 (LANCOM 72:bc:51) via port GRE-TUNNEL-4 destined to 01:80:c2:00:00:00 (Bridge-PDU) Type 0x0027
Frame Tag: none
assign network 5 from port VLAN

[ARP] 2024/12/26 14:35:41,628
ARP RX (GRE-TUNNEL-4, DMZ): ARP-REQ
SrcIp=172.21.5.2 @ LANCOM_72:bc:51 (00:a0:57:72:bc:51)
DstIp=172.21.5.17 @ 00:00:00_00:00:00 (00:00:00:00:00:00)

[VLAN] 2024/12/26 14:35:41,628
VLAN egress filter on GRE-TUNNEL-4 for packet from 00:04:13:62:09:67 (SNOM 62:09:67) to 00:a0:57:72:bc:51 (LANCOM 72:bc:51) Type 0x0806 assigned to VLAN 5:
destination port is member of VLAN, allowing egress

[Bridge] 2024/12/26 14:35:41,628
Bridge frame coming from ifc LAN-1:
00:04:13:62:09:67 (SNOM 62:09:67) to 00:a0:57:72:bc:51 (LANCOM 72:bc:51), 60 bytes
VLAN Id 5 Prio 0
-->unicast to address on interface GRE-TUNNEL-4
-->forwarding 60 bytes to ifc GRE-TUNNEL-4

[GRE] 2024/12/26 14:35:41,632[info] : GRE-TUNNEL-4 send 60 bytes packet to 172.20.0.2

--- SIDE B ---